Azure Integration Services Blog

Access Azure Blob using Logic App

vinaykrish
Microsoft
Jun 09, 2020
In this article, let's explore how to automate the process of accessing blobs using Logic Apps.
The purpose of this blog is to demonstrate the challenges we currently face while accessing secured blobs and how to overcome them.
 
Azure Blob Storage offers three types of blobs: block blobs, append blobs, and page blobs.
 
Please find the kinds of blobs listed over here.
 
In today's topic, I will give you an overall picture of the possible ways of accessing blobs from Azure Logic Apps.
 
There are several ways to access blobs, and a few of them are:
  1. Using Azure Functions.
  2. Using REST APIs.
  3. .NET code or another programming language.
  4. Logic Apps.
 
You can find more information in this article.
 
Let's begin with the number of possible ways we can connect with Azure Storage Blobs using Logic Apps under various security constraints.

This should give a clear picture of how to access Azure blobs from Logic Apps under various constraints.
 

| Source - Logic Apps | Connector Type | Is Blob behind Firewall? | Destination-Storage Blob | Region | Comments |
|---|---|---|---|---|---|
| ISE | ISE-Blob Connector | Yes | Blob | Same | Possible with Private Endpoint. Possible with whitelisting ISE-Vnet. |
| ISE | ISE-Blob Connector | Yes | Blob | Cross | Not possible with Private IP since whitelisting of Vnet would not happen for different region. But we can connect to Blob using public endpoint if we force traffic through the public IP of the ISE. Also storage should be resolvable to public IP. Additionally, we have to whitelist public IP of ISE on Storage. |
| ISE | Built-in HTTP | Yes | Blob | Same | Possible with Private Endpoint. Possible with Managed Identity. Possible with whitelisting ISE-Vnet. |
| ISE | Built-in HTTP | Yes | Blob | Cross | Possible with Managed Identity. But we can connect to Blob using public endpoint if we force traffic through the public IP of the ISE. Also storage should be resolvable to public IP. Additionally, we have to whitelist public IP of ISE on Storage. |
| ISE | Azure Blob Connector | Yes | Blob | Same | Possible with Managed Identity. |
| ISE | Azure Blob Connector | Yes | Blob | Cross | Yes with whitelisting ISE-Virtual Network. Yes with Managed Identity. |
| Logic App Standard | Built-in Blob Connector | Yes | Blob | Same | Possible with Private endpoint, whitelisting Vnet and Logic App VNET Integration. |
| Logic App Standard | Built-in Blob Connector | Yes | Blob | Cross | Not possible with Private IP since whitelisting of Vnet would not happen for different region. But we can connect to Blob using public endpoint if we force traffic through the public IP of the Standard Logic App. Also storage should be resolvable to public IP. Additionally, we have to whitelist public IP of Standard Logic App on Storage. |
| Logic App Standard | Built-in HTTP | Yes | Blob | Same | Possible with Private endpoint, whitelisting Vnet and Logic App VNET Integration. |
| Logic App Standard | Built-in HTTP | Yes | Blob | Cross | Not possible with Private IP since whitelisting of Vnet would not happen for different region. But we can connect to Blob using public endpoint if we force traffic through the public IP of the Standard Logic App. Also storage should be resolvable to public IP. Additionally, we have to whitelist public IP of Standard Logic App on Storage. |
| Logic App Standard | Azure Blob Connector | Yes | Blob | Same | Not possible, we will not be able to connect even with IP whitelisting. Not possible even with Managed Identity with your Logic App Standard currently. |
| Logic App Standard | Azure Blob Connector | Yes | Blob | Cross | |
| Logic App Standard | Any | No | Blob | Same/different | Should not have any problem if there is no Firewall. |
| Logic App Consumption | Any | No | Blob | Same/different | Should not have any problem if there is no Firewall. |
| Logic App Consumption | Azure Blob Connector | Yes | Blob | Cross | |
| Logic App Consumption | Azure Blob Connector | Yes | Blob | Same | Possible with Managed Identity. |
| Logic App Consumption | HTTP Connector | Yes | Blob | Cross | Can be accessed through Managed Identity with "Blob Contributor rights". If not with Managed Identity it can also be accessed by whitelisting the Runtime IPs of Logic Apps. |
| Logic App Consumption | HTTP Connector | Yes | Blob | Same | Only through Managed Identity with "Blob Contributor rights" for Particular Logic App. |

You can find more information on accessing Azure Blob using Managed Identity. Refer: Link2
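
The network-rule side of the table above, as an added example (not code from the original article or from Microsoft): a simplified Python model of which storage firewall rule, if any, admits a Logic App call, following the table's statements that VNet rules help only in the same region and public-IP rules only across regions. The rule set mirrors the shape of `az storage account show --query networkRuleSet`; the subnet ID, IP address and function names are constructed for illustration, and managed identity and private endpoints are outside the model.

```python
import ipaddress

# Constructed sample shaped like `az storage account show --query networkRuleSet`.
SUBNET = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
          "/providers/Microsoft.Network/virtualNetworks/vnet-la/subnets/snet-la")
SAMPLE_RULES = {
    "defaultAction": "Deny",
    "ipRules": [{"action": "Allow", "ipAddressOrRange": "203.0.113.10"}],
    "virtualNetworkRules": [{"action": "Allow", "virtualNetworkResourceId": SUBNET}],
}


def _allowed(rules, key, field):
    """Values of `field` from the Allow entries under `key` (missing key -> empty)."""
    return [r[field] for r in rules.get(key) or [] if r.get("action", "Allow") == "Allow"]


def firewall_verdict(rules, same_region, outbound_ip=None, subnet_id=None):
    """Return (allowed, reason) for a Logic App call, per the table's network rules.

    Hypothetical helper: models only IP and subnet rules, not managed identity
    or private endpoints.
    """
    if rules.get("defaultAction", "Allow") == "Allow":
        return True, "no firewall (defaultAction is Allow)"
    subnets = {s.lower() for s in _allowed(rules, "virtualNetworkRules",
                                           "virtualNetworkResourceId")}
    subnet_hit = bool(subnet_id) and subnet_id.lower() in subnets
    ip_hit = False
    if outbound_ip:
        addr = ipaddress.ip_address(outbound_ip)
        ip_hit = any(addr in ipaddress.ip_network(cidr, strict=False)
                     for cidr in _allowed(rules, "ipRules", "ipAddressOrRange"))
    if subnet_hit and same_region:
        return True, "subnet rule matches (same region)"
    if ip_hit and not same_region:
        return True, "public IP rule matches (cross region)"
    if ip_hit:
        return False, "IP rule unused: same-region calls do not arrive from the public IP"
    if subnet_hit:
        return False, "subnet rule unused: VNet allowlisting does not apply cross region"
    return False, "no network rule matches this caller"


if __name__ == "__main__":
    for region in (True, False):
        print("same region" if region else "cross region",
              firewall_verdict(SAMPLE_RULES, region, outbound_ip="203.0.113.10"),
              firewall_verdict(SAMPLE_RULES, region, subnet_id=SUBNET))
```

A "rule unused" verdict points at an entry that widens the allowlist without enabling the call it was added for, which makes it a candidate for removal.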

 
Disclaimer: This article holds valid at the time of writing.
Updated Nov 14, 2024
Version 5.0

3 Comments

  • vpydikondala

    Hello,

    I encountered an issue when trying to use the "Create Blob (V2)" trigger with private endpoints in Azure Logic Apps, where none of the configurations I attempted worked. After investigating, I suspected there might be a system glitch or an additional authentication check that was failing. As an alternative, I tried using the "Upload Blob" trigger instead, and it worked successfully.

    It appears that the "Create Blob (V2)" trigger performs additional authentication checks that may fail when using private endpoints, whereas the "Upload Blob" trigger does not encounter the same issue. Both triggers essentially perform the same operation, so in scenarios involving private endpoints, I recommend using the "Upload Blob" trigger.

    Additionally, I noticed that the solution mentioned above suggests that having both the Logic App and the storage account in the same region might cause issues. However, in my case, the "Upload Blob" trigger worked fine even when both were in the same region.

    Therefore, if you're using private endpoints with a storage account and virtual network integration in a Logic App, I suggest opting for the "Upload Blob" trigger for a more reliable solution.

    Please consider this the correct solution for the issue discussed.

  • Enabling firewall rules on an Azure storage account serves a critical purpose in enhancing security by restricting unauthorized access. However, when it comes to services like Logic Apps within the same region, there's an intrinsic challenge. Unlike external communication, local communication within the Azure data center operates differently. It abstracts the internal IP addresses, making it challenging to permit access based solely on IP addresses. Therefore, allowing seamless communication between Logic Apps and a firewall-enabled storage account within the same region requires additional considerations beyond standard IP filtering to ensure both security and functionality.

    Connect to Azure Blob Storage from workflows - Azure Logic Apps | Microsoft Learn

  • bhushangawale

    Could you clarify the specific rationale or purpose behind preventing any connectivity between a Logic App and a firewall-enabled storage account within the same region using the Azure Blob connector?