1

I have an Azure storage account with a blob endpoint of 'mystorageaccountname.blob.core.windows.net' (and queues etc.). I want to choose a static IP address, because some of my more zealous customers want to only allocate a known set of IP addresses through their firewall. I have already provided them with the list of Azure IP ranges for my Azure region, but they don't want to allocate such broad ranges.

1: Azure portal | Add new resource "Public IP Address" allows me to add a public static IP address for a virtual network gateway (VNG?). Can I re-route all traffic through a VNG to the appropriate storage endpoints?

2: Azure API management could be configured with a public static IP, then adding a 'pass through' route.

Each client's app.config would need "AzureWebJobsStorage" updated to send requests through an API Management route for each endpoint type, using the 'explicit storage endpoint' connection string.

3: Alternative to APIm: dotnet YARP as a reverse proxy hosted on an Azure WebApp and manage re-routing that way.

Also posted on the Azure Docs Questions forum and StackOverflow

OzBob

1 Answer

0

You cannot assign a public IP directly to a storage account; they can only be referenced by name, and a vNet gateway won't help with this. You could put a proxy in front of the storage account, such as App Gateway as you suggest, and have it proxy all traffic through to the storage account; this would probably work. However, it's a complex and expensive solution to a problem that should really be resolved by customers filtering on DNS name rather than IP, which most firewalls have been able to do for some time.

If your client is an Azure customer with their own vNets, you could also look at Private Endpoints, which would allow them to connect the storage account to their vNet and access it over a private IP.

Sam Cogan
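For the "explicit storage endpoint" connection string mentioned in option 2 of the question, the following added example (not code from the question or the answer) rewrites a default connection string so every service endpoint targets a proxy, then audits a client's setting for endpoints that would still go straight to Azure. The proxy domain `storage-proxy.example.com`, the one-hostname-per-service scheme and the sample key are assumptions; the proxy itself is not shown.

```python
from urllib.parse import urlsplit

SERVICES = ("Blob", "Queue", "Table", "File")

# Constructed sample: the default form, which resolves to *.core.windows.net.
SAMPLE_DEFAULT = ("DefaultEndpointsProtocol=https;AccountName=mystorageaccountname;"
                  "AccountKey=Q09OU1RSVUNURUQ=;EndpointSuffix=core.windows.net")
PROXY_DOMAIN = "storage-proxy.example.com"  # hypothetical static-IP front end

def parse_conn_str(conn_str):
    """Split 'Key=Value;...' into a dict; base64 keys may themselves contain '='."""
    pairs = (p.split("=", 1) for p in conn_str.split(";") if p.strip())
    return {k.strip(): v.strip() for k, v in pairs}

def to_explicit_endpoints(conn_str, proxy_domain):
    """Build a connection string whose four service endpoints point at the proxy."""
    src = parse_conn_str(conn_str)
    out = {"DefaultEndpointsProtocol": "https"}
    for svc in SERVICES:
        # Assumed naming scheme: blob.<proxy>, queue.<proxy>, ...
        out[f"{svc}Endpoint"] = f"https://{svc.lower()}.{proxy_domain}"
    out["AccountName"] = src["AccountName"]
    out["AccountKey"] = src["AccountKey"]
    return ";".join(f"{k}={v}" for k, v in out.items())

def bypassing_endpoints(conn_str, proxy_domain):
    """Name the endpoints that are missing, not HTTPS, or not under the proxy domain."""
    settings = parse_conn_str(conn_str)
    bad = []
    for svc in SERVICES:
        url = urlsplit(settings.get(f"{svc}Endpoint", ""))
        host = url.hostname or ""
        # Leading dot stops look-alike hosts such as 'evilstorage-proxy.example.com'.
        if url.scheme != "https" or not host.endswith("." + proxy_domain):
            bad.append(f"{svc}Endpoint")
    return bad

def redact(conn_str):
    """Mask the account key so the setting can be logged or attached to a ticket."""
    settings = parse_conn_str(conn_str)
    if "AccountKey" in settings:
        settings["AccountKey"] = "***"
    return ";".join(f"{k}={v}" for k, v in settings.items())

if __name__ == "__main__":
    explicit = to_explicit_endpoints(SAMPLE_DEFAULT, PROXY_DOMAIN)
    print(redact(explicit))
    print("still direct:", bypassing_endpoints(SAMPLE_DEFAULT, PROXY_DOMAIN))
```
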