| author | msangapu-msft | ||
|---|---|---|---|
| ms.service | azure-app-service | ||
| ms.topic | include | ||
| ms.date | 02/09/2026 | ||
| ms.author | msangapu | ||
| ms.custom |
|
Note
NFS support is now available for App Service on Linux.
This guide shows how to mount Azure Storage as a network share in a built-in Linux container or a custom Linux container in App Service. Azure Storage is Microsoft's cloud storage solution for modern data storage scenarios. Azure Storage offers highly available, massively scalable, durable, and secure storage for data objects in the cloud. Azure Storage isn't the default storage for App Service. It's billed separately. You can also configure Azure Storage in an ARM template.
The benefits of custom-mounted storage include:
- Configure persistent storage for your App Service app and manage the storage separately.
- Make static content like video and images readily available for your App Service app.
- Write application log files or archive older application log to Azure File shares.
- Share content across multiple apps or with other Azure services.
- Supports Azure Files NFS and Azure Files SMB.
- Supports Azure Blobs (read-only).
- Supports up to five mount points per app.
The limitations of custom-mounted storage include:
- Storage firewall is supported only through service endpoints and private endpoints when you use virtual network integration.
- FTP/FTPS access to custom-mounted storage isn't supported. Use Azure Storage Explorer.
- Storage account shared access keys are the only means of authentication that are supported. Entra ID and RBAC Roles aren't supported.
- Azure CLI, Azure PowerShell, and Azure SDK support is in preview.
- Mapping / or /home to custom-mounted storage isn't supported.
- Don't map the storage mount to /tmp or its subdirectories. This action can cause a time-out during app startup.
- Azure Storage isn't supported with Docker Compose scenarios.
- Storage mounts aren't included in backups. Be sure to follow best practices to back up the Azure Storage accounts.
- NFS support is only available for App Service on Linux. NFS isn't supported for Windows code and Windows containers. The web app and storage account need to be configured on the same virtual network for NFS. The storage account used for file share should have Premium performance tier and File storage as the Account Kind. Azure Key Vault isn't applicable when using the NFS protocol.
- With virtual network integration on your app, the mounted drive uses an RFC1918 IP address and not an IP address from your virtual network.
You need to mount the storage to the app. Here are three mounting options for Azure storage:
| Mounting option | Usage |
|---|---|
| Basic | Choose this option to mount storage using the Azure portal. You can use the basic option as long as the storage account doesn't use service endpoints, private endpoints, or Azure Key Vault. In this case, the portal gets and stores the access key for you. |
| Access Key | If you plan to mount storage by using the Azure CLI, you need to get an access key. Choose this option if the storage account doesn't use service endpoints, private endpoints, or Azure Key Vault. |
| Key Vault | Also use this option when you plan to mount storage by using the Azure CLI, which requires the access key. Choose this option when you use Azure Key Vault to securely store and retrieve access keys. Azure Key Vault has the benefits of storing application secrets centrally and securely with the ability to monitor, administer, and integrate with other Azure services like Azure App Service. |
- An existing App Service on Linux app.
- An Azure Storage account.
- An Azure file share and directory.
- An existing App Service on Linux app.
- An Azure Storage account.
- An Azure file share and directory.
- An existing App Service on Linux app.
- An Azure Storage account.
- An Azure file share and directory.
- An Azure Key Vault instance that uses vault access policy and a secret, which is required to configure the Key Vault with Azure Storage.
No extra steps are required because the portal gets and stores the access key for you.
You need to get the access key from your storage account.
Before you can mount storage by using Key Vault access, you need to get the Key Vault secret and add it as an application setting in your app.
-
In the Azure portal, browse to your Key Vault. Select Objects > Secrets. Copy the Secret Identifier to your clipboard.
:::image type="content" source="../../media/configure-azure-storage/key-vault-secret-identifier.png" alt-text="Screenshot of Key Vault secret identifier.":::
-
Back in your app, follow the key vault reference to create an application setting by using the Secret Identifier.
