Azure Integration Services Blog
Deploying Standard Logic App to Storage Account behind Firewall using Service or Private Endpoints

VeeraReddy
Iron Contributor
Aug 09, 2021

Standard Logic App is powered by the new Azure single-tenant Logic App runtime. The single-tenant Logic App offering runs as an extension on top of the Azure Functions runtime. Like Azure Functions, the Standard Logic App leverages storage account services such as Blob, File Share, Queue and Table for various purposes. For instance, the website content is stored in a File Share, which the Logic App site must be able to read in order to be up and running. You can refer to this blog to understand how the storage services are leveraged in the Standard Logic App.

In this article, we will see how to access the storage account services on a secured network, using Service Endpoints (or) Private Endpoints, from a Standard Logic App.

By default, the portal creation experience for Logic Apps expects the storage account to be accessible on its public endpoint. Let us explore the options below for accessing the storage account over a secured network.

 

Deploy Logic App Standard resource having secured access to the Storage account using the Portal:

  • The storage account needs to be accessible on its Public Endpoint, i.e. network access set to 'All Networks'.
  • Create a Logic App resource, selecting the above created storage account during the Logic App creation process.
  • Enable the Service Endpoint or Private Endpoints (for all services, i.e. blob, table, file, queue) on the storage account.
  • Enable VNET integration for the Logic App resource with the respective VNET and a subnet that has access to the storage account over the Service Endpoint (SE) or Private Endpoints (PE).
  • Set the below configuration settings (app settings) to access the storage over SE or PE's.

  • 1. WEBSITE_VNET_ROUTE_ALL (legacy setting; the networking tab now has a 'Route All' toggle button)
    Value: 1
    Mandatory: Yes
    Comments: It is a legacy setting to route all outbound traffic through the integrated subnet. There is a new 'Route All' toggle button available in the VNET integration blade; you can use either of these. If you don't set either of the above and just have VNET integration, only private traffic will go through your subnet and the remaining traffic will go through the internet.
  • 2. WEBSITE_DNS_SERVER
    Value: 168.63.129.16 (or) a custom DNS server IP address
    Mandatory: No
    Comments: It enforces the Logic App to use a specific DNS server. Set it if required; otherwise the Logic App will use whatever DNS servers are configured on the integrated VNET.
  • 3. WEBSITE_CONTENTOVERVNET
    Value: 1
    Mandatory: Yes
    Comments: It enables the Logic App resource to access the website content over VNET traffic, i.e. on SE or PE's.
  • 4. WEBSITE_DNS_ALT_SERVER
    Value: alternate DNS server IP address
    Mandatory: No
    Comments: It enforces the Logic App to use a specific DNS server when WEBSITE_DNS_SERVER is unable to resolve. Set it if required; otherwise the Logic App will use whatever DNS servers are configured on the integrated VNET.

  • There is no need to restart the Logic App site when you update app settings or add new workflows; the Logic App gracefully restarts in an incremental mode without impacting any existing runs. However, it isn't suggested to make changes while there are in-process transactions.
  • Change the storage account network settings to 'Selected networks'.
  • The Logic App may experience some interruption, as the connectivity switch between public and private endpoints can take some time and you may not see workflows for a while. You may restart the Logic App, wait a few minutes and check whether the workflows are loading.
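As an added example (not code from the post or from the Logic Apps product), a pre-flight check over the app settings from the table above, applying its rules: WEBSITE_CONTENTOVERVNET must be 1, route-all must come from either WEBSITE_VNET_ROUTE_ALL=1 or the 'Route All' toggle (vnetRouteAllEnabled, which the post notes later takes precedence over the legacy setting), and the optional DNS settings must hold valid IP addresses when present. The settings dict is a constructed sample.

```python
import ipaddress
from typing import Dict, List

AZURE_DNS = "168.63.129.16"  # Azure-provided resolver named in the post's table


def audit_app_settings(settings: Dict[str, str],
                       vnet_route_all_enabled: bool = False,
                       has_vnet_integration: bool = True) -> List[str]:
    """Return findings; an empty list means the app settings satisfy the post's
    rules for reaching storage over a Service or Private Endpoint.
    vnet_route_all_enabled mirrors the 'Route All' toggle (vnetRouteAllEnabled),
    which overrides the legacy WEBSITE_VNET_ROUTE_ALL app setting."""
    findings: List[str] = []
    if not has_vnet_integration:
        findings.append("VNET integration is missing; SE/PE traffic cannot reach the storage account")
    # Mandatory: website content (the File Share) must be read over the VNET
    if settings.get("WEBSITE_CONTENTOVERVNET", "").strip() != "1":
        findings.append("WEBSITE_CONTENTOVERVNET must be set to 1")
    # Mandatory: route all outbound traffic through the integrated subnet,
    # via either the toggle or the legacy app setting
    legacy = settings.get("WEBSITE_VNET_ROUTE_ALL", "").strip()
    if not vnet_route_all_enabled and legacy != "1":
        findings.append("enable 'Route All' (vnetRouteAllEnabled) or set WEBSITE_VNET_ROUTE_ALL=1; "
                        "otherwise only private traffic uses the subnet")
    elif vnet_route_all_enabled and legacy and legacy != "1":
        findings.append(f"WEBSITE_VNET_ROUTE_ALL={legacy} is ignored because vnetRouteAllEnabled overrides it")
    # Optional DNS settings: validated only when present
    for key in ("WEBSITE_DNS_SERVER", "WEBSITE_DNS_ALT_SERVER"):
        value = settings.get(key)
        if value is None:
            continue
        try:
            ipaddress.ip_address(value.strip())
        except ValueError:
            findings.append(f"{key}={value!r} is not a valid IP address")
    return findings


# Constructed sample: content over VNET plus the Azure-provided DNS server;
# route-all is supplied by the toggle rather than the legacy app setting
SAMPLE_OK = {"WEBSITE_CONTENTOVERVNET": "1", "WEBSITE_DNS_SERVER": AZURE_DNS}

if __name__ == "__main__":
    for line in audit_app_settings(SAMPLE_OK, vnet_route_all_enabled=True) or ["no findings"]:
        print(line)
```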

 

Deploy Logic App Standard resource having secured access to the Storage account using automated deployment tools:

You can avoid exposing the storage account to the public internet, as the portal creation experience requires, by using ARM template deployment. With ARM deployment, you do not need to open the storage account to all networks; it can be deployed directly with Service Endpoints or Private Endpoints.

If you would like to deploy a Standard Logic App to a secured storage account from automated tools such as Azure DevOps using ARM templates, you can refer to the sample templates available in the GitHub repository below.

VeeraMS/LogicApp-deployment-with-Secure-Storage: Deploying Logic App standard resource with Storage account having Private endpoints (github.com)

 

The GIFs below (animated screenshots in the original post, not reproduced here) give a glimpse of how to configure the Logic App to access the storage account using Service or Private Endpoints.

[GIF] Access over Storage Service Endpoint

[GIF] Access over Storage Private Endpoints

Note: The vnetRouteAllEnabled setting replaces, overrides and takes precedence over the legacy WEBSITE_VNET_ROUTE_ALL app setting.

 

Common Errors when the Storage account is behind a Firewall:

We generally observe the below common errors when the deployment storage account is behind a firewall; they indicate that the Logic App is unable to access the storage account services.

  • Access to host.json is denied:

System.Private.CoreLib: Access to the path 'C:\\home\\site\\wwwroot\\host.json' is denied.

  • Unable to load workflows in the Logic App:

You may observe that workflows are not visible in the Logic App after storage access is changed to selected networks or Private Endpoints. You can check the browser logs, and they may show the below error.

{"Code":"BadRequest","Message":"Encountered an error (ServiceUnavailable) from host runtime.","Target":null,"Details":[{"Message":"Encountered an error (ServiceUnavailable) from host runtime."},{"Code":"BadRequest"},{"ErrorEntity":{"Code":"BadRequest","Message":"Encountered an error (ServiceUnavailable) from host runtime."}}],"Innererror":null}

 

Troubleshooting common errors:

We can't troubleshoot the above common errors from the Kudu console, as the Logic App site itself isn't up or working. You can use the steps below to troubleshoot access to the storage account services.

  • Create an Azure VM within the same VNET the Logic App is integrated with; it can be in a different subnet.
  • The simplest test is to access the storage account services using the Storage Explorer tool. If there are connectivity issues with this tool, continue with the steps below.
  • Run nslookup in the command prompt and make sure that the storage services resolve to the intended IP addresses. If the account is on a Service Endpoint, the names should resolve to public IPs; if it has Private Endpoints, verify that all services resolve to the respective NIC private IP addresses.

    nslookup [StorageaccountHostName] [OptionalDNSServer]

    Verify for all storage services:

    nslookup {StorageaccountName}.blob.core.windows.net
    nslookup {StorageaccountName}.file.core.windows.net
    nslookup {StorageaccountName}.queue.core.windows.net
    nslookup {StorageaccountName}.table.core.windows.net

  • If the DNS queries resolve, check psping or tcpping to the storage account over port 443.

    psping [StorageaccountHostName] [Port] [OptionalDNSServer]

    Verify for all storage services:

    psping {StorageaccountName}.blob.core.windows.net:443
    psping {StorageaccountName}.file.core.windows.net:443
    psping {StorageaccountName}.queue.core.windows.net:443
    psping {StorageaccountName}.table.core.windows.net:443

  • If it resolves from the Azure VM, check which DNS server the VM uses for resolution, set the same in the Logic App WEBSITE_DNS_SERVER setting and verify. Also, make sure that VNET integration is done with the appropriate VNET and subnet in the Logic App.
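An added example (not from the post) that scripts the nslookup and psping checks above for all four storage services at once: run it from the test VM inside the integrated VNET, passing 'private' when the account uses Private Endpoints (every name must resolve to an RFC1918 NIC address) and 'service' for a Service Endpoint (the public IP is expected). The account name and the injectable resolver are assumptions for illustration.

```python
import ipaddress
import socket
from typing import Callable, Dict, List

SERVICES = ("blob", "file", "queue", "table")  # all four services the runtime uses


def storage_hosts(account: str) -> List[str]:
    """Hostnames the post's nslookup/psping steps check, one per service."""
    return [f"{account}.{svc}.core.windows.net" for svc in SERVICES]


def check_resolution(account: str, mode: str,
                     resolve: Callable[[str], str] = socket.gethostbyname) -> Dict[str, str]:
    """Map each hostname to 'OK: <ip>' or 'FAIL: <reason>'. mode is 'private'
    (Private Endpoints: every service must resolve to an RFC1918 NIC address) or
    'service' (Service Endpoint: the public IP is expected). resolve is
    injectable so the check can be exercised offline."""
    if mode not in ("service", "private"):
        raise ValueError("mode must be 'service' or 'private'")
    want_private = mode == "private"
    verdicts: Dict[str, str] = {}
    for host in storage_hosts(account):
        try:
            ip = ipaddress.ip_address(resolve(host))
        except (OSError, ValueError) as exc:  # socket.gaierror is an OSError
            verdicts[host] = f"FAIL: no resolution ({exc})"
            continue
        if ip.is_private == want_private:
            verdicts[host] = f"OK: {ip}"
        else:
            kind = "private" if ip.is_private else "public"
            verdicts[host] = f"FAIL: resolved to {kind} IP {ip}, expected a {mode} endpoint address"
    return verdicts


def check_tcp443(account: str, timeout: float = 3.0) -> Dict[str, bool]:
    """psping/tcpping equivalent: can this host open TCP/443 to each service?"""
    reachable: Dict[str, bool] = {}
    for host in storage_hosts(account):
        try:
            with socket.create_connection((host, 443), timeout=timeout):
                reachable[host] = True
        except OSError:
            reachable[host] = False
    return reachable
```

On the VM, call check_resolution("<account>", "private") and check_tcp443("<account>") and act on any FAIL or False entry; a name that resolves publicly under Private Endpoints usually means the VM (and so the Logic App) is not using the private DNS zone, which is what the WEBSITE_DNS_SERVER step above corrects.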

 

References: You may refer to the blogs below for a deep dive into the Standard Logic App runtime and deployment using DevOps.

Azure Logic Apps Running Anywhere – Runtime Deep Dive (microsoft.com)

Deploying an Azure Logic Apps Standard workflow through Azure DevOps Pipeline - Microsoft Tech Community

 

Updated Dec 15, 2021
Version 3.0
  • David Sampson
    Copper Contributor

    Hey Ruben,

     

    This is the exact problem I was stuck on for a week. It is possible to create it all privately in one go with the storage account locked down, you need to create a file share on the Storage account using Terraform with the name "LogicAppname-content". You also need the CONTENTOVERVNET app setting set to 1.

     

    Good luck

  • David Sampson
    Copper Contributor

    It would be helpful to mention the requisite file share creation as a pre-req for Private network setup in this article. We were attempting this with Terraform and hadn't dug into the linked ARM template example to find we needed to create the file share when deploying privately. If you first deploy a public LA and then transition it to VNet integrated, the file share gets created for you during the initial LA deployment; if you deploy straight away with VNet integration it doesn't, and your LA will be broken until you create the file share.

  • RubenAster
    Copper Contributor

    Any idea how I can use a firewall protected Storage Account using Terraform?

     

    The problem is that the Logic App needs public access to the Storage Account when being created but the Storage Account is already protected then since Terraform deploys it with firewall protection.

     

    I tried to define a Storage Account and SA Network Rules as another module which is depending on the LA, but still, no luck.

  • David Sampson
    Copper Contributor

    Hi Ruben,

     

    This must be related to how your Terraform deployment is able to access the storage account. So depending on where you are running Terraform from, the TF client needs to be able to resolve and connect to the storage account via its new Private Endpoint in order to create the file share. So when we run from DevOps it's not a problem, as we are running on a self-hosted agent in the environment. When we run TF locally we have to connect an Azure client VPN to be able to get onto the VNet and access the storage account's Private Endpoint.

     

    Essentially just ensure your TF client can communicate with the SA via its private endpoint and you should be good.

     

    Ignore the previous version of this comment if you saw it, I got my wires crossed!

     
    I hope that helps.
     
    David
  • RubenAster
    Copper Contributor

    Hey David,

     

    thanks for your feedback, it's very much appreciated!!

     

    Maybe you could help me with a problem that I have with your stated setup, if you have a minute to answer.

     

    I've also added the File Share to Terraform but for some reason the service principal (with Contributor role) can't read/create a File Share as long as Network Restriction is still enabled on the Storage Account. The Logic App outbound subnet is whitelisted and for testing also the subnet of the DevOps build agent, but I always get a 403:

     

    Error: checking for existence of existing Storage Share "logic-XXXXXXXX-q01-content"
    (Account "stXXXXXXXXq01" / Resource Group "RG-XXXXXXXX-Q01"): shares.Client#GetProperties: Failure responding to request: StatusCode=403 --
    Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailure" Message="This request is not authorized to perform this operation....."

     

    If I disable Network Restriction on the Storage Account, the File Share can be deployed (or in case of an already existing Share be read) successfully.

     

    Did you also encounter this issue and solve it?

     

    Thanks very much in advance!

  • RubenAster
    Copper Contributor

    Hey David,

     

    thanks a lot!

     

    Yeah that's exactly what we use and if you didn't have any problems with that setup, I'm pretty sure the issue is on our side somewhere.

     

     

    Thanks for all the help,

     

    Ruben

  • Mikael_Tallberg
    Copper Contributor

    Has anyone got this working with a NSG in the private endpoint subnet? I can verify connectivity from a VM with a NSG deployed, but connection between Logic App and Storage Account fails.