We have an Azure Storage Account that we need to access from our company but it also needs to be accessible to one of our web apps in the same Resource group. This app is only visible to our company and some other apps that use some parts of it.
So the path looks something like this:
Storage account (Secured for App1 and our company) <= App1 (Secured for Other Apps and our company) <= Other apps (Publicly available)
My question is: How to secure/setup the storage account so the App1 can use it but it is still only available to our company without using VNET?
Currently there is only the exception for our company on the storage account. And the "Allow Azure services on the trusted services list to access this storage account." setting allowed which I read on some Technet thread that it should allow the access of resources in the same subscripition to the storage account which it unfortunatelly doesnt as Web Apps dont seem to be on the trusted list for some reason.
The App1 is .NET Framowork 4.8 connecting to the storage in the account via conenction string and is using a container inside it. When the Networking security is disabled everything is working properly.
So far I have tried the following:
- Allowing all the outbound address of App1 on the storage account FW
- Giving App1 an Identity and assigning it with the Storage Blob Data Contributor role on Subscription lvl per this manual https://docs.microsoft.com/en-us/azure/app-service/scenario-secure-app-access-storage?tabs=azure-portal%2Cprogramming-language-csharp
Is there any option that could do the trick before we start messing with VNETs which should work?
