Access Azure Storage on Local Laptop Via Azure VPN Client and Virtual Network Gateway

Tom McCartan 25 Reputation points
2024-09-24T15:13:48.95+00:00

I have the following Scenario

  1. A VNET Configured for our Development Team
  2. An Azure Storage Account Configured within the VNET that is not allowed access to specific IP Addresses, only within the VNET
  3. A Private Endpoint Configured for the Azure Storage Account
  4. A Virtual Network Gateway Configured within the VNET with Point-To-Site
  5. Ability to use Azure VPN Client
  6. On-Prem Developers on their local Laptops, connect to the Azure VPN Client, Connect to the Virtual Network Gateway Point-to-Site Network using their Azure Entra ID.
  7. Use Azure Storage Explorer to connect to the Azure Storage Account and view Blobs.

Steps 1-6 seem to work fine and are configured. But they are not able to access the Azure Storage Account.

If the Developer does NSLOOKUP on the Storage Account Private Link, it resolves to the Public IP, not the Private IP, so I believe this is the issue.

NOTE: If I have a VM in the VNET, and Connect to the VM, via RDP, and do the NSLOOKUP on the Private Link of the Azure Storage account, it correctly resolves to the Private IP, and I am able to use Azure Storage Explorer, on the VM to access the Blobs. But I really want local users on their laptop to use Azure VPN Client to just connect to Azure Storage Explorer using the VNG.

Is this a supported configuration?

VPN Configuration with SubNetsUser's image

User's image

VNG Point-To-Site ConfigurationUser's image

Storage Private Endpoint ConfigurationUser's image

Storage Network Config

User's image

NSLOOKUP

User's image

Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,427 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Rohith Vinnakota 595 Reputation points Microsoft Vendor
    2024-09-26T21:44:20.68+00:00

    Hi Tom McCartan,

    Good day!

    Apologies for the delay and inconvenience.

    I have created the scenario on my side. I used the Azure DNS Private Resolver.

    1. Create the Private DNS Resolver and add existing vnet where all resources have.

    Note: Create a new subnet in the vnet

    Screenshot 2024-09-27 025422

    2.Create the Inbound Endpoint after that create.

    Screenshot 2024-09-27 025603

    3.Add this Ip in the DNS server in the vnet and restart the vm, disconnected the vpn.

    User's image

    4.Try to connect the storage account in the Azure Storage explorer.

    I hope it's helps you.


    If you have any further concerns, please do not hesitate to contact us.

    We are pleased to help you.

    If the information is helpful, please click on "Upvote" and "Accept Answer" so that it would be helpful to other community members.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.