Azure逻辑应用(按消耗计费)访问位于虚拟网络后面的存储帐户

huangapple go评论61阅读模式
英文:

Azure Logic App (consumption) access to Storage Account behind VNET

问题

I'm having an issue when trying to access Tables on a Storage Account from a Consumption Logic App. The problem is that the Storage Account is connected to a VNET, it has Firewall Rules to filter traffic from specific Subnets and IP Addresses, the Logic App cannot be connected to any VNET as it is Consumption.

If I select the option "Enabled from all networks" in the Networking section of the Storage Account settings, the traffic is allowed, and the Logic App runs fine, but this is not the desired scenario nor is it an option to migrate to Logic App Standard.

I tried a couple of solutions as described below:

  • I added all IPs and IP ranges found in the Properties of the Logic App, including: Runtime outgoing IP addresses, Access endpoint IP addresses, and Connector outgoing IP addresses, but no luck.
  • I also added the Logic App (and also tried the option all Logic Apps on the subscription) to the Resources Instances that are supposed to be exceptions to access the Storage Account, adding the corresponding role assignments to the Logic App Managed Identity, but no luck. I tried several role assignments, including Contributor, Owner, Storage Account Contributor, and Storage Table Data Contributor; it still does not work.

Any advice will be much appreciated.

Thanks in advance!

英文:

I'm having an issue when trying to access Tables on an Storage Account from a Consumption Logic App. The problem is that the Storage Account is connected to a VNET, it has Firewall Rules to filter traffic from specific Subnets and IP Addresses, the Logic App cannot be connected to any VNET as it is Consumption.

If I select the option "Enabled from all networks" in the Networking section of the Storage Account settings the traffic is allowed and the Logic App runs fine, but this is not desired scenario nor is an option to migrate to Logic App Standard.

I tried a couple of solutions as described below:

  • I added all IPs and IPs ranges found in the Properties of the Logic App including: Runtime outgoing IP addresses, Access endpoint IP addresses and Connector outgoing IP addresses but no Luck.
  • I also added the Logic App (and also tried the option all Logic Apps on the subscription) to the Resources Instances that are supposed to be exceptions to access the Storage Account adding the corresponding role assignments to the Logic App Managed Identity but no luck, I tried several role assignment including Contributor, Owner, Storage Account Contributor and Storage Table Data Contributor, it still does not work.

Any advise will be much appreciated

Thanks in advance!

答案1

得分: 0

如果存储使用“从选定的虚拟网络和 IP 地址启用”
您可以在连接到表存储时为逻辑应用添加防火墙例外,使用系统分配的身份:
所以首先,您需要为逻辑应用创建一个托管的身份:
然后创建一个角色分配(RBAC)以允许逻辑应用连接到存储帐户:
然后从您的逻辑应用中,您可以使用表存储连接器:
并显然,测试它是否正常工作 Azure逻辑应用(按消耗计费)访问位于虚拟网络后面的存储帐户

英文:

If the storage uses Enabled from selected virtual networks and IP addresses
Azure逻辑应用(按消耗计费)访问位于虚拟网络后面的存储帐户

You can add firewall exception for your logic app when connecting to table storage using a system-assigned identity:
Azure逻辑应用(按消耗计费)访问位于虚拟网络后面的存储帐户

So first, you need to create a managed identity for your logic app:
Azure逻辑应用(按消耗计费)访问位于虚拟网络后面的存储帐户

Then create a role assignment (RBAC) to allow the logic app to connect to the storage account:
Azure逻辑应用(按消耗计费)访问位于虚拟网络后面的存储帐户

Then from your logic app, you can use the table storage connector:
Azure逻辑应用(按消耗计费)访问位于虚拟网络后面的存储帐户

And obviously, test that it is working fine Azure逻辑应用(按消耗计费)访问位于虚拟网络后面的存储帐户
Azure逻辑应用(按消耗计费)访问位于虚拟网络后面的存储帐户

答案2

得分: 0

对于遇到类似问题的人,有两件事我忽略了:

  • 一个是要使用由逻辑应用中存在并具有适当角色分配的托管标识进行身份验证的连接
  • 另一件不太明显的事情是,在逻辑应用实现中必须使用V2组件来访问表存储

值得一提的是,如果您已经将KeyVault连接到了逻辑应用所访问的VNET,解决此问题的方法是将出站IP地址列表添加到KeyVault的网络菜单中的防火墙规则中,如此处所示。

英文:

For those having a similar issue, there are two things I missed:

  • One is to use a connection authenticated using the Managed Identity that must exist in the Logic App and have the appropriate role assignment
  • Another thing less obvious is that V2 components must be used to access table storage in the Logic App implementation

For what it's worth, if you already have a KeyVault connected to the VNET that is accessed by the Logic Apps the solution for this would be to add the list of Outgoing IP addresses to the firewall rules in the KeyVault's Networking menu as indicated here

huangapple
  • 本文由 发表于 2023年6月30日 04:26:21
  • 转载请务必保留本文链接:https://go.coder-hub.com/76584407.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定