question

emondek avatar image
emondek asked ·

Why is my Web App presenting a private IP address to my Storage Account firewall?

I have a Web App hosted on Azure App Service that is using the Azure Storage Blob Client Library for .NET to interact with a Storage Account. The Storage Account has the firewall configured to only allow connections from the Web App's outbound IP addresses. The calls from the Web App to the Storage Account are being blocked by the firewall. I turned on Storage Analytics Logs and I'm seeing IpAuthorizationErrors for the calls to the Storage Account. What's weird is that the requester-ip-address in the log entries is 10.67.8.114. Why would it be a private IP address and not one of the Web App outbound IP addresses? I am not using private endpoints.

azure-webapps
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

1 Answer

xequence avatar image
xequence answered ·

I would check out https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/14
--> click storage accounts, to check if there are some recommendations.

Possibly setup 'allow access from' selected network and reconfigure https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security#grant-access-from-an-internet-ip-range

From my understanding, the IP address is for an administrator to look at container, located in your container settings under 'firewalls and virtual networks', which appears as a check box to 'add your client ip address' with some exceptions
- Allow trusted Microsoft services to access this storage account
- Allow read access to storage logging from any network
- Allow read access to storage metrics from any network

Hope this helps.

Share
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.