I have configured an Application Gateway with an Azure Storage Account blob as a backend target in a Backend Pool.
This enables public access to the contents of the blob storage via the App Gateway. However, when Blob anonymous access is disabled, the health probe receives a 409 error (PublicAccessNotPermitted).
To resolve this issue, I've assigned Storage Blob Data Reader permissions to the Managed Identity of the Application Gateway.
Unfortunately, this hasn't resolved the issue. Is there a way for the Application Gateway to successfully authenticate with the Storage Account?
If not, it seems the only other option would be to create a Static Website on the Storage Account.
Azure Application Gateway does not support managed identities for accessing Azure Storage Accounts with authentication; it only supports managed identities for Azure Key Vault.
To access an Azure Storage Account from an Application Gateway's public IP, ensure that your storage is accessible over the public network. It is not possible to access the storage account authorized by using Managed Identity from the Application Gateway.
Once I enable public access to the storage account, I will be able to access it from the application gateway.
Reference: Manage application identities securely and automatically