Tags: 403, cloud, auth_error, ai_generated: true
403 This request is not authorized to perform this operation using this network.
ID: cloud/azure-storage-account-firewall-ip-mismatch
Fix rate: 90%
Confidence: 88%
Evidence count: 1
First seen: 2023-11-05
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| Azure Storage REST API 2021-02-12 | active | — | — | — |
| Azure SDK for .NET 12.x | active | — | — | — |
| Azure CLI 2.56 | active | — | — | — |
Root cause analysis
Azure Storage account firewall rules block the request because the source IP is not in the allowed list, or because the request originates from a virtual network that is not configured in the firewall.
Official documentation
https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security
Solutions
- Add the client's public IP to the storage account firewall. Keep the default action at Deny and add an explicit IP rule: `az storage account update --name mystorageaccount --resource-group myrg --default-action Deny`, then `az storage account network-rule add --resource-group myrg --account-name mystorageaccount --ip-address <client-public-ip>`. IP rules accept public IPv4 addresses only. Verify the client's public IP as seen from the path the request actually takes: `curl ifconfig.me`.
- If using Azure Functions or App Service, enable VNet integration and add the integrated subnet to the storage firewall (the subnet must have the `Microsoft.Storage` service endpoint enabled): `az storage account network-rule add --resource-group myrg --account-name mystorageaccount --subnet /subscriptions/.../subnets/mysubnet`.
Ineffective attempts
Common but ineffective approaches:
- 70% failure rate: If the request goes through a proxy or VPN, the source IP seen by Azure Storage is the proxy/VPN egress IP, not the client's public IP, so an IP rule for the client's own address does not match.
- 50% failure rate: Opening the firewall to all networks resolves the immediate error, but it exposes the storage account to the internet and violates security best practices.
- 85% failure rate: SAS token IP restrictions are independent of firewall rules; both must allow the request, so a SAS token alone does not get past a firewall that denies the source network.