Private endpoint in hub-and-spoke architecture (Try to access a storage account in my different vnets)

Mhajji 1 Reputation point
2022-02-10T16:07:53.567+00:00

Hello,

I'm trying to register a dataset in my different Azure Machine Learning workspaces (one in each vnet spoke), but for that I need to connect from my ML workspaces to my storage account (dev or prod) located in the vnet 'spoke-pdata'. (screenshot)

The datastore (which refers to the storage account) is already registered with an access key.
I have already checked:

  • peering between my hub and my different spokes
  • private dns zone (privatelink.blob.core.windows.net) in my hub vnet with record set for storage
  • all virtual network links between hub and each spoke (privatelink blob)
  • private dns zone (privatelink.api.azureml.ms) in my hub vnet with record set for each azure machine learning
  • all virtual network links between hub and each spoke (privatelink azureml)
  • storage account roles for each azure ML
  • contributor role for each azure ml in storage account (to be sure it's not role issue)
  • NSG off for storage account

When I set "All networks" in the networking settings of my storage account, Azure ML is connected to my storage account and I can register my dataset... So it's a network issue.
I tried nslookup in AML and I can get the private IP of my storage account:
[screenshot: nslookup output]

What did I forget? Maybe I misunderstood the concept of private endpoint... From my point of view, I just need a private endpoint connected to a private DNS zone. And in case there are two different vnets, I need to connect them with a private link and a vnet peering.
I read the documentation but did not find a similar case... I am still confused.

Error:

ScriptExecutionException was caused by StreamAccessException.
StreamAccessException was caused by AuthenticationException.
Authentication failed for 'AzureBlob GetReference' operation at '[REDACTED]' with '403: AuthorizationFailure'. Please make sure the SAS token or the account key is correct.
Failed due to inner exception of type: StorageException

[screenshot: error]
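The checklist in the question (private DNS zone and vnet links, hub/spoke peering, storage firewall, private endpoint) can be turned into a small offline diagnostic. The script below is an added example, not code from the question or from Microsoft; it takes the A records a client in the spoke vnet gets for `<account>.blob.core.windows.net` (what the nslookup above showed), the storage account's firewall default action and private endpoint connection states (shaped after the `networkRuleSet` and `privateEndpointConnections` fields the Azure CLI reports), and the address ranges reachable through peering, then reports which of the checks fails. The account name `stpdata`, the endpoint name `pe-storage-pdata` and all CIDRs are constructed sample values. It also treats the `403: AuthorizationFailure` from the trace as a network-rule rejection, which is what the asker observed (it disappears with "All networks"), rather than the key problem the message text suggests.

```python
import ipaddress
from dataclasses import dataclass, field

BLOB_SUFFIX = ".blob.core.windows.net"


@dataclass
class StorageNetworkConfig:
    """Subset of a storage account's network settings, shaped after the
    'networkRuleSet' / 'privateEndpointConnections' fields reported by the
    Azure CLI. Every value used below is constructed for this example."""
    default_action: str  # "Allow" = All networks, "Deny" = Selected networks
    # private endpoint connection name -> "Approved" / "Pending" / "Rejected"
    private_endpoints: dict = field(default_factory=dict)


def is_network_denial(error_text: str) -> bool:
    """A 403 AuthorizationFailure that goes away when the firewall is opened
    to All networks is a network-rule rejection, not a bad key, despite the
    'check the SAS token or account key' wording of the message."""
    return "403" in error_text and "AuthorizationFailure" in error_text


def diagnose(account: str, resolved_ips: list, cfg: StorageNetworkConfig,
             reachable_cidrs: list) -> list:
    """Return a list of findings; an empty list means every check passed.

    resolved_ips    : A records a client in the spoke vnet gets for
                      <account>.blob.core.windows.net (e.g. from nslookup)
    reachable_cidrs : address ranges the client can reach through its own
                      vnet and the hub/spoke peerings
    """
    findings = []
    fqdn = account + BLOB_SUFFIX

    if not resolved_ips:
        findings.append(f"DNS: {fqdn} did not resolve")
        return findings

    nets = [ipaddress.ip_network(c) for c in reachable_cidrs]
    for ip_text in resolved_ips:
        ip = ipaddress.ip_address(ip_text)
        if not ip.is_private:
            # The private DNS zone (or its vnet link) is not in effect:
            # traffic goes to the public endpoint, which the firewall denies.
            findings.append(
                f"DNS: {fqdn} resolves to public IP {ip}; the privatelink "
                "zone is not used from this vnet, check the vnet link")
        elif not any(ip in n for n in nets):
            # Name resolution is fine but the address is unreachable.
            findings.append(
                f"Routing: private IP {ip} is outside every reachable range; "
                "check the hub/spoke peering")

    if cfg.default_action == "Allow":
        findings.append(
            "Firewall: All networks is enabled; access works but the public "
            "endpoint is open, so this is not a private-endpoint-only setup")
    else:
        approved = [n for n, s in cfg.private_endpoints.items()
                    if s == "Approved"]
        if not approved:
            findings.append(
                "Private endpoint: no connection is in Approved state; with "
                "default action Deny every request is rejected with 403")
    return findings


if __name__ == "__main__":
    # Constructed scenario resembling the question: nslookup returns a
    # private IP, the firewall is on Selected networks, the endpoint is
    # approved and the spoke is peered with the hub.
    cfg = StorageNetworkConfig("Deny", {"pe-storage-pdata": "Approved"})
    for line in diagnose("stpdata", ["10.2.1.4"], cfg,
                         ["10.0.0.0/16", "10.2.0.0/16"]) or ["all checks passed"]:
        print(line)
```

When every check passes but the 403 persists, the remaining suspects are outside what this script can see from DNS and the firewall alone (for example which private endpoint the resolved address actually belongs to), which is where the asker's own investigation is stuck.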


1 answer

  1. YutongTie-MSFT 46,081 Reputation points
    2022-02-11T03:19:40.743+00:00

    Hello @Mhajji

    Thanks for reaching out to us. One of the possible reasons for this issue may be that the firewall is not enabled.

    Could you please validate whether your storage account is firewall enabled?

    Please follow these steps to do so:
    Azure Portal -> Storage Account -> Networking -> Check Allow Access From (All Networks / Selected Networks)
    If it is "Selected Networks" - It means the storage account is firewall enabled.

    If the storage account is firewall enabled, check that your CORS is set correctly as below:

    [screenshot: CORS settings]

    For me, I am using Allowed origins as below:
    https://mlworkspace.azure.ai,https://ml.azure.com,https://*.ml.azure.com,https://mlworkspacecanary.azure.ai,https://mlworkspace.azureml-test.net

    Let us know if the above steps help resolve the issue. Please don't forget to Upvote and Accept the Answer.

    Regards,
    Yutong

    1 person found this answer helpful.