Issue Accessing Private Endpoint Enabled Storage Account via Azure Portal from On-Prem VM

Question

Hi Team,

We have configured the Azure Storage Account with Private Endpoints in our subscriptions and are currently attempting to access it through the Azure Portal from an on-premises virtual machine.

To enable name resolution, we have configured conditional forwarders on-premises for the Storage Account Private DNS Zone, pointing to the Azure Private DNS in Azure via private DNS resolver. DNS resolution appears to be working correctly, as the storage account FQDN resolves to the private endpoint IP address from the on-prem VM.

However, when attempting to access the Storage Account through the Azure Portal from the same VM, we receive a networking/firewall-related error indicating that the request is being blocked and inspecting it via the browser dev tools it makes the request on the public DNS on the storage account.

Could you please help us understand if there are any additional networking, firewall, proxy, or DNS considerations required for accessing Storage Accounts with Private Endpoints through the Azure Portal from an on-prem environment?

Answer 1

Hi Sumit,

This is typically caused by browser blocking access to local network. To allow, in your on premises VM, open Azure portal in browser, click on icon to left of url, make sure Local network is enabled, then refresh page.

Below are screenshots for Edge and Chrome showing it enabled:

Edge:

Chrome:

NOTE: If you are authenticating to the storage account using Microsoft Entra user account, you need to make sure you have assigned role to the user account to allow data plane access. For example, for blobs, assign Storage Blob Data Reader, Storage Blob Data Contributor, etc.

Please click Accept Answer and upvote if the above was helpful.

Thanks.

-TP