In this article, let's explore how to automate the process of accessing blobs using Logic Apps.
The purpose of this blog is to demonstrate the challenges we currently face when accessing secured blobs and how to overcome them.
Azure Blob Storage offers three types of blobs: block blobs, append blobs, and page blobs.
The kinds of blobs are listed here.
In today's topic, I will give you an overall picture of the possible ways of accessing blobs from Azure Logic Apps.
There are several ways to access blobs; a few of them are:
- Using Azure Functions.
- Using REST APIs.
- .NET code or another programming language.
- Logic Apps.
Let's begin with the possible ways we can connect to Azure Storage blobs using Logic Apps under various security constraints.
The table below should give a clear picture of how to access Azure blobs from Logic Apps under each constraint.
| Source - Logic Apps | Connector Type | Is Blob behind Firewall? | Destination - Storage Blob | Region | Comments |
|---|---|---|---|---|---|
| ISE | ISE-Blob Connector | Yes | Blob | Same | Possible with Private Endpoint. Possible with whitelisting the ISE VNet. |
| ISE | ISE-Blob Connector | Yes | Blob | Cross | Not possible with a private IP, since VNet whitelisting does not work across regions. But we can connect to the blob using the public endpoint if we force traffic through the public IP of the ISE. The storage account must also resolve to a public IP, and the public IP of the ISE has to be whitelisted on the storage account. |
| ISE | Built-in HTTP | Yes | Blob | Same | Possible with Private Endpoint. Possible with Managed Identity. Possible with whitelisting the ISE VNet. |
| ISE | Built-in HTTP | Yes | Blob | Cross | Possible with Managed Identity. We can also connect to the blob using the public endpoint if we force traffic through the public IP of the ISE. The storage account must also resolve to a public IP, and the public IP of the ISE has to be whitelisted on the storage account. |
| ISE | Azure Blob Connector | Yes | Blob | Same | Possible with Managed Identity. |
| ISE | Azure Blob Connector | Yes | Blob | Cross | Yes, with whitelisting the ISE Virtual Network. Yes, with Managed Identity. |
| Logic App Standard | Built-in Blob Connector | Yes | Blob | Same | Possible with Private Endpoint, whitelisting the VNet, and Logic App VNet Integration. |
| Logic App Standard | Built-in Blob Connector | Yes | Blob | Cross | Not possible with a private IP, since VNet whitelisting does not work across regions. But we can connect to the blob using the public endpoint if we force traffic through the public IP of the Standard Logic App. The storage account must also resolve to a public IP, and the public IP of the Standard Logic App has to be whitelisted on the storage account. |
| Logic App Standard | Built-in HTTP | Yes | Blob | Same | Possible with Private Endpoint, whitelisting the VNet, and Logic App VNet Integration. |
| Logic App Standard | Built-in HTTP | Yes | Blob | Cross | Not possible with a private IP, since VNet whitelisting does not work across regions. But we can connect to the blob using the public endpoint if we force traffic through the public IP of the Standard Logic App. The storage account must also resolve to a public IP, and the public IP of the Standard Logic App has to be whitelisted on the storage account. |
| Logic App Standard | Azure Blob Connector | Yes | Blob | Same | Not possible. We will not be able to connect even with IP whitelisting. Currently not possible even with Managed Identity on Logic App Standard. |
| Logic App Standard | Azure Blob Connector | Yes | Blob | Cross | |
| Logic App Standard | Any | No | Blob | Same/different | Should not have any problem if there is no firewall. |
| Logic App Consumption | Any | No | Blob | Same/different | Should not have any problem if there is no firewall. |
| Logic App Consumption | Azure Blob Connector | Yes | Blob | Cross | |
| Logic App Consumption | Azure Blob Connector | Yes | Blob | Same | Possible with Managed Identity. |
| Logic App Consumption | HTTP Connector | Yes | Blob | Cross | Can be accessed through Managed Identity with "Blob Contributor rights". If not with Managed Identity, it can also be accessed by whitelisting the runtime IPs of Logic Apps. |
| Logic App Consumption | HTTP Connector | Yes | Blob | Same | Only through Managed Identity with "Blob Contributor rights" for the particular Logic App. |

You can find more information on accessing Azure blobs using Managed Identity. Refer: Link2
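The HTTP-connector rows that rely on Managed Identity come down to an HTTP action like the one below. This is an added example, not part of the original article. The action name and the `<storage-account>`, `<container>` and `<blob-name>` placeholders are assumptions, and it presumes the Logic App's managed identity is enabled and already holds a blob data role on the storage account (the article's "Blob Contributor rights"; the built-in Azure RBAC role is named Storage Blob Data Contributor).

```json
{
  "Get_blob_with_managed_identity": {
    "type": "Http",
    "inputs": {
      "method": "GET",
      "uri": "https://<storage-account>.blob.core.windows.net/<container>/<blob-name>",
      "headers": {
        "x-ms-version": "2019-12-12"
      },
      "authentication": {
        "type": "ManagedServiceIdentity",
        "audience": "https://storage.azure.com/"
      }
    },
    "runAfter": {}
  }
}
```

The `x-ms-version` header is required because Blob Storage only accepts Azure AD bearer tokens on service versions 2017-11-09 and later. No account key or SAS token appears in the workflow definition, so access is governed by the role assignment alone.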
Disclaimer: This article is valid as of the time of writing.