Hi @Amit Thore,
To meet the security KPI requirements of limiting access to specific networks or IP addresses and avoiding the use of access keys or storage account keys, you can configure a User Delegation SAS (Shared Access Signature) to work with the network rules for selected networks.
Please follow the below steps:
1. Configure Storage Account Firewalls and Virtual Networks:
First, you need to configure the network settings on your Azure Storage account to allow access only from selected networks or IP addresses. This is done in the Azure Portal.
- Go to your Storage Account.
- Navigate to Networking > Firewalls and virtual networks.
- Choose Selected networks.
- Add the IP ranges or Virtual Network/Subnet you wish to allow.
2. Generate User Delegation SAS Token with IP Restrictions:
Ensure that the SAS token includes the necessary permissions and restrictions for accessing blobs.
The restrictions must be applied at two levels:
- Network-level restrictions in the storage account (only allow access from certain IPs or networks).
- IP-range restrictions directly in the SAS token.
3. Verify the Network Restrictions:
Make sure that the storage account network settings permit traffic only from the specified IP ranges or VNets. You can verify that the SAS URI functions correctly by testing it from both an allowed IP and a non-allowed IP.
Here is the updated version of your code that creates a User Delegation SAS and applies network-level restrictions based on specific IP ranges:

using System;
using System.Net;
using System.Threading.Tasks;
using Azure.Storage.Blobs;
using Azure.Storage.Blobs.Models;
using Azure.Storage.Sas;

// Assumes a BlobServiceClient authenticated with an Azure AD credential
// (for example DefaultAzureCredential), not with an account key.
private readonly BlobServiceClient blobServiceClient;

public async Task<Uri> GenerateSASWithNetworkRestrictions(string containerName, string blobName)
{
    BlobClient blobClient = blobServiceClient.GetBlobContainerClient(containerName).GetBlobClient(blobName);

    DateTimeOffset startsOn = DateTimeOffset.UtcNow;
    DateTimeOffset expiresOn = startsOn.AddHours(1);

    // Request a user delegation key from the service; it is tied to the caller's Azure AD identity,
    // so no storage account key is involved.
    UserDelegationKey delegationKey = await blobServiceClient.GetUserDelegationKeyAsync(startsOn, expiresOn);

    // Example IP range: only clients presenting an address in this range may use the SAS.
    SasIPRange allowedIpRange = new SasIPRange(IPAddress.Parse("192.168.1.1"), IPAddress.Parse("192.168.1.255"));

    BlobSasBuilder sasBuilder = new BlobSasBuilder
    {
        BlobContainerName = containerName,
        BlobName = blobName,
        Resource = "b", // "b" = a single blob
        StartsOn = startsOn,
        ExpiresOn = expiresOn,
        IPRange = allowedIpRange
    };
    sasBuilder.SetPermissions(BlobSasPermissions.Read);

    // Sign the SAS with the user delegation key; the account name is required for the signature.
    string sasToken = sasBuilder.ToSasQueryParameters(delegationKey, blobServiceClient.AccountName).ToString();
    Uri blobSASURI = new Uri(blobClient.Uri.ToString() + "?" + sasToken);
    Console.WriteLine($"Generated SAS URI: {blobSASURI.AbsoluteUri}");
    return blobSASURI;
}
Please let us know if you have any further queries. I’m happy to assist you further.
Please consider "up-voting" and "accepting the answer" wherever the information provided helps you, as this can be beneficial to other community members.
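As an added check for step 3 (this helper is not part of the answer above), the following C# method attempts a read with the generated SAS URI and reports whether the service accepted it; run it once from an allowed address and once from a non-allowed address to confirm that both the SAS IP range and the storage firewall are enforced. It assumes the Azure.Storage.Blobs package is referenced and that the SAS URI comes from the generator above.

```csharp
using System;
using System.Threading.Tasks;
using Azure;
using Azure.Storage.Blobs;

// Returns true if the blob could be read with the SAS, false if the service
// rejected the request with HTTP 403 (for example because the caller's IP is
// outside the SAS IPRange or is blocked by the storage account firewall).
// Any other failure (network error, 404, expired SAS giving a different code) propagates.
public static async Task<bool> CanReadWithSasAsync(Uri blobSasUri)
{
    // A BlobClient built from a SAS URI needs no credential: the SAS itself is the authorization.
    BlobClient client = new BlobClient(blobSasUri);
    try
    {
        await client.DownloadContentAsync();
        Console.WriteLine("Read succeeded: this address is allowed.");
        return true;
    }
    catch (RequestFailedException ex) when (ex.Status == 403)
    {
        // ErrorCode carries the storage error string returned by the service.
        Console.WriteLine($"Read denied (403, {ex.ErrorCode}): this address is not allowed.");
        return false;
    }
}
```

A result of true from an address outside the configured range means one of the two restriction levels is not in effect and should be rechecked.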