ACI stuck in waiting status when I add a private endpoint to storage account

Question

ACI stuck in waiting status when I add a private endpoint to storage account

Guillaume LOR 40

Hello,

I have a file share in a storage account to store the files of my azure container instance,

For security reasons I put it all in Vnets :

One subnet for the storage account
One subnet with delegation for the container instance

I wanted to add an endpoint to the storage account in order to have a little more security, but as the ACI mounts the mount volume in public it cannot access the storage account, and remains blocked in "waiting" status with error message "Failed to mount volume file shared.".

Is there a solution to this?

KarishmaTiwari-MSFT 20,772 Reputation points Microsoft Employee Moderator

2023-06-02T05:38:45.6466667+00:00

@Guillaume LOR Checking in to see if you got a chance to look at the comment above.
Guillaume LOR 40 Reputation points

2023-06-02T05:52:01.14+00:00

Hello,
Yes it's works perfectly with the service endpoint for us.
KarishmaTiwari-MSFT 20,772 Reputation points Microsoft Employee Moderator

2023-06-02T07:18:49.9233333+00:00

@Guillaume LOR Thanks for sharing the update. Glad to know it worked.

If you still have questions, please let us know in the "comments" and we would be happy to help you. Comment is the fastest way of notifying the experts.

Please don’t forget to Accept Answer and hit Yes for "was this answer helpful" wherever the information provided helps you. This can be beneficial to other community members for remediation for similar issues.

Accepted answer

0 additional answers

Your answer

KarishmaTiwari-MSFT 20,772 Reputation points Microsoft Employee Moderator

2023-06-02T05:38:45.6466667+00:00

@Guillaume LOR Checking in to see if you got a chance to look at the comment above.
Guillaume LOR 40 Reputation points

2023-06-02T05:52:01.14+00:00

Hello,
Yes it's works perfectly with the service endpoint for us.
KarishmaTiwari-MSFT 20,772 Reputation points Microsoft Employee Moderator

2023-06-02T07:18:49.9233333+00:00

@Guillaume LOR Thanks for sharing the update. Glad to know it worked.

If you still have questions, please let us know in the "comments" and we would be happy to help you. Comment is the fastest way of notifying the experts.

Please don’t forget to Accept Answer and hit Yes for "was this answer helpful" wherever the information provided helps you. This can be beneficial to other community members for remediation for similar issues.

Answer 1

KarishmaTiwari-MSFT 20,772 Microsoft Employee Moderator

@Guillaume LOR Thanks for posting your query on Microsoft Q&A.

Can you try creating a service endpoint instead of a private endpoint?
As per the documentation, if you are deploying container groups into an Azure Virtual Network, you must add a service endpoint to your Azure Storage Account.

Additional reading: How to create Azure container Instance (ACI) with Private Azure File as Mounted Volume

Craig Blackman 25 Reputation points

2023-08-10T09:28:33.18+00:00

I have the same situation as original question, using ACI with a private endpoint on a storage account and ACI remains blocked/waiting.
In the above answer it states to use service endpoint instead of private endpoint, however the post linked for additional reading looks as though a service endpoint and private endpoint are in use. (Appreciate it's not an MS article). So can you clarify if using a storage account with a private endpoint and ACI is possible? Perhaps providing an example network topology if so. Thanks.
Scott Hopwood 0 Reputation points

2023-08-18T07:19:25.7433333+00:00

Also, having it just staying in a Wait state indefinitely is very unhelpful
Ruchika Srivastava 0 Reputation points

2023-09-14T13:46:59.9+00:00

I have the same situation as described in the original question. Were any of you able to connect ACI to storage account with private endpoints?
Craig Blackman 25 Reputation points

2023-10-06T12:06:53.34+00:00

We could not connect ACI to a storage account using a private endpoint, we ended up using a service endpoint on the storage account but with network access restricted to a particular subnet for the ACI.
The subnet had to be delegated to Microsoft.ContainerInstance/containerGroups.

We still had other apps that need to connect to the storage account by private endpoint. So the key point I found was a private endpoint and service endpoint with subnet restriction can be used together, as enabling private endpoint does not restrict the public networking settings, unless configured explicitly.

Share via

ACI stuck in waiting status when I add a private endpoint to storage account

0 additional answers

Your answer