Azure App Service custom backup to storage account

Agi Pasieka 26 Reputation points
2022-05-21T10:34:38.647+00:00

Hello

I have set up a custom backup of an Azure web app to a storage account, and it will only work when public access is enabled for all networks. What I would like to achieve is to apply a restriction to the storage account and limit public access to only allow the vnet that I have integrated my web app with. So far I get a 403 error, as the storage account refuses access to the web app when I run the custom backup. I have tried the following:

  • added subnet from vnet that my web app is integrated with, enabled the service endpoint for Microsoft.Storage
  • enabled system-assigned managed identity for the web app, granted this identity a Storage Blob Data Contributor permission to the storage account that will store the backups

Anyone have any idea what else I have to enable to achieve this?

Thanks in advance

Agi


3 answers

  1. Cristian SPIRIDON 4,471 Reputation points
    2022-05-22T20:28:03.643+00:00

    Hi,

    If you want to block public access to the storage account, you need to create a private endpoint for it - your first option. Did you follow all the needed steps for this (including private DNS)?

    https://learn.microsoft.com/en-us/azure/storage/common/storage-private-endpoints

    Hope this helps!

    1 person found this answer helpful.

  2. SnehaAgrawal-MSFT 18,286 Reputation points
    2022-05-25T08:52:27.173+00:00

    Thanks for reaching out here! Could you please confirm if your storage account is firewall enabled? As it's mentioned in the document here:

    "Using a firewall enabled storage account as the destination for your backups is not supported. If a backup is configured, you will encounter backup failures."
    "Using a private endpoint enabled storage account for backup and restore is not supported."

    Please let us know to help you better on this.

    1 person found this answer helpful.

  3. Agi Pasieka 26 Reputation points
    2022-05-27T15:47:15.45+00:00

    Hi,

    Thank you for your reply. I was trying to avoid using a private link as I did not want to generate additional cost. I will leave the storage account with public access enabled at the moment.

    Many thanks
    Agi
