Connect to Azure Storage Account via Azure Storage Explorer and ExpressRoute

Question

Hello community,

I have a problem connecting to a storage account from the corporate network via an ExpressRoute.

Facts about the storage account:

• It is an Azure Data Lake Storage Gen2.
• The storage account is only accessible from selected networks. (no network is selected for the first time either)
• The storage account has a private endpoint (sub-resource blob) on the subnet1
• The private endpoint uses a custom private DNS zone. (not the regular privatelink.blob.core.windows.net).

Scenario 1:
When I connect to a VM located in subnet1 via a bastion host, open Azure Storage Explorer, connect to my Azure account and try to open the storage account, I get a 403 error.
However, if I add Subnet1 as an allowed network in the network settings of the storage account, the connection via the Storage Explorer works.

Scenario 2:
Our company has an ExpressRoute in use.The ExpressRoute is connected to the VNET and the corporate network. If I now open Azure Storage Explorer from my client laptop, connect to my Azure account and try to open the storage account, I get a 403 error again.
At this point, however, Subnet1 has already been added to the storage account as a allowed network.

What is the difference between the two scenarios?
Why can I connect successfully via the VM but not via the Express Route?

I have already tested and checked all firewalls and NSGs. (The port 443 is allowed).
I can also successfully connect from my laptop ( in the corporate network) to the Private Endpoint of the Storages account via the PowerShell command "Test-NetConnection" using port 443.

Do you guys have any ideas what else I can do to connect?
If any more information is needed, I'll be happy to supply it.

Thanks in advance!
Christopher

Answer 1

The storage account DNS name like 'storageaccount.file.core.windows.net' resolves to the private IP address of the private endpoint you set while creating the storage account. In-order to connect the storage account, the client such as storage explorer should resolve the private end point.
From an azure VM, 'storageaccount.file.core.windows.net' will resolve the private end point correctly.
But, when you try to resolve the name from your on-premises connected via Express route, it resolves to the public IP address of the storage account and which is not useful for accessing the storage account.
To ensure that the storage account name resolves to the private endpoint's private IP address, you must change the configuration on your on-premises DNS servers. This can be accomplished in different ways:

1. Modifying the hosts file on your clients to make storageaccount.file.core.windows.net resolve to the desired private endpoint's private IP address. This is not recommended for production work loads. However, for a quick test, this will help
2. Creating an A record for 'storageaccount.file.core.windows.net' in your on-premises DNS servers.
3. Forward the core.windows.net zone from your on-premises DNS servers to your Azure private DNS zone. To learn how to set up DNS forwarding by using PowerShell cmdlets, see Configuring DNS with Azure Files

----------

If the Answer is helpful, please click "Accept Answer" and upvote it