Azure Virtual WAN
An Azure virtual networking service that provides optimized and automated branch-to-branch connectivity.
220 questions
Storage Account firewall with VWAN/secure virtual hub
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(227.2, 70%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESC%3C/text%3E%3C/svg%3E)
Shane Corgatelli
40
Reputation points
We have an Azure Virtual WAN, secured virtual hubs, and P2S VPN. I also have an azure storage account with the firewall enabled to allow traffic from the virtual hub public IP. I'm trying to lock down access so the user has to be on VPN to access the storage account content. I would also like them to be able to access the contents from the Azure portal while on VPN rather than requiring storage explorer (with a private endpoint).
In theory I should be able to access the storage account when connected to the VPN. However, I get a message saying that "This storage account's 'Firewalls and virtual networks' settings may be blocking access to storage services. Try adding your client IP address". The error message shows the secured virtual hub public IP that is included in the storage account firewall allowed IP ranges. If I add my local public IP access works as expected while not on the VPN.
Both the storage account and the secured virtual hub are in the same region. Reviewing the storage account logs, the connection is shown as coming from the private client IP address rather than the virtual hub public address. I have a similar setup for Cosmos DB and it is working as expected while on VPN.
Is this a known problem and are there any recommended solutions?
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 81%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESP%3C/text%3E%3C/svg%3E)
Sai Prasanna Sinde (Quadrant Resource LLC) 265 Reputation points Microsoft Vendor2024-10-04T08:14:56.78+00:00 Hi @Shane Corgatelli,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
We are reaching out to the internal team to get more information related to your query and will get back to you as soon as we have an update.
Appreciate your patience.
Thanks.
-
Sai Prasanna Sinde (Quadrant Resource LLC) 265 Reputation points Microsoft Vendor
2024-10-04T16:13:13.9866667+00:00 Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
- If you configured a private endpoint in your setup, make sure you have selected IP allocation as static.
Kindly let us know if the above helps or you need further assistance on this issue.
Thanks,
Sai Prasanna.
-
Shane Corgatelli 40 Reputation points
2024-10-04T16:27:28.48+00:00 I did try adding the private client IP address. Storage account firewall does not allow private IP addresses.
-
Sai Prasanna Sinde (Quadrant Resource LLC) 265 Reputation points Microsoft Vendor
2024-10-07T11:11:54.8233333+00:00 Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
- If you are using private endpoint in your setup, you need to use private DNS resolver in your Virtual network or else you need to have custom DNS setup in your Vnet. For your reference: https://learn.microsoft.com/en-us/azure/vpn-gateway/azure-vpn-client-optional-configurations#dns
- DNS lookup it should resolve to private ip address, so you need to use either Azure Private Resolver with on-premises DNS forwarder or Azure Private Resolver for virtual network and on-premises workloads. For your reference: https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns-integration#on-premises-workloads-using-a-dns-forwarder:~:text=on%2Dpremises%20workloads-,Azure%20Private%20Resolver%20with%20on%2Dpremises%20DNS%20forwarder,Azure%20Private%20Resolver%20for%20virtual%20network%20and%20on%2Dpremises%20workloads,-Virtual%20network%20workloads
Kindly let us know if the above helps or you need further assistance on this issue.
Thanks,
Sai Prasanna.
Sign in to comment
Sign in to answer