External customer unable to access Storage account container blobs from their own Azure VM

Simone Lavagna 10 Reputation points
2023-03-20T12:27:15.5833333+00:00

Hi,

I have the following scenario with one of our customers, as they are unable to access the Blobs via SFTP:

Us:

  • I've created a Storage Account Container in our Azure tenant
  • I've set up an account for our customer to access both Prod and Dev Blobs, using username and password.
  • I have whitelisted their Public IP address

Our customer:

  • They have a VM setup in their Azure tenant with a public IP address

If I allow any network, the customer is able to connect.

If I only allow their Public IP address, then when they try to connect via SFTP, the connection is disconnected straight away.

I have tested it using my own Public IP address and I can access it fine. Even when our customer's employees are trying from their own computers, after I whitelist their Public IP address, they are able to connect fine.

Any clue why this might happen? Any help is much appreciated!

Regards,
Simone


3 answers

  1. Ayomide Oluwaga 946 Reputation points
    2023-03-20T23:16:32.02+00:00

    It is possible that the customer's public IP address is not static and may be changing frequently. In this case, if you have whitelisted a specific IP address, it may become outdated and not match the current public IP address of the customer's VM, which could result in the connection being disconnected.

    Another possibility is that there might be a firewall or network security group rule blocking the connection from the customer's VM to your storage account container. You can verify this by checking the customer's network security group rules to ensure that the required ports for SFTP (port 22) are open and allowed for outgoing traffic.

    Additionally, you can check the logs in your storage account to see if there are any error messages.


  2. SaiKishor-MSFT 17,191 Reputation points
    2023-03-21T18:18:59.4766667+00:00

    @Simone Lavagna Thanks for reaching out to Microsoft Q&A.

    I understand that your customer is unable to connect to Storage Account via SFTP when you whitelist their Public IP and disallow access to all networks in the Storage FW. All other IPs seem to be working alright.

    1. Do they use a domain name or IP address to connect to the storage account? If so, what is the domain name and what IP does it resolve to?
    2. Is there any other service in front of this VM because of which the IP may be changing?
    3. Is this VM in the same region as the storage account's region?

    In order to troubleshoot this, please use the monitoring tool to find the connection logs for SFTP and determine the IP that is being sent to the storage account. This needs to be done while allowing all traffic in the Storage FW so the traffic is let inside the account and then monitor the logs to determine the Source for the same.

    Here is an example thread that discusses monitoring SFTP connections using Azure Monitor: https://learn.microsoft.com/en-us/answers/questions/1163494/where-to-find-connection-logs-for-azure-blob-stora

    Please let me know. Thank you!


  3. Negru Daniel 0 Reputation points
    2024-04-15T20:30:58.36+00:00

    Neah, it's none of the above.

    @Simone Lavagna

    Your Storage blob with SFTP is in the same Azure region as the client VM connecting. Microsoft cannot route "via the internet" their traffic into your storage. If you can monitor your storage connections you will see the connection (when you allow all IPs) is coming from the private IP of the client's server.

    We have the same and it's driving us insane! There doesn't seem to be a fix to force routing of the traffic via the internet (even if at the storage level you specifically allow the Internet route and use the storage internet route URL).

    We're looking now at forcing our traffic somehow through another region, through some sort of proxy or something.

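The check that answers 2 and 3 describe (read the storage account's connection logs and see which source address the account actually receives, rather than assuming it is the customer's public IP) as an added Python example. This is not code from the thread, from Microsoft, or from the Azure SDK. It assumes Azure Storage resource-log records exported as JSON lines with a `callerIpAddress` field in `ip:port` form; the log records, the allow-list and the verdict names are constructed for the example. A caller that shows up with an RFC 1918 address is flagged separately, because a public-IP allow rule on the storage firewall can never match such a source.

```python
import ipaddress
import json

# Constructed sample of storage resource-log records (JSON lines). Field names
# follow the Azure Monitor storage log schema as far as the author knows them
# (callerIpAddress, protocol, operationName, statusText); the values are invented.
SAMPLE_LOG_LINES = [
    '{"time":"2023-03-20T12:00:01Z","operationName":"SftpConnect","protocol":"SFTP",'
    '"callerIpAddress":"203.0.113.10:51234","statusText":"Success"}',
    '{"time":"2023-03-20T12:00:05Z","operationName":"SftpConnect","protocol":"SFTP",'
    '"callerIpAddress":"10.1.0.4:40122","statusText":"Success"}',
    '{"time":"2023-03-20T12:00:09Z","operationName":"GetBlob","protocol":"HTTPS",'
    '"callerIpAddress":"198.51.100.77:443","statusText":"Success"}',
]

# Constructed allow-list, in the form the storage firewall accepts (single IPs or CIDRs).
ALLOWED_PUBLIC_IPS = ["203.0.113.10"]

# RFC 1918 ranges, checked explicitly (ipaddress.is_private also matches
# documentation ranges such as 203.0.113.0/24, which we want to treat as public).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True if ip is an IPv4 address inside one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in RFC1918)


def caller_ip(record: dict) -> str:
    """Strip the port from callerIpAddress; handles 'v4:port', '[v6]:port' and bare forms."""
    raw = record["callerIpAddress"]
    if raw.startswith("["):                      # bracketed IPv6 with port
        return raw[1:raw.index("]")]
    host, sep, port = raw.rpartition(":")
    if sep and port.isdigit() and ":" not in host:  # IPv4 with port
        return host
    return raw                                   # bare IPv4 or bare IPv6


def classify(ip: str, allowlist) -> str:
    """Decide how an IP-based storage firewall rule would treat this source address."""
    addr = ipaddress.ip_address(ip)
    nets = [ipaddress.ip_network(a, strict=False) for a in allowlist]
    if any(addr in net for net in nets):
        return "allowed"
    if is_rfc1918(ip):
        # Traffic that arrives with a private source (e.g. a VM in the same region,
        # as answer 3 reports) cannot be matched by any public-IP allow rule.
        return "private-source"
    return "blocked-public"


def analyze(lines, allowlist):
    """Parse JSON-lines log records and attach a verdict to each one."""
    results = []
    for line in lines:
        rec = json.loads(line)
        ip = caller_ip(rec)
        results.append({
            "time": rec["time"],
            "protocol": rec.get("protocol"),
            "operation": rec.get("operationName"),
            "ip": ip,
            "verdict": classify(ip, allowlist),
        })
    return results


def private_sources(results):
    """Return the distinct private source IPs, i.e. the ones an IP allow-list can't cover."""
    return sorted({r["ip"] for r in results if r["verdict"] == "private-source"})


if __name__ == "__main__":
    # Run with the firewall temporarily set to allow all networks, as answer 2 suggests,
    # so the connection attempts are logged; then see what source the account records.
    rows = analyze(SAMPLE_LOG_LINES, ALLOWED_PUBLIC_IPS)
    for r in rows:
        print(f'{r["time"]} {r["protocol"]:5} {r["ip"]:16} {r["verdict"]}')
    for ip in private_sources(rows):
        print(f"{ip}: private source address; an IP allow rule for the customer's public IP will not match it")
```

The export itself is left to whatever the account's diagnostic setting sends the logs to (a Log Analytics workspace or a storage container); the script only needs the records as JSON lines. The interesting output is any `private-source` verdict on an `SFTP` record: that is the symptom answer 3 describes, and it explains why adding the customer's public IP to the allow-list does nothing for a VM in the same region.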