Azure App Service can mount Azure Storage as a network share in a built-in Linux container or a custom Linux container. The detailed steps are provided in the following document:
While the storage firewall is supported through both a service endpoint and a private endpoint, some configuration details are not covered in that document. This article provides the detailed steps for mounting a storage account that sits behind a storage firewall, using either a service endpoint or a private endpoint.
One thing to note is that mounting storage from the app service requires certain outbound ports to be open:
For blob storage: Port 80 and 443 should be open
For file share: Port 80 and 445 should be open
The reason for opening port 80 is that the backend instance first uses port 80 to test connectivity between the app service and the storage account; only once that test succeeds does the app service mount the storage account.
For example, we have an app service called LinuxAppTestForStorage with VNet integration, and a network security group myVNet-Appservice-nsg-centralus is associated with the VNet. When a rule is added that blocks outbound connections on port 80, the storage mount fails. As a result, the container cannot start properly, and browsing to the app service's URL returns a 502 error.
The following describes the configuration for using the storage firewall with a service endpoint and with a private endpoint.
On the storage side:
Click the Networking blade -> navigate to Firewalls and virtual networks -> add the existing VNet. In the screenshot below, I added the VNet called "myVNet"; the storage account will then only allow access from resources in this VNet.
On the app service side:
The app service needs VNet integration, which enables it to access resources within the VNet. Navigate to the Networking blade -> click VNet Integration -> connect to "myVNet".
On the network side:
Click the subnet that is integrated with the app service, and then enable the service endpoint for Microsoft.Storage. This ensures the traffic stays on the Azure backbone, which improves both speed and security.
For a private endpoint, keep all the settings above and additionally add the private endpoint from the portal. Open the Networking settings of the storage account, navigate to the Private endpoint connections tab, and create a private endpoint resource.
When creating the private endpoint, select the same virtual network that the app service is integrated with. This ensures the app service can reach the storage account, because once the private endpoint is created only traffic from the selected virtual network is allowed.
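The service endpoint path above, as an added Azure CLI script that is not part of the original article: the resource group, subnet, storage account, share and rule names are placeholders, and the outbound NSG rule allows only the ports listed earlier, and only to the Storage service tag, instead of opening all outbound traffic.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. RG, SUBNET, STORAGE and SHARE are placeholders.
set -eu
RG="${RG:-rg-placeholder}"; VNET="${VNET:-myVNet}"; SUBNET="${SUBNET:-appsvc-subnet}"
NSG="${NSG:-myVNet-Appservice-nsg-centralus}"; STORAGE="${STORAGE:-stplaceholder}"
APP="${APP:-LinuxAppTestForStorage}"; SHARE="${SHARE:-data}"

# Ports the mount needs per storage type; port 80 is the connectivity probe the article describes.
required_ports() {
  case "$1" in
    blob) echo "80 443" ;;
    file) echo "80 445" ;;
    *) echo "unknown storage type: $1" >&2; return 1 ;;
  esac
}

# Outbound NSG rule scoped to the Storage service tag, not a blanket outbound allow.
allow_storage_outbound() {
  kind="$1"; ports="$(required_ports "$kind")"
  az network nsg rule create --resource-group "$RG" --nsg-name "$NSG" \
    --name "Allow-Storage-${kind}-outbound" --priority 100 --direction Outbound \
    --access Allow --protocol Tcp --source-address-prefixes VirtualNetwork \
    --destination-address-prefixes Storage --destination-port-ranges $ports
}

# Service endpoint on the integration subnet, then restrict the account to that subnet only.
enable_service_endpoint() {
  az network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
    --name "$SUBNET" --service-endpoints Microsoft.Storage
  az storage account network-rule add --resource-group "$RG" --account-name "$STORAGE" \
    --vnet-name "$VNET" --subnet "$SUBNET"
  az storage account update --resource-group "$RG" --name "$STORAGE" --default-action Deny
}

# VNet integration for the app, then the Azure Files mount (SMB, hence port 445).
mount_share() {
  az webapp vnet-integration add --resource-group "$RG" --name "$APP" --vnet "$VNET" --subnet "$SUBNET"
  key="$(az storage account keys list --resource-group "$RG" --account-name "$STORAGE" \
         --query '[0].value' -o tsv)"
  az webapp config storage-account add --resource-group "$RG" --name "$APP" \
    --custom-id share-mount --storage-type AzureFiles --account-name "$STORAGE" \
    --share-name "$SHARE" --access-key "$key" --mount-path /mounts/share
}

# Only touches Azure when run as "./mount.sh apply"; sourcing it just defines the functions.
if [ "${1:-}" = "apply" ]; then
  allow_storage_outbound file; enable_service_endpoint; mount_share
fi
```

For a blob mount, call `allow_storage_outbound blob` and use `--storage-type AzureBlob`; the private endpoint variant replaces enable_service_endpoint with an `az network private-endpoint create` against the same subnet.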