Accessing Storage Account from Different tenant VM

Satyajit 0 Reputation points
2024-07-25T07:25:32.2+00:00

Hello Team,

I am trying to access a Storage account from a different Azure VM.

I have added the public IP of that VM in the storage account firewall. It is still not able to connect.

It may be that both resources are in the same region.

I have tried to add VM subnet details in storage firewall using this command:

az storage account network-rule add --resource-group "xxx" --account-name "yyy" --subnet "/subscriptions/aaa/resourceGroups/edllive/providers/Microsoft.Network/virtualNetworks/bbb/subnets/ccc"

I have created private endpoints for that storage account.

Then I enabled Global service endpoints for the VM subnet using this command:

Get-AzVirtualNetwork -ResourceGroupName "xxx" -Name "yyy" | Set-AzVirtualNetworkSubnetConfig -Name "zzz" -AddressPrefix "x.x.x.x/24" -ServiceEndpoint "Microsoft.Storage.Global" | Set-AzVirtualNetwork

I am still facing the issue:

Failed to access the service endpoint "https://ooooo.blob.core.windows.net/" (status code: 0, status text: "error"). This failure could be due to your network blocking access to the endpoint, for instance through a firewall. Click on this box to open the endpoint in a new tab. If the page fails to load, make sure your network allows access to the endpoint.

Could you please help with this?

Thanks

Satyajit


3 answers

  1. Deepanshukatara-6769 10,455 Reputation points
    2024-07-25T08:46:36.1933333+00:00

    Hi Satyajit, Welcome to MS Q&A

    I think the az command used above to enable the service endpoint on the subnet of the VM seems not right, so that's why the service endpoint communication is not set up.

    To configure service endpoints for a subnet in Azure, you can use the Set-AzVirtualNetworkSubnetConfig cmdlet with the -ServiceEndpoint parameter. Here is an example command to configure service endpoints for a subnet:

    Set-AzVirtualNetworkSubnetConfig -Name 'zzz' -VirtualNetwork $virtualNetwork -AddressPrefix 'x.x.x.x/24' -ServiceEndpoint 'Microsoft.Storage'
    

    In this command, you need to replace 'zzz' with the name of the subnet you want to configure, and $virtualNetwork with the virtual network object. You can get the virtual network object using the Get-AzVirtualNetwork cmdlet.

    For more information, you can refer to the following resources.

    You can also check the doc below to do it manually:

    https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoint-policies-portal

    Please check and let us know if you have any further questions.

    Kindly accept the answer if it helps.

    Thanks
    Deepanshu


  2. Nehruji R 8,146 Reputation points Microsoft Vendor
    2024-07-26T10:52:30.4233333+00:00

    Hello Satyajit,

    Greetings! Welcome to Microsoft Q&A Platform.

    I understand that you're trying to access a Storage account from a different Azure VM. While doing this, you're getting the error "Failed to access the service endpoint "https://ooooo.blob.core.windows.net/" (status code: 0, status text: "error"). This failure could be due to your network blocking access to the endpoint, for instance through a firewall. Click on this box to open the endpoint in a new tab. If the page fails to load, make sure your network allows access to the endpoint".

    Private endpoints provide a secure way to access Azure services such as Azure Storage Accounts over a private connection within a virtual network (VNet), rather than over the public internet.

    Try clearing your browser's cache, which can resolve unexpected issues, and also please ensure that the service principal or user has the necessary permissions on the virtual network at the subscription level. Specifically, they need the 'Microsoft.Network/virtualNetworks/subnets/join/action' permission. This is typically included in the Network Contributor role. Also make sure that the user account which accesses the storage account from the subnet has an eligible role assignment to access the storage account. So, for example, if the user should be able to read and write blob data, add a Storage Blob Data Contributor role for your user.

    Browser extensions can sometimes interfere with the Azure portal. Try disabling them temporarily to see if that helps. Some users have reported that disabling certain accessibility settings in Edge can help. You can try going to edge://accessibility and unchecking "Web Accessibility".

    If you’ve recently granted permissions or made changes, try refreshing your credentials by signing out and signing back in to the Azure portal. Sometimes, cached credentials can cause issues.

    Also, a similar issue is discussed in the Answer section of the following SO thread: https://stackoverflow.com/questions/68988514/azure-storage-account-firewall-permissions-for-vulnerability-assessment.

    Please consider checking the troubleshooting steps below to resolve the issue:

    1. By default, storage accounts accept connections from clients on any network. However, to limit access to selected networks, the first step is that you must change the default action.
    2. Azure Storage provides a layered security model allowing you to secure your storage accounts to a specific set of allowed networks. When network rules are configured specifically, only applications from allowed networks can access a storage account.
    3. When you choose "Selected Networks", by default access is blocked from all networks, irrespective of whether they are in the same VNet.
    4. The term "Selected Networks" itself means providing access from selected networks. (So if you don't select the network, it can't be accessed from anywhere.)
    5. Now open up access by adding the specific VNet. Again, within that VNet, you can select which subnet access needs to be given to, i.e. you are configuring the storage account to allow access only from specific subnets.
    6. To summarize: if the source request is coming from an Azure VM in the same Azure VNet and from the same region, then the Azure storage firewall should be configured to allow the traffic by adding the VNet/subnet within the "Virtual networks" section.
    7. The main use of Private Endpoints for your Azure Storage accounts is to allow clients on a virtual network (VNet) to securely access data over a Private Link. The private endpoint uses an IP address from the VNet address space for your storage account service. Network traffic between the clients on the VNet and the storage account traverses the VNet and a private link on the Microsoft backbone network, eliminating exposure from the public internet.
    8. Basically, using private endpoints for your storage account enables you to: a) Secure your storage account by configuring the storage firewall to block all connections on the public endpoint for the storage service. b) Increase security for the virtual network (VNet) by enabling you to block exfiltration of data from the VNet. c) Securely connect to storage accounts from on-premises networks that connect to the VNet using VPN or ExpressRoute with private peering.

    reference: https://learn.microsoft.com/en-us/azure/private-link/tutorial-private-endpoint-storage-portal?tabs=dynamic-ip

    Refer to the troubleshooting article and docs for more detailed guidance: https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal, https://learn.microsoft.com/en-us/azure/storage/common/network-routing-preference, https://techcommunity.microsoft.com/t5/azure-paas-blog/troubleshooting-storage-firewall-issues/ba-p/1944730.

    Hope this answer helps! Please let us know if you have any further queries. I’m happy to assist you further.


    Please "Accept the answer" and "up-vote" wherever the information provided helps you, as this can be beneficial to other community members.
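The service-endpoint and storage-firewall steps described in the answers above, as an added Az PowerShell example that is not from the thread. It assumes you are signed in with Connect-AzAccount to the subscription that owns each resource (when the VNet and the storage account are in different tenants, run each half while signed in to that resource's tenant); all resource names are placeholders.

```powershell
# Added example (not from the thread). Placeholders: replace with your own values.
$vnetRg      = 'xxx'         # resource group of the VM's VNet
$vnetName    = 'yyy'         # virtual network name
$subnetName  = 'zzz'         # subnet hosting the VM
$storageRg   = 'storage-rg'  # resource group of the storage account
$storageName = 'ooooo'       # storage account name

# 1. Enable the Microsoft.Storage service endpoint on the VM's subnet.
#    This must exist before the storage firewall will accept a rule for the subnet.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $vnetRg -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet
$vnet   = Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
            -AddressPrefix $subnet.AddressPrefix -ServiceEndpoint 'Microsoft.Storage' |
          Set-AzVirtualNetwork
$subnetId = (Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet).Id

# 2. Switch the storage account to "selected networks" (default action Deny)
#    and allow only that subnet. Public IP rules are not needed for VNet traffic.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $storageRg -Name $storageName `
    -DefaultAction Deny
Add-AzStorageAccountNetworkRule -ResourceGroupName $storageRg -Name $storageName `
    -VirtualNetworkResourceId $subnetId

# 3. Verify: the subnet rule should be listed with State = Succeeded and the
#    default action should be Deny. Anything else means the firewall, not the
#    VM, is what is blocking the request.
$ruleSet = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $storageRg -Name $storageName
"DefaultAction: $($ruleSet.DefaultAction)"
$ruleSet.VirtualNetworkRules | Format-Table VirtualNetworkResourceId, State -AutoSize
```

If the account is reached through a private endpoint instead, step 2 is unnecessary for VNet clients; check from the VM that the account's FQDN resolves to the private endpoint IP before looking at firewall rules.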

  3. Sumarigo-MSFT 47,021 Reputation points Microsoft Employee
    2024-07-30T07:20:00.2066667+00:00

    Satyajit, adding more information to the above response.

    It seems you're encountering a complex issue with accessing an Azure Storage account from a different Azure VM. Here are a few steps and considerations that might help resolve the problem:

    1. Check Network Connectivity: Ensure that the Azure VM and the Storage account are part of the same virtual network and subnet. You can verify this through the Azure Portal or by performing an nslookup on the storage account to see if it resolves to the private IP address assigned to the FQDN under the private endpoint configuration.
    2. Firewall and Virtual Network Rules: Make sure that the firewall and virtual network rules on the storage account are configured correctly. If necessary, temporarily change the setting on the storage account to "Allow access from all networks" to test if these settings are causing the issue.
    3. Private Endpoint Configuration: Since you've created private endpoints for the storage, ensure that they are correctly configured and that the VM is able to resolve the storage account's private endpoint.
    4. Service Endpoints: The command you used to enable global services on the VM subnet should have the correct parameters. Double-check the command syntax and the parameters to ensure they are accurate.
    5. Storage Account Access Keys: Verify that the Azure VM has the correct storage account access keys and that they are being used properly in the connection attempt.
    6. Azure Storage Explorer: If you're using Azure Storage Explorer, ensure that it's configured to work with private endpoints. Sometimes, the issue might be with the Storage Explorer setup rather than the Azure infrastructure.
    7. Microsoft Q&A and Support: If the issue persists, consider reaching out to Azure Support for more personalized assistance. They can provide guidance specific to your Azure environment and setup. If not please let me know I would like to work closer on this issue.

    Reference:

    Traffic path between Azure storage account and Azure VM
    Azure vm stopped unexpectedly, says "Storage account xxxxxxxx not found,...."
    How can Azure VM with private IP connect to Azure Storage account via internet
    Access to Azure storage account from Azure VM using Storage Explorer

    Please let us know if you have any further queries. I’m happy to assist you further.    


    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, as this can be beneficial to other community members.
