Cannot mount Azure file storage in some networks.

Sandeep 0 Reputation points
2024-09-15T17:14:55.96+00:00

I can't mount the Azure file storage on some networks. The issued network can't see any error messages while connecting.

For testing purposes I disabled my laptop firewall for a while, but the issue still exists.
How can we solve the issue without the ISP's support?

When I run a traceroute to Azure, the destination host is unreachable from the Azure side.
Note: I have not configured any firewall rules yet in the Azure portal.
Can anyone please explain clearly?
Thank you,

Azure Storage

2 answers

  1. Dillon Silzer 57,826 Reputation points Volunteer Moderator
    2024-09-15T19:23:37.74+00:00

    Hi Sandeep,

    You may need to configure port 445 to be open on your Azure's network/firewall properties:

    Virtual network or firewall rules are enabled on the storage account

    If virtual network (VNET) and firewall rules are configured on the storage account, network traffic will be denied access unless the client IP address or virtual network is allowed access.

    Solution

    Verify that the VNET and firewall rules are configured properly on the storage account and the port 445 is allowlisted. To test if virtual networks or firewall rules cause the issue, you can temporarily change the setting on the storage account to Allow access from all networks. To learn more, see Configure Azure Storage firewalls and virtual networks.

    Cited from https://learn.microsoft.com/en-us/troubleshoot/azure/azure-storage/files/connectivity/files-troubleshoot-smb-connectivity?toc=%2Fazure%2Fstorage%2Ffiles%2Ftoc.json&tabs=linux#solution-for-cause-2-2

    Also, a tracert cmd does not always return information if the host has disabled ICMP echo requests.


    If this is helpful please accept as answer or upvote.

    Best regards,

    Dillon Silzer | Cloudaen.com | Cloudaen Computing Solutions


  2. Nehruji R 8,181 Reputation points Microsoft External Staff Moderator
    2024-09-16T11:50:28.75+00:00

    Hello Sandeep,

    Greetings! Welcome to Microsoft Q&A Platform.

    Based on your error, I would recommend testing and confirming that Test-NetConnection succeeds in reaching port 445. The SMB protocol requires TCP port 445 to be open; connections will fail if port 445 is blocked. You can check if your firewall is blocking port 445 with the Test-NetConnection cmdlet. To learn about ways to work around a blocked 445 port, see the Cause 1: Port 445 is blocked section of our Windows troubleshooting guide.

    To check if your firewall or ISP is blocking port 445, use the AzFileDiagnostics tool or Test-NetConnection cmdlet.

    SMB has always been a network file sharing protocol. As such, SMB requires network ports on a computer or server to enable communication to other systems. SMB uses either IP Port 445. 445 is an important port because it is used by default for all SMB communication. Windows uses it for various functions since SMB serves as the network protocol at the application level.

    You can talk to the ISP to check if they can allow all communication to the URLs ".file.core.windows.net" (suffix used for storage accounts) and ".store.core.windows.net" (suffix used by the storage stamp).

    Resolution:

    Solution 1 - Use Azure File Sync

    Azure File Sync can transform your on-premises Windows Server into a quick cache of your Azure file share. You can use any protocol that's available on Windows Server to access your data locally, including SMB, NFS, and FTPS. Azure File Sync works over port 443 and can thus be used as a workaround to access Azure Files from clients that have port 445 blocked. Learn how to set up Azure File Sync.

    Solution 2 - Use VPN

    By setting up a VPN to your specific Storage Account, the traffic will go through a secure tunnel as opposed to over the internet. Follow the instructions to set up a VPN to access Azure Files from Windows.

    Solution 3 - Unblock port 445 with help of your ISP/IT Admin

    Work with your IT department or ISP to open port 445 outbound to Azure IP ranges.

    Solution 4 - Use REST API based tools like Storage Explorer/PowerShell

    Azure Files also supports REST in addition to SMB. REST access works over port 443 (standard TCP). There are various tools that are written using the REST API which enable a rich UI experience. Storage Explorer is one of them. Download and install Storage Explorer and connect to your file share backed by Azure Files. You can also use PowerShell, which also uses the REST API.

    Additional information: You can mount the file share on your local machine by using the SMB 3.0 protocol, or you can use tools like Storage Explorer to access files in your file share. From your application, you can use storage client libraries, REST APIs, PowerShell, or Azure CLI to access your files in the Azure file share.

    Azure Files only allows connections using SMB 3.0 (with encryption support) from outside the region or datacenter. The SMB 3.0 protocol has introduced many security features, including channel encryption, which is very secure to use over the internet. However, it's possible that port 445 has been blocked due to historical reasons of vulnerabilities found in lower SMB versions. In the ideal case, the port should be blocked only for SMB 1.0 traffic, and SMB 1.0 should be turned off on all clients.

    Hope this helps! Please let us know if you have any further queries. I’m happy to assist you further.

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.

    0 comments No comments
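The port check that both answers describe, as an added example that is not part of either answer or of Microsoft's tooling: it resolves the share endpoint, then compares TCP 445 (SMB) against TCP 443 (REST) so a network that filters only outbound SMB can be told apart from a general connectivity failure. The function name `Test-AzureFilesReachability` and the account name `mystorageaccount` are assumptions; substitute your own storage account name.

```powershell
# Added example. 'mystorageaccount' is a placeholder, not a value from this thread.
function Test-AzureFilesReachability {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$StorageAccountName
    )

    # Endpoint suffix quoted in the answer above.
    $fqdn = "$StorageAccountName.file.core.windows.net"

    # Step 1: name resolution. A failure here is a DNS problem, not a blocked port.
    try {
        $addresses = (Resolve-DnsName -Name $fqdn -Type A -ErrorAction Stop |
            Where-Object { $_.Type -eq 'A' }).IPAddress
    } catch {
        return [pscustomobject]@{
            Endpoint = $fqdn; Resolved = $false; Addresses = ''
            Smb445 = $false; Https443 = $false
            Verdict = 'DNS resolution failed; fix name resolution before testing ports.'
        }
    }

    # Step 2: TCP handshakes. Unlike tracert, these do not depend on ICMP replies.
    $smb   = Test-NetConnection -ComputerName $fqdn -Port 445 -WarningAction SilentlyContinue
    $https = Test-NetConnection -ComputerName $fqdn -Port 443 -WarningAction SilentlyContinue

    # Step 3: interpret the pair of results.
    $verdict = if ($smb.TcpTestSucceeded) {
        'Port 445 reachable: the SMB path is open from this network.'
    } elseif ($https.TcpTestSucceeded) {
        'Port 445 blocked, 443 open: outbound SMB is filtered here; File Sync, VPN or REST tools still work.'
    } else {
        'Neither 445 nor 443 reachable: general connectivity or egress filtering problem toward the endpoint.'
    }

    [pscustomobject]@{
        Endpoint  = $fqdn
        Resolved  = $true
        Addresses = $addresses -join ', '
        Smb445    = $smb.TcpTestSucceeded
        Https443  = $https.TcpTestSucceeded
        Verdict   = $verdict
    }
}

Test-AzureFilesReachability -StorageAccountName 'mystorageaccount' | Format-List
```

Run it once on a network where the mount works and once on one where it fails; a difference only in `Smb445` points at port filtering on that network.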
