Mount Azure Storage in a custom container in App Service with the restricted network environment
Published Feb 05 2022 09:18 PM
Microsoft


Azure App Service supports mounting Azure Storage as a network share in a built-in Linux container or a custom Linux container. The detailed steps are provided in the following document:

Mount Azure Storage as a local share (container) - Azure App Service | Microsoft Docs

While the Storage Firewall is supported through both a service endpoint and a private endpoint, some configuration details are not addressed in that document. This article provides detailed steps for mounting the storage account using a service endpoint and a private endpoint.

One thing to notice is that mounting the storage from the app service requires certain outbound ports to be open:

  • For blob storage: Port 80 and 443 should be open
  • For file share: Port 80 and 445 should be open

The reason port 80 must be open is that the backend instance first uses port 80 to test connectivity between the app service and the storage account; only once that test succeeds does the app service mount the storage account.

For example, we have an app service called LinuxAppTestForStorage with VNet integration, and a network security group myVNet-Appservice-nsg-centralus is associated with the VNet. When a rule is added to restrict outbound connections on port 80, the storage mount fails. As a result, the container cannot start properly, and browsing the URL of the app service returns a 502 error.
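To turn the port requirement above into a pre-flight check, here is an added example in Python (not code from the article or from Azure) that models how an NSG evaluates outbound rules and reports which of the required ports a rule set denies. The rule names, the destination-tag handling and the sample rules are assumptions for illustration.

```python
"""Pre-flight check for the outbound ports an App Service needs to mount Azure Storage.

Added example, not code from the original article. It models how an Azure NSG
evaluates outbound rules (ascending priority, first match wins, then the
platform's default rules) and reports which required ports end up denied.
The rule set in the test is constructed to mirror the article's failure: a
custom rule that blocks outbound port 80 from the integration subnet."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # lower number is evaluated first, as in Azure
    access: str          # "Allow" or "Deny"
    dest_ports: tuple    # e.g. ("*",), ("80",), ("443", "445"), ("8000-8080",)
    dest: str = "*"      # "*", "Internet", "VirtualNetwork" or a service tag

# Azure's default outbound rules, appended so evaluation always resolves.
DEFAULT_OUTBOUND = (
    Rule("AllowVnetOutBound", 65000, "Allow", ("*",), "VirtualNetwork"),
    Rule("AllowInternetOutBound", 65001, "Allow", ("*",), "Internet"),
    Rule("DenyAllOutBound", 65500, "Deny", ("*",), "*"),
)

# Ports the article says must be open outbound for each kind of share.
REQUIRED_PORTS = {"blob": (80, 443), "files": (80, 445)}

# Which rule destinations cover the storage endpoint (assumption): a public
# storage endpoint is reached via "Internet"/"Storage"; a private endpoint is
# an address inside the VNet, so only "VirtualNetwork" (or "*") covers it.
COVERS = {"Storage": {"*", "Internet", "Storage"}, "VirtualNetwork": {"*", "VirtualNetwork"}}

def _port_match(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def deciding_rule(rules, port: int, target: str = "Storage") -> Rule:
    """First rule (by priority) whose destination and port range match."""
    for r in sorted(tuple(rules) + DEFAULT_OUTBOUND, key=lambda r: r.priority):
        if r.dest in COVERS[target] and any(_port_match(p, port) for p in r.dest_ports):
            return r
    raise AssertionError("DenyAllOutBound matches everything; unreachable")

def blocked_ports(rules, share_kind: str, target: str = "Storage") -> list:
    """Required ports for `share_kind` ("blob" or "files") that the NSG denies."""
    return [p for p in REQUIRED_PORTS[share_kind]
            if deciding_rule(rules, p, target).access == "Deny"]
```

Pass target="VirtualNetwork" when the storage account is reached through a private endpoint, since that traffic never leaves the VNet.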

The following sections provide the configuration for using the Storage Firewall with a service endpoint and with a private endpoint.

Service Endpoint:

On the storage side:

Open the Networking blade -> navigate to Firewalls and virtual networks -> add the existing VNet. In this example I added the VNet called "myVNet"; the storage account will then only allow access from resources in this VNet.

On the app service side:

The app service needs VNet integration, which enables it to access resources within the VNet. Navigate to the Networking blade -> click VNet Integration -> and then connect to "myVNet".


On the network side:

Click the subnet that is integrated with the app service, and then enable the service endpoint for Storage. This keeps the traffic on the Azure backbone, which improves both speed and security.


Private endpoint:

For a private endpoint, keep all the settings above and additionally add a private endpoint from the portal. Open the network settings of the storage account, navigate to the private endpoint tab, and create a private endpoint resource.


When creating the private endpoint, select the same virtual network to which the app service is integrated. This ensures the app service can reach the storage account, because once the private endpoint is created only traffic from the selected virtual network is allowed.
