Azure Files
An Azure service that offers file shares in the cloud.
1,425 questions
Issues about storage private link and VPN S2S connectivitity
Mateus Parente
30
Reputation points
Dears,
Can you help me out with the following situation, please?
We connected our on-premise network to a VNET using a site-to-site (with Meraki) VPN connection. So far, looks good, and we are able to reach private IPs from our on-premise machine. Via internet, we are also able to mount SMB file shares directly using the UNC path, as the machines are domain-joined and the storage account has active directory with kerberos enabled.
Our goal is to block the internet for these machines, forcing all the integrations with Azure to go through the VPN tunnel, so, for this
- I created a private link for the storage account and linked to the respective VNET
- Deployed an Azure DNS private resolver, to resolve the storage account URL to the private link
- Pointed the Azure DNS private resolver inbound IP to our Meraki DNS configuration
Performing a nslookup on ourstorage.file.core.windows.net seems to be resolving to the private link and private ip on the respective machine, but does not connect when the internet is blocked. It just keeps loading something for a long time, and then throws a network connectivity error or credentials windows.
It is like to be able to work some endpoint needs to be whitelisted for the internet, but so far, no luck in identifying.
Is there any limitation to achieving what we are trying to do?
Thanks in advance
Azure Files
Azure DNS
Azure DNS
An Azure service that enables hosting Domain Name System (DNS) domains in Azure.
779 questions
Azure Storage
Azure Storage
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
3,545 questions
Azure VPN Gateway
Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,803 questions
Azure Private Link
Azure Private Link
An Azure service that provides private connectivity from a virtual network to Azure platform as a service, customer-owned, or Microsoft partner services.
551 questions
{count} votes
-
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator2023-08-31T04:04:52.18+00:00 Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you are trying to mount SMB file shares using the UNC path and private endpoint.
Can you let us know the following,
From an Azure VM in the same VNET as the Private EndPoint,
- Make sure the VM uses the Azure DNS private resolver inbound IP for DNS and resolves the storage endpoint to Private IP of the PE
- Do a nslookup <ourstorage.file.core.windows.net> and see if it resolves to the PE IP
- If this works, then please try to mount the file share from this VM using PE IP
- In case the above fails (or) you resolve to Private IP
- Update the Windows host file to resolved the PE IP
- Then try to mount the above.
- Update the Windows host file to resolved the PE IP
- Open powershell as admin and run,
tnc <ourstorage.file.core.windows.net> -p 445
Before troubleshooting the OnPrem side, it's better to make sure the PE and Private DNS Resolver works for a VM in Azure.
Please share the results.
Cheers,
Kapil
-
Mateus Parente 30 Reputation points
2023-08-31T13:43:00.56+00:00 Many thanks for the quick answer,
I've performed your tests and the result was the following
On my VM deployed on same VNET
- I did a nslookup on the storage account and it's been resolved to the private link and private IP, I tested the DNS private resolver connectivity creating a ruleset pointing to a fictitious domain and using a test DNS server, which worked, so seems all good on this side.
- Then I accessed the fileshare directly using the UNC path and that also worked
On the on-premise machine
- A nslookup on the storage accounts gives the same result of the VM, so it's been resolved correctly to the private IP
- The command below also says the Tcp test succeeded and the private IP is showing as remote address
tnc <ourstorage.file.core.windows.net> -p 445 - When accessing the fileshare directly using the UNC path it takes around 2-3 minutes and then throws an exception
"Windows can't find <ourstorage.file.core.windows.net>. Check the spelling and try again"
What connections are made when accessing a fileshare directly? Something I should whitelist for internet access?
Another thing to add: the storages, VM, VNET, and VPN connections are configured on UK South, but the on-premise machine is located on India. A latency could cause this kind of issue?
Thanks in advance.
-
Mateus Parente 30 Reputation points
2023-08-31T14:10:16.4133333+00:00 Many thanks for the quick answer,
(I may have sent this comment duplicated, as something went wrong here)I've performed the tests you asked for and the results are the following
On the VM in the same VNET I got
- I did a nslookup on <ourstorage.file.core.windows.net> and I got the private link and private IP
- To make sure the DNS private resolver was connected, I created a ruleset with a fictitious domain and a dns server for test, also also worked and I got the expected response
- Then I accessed the fileshare directly using the windows explorer \ourstorage.file.core.windows.net\test and it worked
On the on-premise machine
- I did a nslookup on <ourstorage.file.core.windows.net> and I got the private link and private IP
- Then I executed the command below and I got TctpTestSucceeded: true and the private IP as remote address
tnc <ourstorage.file.core.windows.net> -p 445 - Then I accessed the fileshare directly using the windows explorer \ourstorage.file.core.windows.net\test and it took around 2-3 minutes to load something and threw an error
"Windows can't find \ourstorage.file.core.windows.net\test. Check the spelling and try again."
What connections does this storage account with active directory integration make? What URL does it call? Maybe I need to whitelist something on my firewall as the internet is fully blocked here?
Also, is worth pointing out that the VM, VNET, Storage and VPN Connections are everything in UK South, but the on-premise machine is in India. Could latency be an issue in this case?
Thanks in advance,
-
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator
2023-08-31T14:16:08.62+00:00 I would appreciate if you could perform one more test.
- Update the host file of the local server so that it resolves "ourstorage.file.core.windows.net" to the private IP of the PE
C:\Windows\System32\drivers\etc\hosts- And try to mount it again please.
- Also, please try from a different local machine in the same network
I don't think so latency could be the culprit here, at least not yet.
The error message indicates that it was not able to find the "ourstorage.file.core.windows.net".
Cheers,
Kapil.
-
Mateus Parente 30 Reputation points
2023-08-31T16:37:38.52+00:00 I tried that, unfortunately I got the same result
I did 3 tests today
I opened internet
In this case, the storage account mounting works properly
Even when the internet is disabled afterwards, it continues working until the machine gets restarted, which makes me think it can be some authentication token cached or even DNS cached.I've allowed only the storage public IP
In this case, it makes no difference, same problem.
Tried to put the private IP the hosts file
In this case, it makes no difference, same problem.
I don't know if any of these tests made some difference, but I got a different error at the end of the day. It took 15min after entering the unc path on windows explorer, but it showed up a windows credential popup (what should not happen anyway).
-
Sumarigo-MSFT 47,471 Reputation points Microsoft Employee Moderator2023-09-04T06:35:35.0033333+00:00 @Mateus Parente I wish to engage with you offline for a closer look and provide a quick and specialized assistance, please send an email with subject line “Attn:subm” to (AzCommunity@microsoft.com) referencing this thread and the Azure subscription ID, I will follow-up with you. Once again, apologies for any inconvenience with this issue.
Thanks for your patience and co-operation.
Sign in to comment
Sign in to answer