In Azure, a Storage Account gets a public endpoint by default (https://<account>.blob.core.windows.net). Although every request still has to be authenticated (account key, SAS token or Azure AD), the endpoint itself is reachable from any network, so a leaked key or SAS token can be used from anywhere on the Internet. Enterprise customers often reject this.
In this post we protect the Storage Account by turning off public access and allowing traffic only from a VNET subnet.
Pre-Requisites
For this experiment, create the following resources in the same region:
- App Service (on a plan that supports VNET integration, e.g. Standard tier)
- Virtual Network (VNET)
- Add a new subnet named Frontend to the VNET
- Storage Account
- Create a container named "my-blobs"
- Upload a blob named readme.txt into the container
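The same prerequisites can be scripted with the Azure CLI. The script below is an added example, not part of the original post: the resource group, VNET, plan and account names are assumptions (override them with environment variables), the app setting name StorageConnectionString is chosen here, and the Microsoft.Storage service endpoint is added to the Frontend subnet up front because the storage firewall rule added later requires it.

```shell
#!/usr/bin/env bash
# Provision the lab resources with the Azure CLI (az).
# All names below are assumptions for this example; override via environment variables.
set -eu

RG="${RG:-storage-vnet-lab}"
LOC="${LOC:-westeurope}"
VNET="${VNET:-lab-vnet}"
SUBNET="${SUBNET:-Frontend}"
SA="${SA:-labstorage$$}"      # must be globally unique
PLAN="${PLAN:-lab-plan}"
APP="${APP:-lab-api-$$}"
CONTAINER="my-blobs"

# Storage account names must be 3-24 lowercase letters or digits; check before calling az.
valid_storage_account_name() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9]{3,24}$'
}

provision() {
  valid_storage_account_name "$SA" || { echo "invalid storage account name: $SA" >&2; return 1; }

  az group create -n "$RG" -l "$LOC" -o none

  # VNET with the Frontend subnet. The Microsoft.Storage service endpoint is what lets
  # the storage firewall recognise traffic as coming from this subnet.
  az network vnet create -g "$RG" -n "$VNET" -l "$LOC" \
    --address-prefix 10.0.0.0/16 \
    --subnet-name "$SUBNET" --subnet-prefix 10.0.1.0/24 -o none
  az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$SUBNET" \
    --service-endpoints Microsoft.Storage -o none

  # Storage account, container and the readme.txt blob.
  az storage account create -g "$RG" -n "$SA" -l "$LOC" \
    --sku Standard_LRS --kind StorageV2 --min-tls-version TLS1_2 -o none
  KEY=$(az storage account keys list -g "$RG" -n "$SA" --query '[0].value' -o tsv)
  az storage container create --account-name "$SA" --account-key "$KEY" -n "$CONTAINER" -o none
  printf 'hello from the storage firewall lab\n' > readme.txt   # constructed sample blob
  az storage blob upload --account-name "$SA" --account-key "$KEY" \
    -c "$CONTAINER" -n readme.txt -f readme.txt --overwrite -o none

  # App Service on a Standard plan (VNET integration available), integrated into the
  # Frontend subnet so its outbound calls to storage leave through the VNET.
  az appservice plan create -g "$RG" -n "$PLAN" -l "$LOC" --sku S1 -o none
  az webapp create -g "$RG" -p "$PLAN" -n "$APP" -o none
  az webapp vnet-integration add -g "$RG" -n "$APP" --vnet "$VNET" --subnet "$SUBNET" -o none

  # Hand the connection string to the app as an App Setting instead of hard-coding it.
  CONN=$(az storage account show-connection-string -g "$RG" -n "$SA" -o tsv)
  az webapp config appsettings set -g "$RG" -n "$APP" \
    --settings "StorageConnectionString=$CONN" -o none
  echo "provisioned: storage=$SA app=$APP"
}

# Only touch Azure when explicitly asked, so the file can be sourced or tested safely.
if [ "${AZ_APPLY:-0}" = "1" ]; then
  provision
fi
```

Run it with `AZ_APPLY=1 SA=<uniquename> ./provision.sh` after `az login`. The plan is Windows by default, so no runtime flag is passed to az webapp create; pass one if you deploy to a Linux plan.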
Create Sample Application
Create a sample Web API application that reads data from Blob Storage using the code below.
Add the Azure.Storage.Blobs NuGet package (the older Microsoft.Azure.Storage.Blob package is the legacy SDK and is not needed for this code).
using System;
using System.IO;
using System.Threading.Tasks;
using Azure.Storage.Blobs;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Logging;

namespace jp_test_mvc.Controllers
{
    [ApiController]
    [Route("[controller]")]
    public class BlobController : ControllerBase
    {
        private readonly ILogger<BlobController> _logger;
        private readonly IConfiguration _configuration;

        public BlobController(ILogger<BlobController> logger, IConfiguration configuration)
        {
            _logger = logger;
            _configuration = configuration;
        }

        // GET /blob : downloads my-blobs/readme.txt and returns its text.
        [HttpGet]
        public async Task<string> Get()
        {
            string result = string.Empty;
            try
            {
                // Read the connection string from configuration (an App Setting in Azure)
                // rather than hard-coding it in source. The key name is chosen for this sample.
                string connectionString = _configuration["StorageConnectionString"];
                BlobServiceClient blobServiceClient = new BlobServiceClient(connectionString);
                BlobContainerClient containerClient = blobServiceClient.GetBlobContainerClient("my-blobs");
                BlobClient blobClient = containerClient.GetBlobClient("readme.txt");
                var response = await blobClient.DownloadAsync();
                using (var streamReader = new StreamReader(response.Value.Content))
                {
                    while (!streamReader.EndOfStream)
                        result += await streamReader.ReadLineAsync();
                }
            }
            catch (Exception ex)
            {
                // Returned to the caller on purpose so the firewall test below shows the
                // exact error; never expose exception details like this in production.
                _logger.LogError(ex, "Failed to read blob");
                result = ex.ToString();
            }
            return result;
        }
    }
}
Test the Application
Browse to the application's /blob endpoint; you should get the contents of readme.txt back.
Modify the Storage Account Settings
Now go to the Storage Account > Networking (Firewalls and virtual networks) and change "Allow access from" to "Selected networks". Save the changes. With no network rules added yet, the default action is Deny, so nothing outside the allow list can reach the account, including the App Service, whose outbound traffic still comes from public Azure IPs until it is integrated with the VNET.
Test the application again; you should now get an exception: a RequestFailedException with status 403 (AuthorizationFailure, "This request is not authorized to perform this operation."). The request is rejected even though the connection string holds a valid key, because it did not arrive from an allowed network.
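The portal change above, followed by the allow-listing of the Frontend subnet and a check that the lock-down actually holds, as an Azure CLI script. This is an added example and not the post's own code; the resource names are assumptions (override them with environment variables), and the JSON check assumes the networkRuleSet shape that az storage account show returns.

```shell
#!/usr/bin/env bash
# Lock the storage account firewall to the VNET with the Azure CLI (az) and verify it.
# Resource names are assumptions for this example; override via environment variables.
set -eu

RG="${RG:-storage-vnet-lab}"
VNET="${VNET:-lab-vnet}"
SUBNET="${SUBNET:-Frontend}"
SA="${SA:-labstorage}"

lock_down() {
  # Equivalent of Networking > "Selected networks": deny by default.
  # --bypass AzureServices keeps trusted Microsoft services (Monitor, backup) able to reach it.
  az storage account update -g "$RG" -n "$SA" --default-action Deny --bypass AzureServices -o none
  # The subnet needs the Microsoft.Storage service endpoint or the rule is refused.
  az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$SUBNET" \
    --service-endpoints Microsoft.Storage -o none
  az storage account network-rule add -g "$RG" --account-name "$SA" \
    --vnet-name "$VNET" --subnet "$SUBNET" -o none
}

# Pure check over the JSON from `az storage account show --query networkRuleSet`:
# succeeds only when the default action is Deny and the Frontend subnet is allow-listed.
network_rules_ok() {
  json="$1"
  printf '%s' "$json" | grep -Eq '"defaultAction":[[:space:]]*"Deny"' || return 1
  printf '%s' "$json" | grep -Eq "/subnets/$SUBNET\"" || return 1
  return 0
}

verify() {
  rules=$(az storage account show -g "$RG" -n "$SA" --query networkRuleSet -o json)
  if network_rules_ok "$rules"; then
    echo "firewall: default Deny, subnet $SUBNET allow-listed"
  else
    echo "firewall not locked down:" >&2
    printf '%s\n' "$rules" >&2
    return 1
  fi
  # From any machine outside the VNET (this one included) the data plane must now
  # refuse the request with HTTP 403 AuthorizationFailure, even with a valid key.
  KEY=$(az storage account keys list -g "$RG" -n "$SA" --query '[0].value' -o tsv)
  tmp=$(mktemp)
  if az storage blob download --account-name "$SA" --account-key "$KEY" \
       -c my-blobs -n readme.txt -f "$tmp" -o none 2>/dev/null; then
    echo "unexpected: blob still readable from outside the VNET" >&2
    rm -f "$tmp"
    return 1
  fi
  rm -f "$tmp"
  echo "public access blocked as expected (403 AuthorizationFailure)"
}

# Only touch Azure when explicitly asked, so the file can be sourced or tested safely.
if [ "${AZ_APPLY:-0}" = "1" ]; then
  lock_down
  verify
fi
```

Run it with `AZ_APPLY=1 SA=<account> ./lockdown.sh`. Once the network rule is in place, the App Service reaches the account again only if it is VNET-integrated into the Frontend subnet; a key leaked to the outside world still gets the same 403.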