Interacting with Azure storage accounts via Azure CLI
In some CI/CD deployments, we needed to upload files to a storage account on Azure, which resulted in some interesting storage account behavior.
1. Prerequisites for this experiment:
- Two Azure storage accounts in two different regions
- Azure resource with Azure CLI installed
2. In our example we will be using:
- Azure storage account in West Europe
- Azure storage account in France Central
- Azure Kubernetes service and Azure VM in West Europe
When we send a request via Azure CLI to upload files to a storage account that is in the same region as our Azure resource
If the storage account has an IP whitelist, even when whitelisting our Azure resource public outbound IP.
Our request is unauthorized.
When enabling access from all networks our request succeeds.
When changing storage account to the one in France Central, our request succeeds with and without IP filtering.
From the little experiment above we can conclude that our Azure resource located in the same region as the target storage account isn’t somehow using its public IP for the storage account requests. It turns out that when resources are in the same region in Azure as the target storage account, they will use a private IP to reach it.