Example app setting value:
@Microsoft.KeyVault(SecretUri=https://mykeyvault.vault.azure.net/secrets/mykeyvaultsecret/aaaaaaaa0b0b1c1c2d2d333333333333)
Now you're ready to use Key Vault to access your storage account.
The way that you mount storage depends on your storage access option and whether you use the portal or the Azure CLI.
-
In the Azure portal, go to the app.
-
From the left navigation, select Settings > Configuration. Select Path mappings, and then select New Azure Storage Mount.
-
Configure the storage mount according to the following table. When finished, select OK.
Setting Description Name Name of the mount configuration. Don't use spaces. Configuration options Select Basic if the storage account doesn't use service endpoints, private endpoints, or Azure Key Vault. Otherwise, select Advanced. Storage accounts Azure Storage account. Storage type Select the type based on the storage you want to mount. Azure Blobs only supports read-only access. Storage container or Share name Files share or Blobs container to mount. Mount path Directory inside the Linux container to mount to Azure Storage. Don't use / or /home. Deployment slot setting When checked, the storage mount settings also apply to deployment slots.
-
In the Azure portal, go to the app.
-
From the left navigation, select Settings > Configuration. Select Path mappings, and then select New Azure Storage Mount.
-
Configure the storage mount according to the following table. When finished, select OK.
Setting Description Name Name of the mount configuration. Don't use spaces. Configuration options Select Advanced. Storage accounts Azure Storage account. Storage type Select the type based on the storage you want to mount. Azure Blobs only supports read-only access. Storage container or Share name Files share or Blobs container to mount. Storage access Select Manual input. Access key Enter the access key for your storage account. Mount path Directory inside the Linux container to mount to Azure Storage. Don't use / or /home. Deployment slot setting When selected, the storage mount settings also apply to deployment slots.
-
In the Azure portal, go to the app.
-
From the left navigation, select Settings > Configuration. Select Path mappings, and then select New Azure Storage Mount.
-
Configure the storage mount according to the following table. When finished, select OK.
Setting Description Name Name of the mount configuration. Don't use spaces. Configuration options Select Advanced. Storage accounts Azure Storage account. Storage type Select the type based on the storage you want to mount. Azure Blobs only supports read-only access. Storage container or Share name Files share or Blobs container to mount. Storage access Select Key vault reference. Application settings Select the existing app setting that's configured with the Azure Key Vault secret. Mount path Directory inside the Linux container to mount to Azure Storage. Don't use / or /home. Deployment slot setting When selected, the storage mount settings also apply to deployment slots. -
To access the storage mount, grant your app access to the Key Vault.
To use Azure CLI to mount storage, you need to provide the storage access key.
Use the az webapp config storage-account add command. For example:
az webapp config storage-account add --resource-group <group-name> --name <app-name> --custom-id <custom-id> --storage-type AzureFiles --share-name <share-name> --account-name <storage-account-name> --access-key "<access-key>" --mount-path <mount-path-directory>
--storage-typecan beAzureBloborAzureFiles.AzureBlobis read-only.--mount-pathis the directory inside the Linux container to mount to Azure Storage. Don't use /, the root directory.
Verify your storage is mounted by running the following command:
az webapp config storage-account list --resource-group <resource-group> --name <app-name>
The Azure CLI doesn't currently support mounting storage with Key Vault access. Use the portal instead.
Note
Adding, editing, or deleting a storage mount restarts the app.
To validate that Azure Storage is mounted successfully for the app:
-
Open an SSH session into the container.
-
In the SSH terminal, execute the following command:
df –h
-
Check if the storage share is mounted. If it's not present, there's an issue with mounting the storage share.
-
Check latency or general reachability of the storage mount by using the following command:
tcpping Storageaccount.file.core.windows.net
Azure App Service includes a built‑in health‑check mechanism to ensure that mounted Azure Storage volumes (Azure Files or Azure Blob) remain accessible and responsive. This system helps prevent application hangs caused by stale or disconnected storage mounts.
-
Periodic I/O test
App Service periodically performs file I/O on a marker file named__lastCheckTime.txt.- Location: A
LogFilessubdirectory under the mounted path (for example,/mount/path/LogFiles/__lastCheckTime.txt). - Behavior:
- A read operation is attempted on this file.
