| author | msangapu-msft |
|---|---|
| ms.service | azure-app-service |
| ms.topic | include |
| ms.date | 02/09/2026 |
| ms.author | msangapu |
Azure Storage is Microsoft's cloud storage solution for modern data storage scenarios. Azure Storage offers highly available, massively scalable, durable, and secure storage for data objects in the cloud. This guide shows how to mount Azure Storage Files as a network share in Windows code (noncontainer) in Azure App Service.
Azure Storage supports Azure Files Shares and Premium Files Shares for App Service. Azure Storage isn't the default storage for App Service. It's billed separately. You can also configure Azure Storage in an ARM template.
The benefits of custom-mounted storage include:
- Configure persistent storage for your App Service app and manage the storage separately.
- Make static content like video and images readily available for your App Service app.
- Write application log files or archive older application logs to Azure File shares.
- Share content across multiple apps or with other Azure services.
The following features are supported for Windows code:
- Secured access to storage accounts with key vault, private endpoints, and service endpoints (when you use virtual network integration).
- Azure Files (read/write).
- Up to five mount points per app.
- Mount Azure Storage file shares using /mounts/<path-name>.
Here are the three options to mount Azure storage to your app:
| Mounting option | Usage |
|---|---|
| Basic | Choose this option when you mount storage by using the Azure portal. You can use the basic option as long as the storage account doesn't use service endpoints, private endpoints, or Azure Key Vault. In this case, the portal gets and stores the access key for you. |
| Access Key | If you plan to mount storage using the Azure CLI, you need to obtain an access key. Choose this option if storage account doesn't use service endpoints, private endpoints, or Azure Key Vault. |
| Key Vault | Also use this option when you plan to mount storage using the Azure CLI, which requires the access key. Choose this option when using Azure Key Vault to securely store and retrieve access keys. Azure Key Vault has the benefits of storing application secrets centrally and securely with the ability to monitor, administer, and integrate with other Azure services like Azure App Service. |
- An existing Windows code app in App Service.
- An Azure file share.
- Files uploaded to the Azure File share.
- An existing Windows code app in App Service.
- An Azure file share.
- Files uploaded to the Azure File share.
- An existing Windows code app in App Service.
- An Azure file share.
- Files uploaded to the Azure File share.
- An Azure Key Vault instance that uses vault access policy and a secret, which is required to configure the Key Vault with Azure Storage.
- Storage firewall is supported only through private endpoints and service endpoints when you use virtual network integration.
- Azure blobs aren't supported when you configure Azure storage mounts for Windows code apps deployed to App Service.
- FTP/FTPS access to mounted storage isn't supported. Use Azure Storage Explorer.
- Mapping /mounts, mounts/name1/name2, /, and /mounts/name.ext/ to custom-mounted storage isn't supported. You can only use /mounts/pathname for mounting custom storage to your web app.
- Storage mounts aren't included in backups. Be sure to follow best practices to back up Azure Storage accounts.
- With virtual network integration on your app, the mounted drive uses an RFC1918 IP address and not an IP address from your virtual network.
No extra steps are required because the portal gets and stores the access key for you.
You need to get the access key from your storage account.
Before you can mount storage by using Key Vault access, you need to get the Key Vault secret and add it as an application setting in your app.
-
In the Azure portal, browse to your Key Vault. Select Objects > Secrets. Copy the Secret Identifier to your clipboard.
:::image type="content" source="../../media/configure-azure-storage/key-vault-secret-identifier.png" alt-text="Screenshot of Key Vault secret identifier.":::
-
Go back to your app, and follow the key vault reference to create an application setting by using the Secret Identifier.
Example app setting value:
@Microsoft.KeyVault(SecretUri=https://mykeyvault.vault.azure.net/secrets/mykeyvaultsecret/aaaaaaaa0b0b1c1c2d2d333333333333)
Now you're ready to use Key Vault to access your storage account.
To mount storage to Windows code by using the Azure portal:
-
In the Azure portal, go to the app.
-
From the left navigation, select Settings > Configuration. Select Path mappings, and then select New Azure Storage Mount.
-
Configure the storage mount according to the following table. When finished, select OK.
Setting Description Name Name of the mount configuration. Don't use spaces. Configuration options Select Basic if the storage account doesn't use private endpoints or Azure Key Vault. Otherwise, select Advanced. Storage accounts Azure Storage account. It must contain an Azure Files share. Share name Files share to mount. Storage access Select Key vault reference for Azure Key Vault. Otherwise, select Manual input. Access key (Advanced only) Access key for your storage account. Mount path Directory inside your app service that you want to mount. Only /mounts/pathname is supported. Application settings Select the app setting with the Azure Key Vault secret. Deployment slot setting When selected, the storage mount settings also apply to deployment slots.
