Blob Storage 403 unauthorized

Question

We have multiple backend APIs hosted on Azure web app under same plan. All APIs have same outbound ips, and all these APIs enabled access restriction, these APIs only accessible within the api gateway. We have blob storage, we have also enable restriction on it (Networking Enabled from selected virtual networks and IP addresses  Firewall, added all APIs ips on it), Now when APIs going to fetch some image from blob it throw following error,

Azure.RequestFailedException: This request is not authorized to perform this operation.
RequestId:0bc5827d-c01e-0030-382f-929e61000000
Status: 403 (This request is not authorized to perform this operation.)
ErrorCode: AuthorizationFailure
Content:
<?xml version="1.0" encoding="utf-8"?><Error><Code>AuthorizationFailure</Code><Message>This request is not authorized to perform this operation.
RequestId:0bc5827d-c01e-0030-382f-929e61000000
Time:2023-05-29T13:11:56.0013545Z</Message></Error

Point to be noted that both APIs and blob are not using vNet, and both are on same resource group and using the same Identity but when we remove network restriction on storage account it works fine

Answer 1

I tried the same in my environment and got the same error like below:

HTTP/1.1 403 This request is not authorized to perform this operation.
content-length: 246
content-type: application/xml
date: Wed, 31 May 2023 12:19:02 GMT
request-context: appId=cid-v1:fd69b195-73bf-4983-8e10-20874ab6fd70
vary: Origin
x-ms-error-code: AuthorizationFailure
x-ms-request-id: 0482fe63-001e-0005-0cba-93338e000000

Added App service Access Restrictions to Ip address or virtual network like below:

In storage account firewall added Ip address like below:

Make sure in Exceptions allow azure service on the trusted service list to access this storage account

Turn on managed identity in APIM. Assign Storage Blob Data Contributor role to Azure APIM service principal under storage container.

Now access restriction in App service and allow only the required Ip and same for storage account it executed successfully like below:

HTTP/1.1 200 OK
accept-ranges: bytes
content-length: 534283
content-md5: Fq04hjyWtblQ0ljt0ObAeQ==
content-type: image/png
date: Wed, 31 May 2023 12:56:56 GMT
etag: "0x8DB61A69A90XXX"
last-modified: Wed, 31 May 2023 07:13:58 GMT
request-context: appId=cid-v1:fd69b195-73bf-4983-8e10-20874ab6fd70
vary: Origin
x-ms-blob-type: BlockBlob
x-ms-creation-time: Wed, 31 May 2023 07:13:58 GMT
x-ms-lease-state: available
x-ms-lease-status: unlocked
x-ms-request-id: 8c7194fc-601e-0061-04bf-XXXXXXX
x-ms-server-encrypted: true
x-ms-version: 2017-11-09

Reference:

Secure Azure Blob Storage with Azure API Management & Managed Identities | by Marcus Tee | Marcus Tee Anytime | Medium by Marcus Tee