Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
2,731 questions
Connection to Azure Storage account
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(0, 7.000000000000001%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAP%3C/text%3E%3C/svg%3E)
Apurva Pathak
315
Reputation points
Hi folks,
I have a machine that has a route table associated with it which transfers 0.0.0.0/0 to our NVA. I enabled Service Endpoint of Azure Storage in the subnet of the VM and as expected a route to the 'VirtualNetworkServiceEndpoint' got created for all the relevant IPs of Storage service.
The Storage Account doesn't have any PE associated with it, now if traffic is leaving to the Azure Storage, at the route table it should be getting two routes; i.e.
- SDR: StorageServicetagIPRanges --> 'VirtualNetworkServiceEndpoint'
- UDR: 0.0.0.0/0 --> 10.X.X.X
As per the routing preferences mentioned here, Azure picks up the longest prefix to route the traffic to, which means my UDR (which directs all traffic to NVA) 0.0.0.0/0 should be ignored and SDR (which is specific to the service IP ranges) should be picked, and the traffic should go to Storage Account directly (OfCourse via Service Endpoints) rather than my NVA.
But, this is not happening, when I am doing a tracert, it is hitting my NVA. When I do a TNC it hits my NVA and it goes through that.
Could anyone please help me clarify this.
Azure routing preference snip:
tracert/ tnc results:
Effective routes on the VM's subnet(as per my current understanding Green routes should be preferred to Red ones on the basis of longest prefix):
Thanks in advance!
Cheers!
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 59%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
ChaitanyaNaykodi-MSFT 23,341 Reputation points Microsoft Employee2024-03-06T03:01:50.99+00:00 Thank you for reaching out.
When using service endpoints, service traffic switches to use virtual network private addresses as the source IP addresses when accessing the Azure service from a virtual network. I do not think running a tracert will be a correct way to test the route here. You can follow the steps mentioned below to test the Next hop and the route.
- Once you configure service endpoints to a specific service, validate that the service endpoint route is in effect by: Validating the source IP address of any service request in the service diagnostics. All new requests with service endpoints show the source IP address for the request as the virtual network private IP address, assigned to the client making the request from your virtual network. Without the endpoint, the address is an Azure public IP address. For Azure storage you can use Azure Monitor Logs tables here to determine the callerIpAddress.
- You can also try the Test network communication using Network Watcher next hop test here along with the check above.
Thank you!
-
Apurva Pathak 315 Reputation points
2024-03-06T07:05:50.6866667+00:00 Thanks for your findings!
However, I have validated that the traffic is hitting my NVA which supports the fact that traffic is taking the UDR path (i.e. 0.0.0.0/0 --> NVA).
Could you please suggest further!
Thanks!
-
ChaitanyaNaykodi-MSFT 23,341 Reputation points Microsoft Employee
2024-03-13T02:32:55.4133333+00:00 Thank you for getting back and apologies for the delay. To troubleshoot the exact issue I think we will need specialized 1:1 session, where a support engineer can have a screen share session to pin point the issue. If you have a support plan you may file a support ticket, else please refer to my private message here. Thank you!
-
Apurva Pathak 315 Reputation points
2024-03-13T10:29:18.25+00:00 We've opened a case. Thanks a lot for your suggestions!
-
ChaitanyaNaykodi-MSFT 23,341 Reputation points Microsoft Employee
2024-03-15T20:56:07.5033333+00:00 Thank you for getting back, can you please share the support ticket with us via private message? Thanks
-
Timmy Malmgren 886 Reputation points2024-04-05T10:26:16.0566667+00:00 Late to the party here :) this might already be solved, but one clarification that is good to remember, UDR as you have set up will "override" Azures Default routes, so from the information provided it looks like it is expected behavior to send the traffic to the NVA, since the storage account have public (internet) IP.
Hope this is helpful and remember shared knowledge is the best knowledge 😊
Best Regards,
Timmy Malmgren
If the Answer is helpful, please click "Accept Answer" and upvote it as it helps others to find what they are looking for faster!
-
Apurva Pathak 315 Reputation points
2024-04-05T11:16:59.4933333+00:00 Hi @Timmy Malmgren ,
Thanks for your inputs!
But, SDRs have longer prefix then shouldn't it be picked up for traffic.
As per the routing preferences mentioned here, Azure picks up the longest prefix to route the traffic to, which means my UDR (which directs all traffic to NVA) 0.0.0.0/0 should be ignored and SDR (which is specific to the service IP ranges) should be picked, and the traffic should go to Storage Account directly (OfCourse via Service Endpoints) rather than my NVA.
Thanks!
-
Timmy Malmgren 886 Reputation points
2024-04-05T12:05:37.13+00:00 Its diffrent for the 0.0.0.0/0 UDR :) copy/pasted the section about it, but you can read more about how Azure handles routing here.
But since you have service endpoint configure you are correct (my bad) it should follow the service endpoint and access the storage account without going trough the NVA.
When you override the 0.0.0.0/0 address prefix, not only does outbound traffic from the subnet flow through the virtual network gateway or virtual appliance, but the following changes also occur with Azure's default routing:
- Azure sends all traffic to the next hop type specified in the route, including traffic destined for public IP addresses of Azure services. When the next hop type for the route with the 0.0.0.0/0 address prefix is Internet, traffic from the subnet destined to the public IP addresses of Azure services never leaves Azure's backbone network, regardless of the Azure region the virtual network or Azure service resource exist in. When you create a user-defined or BGP route with a Virtual network gateway or Virtual appliance next hop type however, all traffic, including traffic sent to public IP addresses of Azure services you haven't enabled service endpoints for, is sent to the next hop type specified in the route. When you enable a service endpoint for a service, Azure creates a route with address prefixes for the service. Traffic to the service doesn't route to the next hop type in a route with the 0.0.0.0/0 address prefix. The address prefixes for the service are longer than 0.0.0.0/0.
You're no longer able to directly access resources in the subnet from the Internet. You can access resources in the subnet from the Internet indirectly. The device specified by the next hop type for a route with the 0.0.0.0/0 address prefix must process inbound traffic. After the traffic traverses the device, the traffic reaches the resource in the virtual network. If the route contains the following values for next hop type:
-
Timmy Malmgren 886 Reputation points
2024-04-05T12:08:05.05+00:00 hmm but at the same time it says it should access it with service endpoint, im a little uncertain about that part to be honest i might need to test it alittle :)
-
Apurva Pathak 315 Reputation points
2024-04-05T14:56:31.11+00:00 Hi @Timmy Malmgren ,
That's exactly what my point is.
If traffic traffic from a service point enabled subnet is leaving to the service it should be getting two routes; i.e.- SDR: StorageServicetagIPRanges --> 'VirtualNetworkServiceEndpoint'
- UDR: 0.0.0.0/0 --> 10.X.X.X
As per the routing preferences mentioned here, Azure picks up the longest prefix to route the traffic to, which means my UDR (which directs all traffic to NVA) 0.0.0.0/0 should be ignored and SDR (which is specific to the service IP ranges) should be picked, and the traffic should go to Storage Account directly (OfCourse via Service Endpoints) rather than my NVA.
The same is suggested in the link which you've given above, pasting a snip below.
Red: Traffic related to non-service endpoint enabled services, will go to NVA following 0.0.0.0/0 route from UDR because it doesn't have any secondary route.
Yellow: Traffic related service endpoint enabled services should go to Azure backbone because enabling service endpoints creates SDR with IP ranges of Azure services which have longer address prefixes and should be preferred over UDR with 0.0.0.0/0.
Awaiting your further comments on this!
Thanks a lot for looking into this!
Cheers!
Sign in to comment