403
cloud
auth_error
ai_generated
true
403 This request is not authorized to perform this operation using this network.
ID: cloud/azure-storage-account-firewall-ip-mismatch
90%Fix Rate
88%Confidence
1Evidence
2023-11-05First Seen
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| Azure Storage REST API 2021-02-12 | active | — | — | — |
| Azure SDK for .NET 12.x | active | — | — | — |
| Azure CLI 2.56 | active | — | — | — |
Root Cause
Azure Storage account firewall rules block the request because the source IP is not in the allowed list, or the request is from a virtual network that is not configured in the firewall.
generic中文
Azure存储帐户防火墙规则阻止了请求,因为源IP不在允许列表中,或者请求来自未在防火墙中配置的虚拟网络。
Official Documentation
https://learn.microsoft.com/en-us/azure/storage/common/storage-network-securityWorkarounds
-
90% success Add the client's public IP to the storage account firewall: `az storage account update --name mystorageaccount --resource-group myrg --default-action Deny --add ip-rules <client-public-ip>`. Verify client IP: `curl ifconfig.me`.
Add the client's public IP to the storage account firewall: `az storage account update --name mystorageaccount --resource-group myrg --default-action Deny --add ip-rules <client-public-ip>`. Verify client IP: `curl ifconfig.me`.
-
95% success If using Azure Functions or App Service, enable VNet integration and add the subnet to the storage firewall: `az storage account network-rule add --resource-group myrg --account-name mystorageaccount --subnet /subscriptions/.../subnets/mysubnet`.
If using Azure Functions or App Service, enable VNet integration and add the subnet to the storage firewall: `az storage account network-rule add --resource-group myrg --account-name mystorageaccount --subnet /subscriptions/.../subnets/mysubnet`.
中文步骤
Add the client's public IP to the storage account firewall: `az storage account update --name mystorageaccount --resource-group myrg --default-action Deny --add ip-rules <client-public-ip>`. Verify client IP: `curl ifconfig.me`.
If using Azure Functions or App Service, enable VNet integration and add the subnet to the storage firewall: `az storage account network-rule add --resource-group myrg --account-name mystorageaccount --subnet /subscriptions/.../subnets/mysubnet`.
Dead Ends
Common approaches that don't work:
-
70% fail
If the request goes through a proxy or VPN, the source IP seen by Azure Storage may be the proxy/VPN IP, not the client's public IP.
-
50% fail
While it resolves the immediate error, it exposes the storage account to the internet and violates security best practices.
-
85% fail
SAS token IP restrictions are independent of firewall rules; both must allow the request.