- The file doesn't need to exist – "file not found" is treated as a successful check.
- Location: A
-
Frequency
The check runs every 5 seconds by default. -
Failure handling
- Each failed or timed‑out check increments a failed ping counter.
- When failures exceed the configured threshold:
- Azure Files: 18 failed pings
- Azure Blob: 15 failed pings
- The mount is marked Faulted, and App Service automatically restarts the app to restore connectivity to the share.
You can customize health‑check behavior by using the following app settings.
| Storage type | Setting name | Default value | Description |
|---|---|---|---|
| Azure Files | WEBSITE_BYOS_FILES_HEALTH_CHECK_FREQUENCY |
5 |
Interval in seconds between health checks. |
| Azure Files | WEBSITE_BYOS_FILES_MAX_FAILED_PINGS |
18 |
Number of consecutive failures before marking the volume as faulted. |
| Azure Files | WEBSITE_BYOS_FILES_AUTO_RECOVERY_ENABLED |
true |
Set to false to disable auto‑recovery logic. |
| Azure Blob | WEBSITE_BYOS_BLOB_HEALTH_CHECK_FREQUENCY |
5 |
Interval in seconds between health checks. |
| Azure Blob | WEBSITE_BYOS_BLOB_MAX_FAILED_PINGS |
15 |
Number of consecutive failures before marking the volume as faulted. |
| Azure Blob | WEBSITE_BYOS_BLOB_AUTO_RECOVERY_ENABLED |
true |
Set to false to disable auto‑recovery logic. |
| Azure Blob | WEBSITE_BYOS_BLOB_DIRECT_IO |
false |
If enabled, all transactions will query the remote storage directly and caching will be bypassed. This setting is applied at the application level and therefore affects all blob shares mounted by the application. |
- Auto‑recovery helps prevent long‑running application hangs caused by unresponsive storage paths.
- Don't disable auto‑recovery unless you're troubleshooting specific mount behavior.
-
To avoid latency problems, place the app and the Azure Storage account in the same region. If you grant access from App Service IP addresses in the Azure Storage firewall configuration when the app and Azure Storage account are in the same region, these IP restrictions aren't honored.
-
The mounted Azure Storage account can be either Standard or Premium performance tier. Based on the app capacity and throughput requirements, choose the appropriate performance tier for the storage account. See the scalability and performance targets that correspond to the storage type: Files and Blobs.
-
If your app scales to multiple instances, all the instances connect to the same mounted Azure Storage account. To avoid performance bottlenecks and throughput problems, choose the appropriate performance tier for the storage account.
-
In the Azure Storage account, avoid regenerating the access key that you use to mount the storage in the app. The storage account contains two keys. Azure App Services stores an Azure storage account key. Use a stepwise approach to ensure that the storage mount remains available to the app during key regeneration. For example, assuming that you used key1 to configure storage mount in your app:
- Regenerate key2.
- In the storage mount configuration, update the access the key to use the regenerated key2.
- Regenerate key1.
- If you need to use a real time file system, where you expect changes to alter, add, or remove files quickly, use Azure Files as the storage type when you mount storage. When files are static and you don't expect them to change, use Azure Blob.
- The mount directory in the custom container should be empty. Any content stored at this path is deleted when the Azure Storage is mounted, if you specify a directory under /home, for example. If you migrate files for an existing app, make a backup of the app and its content before you begin.
- When mounting an NFS share, you need to ensure that Secure Transfer Required is disabled on the storage account. App Service doesn't support mounting NFS shares when this setting is enabled. It uses port 2049 and virtual network integration and private endpoints as the security measure.
- If you delete an Azure Storage account, container, or share, remove the corresponding storage mount configuration in the app to avoid possible error scenarios.
- Don't use storage mounts for local databases, such as SQLite, or for any other applications and components that rely on file handles and locks.
- Ensure the following ports are open when using virtual network integration: Azure Files: 80 and 445. Azure Blobs: 80 and 443.
- If you initiate a storage failover when the storage account is mounted to the app, the mount doesn't connect until the app is restarted or the storage mount is removed and added again.