
[QUESTION] STATv2 preview without public storage account #433

Closed
codeX004 opened this issue Aug 15, 2023 · 1 comment
Assignees
Labels
question Further information is requested

Comments

@codeX004

Hello there, I was just looking into the STAT v2 preview version and really like the possibility to run the playbooks with a user-assigned managed identity and with the use of a function app instead of multiple playbooks compared to version 1.

In a more restrictive environment, we have Azure policies in place that do not allow the provisioning of public-facing storage accounts, so I was not sure whether there would be a possibility to restrict access to the storage account. I assume that the storage account will be accessed by the function app, but unfortunately I can't add the function app as an allowed Azure resource for accessing the storage account. Even if I add the public-facing IP addresses of the function app to the storage account, I still get a 403 while accessing the blob storage content, even though my playbook that relies on STATv2 still works as expected and is able to fetch the data regarding watchlists, TI etc. That leads me to the following questions:

  • Is there any possibility to restrict the storage account to certain resources / IP addresses instead of allowing public access?
  • Which resources must access the storage blob content? Is it only the function app?
  • Would it be possible to provide more details about the need for the storage account overall? I saw the containers azure-webjob-hosts and azure-webjob-secrets, but I'm still a bit confused about which use case the storage account is needed for.

Thank you very much for the clarifications.

@codeX004 codeX004 added the question Further information is requested label Aug 15, 2023
@briandelmsft
Owner

briandelmsft commented Aug 16, 2023

Hi @codeX004,

The only documented way I have found to secure a storage account for Azure functions involves using a Premium Function Plan and VNet Integration. This documentation can be found here.

This discussion thread seems to indicate a function may continue to operate without a storage account under some circumstances, one of those being an HTTP trigger (which STAT v2 uses). However, I don't see any official documentation indicating that it is supported. I would certainly think you would want to at least open up the outbound IPs of the function app to the storage account, but I can't make any guarantees there won't be an undesirable side effect.

What I can say for certain is at this time there is no STAT code that makes use of the storage account, so if the function itself isn't impacted, STAT will not be. I say at this time because we may at some point in the future make use of the storage account, but there is nothing at this time, or in the short term that will be put there.

@briandelmsft briandelmsft self-assigned this Aug 16, 2023
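The "open up the outbound IPs of the function app to the storage account" step from the answer above, as an added Azure CLI example (not code from the STAT project or from either participant). It assumes the resource group, function app and storage account names are supplied through `RESOURCE_GROUP`, `FUNCTION_APP` and `STORAGE_ACCOUNT`, and only runs `az` when `APPLY` is set, so the plan can be reviewed first.

```shell
#!/usr/bin/env sh
# Added example: restrict a Function App's storage account to the app's
# outbound IPs. Assumed inputs (your values): RESOURCE_GROUP, FUNCTION_APP,
# STORAGE_ACCOUNT. Requires an authenticated Azure CLI when APPLY is set.

# `az functionapp show --query outboundIpAddresses` returns one
# comma-separated string; turn it into one IP per line, de-duplicated.
split_ips() {
  printf '%s\n' "$1" | tr ',' '\n' | sed '/^$/d' | sort -u
}

# Print the exact az commands that would be run: deny by default, keep the
# trusted-Azure-services bypass, then allow each outbound IP explicitly.
plan_rules() {
  acct=$1; rg=$2; ips=$3
  printf 'az storage account update -n %s -g %s --default-action Deny --bypass AzureServices\n' "$acct" "$rg"
  split_ips "$ips" | while read -r ip; do
    printf 'az storage account network-rule add -n %s -g %s --ip-address %s\n' "$acct" "$rg" "$ip"
  done
}

# Fetch the live outbound IPs, apply the plan, then show the resulting
# networkRuleSet so the change can be verified.
apply_rules() {
  ips=$(az functionapp show -n "$FUNCTION_APP" -g "$RESOURCE_GROUP" \
        --query outboundIpAddresses -o tsv)
  plan_rules "$STORAGE_ACCOUNT" "$RESOURCE_GROUP" "$ips" | sh -e
  az storage account show -n "$STORAGE_ACCOUNT" -g "$RESOURCE_GROUP" \
    --query networkRuleSet -o json
}

if [ -n "${APPLY:-}" ]; then
  apply_rules
fi
```

Azure services deployed in the same region as the storage account reach it over internal addresses, so IP rules for the app's public outbound IPs do not admit that traffic; that matches the 403 reported in the question and is why the VNet-integration route from the answer is the documented one.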