Monday, August 9, 2021

Deploying Standard Logic App to Storage Account behind Firewall using Service or Private Endpoints

Standard Logic App is powered by the new Azure single-tenant Logic Apps runtime, which runs as an extension on top of the Azure Functions runtime. Like Azure Functions, a Standard Logic App uses storage account services (Blob, File Share, Queue and Table) for various purposes. For instance, the website content is stored in a File Share that the Logic App site must be able to read in order to start and stay running. You can refer to this blog to understand how the storage services are used in a Standard Logic App.

 

In this article, we will see how to access the storage account services on a secured network using Service Endpoints or Private Endpoints from a Standard Logic App.

By default, the portal creation experience for Logic Apps expects the storage account to be accessible on its public endpoint. Let us explore the options below for accessing the storage account over a secured network.

 

Deploy Logic App Standard resource with secured access to the storage account using the portal:

  • The storage account needs to be accessible on its public endpoint, i.e. network access set to 'All networks'.
  • Create the Logic App resource, selecting the storage account created above during the Logic App creation process.
  • Enable Service Endpoints or Private Endpoints (for all services, i.e. blob, table, file and queue) on the storage account.
  • Enable VNET integration for the Logic App resource with the VNET and subnet that have access to the storage account over the Service Endpoint (SE) or Private Endpoints (PE).
  • Set the configuration settings (app settings) below to access the storage over SE or PEs.

S.No | Configuration Setting   | Value                                           | Comments
-----|-------------------------|-------------------------------------------------|---------
1    | WEBSITE_VNET_ROUTE_ALL  | 1                                               | Routes all outbound traffic from the Logic App resource via the integration VNET and subnet.
2    | WEBSITE_DNS_SERVER      | 168.63.129.16 (or) custom DNS server IP address | Used for resolving all host names to IPs. You can set either the default Azure DNS IP or a custom DNS server IP address.
3    | WEBSITE_CONTENTOVERVNET | 1                                               | Enables the Logic App resource to access the website content over VNET traffic, i.e. on SE or PEs.
4    | WEBSITE_DNS_ALT_SERVER  | Alternate DNS server IP address                 | IP address of the fallback DNS server for outgoing connections when WEBSITE_DNS_SERVER is unable to resolve a name.

  • There is no need to restart the Logic App site when you update app settings or add new workflows; the Logic App restarts gracefully in incremental mode without impacting existing runs. However, it is not recommended to make changes while there are in-process transactions.

 

Deploy Logic App Standard resource with secured access to the storage account using automated deployment tools:

You can avoid the portal creation experience's requirement to expose the storage account to the public internet by deploying with an ARM template. With ARM deployment, you do not need to open the storage account to all networks; it can be deployed directly with Service Endpoints or Private Endpoints.

If you would like to deploy a Standard Logic App with a secured storage account from automated tools such as Azure DevOps using ARM templates, you can refer to the sample templates available in the GitHub repository below.

VeeraMS/LogicApp-deployment-with-Secure-Storage: Deploying Logic App standard resource with Storage account having Private endpoints (github.com)

The GIFs below give a glimpse of how to configure the Logic App to access the storage account using Service or Private Endpoints.

 

Access over Storage Service Endpoint:

[GIF: Access_Using_ServiceEndpoint.gif]

Access over Storage Private Endpoints:

[GIF: PrivateEndpoint.gif]

 

Note: the vnetRouteAllEnabled setting replaces, overrides and takes precedence over the legacy setting WEBSITE_VNET_ROUTE_ALL.

 

Common errors when the storage account is behind a firewall:

We generally observe the common errors below when the deployment storage account is behind a firewall; they indicate that the Logic App is unable to access the storage account services.

 

  • Access to host.json is denied:

System.Private.CoreLib: Access to the path 'C:\\home\\site\\wwwroot\\host.json' is denied.


 

  • Unable to load workflows in the Logic App:

     You may observe that workflows are not visible in the Logic App after storage access is changed to selected networks or Private Endpoints. Check the browser logs; they may show the error below.
 {"Code":"BadRequest","Message":"Encountered an error (ServiceUnavailable) from host runtime.","Target":null,"Details":[{"Message":"Encountered an error (ServiceUnavailable) from host runtime."},{"Code":"BadRequest"},{"ErrorEntity":{"Code":"BadRequest","Message":"Encountered an error (ServiceUnavailable) from host runtime."}}],"Innererror":null}

 

Troubleshooting common errors:

We can't troubleshoot the above errors from the Kudu console because the Logic App site itself is not up. You can use the steps below to troubleshoot access to the storage account services.

 

  • Create an Azure VM in the same VNET the Logic App is integrated with; it can be in a different subnet.
  • The simplest test is to access the storage account services using the Storage Explorer tool. If there are connectivity issues with this tool, continue with the steps below.
  • Run nslookup from the command prompt and make sure the storage services resolve to the intended IP addresses. With a Service Endpoint they should resolve to the public IP; with Private Endpoints, verify that all services resolve to the respective NIC private IP addresses.
            nslookup [StorageaccountHostName] [OptionalDNSServer]

          Verify for all storage services:

                           nslookup {StorageaccountName}.blob.core.windows.net
                           nslookup {StorageaccountName}.file.core.windows.net
                           nslookup {StorageaccountName}.queue.core.windows.net
                           nslookup {StorageaccountName}.table.core.windows.net

  • If the DNS queries resolve, check with psping or tcpping that the storage account is reachable on port 443.
                 psping [StorageaccountHostName]:[Port]

         Verify for all storage services:

                         psping {StorageaccountName}.blob.core.windows.net:443
                         psping {StorageaccountName}.file.core.windows.net:443
                         psping {StorageaccountName}.queue.core.windows.net:443
                         psping {StorageaccountName}.table.core.windows.net:443

  • If the names resolve and connect from the Azure VM, check which DNS server the VM uses for resolution, set the same server in the Logic App's WEBSITE_DNS_SERVER setting and verify again. Also make sure that the Logic App's VNET integration uses the appropriate VNET and subnet.
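A scripted form of the nslookup and psping checks above, added for this article and not taken from it: it resolves all four storage host names, checks whether each answer is a private IP (expected with Private Endpoints) or a public IP (expected with a Service Endpoint), and opens a TCP connection on port 443. The resolver and connection functions are injectable so the logic can be exercised offline; the storage account name you pass in is yours, and any names in the comments are constructed examples.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# The four storage services a Standard Logic App depends on (blob, file, queue, table).
STORAGE_SERVICES = ("blob", "file", "queue", "table")

def storage_hosts(account: str) -> List[str]:
    """Public host names of all four storage services for one storage account."""
    return [f"{account}.{svc}.core.windows.net" for svc in STORAGE_SERVICES]

def default_resolve(host: str) -> Optional[str]:
    """Resolve a host name to an IPv4 address (the nslookup step); None on failure."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None

def default_tcp_check(ip: str, port: int = 443, timeout: float = 3.0) -> bool:
    """Open a TCP connection to ip:port (the psping/tcpping step)."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_storage_access(account: str, expect_private_endpoint: bool,
                         resolve: Callable[[str], Optional[str]] = default_resolve,
                         tcp_check: Callable[[str, int], bool] = default_tcp_check) -> Dict[str, dict]:
    """Per service: did DNS answer, does the answer match the SE/PE expectation, is TCP 443 open."""
    report: Dict[str, dict] = {}
    for host in storage_hosts(account):
        ip = resolve(host)
        entry = {"ip": ip, "dns_ok": ip is not None, "endpoint_ok": False, "tcp_ok": False}
        if ip is not None:
            # A Private Endpoint answers with the NIC's private IP; a Service Endpoint keeps the
            # public IP. A public answer where PE is expected points at the DNS server in use.
            is_private = ipaddress.ip_address(ip).is_private
            entry["endpoint_ok"] = is_private == expect_private_endpoint
            entry["tcp_ok"] = tcp_check(ip, 443)
        report[host] = entry
    return report

def all_ok(report: Dict[str, dict]) -> bool:
    """True only when every service resolved as expected and accepted a TCP connection."""
    return all(e["dns_ok"] and e["endpoint_ok"] and e["tcp_ok"] for e in report.values())
```

From the Azure VM in the integrated VNET, call check_storage_access("<your account>", True) for Private Endpoints or False for a Service Endpoint, and set WEBSITE_DNS_SERVER on the Logic App to whichever DNS server makes all four entries pass.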

 

References: you may refer to the blogs below for a deep dive into the Standard Logic App runtime and deployment using DevOps.

Azure Logic Apps Running Anywhere – Runtime Deep Dive (microsoft.com)

Deploying an Azure Logic Apps Standard workflow through Azure DevOps Pipeline - Microsoft Tech Community

 
