
We have multiple backend APIs hosted on Azure Web Apps under the same plan. All the APIs have the same outbound IPs, and all of them have access restrictions enabled, so they are only accessible from the API gateway. We have Blob Storage, and we have also enabled restrictions on it (Networking: "Enabled from selected virtual networks and IP addresses"; Firewall: added all the APIs' IPs). Now when the APIs try to fetch an image from the blob, they throw the following error:

Azure.RequestFailedException: This request is not authorized to perform this operation.
RequestId:0bc5827d-c01e-0030-382f-929e61000000
Status: 403 (This request is not authorized to perform this operation.)
ErrorCode: AuthorizationFailure
Content:
<?xml version="1.0" encoding="utf-8"?><Error><Code>AuthorizationFailure</Code><Message>This request is not authorized to perform this operation.
RequestId:0bc5827d-c01e-0030-382f-929e61000000
Time:2023-05-29T13:11:56.0013545Z</Message></Error>

Note that neither the APIs nor the blob storage use a VNet; both are in the same resource group and use the same identity, but when we remove the network restriction on the storage account it works fine.


1 Answer


I tried the same in my environment and got the same error, like below:

HTTP/1.1 403 This request is not authorized to perform this operation.
content-length: 246
content-type: application/xml
date: Wed, 31 May 2023 12:19:02 GMT
request-context: appId=cid-v1:fd69b195-73bf-4983-8e10-20874ab6fd70
vary: Origin
x-ms-error-code: AuthorizationFailure
x-ms-request-id: 0482fe63-001e-0005-0cba-93338e000000


Added App Service access restrictions for the IP address or virtual network, like below:

In the storage account firewall, added the IP address, like below:

Make sure that under Exceptions, "Allow Azure services on the trusted services list to access this storage account" is enabled.

Turn on managed identity in APIM. Assign the Storage Blob Data Contributor role to the Azure APIM service principal on the storage container.

Now, with access restrictions on the App Service allowing only the required IP, and the same on the storage account, it executed successfully, like below:

HTTP/1.1 200 OK
accept-ranges: bytes
content-length: 534283
content-md5: Fq04hjyWtblQ0ljt0ObAeQ==
content-type: image/png
date: Wed, 31 May 2023 12:56:56 GMT
etag: "0x8DB61A69A90XXX"
last-modified: Wed, 31 May 2023 07:13:58 GMT
request-context: appId=cid-v1:fd69b195-73bf-4983-8e10-20874ab6fd70
vary: Origin
x-ms-blob-type: BlockBlob
x-ms-creation-time: Wed, 31 May 2023 07:13:58 GMT
x-ms-lease-state: available
x-ms-lease-status: unlocked
x-ms-request-id: 8c7194fc-601e-0061-04bf-XXXXXXX
x-ms-server-encrypted: true
x-ms-version: 2017-11-09


Reference:

Secure Azure Blob Storage with Azure API Management & Managed Identities, by Marcus Tee (Marcus Tee Anytime, Medium)

Applied the above procedure but same result, 403. I have given the outbound IPs of the APIs in blob storage, and both are deployed in the same region. I think the APIs communicate with blob storage using private IPs, and that's why the APIs are not able to communicate with the blob. Is this the reason? – Saad Awan Jun 01 '23 at 06:50
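The procedure the answer shows in screenshots, written out as an Azure CLI script. This is an added example, not code from the question, the answer or the linked article; the resource names (rg-apis, api-images, apim-gateway, stimages01, images) are assumptions and can be overridden from the environment. Two things differ from the answer on purpose. First, the app only reads images, so it gets Storage Blob Data Reader scoped to the one container rather than Contributor. Second, the script carries the check the comment above is asking for: Azure documents that services deployed in the same region as the storage account reach it over Azure's private address space, so a storage firewall IP rule can never match an App Service's public outbound IPs unless the app is in another region or is VNet-integrated (in which case a service endpoint or private endpoint, not an IP rule, is the right control). The script warns about that case instead of silently adding rules that will not match.

```shell
#!/bin/sh
# Added example (not code from the question or answer). Resource names below are
# assumptions; override them from the environment.
RG="${RG:-rg-apis}"                 # resource group holding the app, APIM and storage
APP="${APP:-api-images}"            # the backend API web app
APIM="${APIM:-apim-gateway}"        # the API Management gateway in front of it
STORAGE="${STORAGE:-stimages01}"    # the storage account the app reads from
CONTAINER="${CONTAINER:-images}"    # the container holding the images

# Split the comma-separated outboundIpAddresses value that `az webapp show`
# returns into one address per line. Storage firewall IP rules must be given as
# bare addresses (/31 and /32 prefixes are rejected), so no suffix is added
# here; the App Service rule below appends /32 itself.
split_ips() {
  printf '%s\n' "$1" | tr ',' '\n' | sed '/^$/d'
}

# Storage firewall IP rules only see traffic that arrives from a public
# address. An App Service in the same region as the storage account and without
# VNet integration reaches storage over Azure's internal address space, so its
# public outbound IPs never match (documented Azure behaviour). Returns 0 when
# IP rules can work, 1 when they cannot. App Service reports a display name
# ("West Europe") while the storage account reports the short form
# ("westeurope"), so both are normalised before comparing.
ip_rules_can_match() {
  app_region=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -d ' ')
  st_region=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]' | tr -d ' ')
  subnet_id=$3
  [ -n "$subnet_id" ] && return 0   # VNet-integrated: use a service/private endpoint instead
  [ "$app_region" != "$st_region" ]
}

apply_restrictions() {
  set -e
  app_region=$(az webapp show -g "$RG" -n "$APP" --query location -o tsv)
  subnet_id=$(az webapp show -g "$RG" -n "$APP" --query virtualNetworkSubnetId -o tsv)
  st_region=$(az storage account show -g "$RG" -n "$STORAGE" --query location -o tsv)
  st_id=$(az storage account show -g "$RG" -n "$STORAGE" --query id -o tsv)

  if ! ip_rules_can_match "$app_region" "$st_region" "$subnet_id"; then
    echo "warning: $APP has no VNet integration and shares region $st_region with $STORAGE;" >&2
    echo "         its outbound IPs will not match storage firewall rules (expect 403 AuthorizationFailure)" >&2
  fi

  # 1. Storage firewall: deny by default, keep the trusted-services exception,
  #    then allow each outbound IP of the app.
  az storage account update -g "$RG" -n "$STORAGE" --default-action Deny --bypass AzureServices -o none
  split_ips "$(az webapp show -g "$RG" -n "$APP" --query outboundIpAddresses -o tsv)" |
  while read -r ip; do
    az storage account network-rule add -g "$RG" --account-name "$STORAGE" --ip-address "$ip" -o none
  done

  # 2. Identity: the app's system-assigned identity only needs to read images,
  #    so grant Storage Blob Data Reader (the answer uses Contributor), scoped to
  #    the one container rather than the whole account.
  principal=$(az webapp identity assign -g "$RG" -n "$APP" --query principalId -o tsv)
  az role assignment create --assignee-object-id "$principal" --assignee-principal-type ServicePrincipal \
    --role "Storage Blob Data Reader" \
    --scope "$st_id/blobServices/default/containers/$CONTAINER" -o none

  # 3. App Service access restriction: only the APIM gateway may call the API.
  apim_ip=$(az apim show -g "$RG" -n "$APIM" --query 'publicIpAddresses[0]' -o tsv)
  az webapp config access-restriction add -g "$RG" -n "$APP" --rule-name allow-apim \
    --action Allow --ip-address "$apim_ip/32" --priority 100 -o none
}

# Run as: sh restrict.sh apply   (needs an authenticated Azure CLI). Without
# the argument the script only defines the functions above.
if [ "${1:-}" = "apply" ]; then
  apply_restrictions
fi
```

If the warning fires, the two fixes that actually make the storage firewall enforceable are to VNet-integrate the app and add the subnet as a virtual network rule (service endpoint) or use a private endpoint, or to move the storage account to a different region; adding more public IPs to the firewall will keep returning the same 403 AuthorizationFailure seen in the question.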