I have created an Azure logic app that reads/writes data to an Azure storage account. I want to place networking restrictions on that storage account, so that only the logic app and my laptop's outbound IP can reach the storage account.
So, I turned on the storage account's firewall and added my laptop's IP address to the allowed address range list. Then I enabled the managed identity for the logic app. Next, back on the networking tab of the storage account, I added an entry under "Resource instances". There I selected the type "Microsoft.Logic/workflows" and the instance name of my logic app. I also granted the logic app's managed identity the "Storage Blob Data Contributor" role on the storage account.
After doing those steps, my logic app is unable to read/write data in the storage account. But I can access data in the storage account, as my IP is whitelisted.
It seems that if you have both IPs whitelisted and a resource instance granted access to a storage account, only the IP whitelist matters?
Has anyone else tried this scenario?
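As an added example (not part of the original post), here is the same set of steps as an Az PowerShell script, followed by a read-back of the storage account's effective network rule set so the IP rule and the resource instance rule can be checked side by side. The resource group, storage account name, Logic App name and client IP are placeholders I chose for this example; it assumes you are already signed in with `Connect-AzAccount` and that the Logic App's system-assigned managed identity has already been enabled (as in the post), since that step is not repeated here.

```powershell
# Added example (not from the original post): Az PowerShell equivalent of the
# portal steps described in the question, plus a read-back of the effective
# network rule set. All names below are placeholders for this example.
$rg           = "rg-example"          # assumed resource group
$storageName  = "stexample001"        # assumed storage account name
$logicAppName = "la-example"          # assumed Logic App (Consumption) name
$laptopIp     = "203.0.113.10"        # assumed client IP (TEST-NET-3 documentation range)

# Resolve the Logic App resource ID and the tenant the resource instance rule applies to.
$logicApp = Get-AzResource -ResourceGroupName $rg -ResourceType "Microsoft.Logic/workflows" -Name $logicAppName
$storage  = Get-AzStorageAccount -ResourceGroupName $rg -Name $storageName
$tenantId = (Get-AzContext).Tenant.Id

# 1. Turn the firewall on: deny by default, keep the trusted Azure services bypass.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $storageName `
    -DefaultAction Deny -Bypass AzureServices | Out-Null

# 2. Allow the laptop's public IP.
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $storageName `
    -IPAddressOrRange $laptopIp | Out-Null

# 3. Resource instance rule: allow this specific Logic App workflow
#    (type Microsoft.Logic/workflows, identified by its full resource ID).
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $storageName `
    -TenantId $tenantId -ResourceId $logicApp.ResourceId | Out-Null

# 4. Data-plane authorization for the managed identity. Network rules only decide
#    who can reach the endpoint; RBAC still decides what the caller may do.
$principalId = $logicApp.Identity.PrincipalId
if (-not $principalId) {
    throw "Logic App '$logicAppName' has no system-assigned identity enabled."
}
New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName "Storage Blob Data Contributor" `
    -Scope $storage.Id | Out-Null

# 5. Read back the effective rule set: the IP rule and the resource access rule
#    should both be listed, and DefaultAction should read Deny.
$rules = (Get-AzStorageAccount -ResourceGroupName $rg -Name $storageName).NetworkRuleSet
"DefaultAction : $($rules.DefaultAction)"
"Bypass        : $($rules.Bypass)"
"IP rules      : $(($rules.IpRules | ForEach-Object { $_.IPAddressOrRange }) -join ', ')"
"Resource rules: $(($rules.ResourceAccessRules | ForEach-Object { $_.ResourceId }) -join ', ')"
```

The script needs the Az.Accounts, Az.Resources and Az.Storage modules. The final read-back is the part worth keeping around: it shows exactly which rules the storage account believes are in force, which is what you want in hand before comparing against what the Logic App run history reports.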