Access file in a storage account residing in different tenant to ML Service in another tenant via IP based SAS restricted access

Himanshu Bajpai 1

Hi,

I have a storage account residing in tenant-A and machine learning service in tenant-B. When I try to read file from storage account in tenant-A via SAS (with IP restriction) in the jupyter notebook running on compute in ML service in tenant-B, it is not accessible and failing with 403 (Forbidden).

But when I try to access the file without IP restriction, I am able to read it in the notebook.
Can you please help in understanding why it is happening and possible fix for the problem?

Please note, the public IP of ML compute is being used for whitelisting in SAS.

1 answer

romungi-MSFT 42,406 Reputation points Microsoft Employee

2022-02-23T13:50:27.507+00:00

@Himanshu Bajpai I think you need to whitelist the IP ranges that fall under BatchNodeManagement.<region> and AzureMachineLearning.<region> from the list of Azure IPs for your region under the respective categories. The list of azure IPs can be downloaded from here.

Depending on your region try whitelisting these IPs instead of the public IP of your compute and check if it works. For more details about setting up inbound and outbound network configuration for Azure ML, please refer this page.

If an answer is helpful, please click on or upvote which might help other community members reading this thread.
Please sign in to rate this answer.
Himanshu Bajpai 1 Reputation point

2022-02-24T05:29:41.187+00:00

Hi @romungi-MSFT ,
Thanks for your answer.
I tried to create SAS URL against the IP addresses provided in the config. But still I am getting 403. PFB the steps :

My ML Service is in West Europe. The IP by host name is as below :

While creating SAS Url, restricted the IPs in range 40.74.24.96-40.74.24.111
SAS Url -

Also, I checked the Inbound/Outbound rules, since without restricting the IP, I am able to read the file, so they should not be blocking the access right?

Let me know if you have any other suggestions.

Thanks!

romungi-MSFT 42,406 Reputation points Microsoft Employee

2022-02-25T07:58:32.653+00:00

@Himanshu Bajpai Are you only trying to restrict the IP on SAS URI generation or have you also restricted the IP range on the storage account to certain networks?
I tried to restrict on the SAS URI but the blob was accessible irrespective of the IP i put in the URI. When I tried restriction on the network settings of the storage account I do encounter 403 error though.

Himanshu Bajpai 1 Reputation point

2022-02-25T08:05:04.783+00:00

@romungi-MSFT , I am trying to restrict the IP on SAS URI generation. For me, when I am generating the SAS with IP it is not working.
As mentioned previously, when I use the storage account within same tenant where Azure ML service resides, on generating the SAS with Compute Public IP, I am able to read the file from the Jupyter notebook running on ML Compute.
But when I try to generate SAS from storage account in different tenant, it does not work.

romungi-MSFT 42,406 Reputation points Microsoft Employee

2022-02-25T13:09:03.85+00:00

@Himanshu Bajpai I created a different storage account on a different tenant and added the IP restriction, the access works from my compute instance and does not from any other source.
So, I couldn't replicate the behavior you are seeing. I believe the access in your case will not work even if you try accessing the file from any other source even if the source is whitelisted. This could mean that there might be some setting that is blocking this. Could you cross check the configuration settings of your storage accounts in both the tenants?

Himanshu Bajpai 1 Reputation point

2022-02-28T06:10:42.43+00:00

@romungi-MSFT ,

Thanks for the inputs. I created a new storage account in one more tenant (calling it tenant3) and tried to access the blob by restricting compute IP in SAS and it is working as you have mentioned.

To understand the reason for 403 in other storage account, I cross checked the network setting of the storage accounts and they seem to be same. Can you please share what other configurations I can check to understand why it is not working for the tenant2?

romungi-MSFT 42,406 Reputation points Microsoft Employee

2022-03-03T06:45:53.307+00:00

@Himanshu Bajpai I think due to the nature of the issue I would recommend to raise a support case in the effected tenant to get the settings reviewed.

Himanshu Bajpai 1 Reputation point

2022-03-03T09:30:04.107+00:00

Okay Thank you!
Sign in to comment