# 403 This request is not authorized to perform this operation using this network. - **ID:** `cloud/azure-storage-account-firewall-ip-mismatch` - **Domain:** cloud - **Category:** auth_error - **Error Code:** `403` - **Verification:** ai_generated - **Fix Rate:** 90% ## Root Cause Azure Storage account firewall rules block the request because the source IP is not in the allowed list, or the request is from a virtual network that is not configured in the firewall. ## Version Compatibility | Version | Status | Introduced | Deprecated | |---------|--------|------------|------------| | Azure Storage REST API 2021-02-12 | active | — | — | | Azure SDK for .NET 12.x | active | — | — | | Azure CLI 2.56 | active | — | — | ## Workarounds 1. **Add the client's public IP to the storage account firewall: `az storage account update --name mystorageaccount --resource-group myrg --default-action Deny --add ip-rules `. Verify client IP: `curl ifconfig.me`.** (90% success) ``` Add the client's public IP to the storage account firewall: `az storage account update --name mystorageaccount --resource-group myrg --default-action Deny --add ip-rules `. Verify client IP: `curl ifconfig.me`. ``` 2. **If using Azure Functions or App Service, enable VNet integration and add the subnet to the storage firewall: `az storage account network-rule add --resource-group myrg --account-name mystorageaccount --subnet /subscriptions/.../subnets/mysubnet`.** (95% success) ``` If using Azure Functions or App Service, enable VNet integration and add the subnet to the storage firewall: `az storage account network-rule add --resource-group myrg --account-name mystorageaccount --subnet /subscriptions/.../subnets/mysubnet`. ``` ## Dead Ends - **** — If the request goes through a proxy or VPN, the source IP seen by Azure Storage may be the proxy/VPN IP, not the client's public IP. (70% fail) - **** — While it resolves the immediate error, it exposes the storage account to the internet and violates security best practices. (50% fail) - **** — SAS token IP restrictions are independent of firewall rules; both must allow the request. (85% fail)