Share via

how to access azure storage account using private endpoint via azure P2S

$@chin 130 Reputation points
2024-06-19T16:13:30.1966667+00:00

hi,

A scenario where a client is using Point-to-Site connectivity and attempting to connect to an Azure Storage account through its private endpoint, the issue arises when the Storage account FQDN resolves to a public IP instead of the private endpoint IP. This results in a situation where users trying to connect using Storage Explorer encounter the error message: 'This request is not authorized to perform this operation without using the ER or S2S tunnel.

Can this be achieved using P2S ?

Azure DNS
Azure DNS
An Azure service that enables hosting Domain Name System (DNS) domains in Azure.
708 questions
Azure Storage Accounts
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
3,302 questions
Azure Blob Storage
Azure Blob Storage
An Azure service that stores unstructured data in the cloud as blobs.
3,008 questions
Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,578 questions
Azure Private Link
Azure Private Link
An Azure service that provides private connectivity from a virtual network to Azure platform as a service, customer-owned, or Microsoft partner services.
524 questions
0 comments
Accepted answer
  1. KapilAnanth-MSFT 48,086 Reputation points Microsoft Employee
    2024-06-24T06:01:10.07+00:00

    @$@chin ,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I understand that you have a requirement that P2S users have to connect a Storage Account's private endpoint.

    Silvia Wibowo's suggestion is correct.

    • Adding Add DNS suffixes would make the DNS requests for *.blob.core.windows.net go via the P2S Tunnel
    • However, just using the DNS Suffixes is not enough.
    • You should also use a custom DNS server in Azure if you want Private endPoints to be resolved.
      • This means, you should have a VM acting as DNS Server located in Azure VNET where the VPN Gateway is deployed.
      • In addition, the VM DNS Server should have a forward lookup zone for "blob.core.windows.net" and forward the requests to Azure Wireserver IP - 168.63.129.16.
    • You may wonder why you cannot directly forward the requests to 168.63.129.16 without ever deploying a VM DNS Server
      • The answer is that 168.63.129.16 is a virtual IP and it will accept only DNS queries from VMs in Azure
      • Not directly from P2S Clients.
    • See : Use a DNS forwarder VM
      • User's image
      Steps 1 and 2 are done by Add DNS suffixes and custom DNS server

    The recommended method is to use Azure DNS Private Resolver instead, which can act as a DNS VM in Azure and has less management overhead.

    For non-production scenarios,

    Kindly let us know if this helps or you need further assistance on this issue.

    Thanks,

    Kapil

    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Silvia Wibowo 4,491 Reputation points Microsoft Employee
    2024-06-20T02:29:50.0566667+00:00

    Hi @$@chin , I understand that you're having issues connecting to Azure Storage private endpoint via VPN P2S.

    Modify the downloaded profile XML file (for Azure P2S Client) and add these tags:

    <dnssuffixes> <dnssuffix>.privatelink.blob.core.windows.net </dnssuffix> </dnssuffixes>

    Reference: Add DNS suffixes

    If <dnssuffix>.privatelink.blob.core.windows.net</dnssuffix> does not work, try <dnssuffix>.blob.core.windows.net</dnssuffix>

    Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.