Access Storage Accounts behind Firewalls from Logic Apps within the same region
Published Feb 19 2021 12:36 AM 24.5K Views
Microsoft

Logic Apps cannot reach a storage account behind a firewall in the same region through the Azure Blob Storage connector, because firewall rules cannot be added to allow the connector's outgoing IP addresses. See the following link for details: https://docs.microsoft.com/en-us/azure/connectors/connectors-create-api-azureblobstorage#access-stor...

In this configuration, the Azure Blob Storage connector returns a 403 error.

As a workaround, use the HTTP action to call the storage account REST APIs with a managed identity. Follow the steps below:

  1. Enable your logic app's managed identity:
    1. Go to your logic app.
    2. Go to Settings -> Identity.
    3. Select System assigned.
    4. Select Status -> On.
    5. Click Save.
  2. In your storage account, add role assignment for your logic app:
    1. Go to your storage account.
    2. Click on Access Control (IAM).
    3. Click on Role assignments tab.
    4. Click Add and select Add role assignment:
      1. From the Role dropdown list, select Storage Blob Data Contributor.
      2. From Assign access to dropdown list, select Logic App.
      3. Under the Select field, type the name of your logic app to search for it and select it once it's found. It will appear under the selected members list.
      4. Click Save.
  3. In your storage account, make sure that the exception to allow trusted Microsoft services to access this storage account is selected:
    1. Go to your storage account.
    2. Go to Settings -> Networking.
    3. Select Firewalls and virtual networks.
    4. Scroll down to Exceptions.
    5. Select Allow trusted Microsoft services to access this storage account.
    6. Click Save.
  4. Connect your logic app to storage account using HTTP action to call storage account REST API:
    1. Go to your logic app.
    2. Click on View in logic apps designer.
    3. Add an action.
    4. Search for and select HTTP action:
      1. From method dropdown list, select a method (GET, PUT, etc.).
      2. Enter the URI for the file under your storage account (https://<your-account-name>.blob.core.windows.net/<container-name>/<file-name>).
      3. Under headers, add the following key value pairs:
        1. Key: x-ms-blob-type, Value: BlockBlob.
        2. Key: x-ms-version, Value: 2019-07-07.
      4. In the body field, enter or select the variable or data token that holds your file content when using the PUT method.
      5. From Add new parameter, select Authentication:
        1. From Authentication type dropdown list, select Managed Identity.
        2. From Managed Identity dropdown list, select System Assigned Managed Identity.
        3. For audience, enter https://storage.azure.com
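
The HTTP action from step 4 as it would appear in the logic app's code view, configured for a PUT upload. This is an added example, not taken from the original post; the action name, the `fileContent` variable and the angle-bracket placeholders are assumptions to replace with your own values.

```json
{
  "Upload_blob_via_REST": {
    "type": "Http",
    "description": "Added example: account, container, blob and variable names are placeholders.",
    "inputs": {
      "method": "PUT",
      "uri": "https://<your-account-name>.blob.core.windows.net/<container-name>/<file-name>",
      "headers": {
        "x-ms-blob-type": "BlockBlob",
        "x-ms-version": "2019-07-07"
      },
      "body": "@variables('fileContent')",
      "authentication": {
        "type": "ManagedServiceIdentity",
        "audience": "https://storage.azure.com"
      }
    },
    "runAfter": {}
  }
}
```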
Last update: Feb 19 2021 12:35 AM