Restricting access to storage account containing package blob for cloud service (extended support) deployment

I'm nearly done migrating our cloud service (classic) deployments to cloud service (extended support). I'm working now on updating deployment pipelines. My package blob is located in a storage account. I create a SAS for the blob and use an API call to management.azure.com to create/update the deployment, passing ARM template as the body of the request.

This works correctly as long as the storage account with the package blob has its network set to "allow access from all networks". I want to restrict this access. I set the allow access from:

• specific IP addresses of our devops servers
• our own IP addresses
• private vnet/subnets for the cloud service

I also tick the "Allow Azure services on the trusted services list to access this storage account" checkbox.

Yet, API call fails with error message indicating access is not allowed to the blob. When I change the storage account network configuration to "allow access from all networks", everything works correctly.

With lots of searches, I found only one hit explaining the same problem - https://github.com/Azure/azure-powershell/issues/20299 - yet no solution has been suggested other than allowing access from all networks.

I must be missing some trick - but what is it? How can I restrict access to the storage account?

There are two things you can look at here:

1. Using the private IP's of your cloud service vNet won't work as the storage account only see's the public IP. By default your outbound public IP will be randomly assigned, but you can make this static by attaching a Nat Gateway to the vNet and then allowing the public IP of that gateway to storage firewall.

2. Alternatively you could also use a Private Endpoint to join the storage account to your vNet, this would then mean that the cloud service would access it over a private IP and would be allowed through the firewall. This might be the simplest and cheapest option.