How to whitelist Power Pages API on an Azure Storage Account

(1) Share

Report

Posted on by Dru0056

I followed this article to setup file download/upload to an Azure storage account.

In addition to limiting the permissions on the storage account to the service principal of our power pages site, my company requires that our storage accounts be network restricted.

I was able to get the sample code working with my storage account being open to all networks, but I've been trying to figure out the best way to restrict it. Its my understanding that the file upload works by having the client side script call the power pages API, which in turn passes the file stream along to the storage account. This means that my users don't need network access to the storage account, but the power pages API does.

I haven't found much information on this so far, the best I've been able to come up with is to check the "Enable from selected virtual networks and IP addresses" setting under "Networking" on the storage account, then I provided the IP of the power pages API. I got the IP by digging it out of the storage account's logs, and later found that it is included in the IP ranges listed my Microsoft's "Azure IP Ranges and Service Tags" page. That list has dozens of IP ranges for my region, I'm assuming I'd have to whitelist them all.

Download Azure IP Ranges and Service Tags – Public Cloud from Official M...

Azure IP Ranges and Service Tags – Public Cloud

I'm wondering if anyone has a better solution to allow the power pages API to reach a storage account that is not open to all networks.

Categories:

General topics

I have the same question (0)

All responses (4)

Answers (0)

Suggested answer

Jerald Felix 348 Super User 2026 Season 1 on at

Like (0)

Report
Copy link

Link copied!
Hello Dru0056!

To whitelist Power Pages API on an Azure Storage Account with network restrictions, here are recommended best practices:

Azure Storage supports configuring network rules under the Networking settings on the storage account. You can restrict access by enabling "Selected networks" and adding allowed virtual networks, IP address ranges, or specific Azure resource instances.

Since Power Pages API calls the storage on behalf of users, your users do not require direct network access to the storage account. Instead, the Power Pages API and its backend service need access.

The best approach is to add Microsoft service tags related to Power Platform and Azure services to your storage account's firewall rules. Microsoft publishes IP ranges and service tags, such as PowerPlatform, AzureCloud, or Storage, which can be used to allow traffic from all Azure-related IPs dynamically, avoiding manual whitelisting of dozens of IP addresses.

You can find the latest IP ranges and service tags for your Azure region on the Azure IP Ranges and Service Tags page and use service tags in your storage account firewall settings where possible.

If needed, identify the exact IP ranges from your storage logs or request network traces and then add those IP ranges as IP network rules, but this is less maintainable than using service tags.

Another option is deploying your Power Pages backend or API inside an Azure Virtual Network and granting that VNet access to the storage through Virtual Network rules.

Lastly, ensure your Power Pages site's service principal or managed identity has the required role permissions (e.g., Storage Blob Data Contributor) for authorization.

This approach secures your storage account while allowing Power Pages API access without opening access to all networks.

Best regards,
Jerald Felix

Was this reply helpful? Yes No
Anjan on at

Like (0)

Report
Copy link

Link copied!

@Jerald Felix, From the Microsoft Azure IP Addresses range file (attached the json file from Microsoft), I have added the ip addresses (both together count of IP's are 94) of "PowerPlatformInfra.AustraliaSoutheast" and "PowerPlatformInfra.AustraliaEast" to the Storage Account's "IPv4 Addresses" section. It was painful to add each IP address though. Still I am getting IP address error on my Power Pages site's page. Here is the error.

My Power Pages site and Storage Account are in Australia Region.

What other IPs, I am missing here.

Regards

Anjan

ServiceTags_Publi...
Your file is currently under scan for potential threats. Please wait while we review it for any viruses or malicious content.

Was this reply helpful? Yes No
Anjan on at

Like (0)

Report
Copy link

Link copied!

@Dru0056, are you able to implement the enabling IP Address on storage account? Please share the process and the list of IPs which were added.

Thanks

Was this reply helpful? Yes No
Anjan on at

Like (0)

Report
Copy link

Link copied!

@Jerald Felix, From the Microsoft Azure IP Addresses range file (the json file from Microsoft), I have added the ip addresses (both together count of IP's are 94) of "PowerPlatformInfra.AustraliaSoutheast" and "PowerPlatformInfra.AustraliaEast" to the Storage Account's "IPv4 Addresses" section. It was painful to add each IP address though. Still I am getting IP address error on my Power Pages site's page. Here is the error.

My Power Pages site and Storage Account are in Australia Region.

What other IPs, I am missing here.

Regards

Anjan

Was this reply helpful? Yes No