4

Does anybody know how to connect to Azure blob storage using Logic App connectors and triggers? I don't want to grant public access on my storage account. It works fine if I allow public access, but when I restrict the access to only selected IPs, it stops working and I am unable to connect to the storage account. I have attached the screenshot.

error message

Atindra

4 Answers

5

For this problem, I suggest you use an integrated service environment, as Frank mentioned in his answer. Here I provide some more detailed steps for your reference.

1. Create a virtual network and ensure it has at least 4 subnets. You can do it by clicking the "Add new virtual network" button in your storage account's "Firewalls and virtual networks" tab. If you create the virtual network in your storage account's "Firewalls and virtual networks" tab, you need to go to the new virtual network and add three subnets to ensure it has at least 4 subnets (as shown in the screenshot below), then go back to your storage account's "Firewall" tab and add the virtual network again (because it may be missing after you add the three subnets).

2. Then, we need to create an integration service environment. Choose the virtual network which you created just now at the bottom of the creation page.

The creation will take a long time; it took me more than four hours to create the integration service environment.

3. After creating the ISE, we need to create the logic app and choose the ISE which we created when creating the logic app.

4. Wait about 20 minutes, because the ISE will take some time to be ready even if it was created successfully. Then, in your logic app, add the "Azure blob storage" connector with the "ISE" icon.

5. Add the "create blob" action and it will ask you to create the connection. Create the connection as you did before, and it will generate an API connection in the same resource group as your logic app. Wait a few minutes until you can click and open the API connection, because this kind of API connection (with ISE) requires more time to be ready. Otherwise you will see some text like "can not find the api azureblob...." in your logic app's "create blob" action.

6. Now we can see the items in storage in the "create blob" action.

Hury Shen
  • I am getting the "The API 'azureblob' could not be found" error, even after waiting. Solution for that? – Atindra May 10 '20 at 20:51
  • Also the API connection is visible in my resource group but on the ISE page, the API connection tab is not opening and shows some error. – Atindra May 10 '20 at 21:25
  • Hi @atindra, I just deleted the API connection in the resource group, re-created the connection and waited a few minutes when I met the error message "The API 'azureblob' could not be found", then it worked fine. Could you please also try to delete it and re-create the connection (please try it a few times)? – Hury Shen May 11 '20 at 03:06
  • Sure, will do. Also I am using developer SKU, can that also be a reason for the error? – Atindra May 11 '20 at 10:53
  • Your solution works, but I should mention that using ISE is a very, very expensive solution if you only make it for a Logic App. [link](https://azure.microsoft.com/en-us/pricing/details/logic-apps/) – mas Mar 26 '21 at 03:10
1

First, make sure you have allowed all of the relevant IP addresses. Find all the outbound addresses for your region here.

Second, I would point out that, as you can see on that page, all logic apps, regardless of tenant or subscription, use the same outbound IP addresses. So while you do create a restriction by whitelisting only those, there is still a security gap that may or may not be acceptable to you.

You can also look into deploying your logic app into an integrated service environment, which integrates with a VNET to which you can also connect your storage account.

ChiefMcFrank
  • I tried the approach of adding all IPs for West Europe where my Logic App resides and also my storage account. This unfortunately didn't work for me. I have a simple HTTP triggered LA which posts a message to a queue. This doesn't work when I choose Selected Networks in the firewall for the storage account and provide rules for all the Outbound IP addresses for that LA. It works if I set the firewall to "All networks". Is the only solution here to use an ISE for this small purpose? – Oliver Nilsen Jun 05 '20 at 13:52
  • @olivernilsen Sorry, I missed this bit of documentation before: https://learn.microsoft.com/en-us/azure/connectors/connectors-create-api-azureblobstorage#access-storage-accounts-behind-firewalls Based on that, I'm guessing your LA and storage account are in the same region. Would you be able to move one or the other to a different region? – ChiefMcFrank Jun 05 '20 at 22:15
  • @OliverNilsen the Integrated service environment (ISE) approach worked in my case, I was also unable to achieve the connectivity by whitelisting the IP addresses. – Atindra Nov 03 '20 at 18:01
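
The point made in the answer above, that the Logic Apps outbound addresses are shared by every tenant, can be checked against a storage account's firewall definition. The following is an added example, not part of the original answers: it audits a `networkAcls` block in ARM template shape, and the function name, the sample rules and the "shared" ranges (documentation placeholders standing in for the published regional list) are all assumptions.

```python
import ipaddress

# Constructed placeholders (RFC 5737 documentation ranges). In practice, load the
# Logic Apps outbound addresses published for your region instead.
SHARED_OUTBOUND = ["203.0.113.0/28", "198.51.100.7"]

# Constructed sample of a storage account's networkAcls (ARM template shape).
SAMPLE_ACLS = {
    "bypass": "AzureServices",
    "defaultAction": "Deny",
    "ipRules": [
        {"value": "203.0.113.4", "action": "Allow"},   # inside a shared range
        {"value": "192.0.2.10", "action": "Allow"},    # e.g. an office egress IP
    ],
    "virtualNetworkRules": [],
}


def audit_network_acls(acls, shared_ranges=SHARED_OUTBOUND):
    """Return (severity, message) findings for a networkAcls block."""
    findings = []
    shared = [ipaddress.ip_network(r, strict=False) for r in shared_ranges]

    # With any default other than Deny, the rules below restrict nothing.
    if acls.get("defaultAction") != "Deny":
        findings.append(("high", "defaultAction is not Deny: the account "
                                 "accepts traffic from all networks"))

    # An allow rule that overlaps a shared connector range admits every
    # tenant's logic apps in that region, not only your own.
    for rule in acls.get("ipRules", []):
        net = ipaddress.ip_network(rule["value"], strict=False)
        hits = [str(s) for s in shared if net.overlaps(s)]
        if hits:
            findings.append(("medium", f"ipRule {net} overlaps shared "
                                       f"outbound range(s) {', '.join(hits)}"))

    # No VNet rule means access control rests on public IP rules alone.
    if not acls.get("virtualNetworkRules"):
        findings.append(("info", "no virtualNetworkRules: access relies on "
                                 "public IP rules only"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_network_acls(SAMPLE_ACLS):
        print(f"[{severity}] {message}")
```
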
0

It is also possible to connect to a storage account from a Standard Logic App using a service endpoint or a private endpoint, which might be a better solution than using ISE, which is very expensive.

This article explains the challenges, and also how to set up the connectivity between a Standard Logic App and a storage account via service endpoint, and via private endpoint.

ccoutinho
0

There is no need to use ISE for a small purpose; you can use Azure Event Grid for the trigger and HTTP to obtain the content of the blob.

Please go through this video for more information:

https://www.youtube.com/watch?v=xVFmpszXmC0
  • Further, to send an email as an attachment of the blob, use O365 as an action, and in the attachments section use the Body of the previous step. – Prashant Shete Jun 10 '22 at 05:56