# 403 This request is not authorized to perform this operation using this network.

- **ID:** `cloud/azure-storage-account-firewall-ip-mismatch`
- **Domain:** cloud
- **Category:** auth_error
- **Error code:** `403`
- **Verification level:** ai_generated
- **Fix rate:** 90%

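## Root Cause

The Azure storage account firewall rules blocked the request, either because the source IP is not on the allow list or because the request came from a virtual network that is not configured in the firewall.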

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|------|------|------|------|
| Azure Storage REST API 2021-02-12 | active | — | — |
| Azure SDK for .NET 12.x | active | — | — |
| Azure CLI 2.56 | active | — | — |

## Solutions

1. Add the client's public IP to the storage account firewall: `az storage account network-rule add --resource-group myrg --account-name mystorageaccount --ip-address <client-public-ip>`, with the default action kept at Deny (`az storage account update --name mystorageaccount --resource-group myrg --default-action Deny`). Verify client IP: `curl ifconfig.me`.
2. If using Azure Functions or App Service, enable VNet integration and add the subnet to the storage firewall: `az storage account network-rule add --resource-group myrg --account-name mystorageaccount --subnet /subscriptions/.../subnets/mysubnet`.

## Failed Attempts

- **** — If the request goes through a proxy or VPN, the source IP seen by Azure Storage may be the proxy/VPN IP, not the client's public IP. (70% failure rate)
- **** — While it resolves the immediate error, it exposes the storage account to the internet and violates security best practices. (50% failure rate)
- **** — SAS token IP restrictions are independent of firewall rules; both must allow the request. (85% failure rate)
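
The script below is an added example, not part of the original entry: it checks one source IP against both the firewall's IP rules and a SAS `sip` restriction, and reports which layer rejects it, as happens with a proxy/VPN egress address. The rule set and SAS URL are constructed samples and the helper names are hypothetical; only public IPv4 rules are modelled, not subnet rules.

```python
import ipaddress
import json
from urllib.parse import parse_qs, urlparse

# Constructed sample in the shape printed by
# `az storage account show -n mystorageaccount -g myrg --query networkRuleSet`.
RULE_SET = json.loads("""
{"defaultAction": "Deny",
 "ipRules": [{"action": "Allow", "ipAddressOrRange": "203.0.113.10"},
             {"action": "Allow", "ipAddressOrRange": "198.51.100.0/24"}],
 "virtualNetworkRules": []}
""")
# Constructed SAS URL; the signature is a placeholder, not a real token.
SAS_URL = ("https://mystorageaccount.blob.core.windows.net/c/b.txt"
           "?sv=2021-02-12&sip=203.0.113.10-203.0.113.20&sig=CONSTRUCTED")


def firewall_allows(rule_set, source_ip):
    """True if the account firewall's IP rules admit source_ip."""
    if rule_set.get("defaultAction") == "Allow":
        return True
    ip = ipaddress.ip_address(source_ip)
    for rule in rule_set.get("ipRules", []):
        net = ipaddress.ip_network(rule["ipAddressOrRange"], strict=False)
        if rule.get("action", "Allow") == "Allow" and ip in net:
            return True
    return False


def sas_allows(sas_url, source_ip):
    """True if the SAS has no `sip` restriction or source_ip is inside it."""
    sip = parse_qs(urlparse(sas_url).query).get("sip")
    if not sip:
        return True
    start, _, end = sip[0].partition("-")  # single IP or start-end range
    ip = ipaddress.ip_address(source_ip)
    return ipaddress.ip_address(start) <= ip <= ipaddress.ip_address(end or start)


def diagnose(rule_set, sas_url, source_ip):
    """Return the layers that reject source_ip; an empty list means both pass."""
    blocked = []
    if not firewall_allows(rule_set, source_ip):
        blocked.append("firewall")
    if not sas_allows(sas_url, source_ip):
        blocked.append("sas")
    return blocked
```

Pass the address the service actually sees (the proxy or VPN egress IP when one is in the path), not the workstation's own address.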
