We are trying to create a Logic App (Standard), but the associated Storage Account creation is blocked due to the above Company Policy (our customer's); rather than trying to get the Policy changed, we tried to create a Storage Account first and then use that in the Logic App, which is certainly possible. But, so far, any Storage Account that we could create (i.e. without Policy violations) was not accessible to the Logic App. Since both the Storage Account and the Logic App are in the same Azure Tenant, the Storage Account needs to be accessible only to the Logic App, i.e. presumably it does not need Public Access. Perhaps we need to use something like a Private Endpoint? Help appreciated.
There are 3 answers
We sought help from Microsoft on this one; brief details:
- It was not possible to create a Storage Account with Public Access, due to a (customer) Policy, which could not be changed.
- An attempt to create a Logic App failed, as it cannot access a Storage Account without Public Access: a Catch-22.
- This is acknowledged by Microsoft; as stated there, it is necessary to use an ARM template.
- However, that was not the only issue; the initial ARM deployment also failed, and a second, custom ARM template was needed.
The upshot is that we now have a working Logic App, but it is a somewhat "fragile" solution, as we could not port it to another, similar Tenant with any confidence, i.e. we would need help again ...
But I would have to commend Microsoft Support; they got us over the line ...
Please follow this guidance to deploy the Logic App with the Storage Account successfully into the environment: https://learn.microsoft.com/en-us/azure/logic-apps/deploy-single-tenant-logic-apps-private-storage-account#deploy-using-an-azure-resource-manager-template
You will have to ensure the following:
- Private endpoints for the storage account are created beforehand.
- Set the following application settings in the Logic App to 1: WEBSITE_CONTENTOVERVNET and WEBSITE_VNET_ROUTE_ALL
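The pattern the answer above describes (storage with public network access disabled, private endpoints created before the Logic App, VNet integration, and the two app settings set to 1), written out as one Bicep template. This is an added example, not code from the original question, the answers, or the linked Microsoft guidance; the resource names, address ranges, SKU and API versions are assumptions chosen for illustration, and the private DNS zones (privatelink.blob.core.windows.net and so on) that the private endpoints need for name resolution are left out for brevity.

```bicep
// Added example, not from the original page. Names, CIDRs, SKU and API
// versions are assumptions; adjust to the target subscription and policy.
param location string = resourceGroup().location
param logicAppName string = 'la-private-demo'   // assumed name
param storageName string = 'stlaprivatedemo'    // assumed name; must be globally unique
param vnetName string = 'vnet-la-demo'          // assumed name

var contentShareName = toLower('${logicAppName}-content')
// The runtime uses blob/queue/table for AzureWebJobsStorage and file for the
// content share, so each sub-resource needs its own private endpoint.
var peGroups = [ 'blob', 'file', 'queue', 'table' ]

// One subnet delegated to the Logic App (outbound VNet integration) and one
// that hosts the storage private endpoints.
resource vnet 'Microsoft.Network/virtualNetworks@2023-04-01' = {
  name: vnetName
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [
      {
        name: 'snet-logicapp'
        properties: {
          addressPrefix: '10.10.1.0/24'
          delegations: [ { name: 'web', properties: { serviceName: 'Microsoft.Web/serverFarms' } } ]
        }
      }
      {
        name: 'snet-privateendpoints'
        properties: { addressPrefix: '10.10.2.0/24' }
      }
    ]
  }
}

// Storage account that satisfies a "no public network access" policy.
resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageName
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: {
    publicNetworkAccess: 'Disabled'
    allowBlobPublicAccess: false
    minimumTlsVersion: 'TLS1_2'
    networkAcls: { defaultAction: 'Deny', bypass: 'None' }
  }
}

// Private endpoints are declared before the site and the site depends on
// them, so the runtime never tries to reach storage over the public path.
resource pe 'Microsoft.Network/privateEndpoints@2023-04-01' = [for g in peGroups: {
  name: 'pe-${storageName}-${g}'
  location: location
  properties: {
    subnet: { id: vnet.properties.subnets[1].id }
    privateLinkServiceConnections: [
      {
        name: 'plsc-${g}'
        properties: { privateLinkServiceId: storage.id, groupIds: [ g ] }
      }
    ]
  }
}]

resource plan 'Microsoft.Web/serverfarms@2022-09-01' = {
  name: 'asp-${logicAppName}'
  location: location
  sku: { name: 'WS1', tier: 'WorkflowStandard' }
}

var storageConn = 'DefaultEndpointsProtocol=https;AccountName=${storage.name};AccountKey=${storage.listKeys().keys[0].value};EndpointSuffix=${environment().suffixes.storage}'

resource logicApp 'Microsoft.Web/sites@2022-09-01' = {
  name: logicAppName
  location: location
  kind: 'functionapp,workflowapp'
  identity: { type: 'SystemAssigned' }
  dependsOn: [ pe ]
  properties: {
    serverFarmId: plan.id
    httpsOnly: true
    virtualNetworkSubnetId: vnet.properties.subnets[0].id
    vnetRouteAllEnabled: true
    siteConfig: {
      appSettings: [
        { name: 'APP_KIND', value: 'workflowApp' }
        { name: 'FUNCTIONS_EXTENSION_VERSION', value: '~4' }
        { name: 'FUNCTIONS_WORKER_RUNTIME', value: 'node' }
        { name: 'AzureFunctionsJobHost__extensionBundle__id', value: 'Microsoft.Azure.Functions.ExtensionBundle.Workflows' }
        { name: 'AzureWebJobsStorage', value: storageConn }
        { name: 'WEBSITE_CONTENTAZUREFILECONNECTIONSTRING', value: storageConn }
        { name: 'WEBSITE_CONTENTSHARE', value: contentShareName }
        // The two settings the answer calls out: fetch the content share over
        // the VNet and force all outbound traffic through it.
        { name: 'WEBSITE_CONTENTOVERVNET', value: '1' }
        { name: 'WEBSITE_VNET_ROUTE_ALL', value: '1' }
      ]
    }
  }
}
```

Two checks worth doing after `az deployment group create` with this template: confirm from inside the VNet that the storage FQDNs resolve to the 10.10.2.x private endpoint addresses (if they still resolve to public IPs, the private DNS zones are missing and the Logic App will fail exactly as the question describes), and confirm the site shows `WEBSITE_CONTENTOVERVNET` and `WEBSITE_VNET_ROUTE_ALL` set to `1` before the first workflow is saved, since an app created without them will have already tried to mount the content share over the public endpoint.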
AFAIK, it is impossible to connect without policy violations, even though the Logic App and storage account are under the same tenant.
You need to change the access to enable all:
Or else you need to add the IP addresses of the Logic App connectors to the Azure Blob Storage firewall as below:
Then add the IP addresses in the address range: