Standard LogicApp is powered by new Azure single-tenant LogicApp runtime. Single-tenant Logic App offering runs as an extension on top of Azure Function runtime. Like Azure Functions, the standard Logic App leverages storage account services such as blob, File Share, Queue and Table for various purposes. For instance, the website content is stored in File Share which will be accessed by Logic App site for up and running. You can refer to this blog to understand how the storage services are leveraged in standard Logic App.
In this article, we will see how to access the Storage account services on secured network using Service endpoints (or) Private Endpoints from Standard Logic App.
By default, the portal creation experience of the Logic Apps expects the storage account must be accessible on public endpoint. Let us explore the below options on how to access the storage account over a secured network.
Deploy Logic App standard resource having secured access to Storage account using Portal:
- Storage account need to be accessible on Public Endpoint i.e. Network access set to 'All Networks'.
- Create a Logic App resource, selecting the above created storage account during Logic App creation process.
- Enable the Service Endpoint or Private Endpoints (for all services i.e. blob, table, file, queue) on the storage account.
- Enable the VNET integration for Logic App resource with respective VNET and subnet have access to Storage account on Service Endpoint (SE) or Private Endpoints (PE).
- Set the below configuration settings (app settings) to access the storage on SE or PE’s.
|
S.No |
Configuration Setting |
Value |
Comments |
Mandatory |
|
1 |
WEBSITE_VNET_ROUTE_ALL (Legacy Setting and have new toggle button 'Route All' in networking tab) |
1 |
It is legacy setting to route all outbound traffic through integrated subnet.
There is new Route all toggle button available in the VNET integration blade. You can use either of these.
If you don't set either of above and have VNET integration only private traffic will be going through your subnet and remaining will be through internet. |
Yes |
|
2 |
WEBSITE_DNS_SERVER |
168.63.129.16 (or) Custom DNS server IP Address |
It is to enforce Logic App to use specific DNS server. If its required you can set or else Logic App will use whatever the DNS servers configured on the integrated VNET. |
No |
|
3 |
WEBSITE_CONTENTOVERVNET |
1 |
It enables Logic App resource to access the website content over VNET traffic i.e. on SE or PE’s. |
Yes |
|
4 |
WEBSITE_DNS_ALT_SERVER |
Alternate DNS server IP address |
It is to enforce Logic App to use specific DNS server while WEBSITE_DNS_SERVER unable to resolve.
If its required you can set or else Logic App will use whatever the DNS servers configured on the integrated VNET. |
No |
- No need to restart the Logic App site when you update any app settings or adding new workflows, Logic App gracefully restarts in an incremental mode without impacting any existing runs. However, it isn't suggested to make changes when there are any in-process transactions.
- Change the storage account network settings to selected networks
- Logic App may experience some interruption as the connectivity switch between public and private endpoints may take some time and you may not see workflows for sometime. You may restart the Logic App and wait for few mins and check whether workflows are loading or not.
Deploy Logic App standard resource having secured access to Storage account using automated deployment tools:
You can overcome the issue of exposing the storage account to public internet with the portal creation experience using ARM template deployment. With ARM deployment, you no need to open it for all Networks and can be deployed directly with Service endpoints or Private Endpoints.
If you would like to deploy Standard Logic App to secure storage account from automated tools such as DevOps using ARM templates. You can refer to the sample templates available in the below Git-Hub.
Below GIF's provides a glimpse on how to configure the Logic App to access storage account using Service or Private endpoints.
Access over Storage Service Endpoint:
Access over Storage Private Endpoints:
Note: vnetRouteAllEnabled app setting is replaces, overrides and takes precedence over the legacy setting WEBSITE_VNET_ROUTE_ALL.
Common Errors when Storage account is behind Firewall:
We generally observe the below common errors when deployment storage account is behind firewall which indicates that Logic App is unable to access the storage account services.
-
Access to host.json is denied:
System.Private.CoreLib: Access to the path 'C:\\home\\site\\wwwroot\\host.json' is denied.
-
Unable to load workflows in Logic App:
You may observe that workflows are not visible in the Logic App while Storage access is changed to selected networks or Private Endpoints. You can check the browser logs and it may show below error.
{"Code":"BadRequest","Message":"Encountered an error (ServiceUnavailable) from host runtime.","Target":null,"Details": [{"Message":"Encountered an error (ServiceUnavailable) from host runtime."},{"Code":"BadRequest"},{"ErrorEntity": {"Code":"BadRequest","Message":"Encountered an error (ServiceUnavailable) from host runtime."}}],"Innererror":null}
Troubleshooting common errors:
We can’t troubleshoot the above common errors from the kudu console as the Logic App site itself isn’t up or working . You can use the below to troubleshoot the access to the storage account services.
- Create an Azure VM with in the same Logic App integrated VNET, it can be a different subnet.
- The simpler test can be accessing the Storage account services using the Storage explorer tool. If any issues in connectivity using this tool, continue with the below steps.
- Check nslookup in the command prompt and make sure that the storage services are resolvable to intended IP addresses. If its on Service Endpoint, it should resolve to Public IP and if it has Private Endpoints, verify all services are resolvable to respective NIC private IP addresses.
nslookup [StorageaccountHostName] [OptionalDNSServer]
Verify for all storage services:
nslookup {StorageaccountName}.blob.core.windows.net
nslookup {StorageaccountName}.file.core.windows.net
nslookup {StorageaccountName}.queue.core.windows.net
nslookup {StorageaccountName}.table.core.windows.net
- If the DNS queries are resolvable, we can check psping or tcpping to storage account over 443 port.
psping [StorageaccountHostName] [Port] [OptionalDNSServer]
Verify for all storage services:
psping {StorageaccountName}.blob.core.windows.net:443
psping {StorageaccountName}.file.core.windows.net:443
psping {StorageaccountName}.queue.core.windows.net:443
psping {StorageaccountName}.table.core.windows.net:443
- If it is resolvable from Azure VM, we can check the DNS server is used for resolution in VM and set the same in the Logic App WEBSITE_DNS_SERVER setting and verify. Also, make sure that VNET integration is done with the appropriate VNET and subnet in Logic App.
References: You may refer to the below blogs for deep dive into Standard Logic App runtime and deployment using DevOps.
Azure Logic Apps Running Anywhere – Runtime Deep Dive (microsoft.com)