AuthorizationFailure error 403 when using private endpoint on storage account

Harshit Z Kothari 40 Reputation points
2024-02-16T14:44:01.9133333+00:00

I have a storage account with proper private endpoint and DNS configuration. Now, I am selecting disabled in networking, as I use org VPN and successfully can see the containers data. Other person is also using VPN, and facing an AuthorizationFailure 403 error. What could be the reason behind it? As there is a Private Endpoint on the storage account, the network setting should not block the traffic coming from VPN if I understood it correctly, right? Could it be the role issue? I have storage account contributor, owner at subscription. The other person has storage blob data contributor, owner at subscription.


1 answer

  1. KarishmaTiwari-MSFT 20,772 Reputation points Microsoft Employee Moderator
    2024-02-16T16:54:29.98+00:00

    @Harshit Z Kothari

    1. Verify that the VPN configuration is correct and that both of you can access other resources on the network without issues.
    2. While the roles you both have should be sufficient, you could temporarily elevate the permissions to see if it resolves the issue, and then adjust them back to the appropriate level once resolved.
    3. Check Azure Storage diagnostic logs for more detailed error messages that could provide insight into the problem. https://learn.microsoft.com/en-us/azure/storage/common/storage-analytics-logging or you can use Azure Storage logs in Azure Monitor (recommended solution for logging).

    How long does the private DNS A record take to be in effect? New or updated DNS zones and DNS records appear in the Azure DNS name servers within 60 seconds. For changes to existing records, DNS caching by DNS clients and DNS recursive resolvers outside of Azure DNS can affect timing. The cache duration is dependent on the Time-To-Live (TTL) property of each record set. Let me know if you are still seeing issues.

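The first thing to compare between the two VPN clients is what the storage account's blob FQDN actually resolves to on each machine: if the client's resolver returns the private endpoint's VNet address, the request reaches the private endpoint; if it returns a public Azure IP, the request hits the public endpoint, which is exactly what "Public network access: Disabled" rejects with a 403. The script below is an added diagnostic, not code from the question, the answer or Microsoft. It uses the local resolver (the one the VPN assigns), classifies the answers as RFC 1918 or public, and optionally checks them against the subnet the private endpoint was deployed into. The account name `contosodata` and subnet `10.1.2.0/24` are constructed placeholders.

```python
"""Resolve a storage account's service FQDN and report whether the answer is
a private endpoint address (RFC 1918, inside the VNet) or a public Azure IP.
Run on each VPN client and compare the verdicts."""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# A private endpoint NIC takes its address from the VNet subnet it lives in,
# which is normally one of the RFC 1918 ranges.
RFC1918_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def is_rfc1918(address: str) -> bool:
    """True if the address falls in any RFC 1918 range (IPv6 never matches)."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in RFC1918_NETS)


def classify_addresses(addresses: List[str]) -> str:
    """'private' if every answer is RFC 1918, 'public' if none is,
    'mixed' if both kinds appear, 'unresolved' if the lookup returned nothing."""
    if not addresses:
        return "unresolved"
    flags = [is_rfc1918(a) for a in addresses]
    if all(flags):
        return "private"
    if not any(flags):
        return "public"
    return "mixed"


def resolve_live(hostname: str) -> List[str]:
    """Live lookup through the client's own resolver (the one the VPN hands
    out). getaddrinfo follows the privatelink CNAME chain, so the result is
    the final A/AAAA record the client will connect to."""
    infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_storage_endpoint(
    account: str,
    service: str = "blob",
    expected_subnet: Optional[str] = None,
    resolver: Callable[[str], List[str]] = resolve_live,
) -> Dict[str, object]:
    """Build the service FQDN, resolve it and classify the answers.
    `resolver` is injectable so the check can be exercised offline."""
    host = f"{account}.{service}.core.windows.net"
    addresses = resolver(host)
    result: Dict[str, object] = {
        "host": host,
        "addresses": addresses,
        "verdict": classify_addresses(addresses),
    }
    if expected_subnet is not None:
        # Confirms the A record points at *this* private endpoint's subnet,
        # not merely at some private address.
        subnet = ipaddress.ip_network(expected_subnet)
        result["in_expected_subnet"] = bool(addresses) and all(
            ipaddress.ip_address(a) in subnet for a in addresses
        )
    return result


if __name__ == "__main__":
    import sys

    # Constructed defaults; pass your own account name and PE subnet instead.
    account = sys.argv[1] if len(sys.argv) > 1 else "contosodata"
    subnet = sys.argv[2] if len(sys.argv) > 2 else "10.1.2.0/24"
    report = check_storage_endpoint(account, expected_subnet=subnet)
    for key, value in report.items():
        print(f"{key}: {value}")
    if report["verdict"] != "private":
        print("Traffic will use the public endpoint; with public access "
              "disabled this is the usual cause of AuthorizationFailure 403.")
```

Run it on both machines while connected to the VPN. A "private" verdict on one client and "public" on the other points at the second client's DNS path (the VPN is not sending `*.blob.core.windows.net` queries to a resolver that knows the Azure Private DNS zone, or the client still has a cached public answer within its TTL) rather than at RBAC roles, which produce a different failure.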
