Azure Integration Services Blog

Access Storage Accounts behind Firewalls from Logic Apps within the same region

talsaifi
Microsoft
Feb 19, 2021

A storage account behind a firewall is not accessible from a logic app in the same region through the Azure Blob Storage connector, because firewall rules cannot be added to give access to the connector's outgoing IP addresses. For details, see: https://docs.microsoft.com/en-us/azure/connectors/connectors-create-api-azureblobstorage#access-storage-accounts-behind-firewalls

In this case, the Azure Blob Storage connector returns a 403 error.

As a workaround, use the HTTP action to call the storage account REST APIs with the logic app's managed identity. To do so, follow the steps below:


  1. Enable your logic app managed identity:
    1. Go to your logic app.
    2. Go to Settings -> Identity.
    3. Select System assigned.
    4. Select Status -> On.
    5. Click Save.
  2. In your storage account, add role assignment for your logic app:
    1. Go to your storage account.
    2. Click on Access Control (IAM).
    3. Click on Role assignments tab.
    4. Click Add and select Add role assignment:
      1. From the Role dropdown list, select Storage Blob Data Contributor.
      2. From Assign access to dropdown list, select Logic App.
      3. Under the Select field, type the name of your logic app to search for it and select it once it's found; it will then appear under the selected members list.
      4. Click Save.
  3. In your storage account, make sure that the exception to allow trusted Microsoft services to access this storage account is selected:
    1. Go to your storage account.
    2. Go to Settings -> Networking.
    3. Select Firewalls and virtual networks.
    4. Scroll down to Exceptions.
    5. Select Allow trusted Microsoft services to access this storage account.
    6. Click Save.
  4. Connect your logic app to storage account using HTTP action to call storage account REST API:
    1. Go to your logic app.
    2. Click on View in logic apps designer.
    3. Add an action.
    4. Search for and select HTTP action:
      1. From method dropdown list, select a method (GET, PUT, etc.).
      2. Enter the URI for the folder under your storage account (https://<your account name>.blob.core.windows.net/<container name>/<file name>).
      3. Under headers, add the following key value pairs:
        1. Key: x-ms-blob-type, Value: BlockBlob.
        2. Key: x-ms-version, Value: 2019-07-07.
      4. In the body field, enter or select the variable or data token that holds your file content, in case of using PUT method.
      5. From add new parameter, select authentication:
        1. From Authentication type dropdown list, select Managed Identity.
        2. From Managed Identity dropdown list, select System Assigned Managed Identity.
        3. For audience, enter https://storage.azure.com
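
The HTTP action from step 4 as it would appear in the logic app's code view, with a small Python check of the settings the steps call for. This is an added example, not code from the original post; the account, container and blob names, the `@triggerBody()` body and the `audit_http_action` helper are assumptions made for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: code-view form of the HTTP action from step 4.
# "mystorageacct", "invoices" and "report.csv" are placeholder names.
ACTION_JSON = """
{
  "type": "Http",
  "inputs": {
    "method": "PUT",
    "uri": "https://mystorageacct.blob.core.windows.net/invoices/report.csv",
    "headers": {"x-ms-blob-type": "BlockBlob", "x-ms-version": "2019-07-07"},
    "body": "@triggerBody()",
    "authentication": {"type": "ManagedServiceIdentity", "audience": "https://storage.azure.com"}
  }
}
"""

def audit_http_action(action):
    """Return findings; an empty list means the action matches step 4 of the post."""
    findings = []
    inputs = action.get("inputs", {})
    headers = {k.lower(): v for k, v in inputs.get("headers", {}).items()}
    auth = inputs.get("authentication") or {}
    url = urlsplit(inputs.get("uri", ""))
    host = url.hostname or ""
    if url.scheme != "https" or not host.endswith(".blob.core.windows.net"):
        findings.append("uri is not an https blob endpoint")
    if "x-ms-version" not in headers:
        findings.append("missing x-ms-version header")
    if inputs.get("method", "").upper() == "PUT" and headers.get("x-ms-blob-type") != "BlockBlob":
        findings.append("PUT without x-ms-blob-type: BlockBlob")
    if auth.get("type") != "ManagedServiceIdentity":
        findings.append("authentication is not Managed Identity")
    elif auth.get("audience", "").rstrip("/") != "https://storage.azure.com":
        findings.append("audience is not https://storage.azure.com")
    if "authorization" in headers:
        # A hard-coded credential would sit beside (or replace) the managed identity.
        findings.append("hard-coded Authorization header present")
    return findings

if __name__ == "__main__":
    print(audit_http_action(json.loads(ACTION_JSON)) or "action matches step 4")
```
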
Updated Feb 19, 2021
Version 5.0

17 Comments

  • AsheN0ne
    Copper Contributor

    Hi talsaifi Thank you for the prompt reply!!

     

    So, I have the logic app and the storage account in the same region.
    I did follow the steps above:
    1- I have assigned Storage Table Data Contributor, Storage Table Data Reader roles and also added outgoing IP addresses to the storage account
    2- And I am trying to Insert Entity REST API operation for Table Storage which looks like below

     

    and included the below headers

     

    {
      "Accept": "application/json",
      "Content-Type": "application/json",
      "DataServiceVersion": "3.0;NetFx",
      "MaxDataServiceVersion": "3.0;NetFx",
      "x-ms-date": "Thu, 15 Jul 2021 19:10:40 GMT",
      "x-ms-version": "2019-07-07"
    }

     

    and still having 403 "AuthorizationFailure" error -- This request is not authorized to perform this operation

     

    I really don't understand what I am doing wrong here 😞 as I was able to connect to Blob storage but not Table Storage. Could you please tell me what I am missing here? talsaifi

    Thank you in advance!

  • AsheN0ne Actually, at the time when this article was published, the above was not possible with Azure table storage! The good news is that now table storage supports Azure AD Integration 😄

     

    You can follow the steps above, except:

    1- Use Storage Table Data Contributor instead of Storage Blob Data Contributor when adding role assignment.

    2- Your HTTP action should look as follows:

    1. Enter the URI for the table under your storage account: https://<your account name>.table.core.windows.net/<table name>
    2. Under Headers, add the following key value pairs:
      1. Key: Accept, Value: application/json.
      2. Key: x-ms-version, Value: 2019-07-07.

     

    For list of REST API operations on table entities, check the following link: Operations on entities (REST API) - Azure Storage | Microsoft Docs

     

    The other option is:

    1- Have the storage account and logic app in different regions.

    2- Use the Azure Table Storage connector; for connector reference, check the following link: Azure Table Storage - Connectors | Microsoft Docs

    3- Add the logic app connector outgoing IP addresses to the storage account firewall to allow access.

  • AsheN0ne
    Copper Contributor

    talsaifi Is there any way that a Logic App can connect to table storage with a Storage account behind Firewalls within the same region? If not any alternative ways/methods?

    (Tried the above and was seeing a 403 error, where I was able to connect through Postman but not through Logic App)

    Could you please assist? As we really need Table storage for our logic apps 😞

  • robergc
    Copper Contributor

    Great job!!!

    But when I try to connect against table storage I receive a 401 error, even if I pass it the correct authorization header. In Postman it works but not in the logic app.

    Do you know how to solve it?