How to connect to Azure Files storage account using Private Endpoint and Azure VPN

Question

Hi all,

I have an Azure Storage Account File share setup with the following options:

• On-prem AD Access, the storage account is joined to the on-prem domain, and a security group is assigned to access via IAM blade
• a VNG is setup with Azure VPN to bring clients that are external to the Azure network
• A private endpoint is assigned to the Storage Account, in the hope that I can use this connection with Azure VPN to access the resources via IP / PrivateLink.

The issue I have is that I can only connect to the resource Publicly (I have a few subset of IPs allowed) and while in contact with the Domain Controller, due to AD granted ACLs

How can I connect to this storage account using Azure VPN? I cannot ping the Private Endpoint, and resolving PrivateLink gives the public address.

Thanks

P

Answer 1

Hello PC,

Greetings! Welcome to Microsoft Q&A Platform.

To connect to your Azure Storage Account File share using Azure VPN, you can use a point-to-site (P2S) VPN connection to mount your Azure file shares over SMB from outside of Azure, without opening up port 445. A point-to-site VPN connection is a VPN connection between Azure and an individual client. To use a P2S VPN connection with Azure Files, you must configure a VPN connection for each client that wants to connect. If you have many clients that need to connect to your Azure file shares from your on-premises network, you can use a site-to-site (S2S) VPN connection instead of a point-to-site connection for each client.

By default, the Azure File Share is still accessible via its public IP address. To prevent access from the internet to the file share's public address you have to add storage firewall/network security rule settings to the share, which limits the networks from which access is permitted.

After restricting access from all networks (including the internet) you then have to explicitly allow access to the storage resource from subnets within your VNET or from listed public IP addresses.

P2S VPN clients are assigned addresses within a leasepool subnet range defined when you create the virtual network gateway. This subnet does not have a subnet ID - it is separate to VNET subnets

example - Azure P2S VPN is part of VNET-A which is peered to VNET-B. The Storage account has a private endpoint for each of Blob and File storage, the ip addresses of which are part of a subnet in VNET-B. Network Access is enabled for all the subnets in only VNET-A and VNET-B.

to create a file share and access it from the desktop, you need to create and configure a Private End Point under the subnet you have the storage account exists. Go to 'Private Endpoint Connection' under settings of storage account in azure portal,

Next create it as shown in the below figure. Remember to select the options as shown:

Follow the steps and select the subnet created in earlier steps. Once the creation is completed, note the Network interface IP address from the summary page. This the IP address which you can connect through your P2S network

When you map the drive, use the folder format as \Private IP Address\Filesharename Note: Here you need to use the file share name instead of storage account name

refer - https://learn.microsoft.com/en-us/azure/storage/files/storage-files-configure-p2s-vpn-windows?tabs=azure-portal, https://medium.com/@danieluqpierce/how-to-access-azure-file-share-over-vpn-0db78ed482e7

Similar thread for reference - https://learn.microsoft.com/en-us/answers/questions/741817/connect-on-prem-to-azure-files

Hope this helps! Please let us know if you have any further queries. I’m happy to assist you further.

---

Please "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Answer 2

@PC Welcome to Microsoft Q&A Forum, Thank you for posting your query here!

It seems like you are trying to connect to your Azure Storage Account File share using Azure VPN, but you are facing some issues with the private endpoint. Let me help you with that.

Firstly, I would like to confirm if you have followed the steps mentioned in the document "Configure a Point-to-Site (P2S) VPN on Linux or Windows for use with Azure Files" to configure the P2S VPN connection on your Linux machine. If not, I would recommend you to follow the steps mentioned in the document to configure the P2S VPN connection.

Once you have configured the P2S VPN connection, you can try to connect to your Azure Storage Account File share using the private endpoint. To do that, you need to make sure that your DNS resolution is set up correctly. You can check the DNS resolution by running the following command on your Linux machine:

nslookup <your-storage-account-name>.file.core.windows.net

This command should return the private IP address of your storage account if the DNS resolution is set up correctly. If it returns the public IP address, then you need to check your DNS configuration.

If the DNS resolution is set up correctly, you can try to connect to your Azure Storage Account File share using the private IP address of your storage account. To do that, you need to mount the file share using the following command:

sudo mount -t cifs //<your-storage-account-name>.file.core.windows.net/<your-file-share-name> /mnt/<your-mount-point> -o vers=3.0,username=<your-storage-account-name>,password=<your-storage-account-key>,dir_mode=0777,file_mode=0777,sec=ntlmssp

Replace <your-storage-account-name> with the name of your storage account, <your-file-share-name> with the name of your file share, and <your-mount-point> with the mount point on your Linux machine.

If you are still facing issues, please let me know and provide me with more information about the error message you are receiving.

You can also check DNS resolution and connectivity to your Azure file share. To mount or access a file share successfully, your client must be able to resolve the fully qualified domain name of the storage account to the correct IP address for the desired network endpoint of the storage account. Establish a successful TCP connection to the correctly resolved IP address on the correct port for the desired protocol.

References:

• Troubleshoot Azure Private Endpoint connectivity problems
• Troubleshoot Azure Files
• Troubleshoot Azure Private Link Service connectivity problems
• Troubleshooting connectivity problems between Azure VMs

Additional information:

Connecting to an Azure Storage Account using Azure VPN without public IP access can be challenging. Here are some steps and considerations that might help you troubleshoot the issue:

1. Azure VPN Client Setup: Ensure that you have the latest Azure VPN profile provisioning. If you’re encountering difficulties, you can manually import the VPN profile using the Azure VPN Client application. This might help establish a secure connection to the Azure network
2. Private IP Address: To connect to resources like VMs or storage accounts, you need to know their private IP addresses. If you’re unable to ping the private endpoint, it could be due to insufficient network routes provided by the VPN. In such cases, a new peering setup might be required for the VPN gateway2
3. Always On VPN Configuration: For a more persistent connection, consider configuring an Always On VPN user tunnel. This setup ensures that your VPN connection remains active and could help maintain a stable connection to your storage account3

DNS Resolution: If resolving PrivateLink gives you the public address, it might be a DNS issue. Ensure that your DNS settings are correctly configured to resolve to the private IP address of the private endpoint within the Azure network.

1. Troubleshooting Connectivity: If you’re unable to reach the Azure storage account via port 445, it could be blocked by your organization or ISP. Using Azure P2S VPN, Azure S2S VPN, or Express Route can help tunnel SMB traffic over a different port4
2. Private Endpoint Configuration: Using private endpoints for your storage account allows clients on a VNet to securely access data over a Private Link. The private endpoint uses an IP address from the VNet address space, eliminating exposure from the public internet. This setup is crucial for secure access from on-premises networks connected to the VNet via VPN or ExpressRoute

Remember to check the network security group (NSG) rules and the storage account’s firewall settings to ensure they’re not blocking the desired traffic. If the issue persists, I would like to work offline on this issue.

---

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.