Azure Logic App (consumption) access to Storage Account behind VNET
Question
I'm having an issue when trying to access Tables on a Storage Account from a Consumption Logic App. The problem is that the Storage Account is connected to a VNET and has Firewall Rules to filter traffic from specific Subnets and IP Addresses, and the Logic App cannot be connected to any VNET because it is Consumption.
If I select the option "Enabled from all networks" in the Networking section of the Storage Account settings, the traffic is allowed, and the Logic App runs fine, but this is not the desired scenario nor is it an option to migrate to Logic App Standard.
I tried a couple of solutions as described below:
- I added all IPs and IP ranges found in the Properties of the Logic App, including: Runtime outgoing IP addresses, Access endpoint IP addresses, and Connector outgoing IP addresses, but no luck.
- I also added the Logic App (and also tried the option all Logic Apps on the subscription) to the Resources Instances that are supposed to be exceptions to access the Storage Account, adding the corresponding role assignments to the Logic App Managed Identity, but no luck. I tried several role assignments, including Contributor, Owner, Storage Account Contributor, and Storage Table Data Contributor; it still does not work.
Any advice will be much appreciated.
Thanks in advance!
Answer 1
Score: 0
If the storage uses "Enabled from selected virtual networks and IP addresses", you can add a firewall exception for your Logic App when connecting to Table Storage using a system-assigned identity:
So first, you need to create a managed identity for your Logic App:
Then create a role assignment (RBAC) to allow the Logic App to connect to the storage account:
Then, from your Logic App, you can use the Table Storage connector:
And obviously, test that it works.
Answer 2
Score: 0
For those having a similar issue, there are two things I missed:
- One is to use a connection authenticated with the Managed Identity, which must exist in the Logic App and have the appropriate role assignment.
- Another, less obvious thing is that the V2 components must be used to access Table Storage in the Logic App implementation.
For what it's worth, if you already have a Key Vault connected to the VNET that is accessed by the Logic Apps, the solution for that is to add the list of Outgoing IP addresses to the firewall rules in the Key Vault's Networking menu, as indicated here.
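Both answers boil down to the same checklist: a resource-instance exception on the storage firewall for the workflow, and a data-plane role on the workflow's managed identity. The following offline audit, added here as an example (it is not code from the question, either answer, or any Microsoft tool), checks exported configuration against that checklist. It assumes the field names of the `networkRuleSet` JSON that `az storage account show` returns and of the role-assignment list that `az role assignment list` returns; all subscription, resource and principal IDs below are constructed placeholders.

```python
"""Offline audit of the access path a Consumption Logic App needs to reach
Table Storage behind a storage-account firewall (example code, not part of
the original post).  Inputs mirror the JSON shapes returned by
`az storage account show --query networkRuleSet` and `az role assignment list`
(assumed field names); every ID below is a constructed placeholder."""

import fnmatch

# Built-in roles that carry table data-plane permissions (DataActions).
# Contributor, Owner and Storage Account Contributor are control-plane only,
# which is why they did not unblock the connector in the question.
TABLE_DATA_ROLES = {"Storage Table Data Contributor", "Storage Table Data Reader"}

# Constructed sample identifiers (placeholders, not real resources).
SUB = "00000000-0000-0000-0000-000000000000"
STORAGE_ID = f"/subscriptions/{SUB}/resourceGroups/rg-demo/providers/Microsoft.Storage/storageAccounts/stdemo"
WORKFLOW_ID = f"/subscriptions/{SUB}/resourceGroups/rg-demo/providers/Microsoft.Logic/workflows/la-demo"
PRINCIPAL_ID = "11111111-1111-1111-1111-111111111111"  # system-assigned identity objectId
TENANT_ID = "22222222-2222-2222-2222-222222222222"

# Constructed networkRuleSet: firewall on, with the "all Logic Apps in the
# subscription" resource-instance rule expressed as a wildcard resource ID.
NETWORK_RULES = {
    "defaultAction": "Deny",
    "bypass": "AzureServices",
    "ipRules": [{"ipAddressOrRange": "203.0.113.10", "action": "Allow"}],
    "virtualNetworkRules": [],
    "resourceAccessRules": [
        {"tenantId": TENANT_ID,
         "resourceId": f"/subscriptions/{SUB}/resourceGroups/*/providers/Microsoft.Logic/workflows/*"},
    ],
}

# Constructed role assignments: the working case and the control-plane-only case.
ROLE_ASSIGNMENTS_OK = [
    {"principalId": PRINCIPAL_ID, "roleDefinitionName": "Storage Table Data Contributor", "scope": STORAGE_ID},
]
ROLE_ASSIGNMENTS_CONTROL_PLANE_ONLY = [
    {"principalId": PRINCIPAL_ID, "roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SUB}/resourceGroups/rg-demo"},
]


def _norm(resource_id):
    # Azure resource IDs compare case-insensitively.
    return resource_id.lower()


def rule_matches(rule_resource_id, workflow_id):
    """Resource-instance rules may contain '*' wildcards (e.g. all workflows in a subscription)."""
    return fnmatch.fnmatchcase(_norm(workflow_id), _norm(rule_resource_id))


def scope_covers(scope, storage_id):
    """A role assigned at the subscription or resource-group level also covers the account."""
    s, target = _norm(scope).rstrip("/"), _norm(storage_id)
    return target == s or target.startswith(s + "/")


def audit(network_rule_set, role_assignments, workflow_id, principal_id, storage_id):
    """Return a list of findings; an empty list means the access path is configured."""
    findings = []
    if network_rule_set.get("defaultAction", "Allow") != "Deny":
        findings.append("storage firewall default action is Allow: all networks are admitted, no filtering in effect")
    rules = network_rule_set.get("resourceAccessRules") or []
    if not any(rule_matches(r["resourceId"], workflow_id) for r in rules):
        findings.append("no resource-instance rule admits the workflow; add the Logic App (or all Logic Apps) as an instance exception")
    roles = {a["roleDefinitionName"] for a in role_assignments
             if a["principalId"] == principal_id and scope_covers(a["scope"], storage_id)}
    if not roles & TABLE_DATA_ROLES:
        msg = "managed identity has no table data-plane role"
        control_only = sorted(roles - TABLE_DATA_ROLES)
        if control_only:
            msg += f" (only control-plane roles: {control_only})"
        findings.append(msg)
    return findings


def run_sample():
    """Audit the constructed good and bad configurations side by side."""
    return {
        "configured": audit(NETWORK_RULES, ROLE_ASSIGNMENTS_OK, WORKFLOW_ID, PRINCIPAL_ID, STORAGE_ID),
        "control_plane_only": audit(NETWORK_RULES, ROLE_ASSIGNMENTS_CONTROL_PLANE_ONLY,
                                    WORKFLOW_ID, PRINCIPAL_ID, STORAGE_ID),
    }


if __name__ == "__main__":
    for name, findings in run_sample().items():
        print(name, "->", findings or "OK")
```

Run it against the real JSON by replacing the constructed dictionaries with the CLI output; a clean result still leaves the connector-side requirement from Answer 2 (a V2 Table Storage action using the managed-identity connection) to verify in the workflow itself.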