How can I configure a storage account firewall to allow access to containers from P2S connected clients

Craig Stephenson 0 Reputation points
2023-05-09T18:20:44.4933333+00:00

Hi!

I am currently running a POC for one of our customers, and I am attempting to configure the storage account firewall to allow blob/container access for clients connected to the tenant via a P2S connection (provided through Azure VPN Gateway).

I have configured Azure Storage Explorer on a sample Windows client laptop to connect to the storage account via account name and key, and access works if I configure the firewall to allow access from my external RIP IP address at the office. However, I cannot configure the storage account firewall to allow internal IP ranges (such as the pool configured for the P2S connection).

Is there a way to configure access? Perhaps private endpoints somehow?

I'm not sure if using private endpoints is a possible solution (part baked or not), but I have since created a private endpoint and associated internal IP for the storage account and enabled Microsoft Storage service endpoint on the newly created storage account subnet. Peering means the subnet and storage account private endpoint IP should be reachable from the clients (I can see the subnet being published to the client when Azure VPN client connects), and no NSG is configured on the storage account subnet. However, access is still denied.

Can anyone please advise as to whether what I am trying to achieve is possible, and whether I need to perform extra steps around the private endpoint option (if that is viable) to get it to work?

Many thanks in advance guys!

Craig.


2 answers

  1. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.


  2. Sumarigo-MSFT 43,641 Reputation points Microsoft Employee
    2023-05-11T09:32:17.1333333+00:00

    @Craig Stephenson Yes, it is possible to configure access to Azure Blob Storage for clients connected to your tenant via a P2S connection using private endpoints. Private endpoints allow you to access Azure services over a private endpoint in your virtual network, rather than over the internet, providing secure access to the service.

    Here are some steps you can follow to configure access to Azure Blob Storage using private endpoints:

    1. Create a private endpoint for Azure Blob Storage in the same virtual network as the client machines that will access it.
    2. Associate an internal IP address with the private endpoint.
    3. Enable the Microsoft.Storage service endpoint on the storage account subnet.
    4. Configure the storage account firewall to allow access from the private endpoint's IP address.
    5. Test the connection from the client machine to the storage account using the private endpoint's IP address.

    If you have followed these steps and are still experiencing issues with access, you may need to perform additional troubleshooting steps. Here are some possible issues that could cause access to fail:

    The client machines may not be able to resolve the private endpoint's DNS name. Ensure that you have configured DNS resolution correctly in your virtual network.

    The client machines may not have the necessary network routes to reach the private endpoint. Check your network routes to ensure that traffic is correctly routed to the private endpoint's IP address.

    The storage account firewall may not be correctly configured to allow access from the private endpoint's IP address. Double-check your firewall rules to ensure that you have allowed access from the correct IP address.

    The client machines may be using a VPN client that is not compatible with private endpoints. Ensure that you are using a VPN client that supports private endpoints.

    To resolve a private DNS name from a P2S VPN client, you would need a DNS forwarder.

    Refer: https://learn.microsoft.com/en-us/answers/questions/1163745/azure-virtual-gateway-not-resolving-private-dns-zo

    I hope this helps you configure access to Azure Blob Storage using private endpoints.

    Please let us know if you have any further queries. I’m happy to assist you further.


    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.

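A client-side check for the DNS point raised in the answer above (a P2S client that resolves the blob hostname to the public endpoint will be blocked by the storage firewall, while one that resolves it into the private endpoint subnet will get through). This is an added example, not code from the original thread or from Microsoft; it assumes a hypothetical account name `contosostg` and a private endpoint subnet of `10.1.2.0/24`. The verdict logic runs offline on constructed answers; `resolve_blob_endpoint` needs the VPN connection and uses the client's configured resolver.

```python
"""Diagnose, from a P2S-connected client, whether <account>.blob.core.windows.net
resolves to the private endpoint (allowed) or the public endpoint (blocked)."""
import ipaddress
import socket

PRIVATELINK_SUFFIX = ".privatelink.blob.core.windows.net"


def classify_resolution(addresses, aliases, pe_subnet):
    """Classify a DNS answer for the blob hostname.
    addresses: A records returned for <account>.blob.core.windows.net.
    aliases:   CNAME names seen on the way (may be empty; some resolvers hide them).
    pe_subnet: CIDR of the subnet hosting the private endpoint NIC.
    """
    subnet = ipaddress.ip_network(pe_subnet)
    ips = [ipaddress.ip_address(a) for a in addresses]
    in_subnet = [str(ip) for ip in ips if ip in subnet]
    public = [str(ip) for ip in ips if ip.is_global]
    via_privatelink = any(a.lower().endswith(PRIVATELINK_SUFFIX) for a in aliases)
    if in_subnet and not public:
        verdict = "private-endpoint"
        hint = "Name resolves into the VNet; if access still fails, check routes and firewall."
    elif public:
        verdict = "public-endpoint"
        hint = ("Client used a public resolver: point the VPN client's DNS at a "
                "forwarder inside the VNet so the privatelink zone answers.")
    else:
        verdict = "unexpected"
        hint = "Answer is neither the PE subnet nor public; check the private DNS zone group."
    return {"verdict": verdict, "in_subnet": in_subnet, "public": public,
            "via_privatelink": via_privatelink, "hint": hint}


def resolve_blob_endpoint(account, pe_subnet):
    """Live check using the client's own resolver (what a P2S client really sees)."""
    host = f"{account}.blob.core.windows.net"
    _, aliases, addresses = socket.gethostbyname_ex(host)
    return classify_resolution(addresses, aliases, pe_subnet)


if __name__ == "__main__":
    # Constructed answers for a hypothetical account "contosostg" whose private
    # endpoint NIC lives in 10.1.2.0/24; these need no network access.
    good = classify_resolution(["10.1.2.4"],
                               ["contosostg.privatelink.blob.core.windows.net"],
                               "10.1.2.0/24")
    bad = classify_resolution(["20.60.1.1"], [], "10.1.2.0/24")
    for r in (good, bad):
        print(r["verdict"], "-", r["hint"])
```

Run it on the P2S client after connecting; a "public-endpoint" verdict means the VPN client is not using a resolver that can see the privatelink zone, which is the DNS forwarder case the answer describes.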