Health Probe Configuration for Azure Storage Account Behind Azure Application Gateway

Question

Health Probe Configuration for Azure Storage Account Behind Azure Application Gateway

Wicki, Sandro 25

In a scenario where Azure Storage Accounts are behind an Azure Application Gateway with WAFv2, the public network access of the storage account is disabled, and it has a private endpoint. Anonymous access and SAS tokens are also disabled on the storage account.

What options are available in the Azure Application Gateway to configure a Health Probe for Azure Storage Accounts that returns a proper HTTP 2xx response code in this setup?

Alex Burlachenko 4,310 Reputation points

2025-03-27T18:15:59.5666667+00:00

So, thanks, that confirm I was right... thx. Rgds, Alex
Wicki, Sandro 25 Reputation points

2025-03-28T13:46:49.3466667+00:00

Hello

Thanks for your response. The first option is what I am looking for but when setting up the health probe the request still fails. In the blob storage logs i see the following requests:

In the storage account i assigned the "Reader" role to the app gateway identity.

Is there another settings which needs to be set to enable authentication?
Ganesh Patapati 5,440 Reputation points Microsoft External Staff

2025-03-31T14:02:44.6533333+00:00
Hello Wicki, Sandro

Thanks for the reply!

If your Azure Storage Account has anonymous access disabled and uses a private endpoint, Application Gateway’s default health probes will fail with a 409 (AuthorizationFailure) because the probes don’t include Authorization headers. You can try to configure the custom header 'Authorization: SharedAccessSignature sv=2020-08-04&ss=...&sig=... (your SAS token)'.

Refer: https://learn.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#about-anonymous-read-access

Meantime another approach to achieve this we have tested it in our lab, and it is working fine.

Ensure that your Azure Blob Storage container is configured for anonymous access at blob level or container level.

In the Azure Portal:

Go to your storage account → Blob Service → Containers.

Select the container you want to make anonymous and click Change access level.

Set the Public access level to Blob (anonymous read access for blobs only) or Container (anonymous read access for container and its blobs), based on your needs.

If above is unclear and/or you are unsure about something add a comment below.
Ganesh Patapati 5,440 Reputation points Microsoft External Staff

2025-04-01T10:51:14.3166667+00:00

Hello Wicki, Sandro

If above is unclear and/or you are unsure about something add a comment below.

Just checking in to see if below information was helpful. If you have any further updates on this issue, please feel free to post back.

Accepted answer

1 additional answer

Your answer

Alex Burlachenko 4,310 Reputation points

2025-03-27T18:15:59.5666667+00:00

So, thanks, that confirm I was right... thx. Rgds, Alex
Wicki, Sandro 25 Reputation points

2025-03-28T13:46:49.3466667+00:00

Hello

Thanks for your response. The first option is what I am looking for but when setting up the health probe the request still fails. In the blob storage logs i see the following requests:

In the storage account i assigned the "Reader" role to the app gateway identity.

Is there another settings which needs to be set to enable authentication?
Ganesh Patapati 5,440 Reputation points Microsoft External Staff

2025-03-31T14:02:44.6533333+00:00

Hello Wicki, Sandro

Thanks for the reply!

If your Azure Storage Account has anonymous access disabled and uses a private endpoint, Application Gateway’s default health probes will fail with a 409 (AuthorizationFailure) because the probes don’t include Authorization headers. You can try to configure the custom header 'Authorization: SharedAccessSignature sv=2020-08-04&ss=...&sig=... (your SAS token)'.

Refer: https://learn.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#about-anonymous-read-access

Meantime another approach to achieve this we have tested it in our lab, and it is working fine.

Ensure that your Azure Blob Storage container is configured for anonymous access at blob level or container level.

In the Azure Portal:

Go to your storage account → Blob Service → Containers.

Select the container you want to make anonymous and click Change access level.

Set the Public access level to Blob (anonymous read access for blobs only) or Container (anonymous read access for container and its blobs), based on your needs.

If above is unclear and/or you are unsure about something add a comment below.
Ganesh Patapati 5,440 Reputation points Microsoft External Staff

2025-04-01T10:51:14.3166667+00:00

Hello Wicki, Sandro

If above is unclear and/or you are unsure about something add a comment below.

Just checking in to see if below information was helpful. If you have any further updates on this issue, please feel free to post back.

Answer 1

Hi Wicki,

Nice question! And thx for asking it here at Q&A portal.

So, in general u have two main options to configure a working health probe in Application Gateway

First one is authenticated probe to blob service root (/)

The storage account returns 200 OK on GET / if reachable. Authentication required to use managed identity (best one) or a storage key.

As well you should enable system-assigned managed identity on the App Gateway. Grant it the "Storage Blob Data Reader" role on the storage account.

Configure the probe with

Host: [storage-name].blob.core.windows.net
Path: /
Custom Hostname: Enabled

Second way is static website endpoint (if its enabled of coz) it is more simple but less secure (depends of what u would like :). If static websites are enabled, /$web/index.html can return 200 OK without auth (if network-restricted). Requires enabling static websites thas may not fit all scenarios.

Below links to some sutiable docs which is allow to clear understanding issue

Best regards,

Alex

P.S. If my answer help to you, please Accept my answer

Wicki, Sandro 25 Reputation points

2025-04-22T13:28:01.7666667+00:00

Accepted as answer as the seconding option worked, but the first one didn't.

Answer 2

Ganesh Patapati 5,440 Microsoft External Staff

Hello Wicki, Sandro

In addition to the above Alex Burlachenko response, I have recreated the scenario in my lab and observed 200 OK responses from the backend storage account with the private link enabled and public access, Anonymous access and SAS token disabled.

For the private connectivity test for the storage account, we created a test VM on the same storage account and app gateway VNet, and it is resolving to a private IP.

User's image

Application gateway 200 Ok received

User's image

Please do consider to “up-vote” and "Accept the answer" wherever the information provided helps you, this can be beneficial to other community members.

Praveen Bandaru 2,665 Reputation points Microsoft External Staff

2025-03-28T10:29:39.9633333+00:00

Hello Wicki, SandroFollowing up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know

Please do consider to “up-vote” and "Accept the answer" wherever the information provided helps you, this can be beneficial to other community members.

Share via

Health Probe Configuration for Azure Storage Account Behind Azure Application Gateway

1 additional answer

Your answer