-
In the Azure portal, go to the app.
-
From the left navigation, select Settings > Configuration. Select Path mappings, and then select New Azure Storage Mount.
-
Configure the storage mount according to the following table. When finished, select OK.
Setting Description Name Name of the mount configuration. Don't use spaces. Configuration options Select Advanced. Storage accounts Azure Storage account. Storage type Select the type based on the storage you want to mount. Azure Blobs only supports read-only access. Storage container or Share name Files share or Blobs container to mount. Storage access Select Manual input. Access key Enter the access key for your storage account. Mount path Directory inside the Linux container to mount to Azure Storage. Don't use / or /home. Deployment slot setting When selected, the storage mount settings also apply to deployment slots.
-
In the Azure portal, go to the app.
-
From the left navigation, select Settings > Configuration. Select Path mappings, and then select New Azure Storage Mount.
-
Configure the storage mount according to the following table. When finished, select OK.
Setting Description Name Name of the mount configuration. Don't use spaces. Configuration options Select Basic if the storage account doesn't use service endpoints, private endpoints, or Azure Key Vault. Otherwise, select Advanced. Storage accounts Azure Storage account. Storage type Select the type based on the storage you want to mount. Azure Blobs only supports read-only access. Storage container or Share name Files share or Blobs container to mount. Storage access Select Key vault reference. Application settings Select the existing app setting with the Azure Key Vault secret. Mount path Directory inside the Linux container to mount to Azure Storage. Don't use / or /home. Deployment slot setting When checked, the storage mount settings also apply to deployment slots. -
To access the storage mount, grant your app access to the Key Vault.
Using Azure CLI to mount storage requires you to provide the storage access key.
Use the az webapp config storage-account add command. For example:
az webapp config storage-account add --resource-group <group-name> --name <app-name> --custom-id <custom-id> --storage-type AzureFiles --share-name <share-name> --account-name <storage-account-name> --access-key "<access-key>" --mount-path <mount-path-directory>
Verify your storage is mounted by running the following command:
az webapp config storage-account list --resource-group <resource-group> --name <app-name>
The Azure CLI doesn't currently support mounting storage with Key Vault access. Use the Azure portal instead.
Note
When you add, edit, or delete a storage mount, the app restarts.
-
Azure Storage mounts can be configured as a virtual directory to serve static content. To configure the virtual directory, in the left navigation select Settings > Configuration. Then select Path mappings, then New virtual application or directory. Set the Physical path to the Mount path defined on the Azure Storage mount.
-
To avoid latency issues, place the app and the Azure Storage account in the same region. If you grant access from App Service IP addresses in the Azure Storage firewall configuration when the app and Azure Storage account are in the same region, these IP restrictions aren't honored.
-
In the Azure Storage account, avoid regenerating the access key that you use to mount the storage in the app. The storage account contains two keys. Azure App Services stores an Azure storage account key. Use a stepwise approach to ensure that the storage mount remains available to the app during key regeneration. For example, assuming that you used key1 to configure storage mount in your app:
- Regenerate key2.
- In the storage mount configuration, update the access the key to use the regenerated key2.
- Regenerate key1.
-
If you delete an Azure Storage account, container, or share, remove the corresponding storage mount configuration in the app to avoid possible error scenarios.
-
The mounted Azure Storage account can be either Standard or Premium performance tier. Based on the app capacity and throughput requirements, choose the appropriate performance tier for the storage account. See the scalability and performance targets for Files.
-
If your app scales to multiple instances, all the instances connect to the same mounted Azure Storage account. To avoid performance bottlenecks and throughput issues, choose the appropriate performance tier for the storage account.
-
We don't recommend that you use storage mounts for local databases, such as SQLite, or for any other applications and components that rely on file handles and locks.
-
If you initiate a storage failover when the storage account is mounted to the app, the mount doesn't connect until the app is restarted or the storage mount is removed and added again.
-
Ensure port 445 is open when using Azure Files with virtual network integration. In addition, ensure app setting,
WEBSITE_CONTENTOVERVNETis set to1. -
The mounted Azure Storage account can be either Standard or Premium performance tier. Based on the app capacity and throughput requirements, choose the appropriate performance tier for the storage account. See the scalability and performance targets for Files.
[!div class="nextstepaction"] Migrate .NET apps to Azure App Service