diff --git a/Dfe.ManageFreeSchoolProjects/Dfe.ManageFreeSchoolProjects.API/appsettings.json b/Dfe.ManageFreeSchoolProjects/Dfe.ManageFreeSchoolProjects.API/appsettings.json
index 0ab32ee62..0d3d5c841 100644
--- a/Dfe.ManageFreeSchoolProjects/Dfe.ManageFreeSchoolProjects.API/appsettings.json
+++ b/Dfe.ManageFreeSchoolProjects/Dfe.ManageFreeSchoolProjects.API/appsettings.json
@@ -7,8 +7,9 @@
 "ApiKeys": "app-key"
 },
 "ConnectionStrings": {
- "DefaultConnection": "insert-connection-string"
- },
+ "DefaultConnection": "insert-connection-string",
+ "BlobStorage": "insert-connection-string"
+ },
 "GovNotify" : {
 "ApiKey": "",
 "TemplateId" : ""
diff --git a/Dfe.ManageFreeSchoolProjects/Dfe.ManageFreeSchoolProjects/appsettings.json b/Dfe.ManageFreeSchoolProjects/Dfe.ManageFreeSchoolProjects/appsettings.json
index 10fd1d7e1..4a277e8f1 100644
--- a/Dfe.ManageFreeSchoolProjects/Dfe.ManageFreeSchoolProjects/appsettings.json
+++ b/Dfe.ManageFreeSchoolProjects/Dfe.ManageFreeSchoolProjects/appsettings.json
@@ -15,26 +15,26 @@
 }
 },
 "AllowedHosts": "*",
- "GoogleAnalytics": {
- "Enable": "No"
- },
- "Mfsp": {
- "ApiEndpoint": ""
- },
+ "GoogleAnalytics": {
+ "Enable": "No"
+ },
+ "Mfsp": {
+ "ApiEndpoint": ""
+ },
 "TramsApi": {
 "ApiKey": "",
 "Endpoint": ""
 },
- "AzureAd": {
- "Instance": "https://login.microsoftonline.com",
- "Domain": "Educationgovuk.onmicrosoft.com",
- "CallbackPath": "/signin-oidc",
- "ClientId": "insert-client-id",
- "TenantId": "insert-tenant-id",
- "ClientSecret": "insert-client-secret",
- "GroupId": "insert-group-id",
- "AllowedRoles": "user"
- },
+ "AzureAd": {
+ "Instance": "https://login.microsoftonline.com",
+ "Domain": "Educationgovuk.onmicrosoft.com",
+ "CallbackPath": "/signin-oidc",
+ "ClientId": "insert-client-id",
+ "TenantId": "insert-tenant-id",
+ "ClientSecret": "insert-client-secret",
+ "GroupId": "insert-group-id",
+ "AllowedRoles": "user"
+ },
 "CypressTestSecret": "secret",
 "ServiceLink": {
 "TransfersUrl": ""
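Review bot: The new `"BlobStorage": "insert-connection-string"` entry in the API project's `ConnectionStrings` uses a non-empty placeholder, while the web project's appsettings.json later in this commit adds the same key as `"BlobStorage": ""`. Using one convention in both files would make a missing override fail the same way in each app. An Azure Storage connection string normally embeds the account key or a SAS token, so the real value should come only from the deployment's secret store or environment and never replace the placeholder in this committed file. The code that consumes the setting is not part of this diff; if it can authenticate with a managed identity and a service URI instead, no long-lived key needs to be configured at all.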
@@ -43,5 +43,8 @@
 "FeatureManagement": {
 "UseAcademisation": true,
 "UseAcademisationApplication": false
+ },
+ "ConnectionStrings": {
+ "BlobStorage": ""
 }
 }
diff --git a/terraform/README.md b/terraform/README.md
index 06fede547..10e294493 100644
--- a/terraform/README.md
+++ b/terraform/README.md
@@ -168,6 +168,7 @@ No resources.
 | [dns\_txt\_records](#input\_dns\_txt\_records) | DNS TXT records to add to the DNS Zone |
map(
object({
ttl : optional(number, 300),
records : list(string)
})
)
| n/a | yes |
 | [dns\_zone\_domain\_name](#input\_dns\_zone\_domain\_name) | DNS zone domain name. If created, records will automatically be created to point to the CDN. | `string` | n/a | yes |
 | [enable\_cdn\_frontdoor](#input\_enable\_cdn\_frontdoor) | Enable Azure CDN FrontDoor. This will use the Container Apps endpoint as the origin. | `bool` | n/a | yes |
+| [enable\_container\_app\_blob\_storage](#input\_enable\_container\_app\_blob\_storage) | Create an Azure Storage Account and Storage Container to be accessed by the Container App | `bool` | n/a | yes |
 | [enable\_container\_health\_probe](#input\_enable\_container\_health\_probe) | Enable liveness probes for the Container | `bool` | `true` | no |
 | [enable\_container\_registry](#input\_enable\_container\_registry) | Set to true to create a container registry | `bool` | n/a | yes |
 | [enable\_dns\_zone](#input\_enable\_dns\_zone) | Conditionally create a DNS zone | `bool` | n/a | yes |
@@ -198,6 +199,8 @@ No resources.
 | [statuscake\_contact\_group\_integrations](#input\_statuscake\_contact\_group\_integrations) | List of Integration IDs to connect to your Contact Group | `list(string)` | `[]` | no |
 | [statuscake\_contact\_group\_name](#input\_statuscake\_contact\_group\_name) | Name of the contact group in StatusCake | `string` | `""` | no |
 | [statuscake\_monitored\_resource\_addresses](#input\_statuscake\_monitored\_resource\_addresses) | The URLs to perform TLS checks on | `list(string)` | `[]` | no |
+| [storage\_account\_ipv4\_allow\_list](#input\_storage\_account\_ipv4\_allow\_list) | A list of public IPv4 address to grant access to the Blob Storage Account | `list(string)` | n/a | yes |
+| [storage\_account\_public\_access\_enabled](#input\_storage\_account\_public\_access\_enabled) | Should the Azure Storage Account have Public visibility? | `bool` | n/a | yes |
 | [tags](#input\_tags) | Tags to be applied to all resources | `map(string)` | n/a | yes |
 | [tfvars\_filename](#input\_tfvars\_filename) | tfvars filename. This ensures that tfvars are kept up to date in Key Vault. | `string` | n/a | yes |
 | [virtual\_network\_address\_space](#input\_virtual\_network\_address\_space) | Virtual network address space CIDR | `string` | n/a | yes |
diff --git a/terraform/container-apps-hosting.tf b/terraform/container-apps-hosting.tf
index c5c182a65..74682d335 100644
--- a/terraform/container-apps-hosting.tf
+++ b/terraform/container-apps-hosting.tf
@@ -51,6 +51,10 @@ module "azure_container_apps_hosting" { enable_container_health_probe = local.enable_container_health_probe cdn_frontdoor_health_probe_protocol = local.cdn_frontdoor_health_probe_protocol + enable_container_app_blob_storage = local.enable_container_app_blob_storage + storage_account_ipv4_allow_list = local.storage_account_ipv4_allow_list + storage_account_public_access_enabled = local.storage_account_public_access_enabled + existing_logic_app_workflow = local.existing_logic_app_workflow existing_network_watcher_name = local.existing_network_watcher_name existing_network_watcher_resource_group_name = local.existing_network_watcher_resource_group_name diff --git a/terraform/locals.tf b/terraform/locals.tf index 8336e9d96..633345bf6 100644 --- a/terraform/locals.tf +++ b/terraform/locals.tf @@ -51,4 +51,7 @@ locals { statuscake_contact_group_name = var.statuscake_contact_group_name statuscake_contact_group_integrations = var.statuscake_contact_group_integrations statuscake_contact_group_email_addresses = var.statuscake_contact_group_email_addresses + enable_container_app_blob_storage = var.enable_container_app_blob_storage + storage_account_ipv4_allow_list = var.storage_account_ipv4_allow_list + storage_account_public_access_enabled = var.storage_account_public_access_enabled } diff --git a/terraform/variables.tf b/terraform/variables.tf index 97ae8f153..ea878661d 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf 
@@ -344,3 +344,18 @@ variable "statuscake_contact_group_email_addresses" {
 type = list(string)
 default = []
 }
+
+variable "enable_container_app_blob_storage" {
+ description = "Create an Azure Storage Account and Storage Container to be accessed by the Container App"
+ type = bool
+}
+
+variable "storage_account_ipv4_allow_list" {
+ description = "A list of public IPv4 address to grant access to the Blob Storage Account"
+ type = list(string)
+}
+
+variable "storage_account_public_access_enabled" {
+ description = "Should the Azure Storage Account have Public visibility?"
+ type = bool
+}
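Review bot: `storage_account_public_access_enabled` and `storage_account_ipv4_allow_list` are declared without defaults, so whether the storage account is publicly reachable depends entirely on each environment's tfvars and there is no restrictive fallback. Closed defaults, `default = false` on the bool and `default = []` on the list, would make the locked-down configuration the one you get when nothing is set. They would also keep existing tfvars files working, since all three new variables are currently required even where `enable_container_app_blob_storage` is false. How the module interprets these inputs is not visible in this diff, so confirm that an empty allow list means "no public IPs admitted" rather than "no restriction". The list description should read "IPv4 addresses"; the README table repeats the same text.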