AI Search indexer fails when both AI Search and Blob Storage have network restrictions - need PC/client IP configuration?

Question

AI Search indexer fails when both AI Search and Blob Storage have network restrictions - need PC/client IP configuration?

Su Myat Hlaing 200

Hi,

I have both Azure AI Search and Blob Storage configured with "Selected networks" (restricted access). When I run my AI Search indexer from my PC, I get a connection error to the blob storage.

Current setup:

AI Search: Network restricted to selected IPs
Blob Storage: Network restricted to selected IPs
Running indexer trigger from my PC

Error:

Error message
Credentials provided in the connection string are invalid or have expired. For more information on troubleshooting connection issues to Azure Storage accounts, please see https://go.microsoft.com/fwlink/?linkid=2049388

Additional context: The indexer works fine when I set Blob Storage to "All networks", confirming the credentials are correct.

Question: In my Blob Storage network settings, what IP addresses do I need to whitelist to allow the AI Search indexer to run successfully?

Su Myat Hlaing 200 Reputation points

2025-08-08T02:25:26.33+00:00
I was able to resolve this issue and wanted to share the solution.

What I did:

Enabled System-assigned Managed Identity on my AI Search service

Added my AI Search service to the Blob Storage network "Resource instances" allowlist

Granted "Storage Blob Data Reader" role to the AI Search service on the storage account

Updated my data source to use Managed Identity authentication instead of connection string

Result: The indexer now works with network restrictions enabled on both services.

Question : Is using Managed Identity the right/recommended approach for this scenario?

1 answer

Your answer

Su Myat Hlaing 200 Reputation points

2025-08-08T02:25:26.33+00:00

I was able to resolve this issue and wanted to share the solution.

What I did:

Enabled System-assigned Managed Identity on my AI Search service

Added my AI Search service to the Blob Storage network "Resource instances" allowlist

Granted "Storage Blob Data Reader" role to the AI Search service on the storage account

Updated my data source to use Managed Identity authentication instead of connection string

Result: The indexer now works with network restrictions enabled on both services.

Question : Is using Managed Identity the right/recommended approach for this scenario?

Answer 1

Hii Su Myat Hlaing, Yes, using Managed Identity is the recommended and secure approach for your scenario where both Azure Cognitive Search and Azure Blob Storage are restricted to Selected Networks.

Why Managed Identity Is the Right Approach

Secure Authentication
- Managed Identity eliminates the need to store and manage credentials like connection strings or keys.
- You don’t expose secrets that could be leaked or compromised.
Network Compatibility
- By allowing resource access via "Resource instances" in your Blob Storage network settings, you bypass the need for public IP whitelisting.
- This makes your setup more secure and cloud-native.
Granular Access Control
- You can assign only the necessary role (e.g., Storage Blob Data Reader) to the AI Search service.
- This follows the principle of least privilege.
Scalability and Maintenance
- No need to manage IP addresses (which can change).

Works seamlessly across environments (e.g., dev/test/prod).

You can mark it 'Accept Answer' and 'Upvote' if this helped you

Regards,

Vishvani

Share via

AI Search indexer fails when both AI Search and Blob Storage have network restrictions - need PC/client IP configuration?

1 answer

Your answer