
I’m having an issue when trying to access Tables on a Storage Account from a Consumption Logic App. The problem is that the Storage Account is connected to a VNET and has firewall rules to filter traffic from specific subnets and IP addresses, and the Logic App cannot be connected to any VNET as it is Consumption.

If I select the option "Enabled from all networks" in the Networking section of the Storage Account settings, the traffic is allowed and the Logic App runs fine, but this is not the desired scenario, nor is it an option to migrate to Logic App Standard.

I tried a couple of solutions as described below:

  • I added all IPs and IP ranges found in the Properties of the Logic App, including Runtime outgoing IP addresses, Access endpoint IP addresses and Connector outgoing IP addresses, but no luck.
  • I also added the Logic App (and also tried the option for all Logic Apps in the subscription) to the Resource instances that are supposed to be exceptions for access to the Storage Account, adding the corresponding role assignments to the Logic App Managed Identity, but no luck. I tried several role assignments including Contributor, Owner, Storage Account Contributor and Storage Table Data Contributor; it still does not work.

Any advice will be much appreciated.

Thanks in advance!

2 Answers


  1. Chosen as BEST ANSWER

    For those having a similar issue, there are two things I missed:

    • One is to use a connection authenticated using the Managed Identity that must exist in the Logic App and have the appropriate role assignment
    • Another thing less obvious is that V2 components must be used to access table storage in the Logic App implementation

    For what it's worth, if you already have a KeyVault connected to the VNET that is accessed by the Logic Apps the solution for this would be to add the list of Outgoing IP addresses to the firewall rules in the KeyVault's Networking menu as indicated here


  2. If the storage uses Enabled from selected virtual networks and IP addresses
    [Screenshot: azure storage account networking]

    You can add firewall exception for your logic app when connecting to table storage using a system-assigned identity:
    [Screenshot: azure storage account - firewall exception - logic app - managed identity]

    So first, you need to create a managed identity for your logic app:
    [Screenshot: azure logic app - system-assigned identity]

    Then create a role assignment (RBAC) to allow the logic app to connect to the storage account:
    [Screenshot: azure storage - rbac - table roles]

    Then from your logic app, you can use the table storage connector:
    [Screenshot: azure logic app - table storage connector - managed identity]

    And obviously, test that it is working fine 🙂
    [Screenshot: azure logic app - run details]
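
An added example, not part of either answer above: a Python check of the setup both answers describe, run over the storage account JSON (ARM `networkAcls` shape) and role-assignment records (field names as in `az role assignment list` output). All IDs and names in the sample data are constructed placeholders, and the check cannot verify the V2 connector requirement.

```python
import fnmatch

# Built-in roles that grant table data-plane access; Owner and Contributor
# are management-plane roles and are deliberately not accepted here.
TABLE_DATA_ROLES = {"Storage Table Data Reader", "Storage Table Data Contributor"}

def covers(scope, resource_id):
    """True when an RBAC scope is the resource itself or one of its ancestors."""
    return (resource_id.lower() + "/").startswith(scope.lower().rstrip("/") + "/")

def audit(account, workflow_id, tenant_id, principal_id, assignments):
    """Return findings; an empty list means the setup matches the answers."""
    findings = []
    acls = account["properties"]["networkAcls"]
    if acls.get("defaultAction") != "Deny":
        findings.append("firewall open: defaultAction is not Deny")
    # Resource instance rules may hold '*' segments (all Logic Apps in a subscription).
    if not any(r.get("tenantId") == tenant_id and
               fnmatch.fnmatchcase(workflow_id.lower(), r.get("resourceId", "").lower())
               for r in acls.get("resourceAccessRules", [])):
        findings.append("no resource instance rule covers the Logic App")
    if not any(a["principalId"] == principal_id
               and a["roleDefinitionName"] in TABLE_DATA_ROLES
               and covers(a["scope"], account["id"])
               for a in assignments):
        findings.append("managed identity has no table data role on the account")
    return findings

# Constructed sample data (placeholder IDs, not taken from the original post).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
ACCOUNT = {
    "id": SUB + "/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/stexample",
    "properties": {"networkAcls": {
        "defaultAction": "Deny",
        "resourceAccessRules": [{
            "tenantId": "tenant-placeholder",
            "resourceId": SUB + "/resourcegroups/*/providers/Microsoft.Logic/workflows/*"}]}},
}
WORKFLOW = SUB + "/resourceGroups/rg-apps/providers/Microsoft.Logic/workflows/la-example"
GOOD = [{"principalId": "mi-placeholder", "scope": ACCOUNT["id"],
         "roleDefinitionName": "Storage Table Data Contributor"}]
ONLY_OWNER = [{"principalId": "mi-placeholder", "scope": SUB,
               "roleDefinitionName": "Owner"}]

if __name__ == "__main__":
    print(audit(ACCOUNT, WORKFLOW, "tenant-placeholder", "mi-placeholder", GOOD))
    print(audit(ACCOUNT, WORKFLOW, "tenant-placeholder", "mi-placeholder", ONLY_OWNER))
```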
