
I've set up a VNET with a point-to-site GW and two other subnets.

  • VNET
    • StorageSubnet (with service endpoint to storage)
    • GWSubnet (with service endpoint to storage)
    • noStorage

I've connected my web app to the VNET, but I get an exception when trying to list the blobs [1]. If I make the storage account publicly available everything works as expected.

To figure out where it fails I set up two small VMs on StorageSubnet and noStorage respectively. As expected, one works with Azure CLI listing blobs and the other fails. This way I was also able to view Effective Routes, where the service endpoint appears.

Is there a way to view the Effective Routes on an app services instance? (my webapp)

The app service (my webapp) connects to the VNET, not a subnet. Is there something I'm missing, some manual routing needed? I'd expect this to route just like my VM test.

Is there a way for me to run Azure CLI on the app service, or some other next step in debugging?

[1]

Microsoft.WindowsAzure.Storage.StorageException
at Microsoft.WindowsAzure.Storage.Core.Executor.Executor.<ExecuteAsyncInternal>d__4`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.WindowsAzure.Storage.Blob.CloudBlobContainer.<ListBlobsSegmentedAsync>d__61.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()

1 Answer

This is an old issue.

For Azure Web App service VNET integration, it gives your web app access to resources in your virtual network but does not grant private access to your web app from the virtual network. Private site access refers to making your app only accessible from a private network such as from within an Azure virtual network. Private site access is only available with an ASE configured with an Internal Load Balancer (ILB). For details on using an ILB ASE, start with the article here: Creating and using an ILB ASE.

It means that with VNET integration, your web app can connect to the VNET from outside, but the web app is not inside the VNET.

So, the firewall for the storage account only allows the traffic from the VNET; it cannot allow the traffic from outside the VNET.

For your scenario, one method is using an ILB ASE. It can put your web app into a VNET.

Wayne Yang
  • "it gives your web app access to resources in your virtual network" makes me think that the required scenario would be possible. That piece of documentation is confusing/misleading in my opinion. – Augusto Barreto Jun 29 '18 at 23:34
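As an added illustration (not code from the question, the answer or Azure itself), the model below plays through the answer's point: a storage account's virtual network rules only match traffic that arrives through a service endpoint from a listed subnet, so a web app that reaches the VNET from outside is denied, while a VM on StorageSubnet or an app placed inside the VNET (ILB ASE) is allowed. The rule evaluation is a simplified model, and the subnet resource IDs and the 10.0.x.x / 52.0.x.x addresses are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Request:
    """How the storage firewall sees an incoming request (simplified model)."""
    source_ip: str
    # Subnet resource ID, set only when the packet arrived over a service endpoint.
    service_endpoint_subnet: Optional[str] = None


@dataclass
class NetworkRuleSet:
    """Subset of a storage account's networkRuleSet (constructed, not a real account)."""
    default_action: str = "Deny"
    virtual_network_rules: List[str] = field(default_factory=list)  # subnet resource IDs
    ip_rules: List[str] = field(default_factory=list)               # public IPs or CIDRs


def is_allowed(rules: NetworkRuleSet, req: Request) -> bool:
    """Simplified evaluation: VNet rules match only service-endpoint traffic from a listed
    subnet; anything arriving from a public address can only match an IP rule."""
    if rules.default_action.lower() == "allow":
        return True
    if req.service_endpoint_subnet in rules.virtual_network_rules:
        return True
    ip = ipaddress.ip_address(req.source_ip)
    return any(ip in ipaddress.ip_network(r, strict=False) for r in rules.ip_rules)


# Constructed stand-ins for the question's VNET; the subscription/RG segment is a placeholder.
SUBNET = "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/VNET/subnets/"
RULES = NetworkRuleSet(virtual_network_rules=[SUBNET + "StorageSubnet", SUBNET + "GWSubnet"])


def page_scenario() -> dict:
    """Each client from the question, with where its traffic reaches storage from."""
    return {
        # VM on StorageSubnet: service endpoint present, private source address
        "vm_StorageSubnet": is_allowed(RULES, Request("10.0.1.4", SUBNET + "StorageSubnet")),
        # VM on noStorage: no service endpoint, so traffic exits via a public (SNAT) IP
        "vm_noStorage": is_allowed(RULES, Request("52.0.0.10")),
        # Web app with VNet integration: it can reach the VNET through the gateway, but its
        # storage traffic leaves from the app's public outbound IP, not from a VNET subnet
        "webapp_vnet_integration": is_allowed(RULES, Request("52.0.0.20")),
        # Web app in an ILB ASE: runs inside the VNET, so it can use the service endpoint
        "webapp_ilb_ase": is_allowed(RULES, Request("10.0.1.20", SUBNET + "StorageSubnet")),
    }
```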