Azure Standard Logic App with Secured (Private) Storage Account

When you create a logic app of type standard, it runs in a single-tenant environment. Meaning, the logic app runs in a single dedicated instance. The standard Logic is hosted as an extension on Azure Functions runtime. This means you can run logic apps anywhere that Azure Functions runs. Also, you can apply any network topology and choose any available compute size. This also requires Storage Account to be associated with it. The Storage account hosts the content needed for the logic app to be up and running.

Due to the increase in security and policies many organizations want Storage Accounts to be secured behind the network. In this blog, we will see how to create a stand logic app with a storage account secured with VENT or private endpoints.

STEP 1: Create a Standard Logic App and Virtual Network

1. Create a standard logic app (this creates App Service Plan and Storage Account).
2. By default, the storage account is publicly accessible over the internet.

   

3. Storage Account File Share contains the site content needed for the logic app to be up and running

   

4. Create a simple test workflow

   

5. Create a subnet ‘subnet-lg’ in the VNET. We will restrict traffic to this subnet

   

STEP 2: Secure the Storage Account Access to Virtual Network

1. Restrict the storage account access only from ‘subnet-lg’

   

2. As soon as we restrict the storage account access, the logic app instance throws the error. It can’t reach the storage account.

   

3. It can’t even retrieve the work flow we created.

   

STEP 3: Restrict Standard Logic App Outbound Traffic

1. Configure logic app for the outbound traffic via ‘subnet-lg’

   

   

STEP 4: Add Application Settings

Go to Logic App application settings and add below two settings

WEBSITE_VNET_ROUTE_ALL to 1

WEBSITE_CONTENTOVERVNET to 1

After all these setups, if you go back to the logic app, the error should go away and the test workflow will appear again