Issues with Azure Storage Account (File Storage) when using private IP addressing and Private Endpoints

David Ashcroft 1 Reputation point
2022-10-27T17:18:46.067+00:00

Hi all, just a bit of background on this... I have an Azure tenant that has a VNET setup as a site to site VPN.

The Azure IP range is 10.2.0.0/16, split down into much smaller subnets. I have a server subnet for example on 10.2.1.0/24. If I provision a virtual machine in Azure on this subnet, I can access it on my LAN without issues since the site to Azure VNET is in place.

I have gone ahead and created a new Storage Account. Within that, I've created a File Share. I've configured Active Directory on prem using Powershell in order to generate a computer object in AD so that users can authenticate to the file share with the domain credentials. So under the File Shares section on Azure, Active Directory is showing as Configured.

I've configured IAM on the fileshare so that my account has the Storage File Data SMB Share Elevated Contributor role assigned to it. If I try to map the drive using the powershell script, or just by typing in the full UNC path from a domain joined computer \mydataname.file.core.windows.net\az-mydataname-01 it connects without issues, I don't get prompted for credentials since my use account already has access via IAM.

This is all good so far, however, I'd like to lock the share down so that it cannot be accessed externally in any way. Only directly within Azure and over our site to site VNET/VPN. At the moment
file.core.windows.net points to the external IP address to access that store. From the storage account, I went into Networking and selected the Private endpoint connections tab. I created a new endpoint within the same subscription and in the same Resource Group as the storage account. I selected the Target sub-resource as File. For the Virtual Network, I selected the Server subnet (10.2.1.0/24).

Once deployed, it seems to generate a network interface and a private endpoint, as well as some external DNS data.

The network interface has been given an IP address of 10.2.1.6, in my Azure servers subnet.
The private endpoint object has DNS configuration for: mydataname.privatelink.file.core.windows.net which points to 10.2.1.6 as expected.

Heading back into the storage account, if I go into Networking > Private Endpoint Connections I can see the related endpoint is now listed and auto approved.

So far, so good... I think...

This is where thing seem to go wrong... If I try to reconnect the file store on my computer, it fails.
If I go into the storage account and head into File Shares and then try to click on the file share, I now get an error:

This machine doesn't seem to have access. This browser doesn't seem to be able to reach the necessary data plane APIs that interact with the files in an Azure file share. Interacting with share content is different from managing the Azure file share. Managing the share from this browser could be possible while accessing operations like listing the contents of a file share might not be. This is an issue reported from your side of the network. Check that your machine, from the network it is connected to, is expected to have access. If that is the case, check your networking configuration (proxy configuration, IP rules, Azure network settings for storage, etc) in your organization to ensure Azure services can be fully accessed.
Details authMode: 1 content: endpoint: 2 message: undefined name: StorageError requestId: null url: https://mydataname.file.core.windows.net/az-mydataname-01?

This error seems to go aware if I remove the private endpoint connection... I'm not sure why this would be. The Public Network Access is still set toEnable from all networks.

Azure Storage Accounts
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
2,894 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Zohaib 5 Reputation points
    2023-12-21T08:38:02.9966667+00:00

    Hi @David Ashcroft

    I got the same issue, after hours of troubleshooting the issue is the communication to fileshare on HTTPS to access the data API. Ask network team to open the communication on HTTPS to fileshare.

    1 person found this answer helpful.
    0 comments No comments

  2. risolis 8,706 Reputation points
    2022-10-27T17:36:33.613+00:00

    Hello @David Ashcroft

    Thank you for sharing this question on this community space.

    I would like to gather the next article which fits into your previous statement the one you were describing previously.... So please direct yourself down below:

    https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoint-policies-overview

    Furthermore, I wonder if you have configured these other settings as well:

    254798-image.png

    I hope you can find this useful to overcome your concern.

    Looking forward to your feedback,

    Cheers,

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.