Standard Logic App is powered by the new Azure single-tenant Logic App runtime. The single-tenant Logic App offering runs as an extension on top of the Azure Functions runtime. Like Azure Functions, the Standard Logic App uses storage account services such as Blob, File Share, Queue and Table for various purposes. For instance, the website content is stored in a file share, which the Logic App site must be able to access in order to start and run. You can refer to this blog to understand how the storage services are used in Standard Logic App.
In this article, we will see how to access the storage account services over a secured network using service endpoints (or) private endpoints from a Standard Logic App.
By default, the portal creation experience for Logic Apps expects the storage account to be accessible on its public endpoint. Let us explore the options below for accessing the storage account over a secured network.
| S.No | Configuration Setting | Value | Comments | Mandatory |
|---|---|---|---|---|
| 1 | WEBSITE_VNET_ROUTE_ALL (legacy setting; there is a new 'Route All' toggle button in the networking tab) | 1 | This is the legacy setting to route all outbound traffic through the integrated subnet. There is a new Route All toggle button available in the VNET integration blade. You can use either of these. If you set neither of them and have VNET integration, only private traffic will go through your subnet and the rest will go through the internet. | Yes |
| 2 | WEBSITE_DNS_SERVER | 168.63.129.16 (or) custom DNS server IP address | Forces the Logic App to use a specific DNS server. Set it if required; otherwise the Logic App uses whatever DNS servers are configured on the integrated VNET. | No |
| 3 | WEBSITE_CONTENTOVERVNET | 1 | Enables the Logic App resource to access the website content over VNET traffic, i.e. over service endpoints (SE) or private endpoints (PE). | Yes |
| 4 | WEBSITE_DNS_ALT_SERVER | Alternate DNS server IP address | Forces the Logic App to use a specific DNS server when WEBSITE_DNS_SERVER is unable to resolve. Set it if required; otherwise the Logic App uses whatever DNS servers are configured on the integrated VNET. | No |
You can avoid the portal creation experience's requirement to expose the storage account to the public internet by using ARM template deployment. With ARM deployment, you do not need to open the storage account to all networks; it can be deployed directly with service endpoints or private endpoints.
If you would like to deploy a Standard Logic App with a secured storage account from automated tools such as DevOps using ARM templates, you can refer to the sample templates available in the GitHub repository below.
The GIFs below provide a glimpse of how to configure the Logic App to access the storage account using service or private endpoints.
Note: the vnetRouteAllEnabled app setting replaces, overrides and takes precedence over the legacy setting WEBSITE_VNET_ROUTE_ALL.
We generally observe the common errors below when the deployment's storage account is behind a firewall; they indicate that the Logic App is unable to access the storage account services.
System.Private.CoreLib: Access to the path 'C:\\home\\site\\wwwroot\\host.json' is denied.
{"Code":"BadRequest","Message":"Encountered an error (ServiceUnavailable) from host runtime.","Target":null,"Details": [{"Message":"Encountered an error (ServiceUnavailable) from host runtime."},{"Code":"BadRequest"},{"ErrorEntity": {"Code":"BadRequest","Message":"Encountered an error (ServiceUnavailable) from host runtime."}}],"Innererror":null}
We can’t troubleshoot the above common errors from the Kudu console, as the Logic App site itself isn’t up or working. You can use the commands below to troubleshoot access to the storage account services.
nslookup [StorageaccountHostName] [OptionalDNSServer]
Verify for all storage services:
nslookup {StorageaccountName}.blob.core.windows.net
nslookup {StorageaccountName}.file.core.windows.net
nslookup {StorageaccountName}.queue.core.windows.net
nslookup {StorageaccountName}.table.core.windows.net
psping [StorageaccountHostName] [Port] [OptionalDNSServer]
Verify for all storage services:
psping {StorageaccountName}.blob.core.windows.net:443
psping {StorageaccountName}.file.core.windows.net:443
psping {StorageaccountName}.queue.core.windows.net:443
psping {StorageaccountName}.table.core.windows.net:443
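The same two checks for all four services in one pass, as an added example (not part of the original article): it resolves each storage hostname and tests TCP 443, and also flags whether every resolved address is private, which is what you expect when private endpoints are in use (with service endpoints the names still resolve to public addresses). It assumes you run it from a machine that shares the VNET and DNS servers the Logic App uses; the function names are hypothetical.

```python
import ipaddress
import socket
import sys

SERVICES = ("blob", "file", "queue", "table")  # the four services the page checks


def resolve(host):
    """Return the sorted IPv4 addresses the local resolver gives for host."""
    infos = socket.getaddrinfo(host, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def tcp_open(ip, port=443, timeout=3.0):
    """True if a TCP connection to ip:port completes within timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_account(account, resolver=resolve, connector=tcp_open):
    """Check DNS and TCP 443 for each storage service of one account."""
    results = {}
    for svc in SERVICES:
        host = f"{account}.{svc}.core.windows.net"
        try:
            ips = resolver(host)
        except OSError:  # socket.gaierror is a subclass: name did not resolve
            results[svc] = {"host": host, "ips": [], "private": False, "reachable": False}
            continue
        results[svc] = {
            "host": host,
            "ips": ips,
            # With a private endpoint, every address should be inside the VNET.
            "private": bool(ips) and all(ipaddress.ip_address(i).is_private for i in ips),
            "reachable": any(connector(ip) for ip in ips),
        }
    return results


if __name__ == "__main__":
    # Usage: python check_storage.py <StorageaccountName>
    for svc, r in check_account(sys.argv[1]).items():
        print(f"{svc:5} {r['host']} ips={r['ips']} private={r['private']} reachable={r['reachable']}")
```

A service that resolves but is not reachable points at a firewall or routing problem; one that does not resolve, or resolves to a public address when a private endpoint is expected, points at DNS.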
References: You may refer to the below blogs for deep dive into Standard Logic App runtime and deployment using DevOps.
Azure Logic Apps Running Anywhere – Runtime Deep Dive (microsoft.com)