Azure File Share Access Off-Prem via P2S

Chris Roberson 30 Reputation points
2024-10-21T19:33:37.23+00:00

I have configured Azure File Shares that are available publicly currently. I have P2S VPN access for home users where port 445 is blocked, however I'm having issues with them being able to connect to the shares. I quickly figured out the issue was DNS related, as the FQDN was still resolving publicly as opposed to over the VPN. I fired up a DNS Private Resolver and updated the VPN config with the inbound endpoint IP. Initially that worked like a charm, and I assumed all was good. For some reason, it just stopped working. Running a Test-NetConnection is only successful in resolving the internal private endpoint IP (screenshot), with the VPN connected, and configured with the private resolver. Not sure what I'm missing? [Screenshot 2024-10-21 152636]

Azure Files

3 answers

  1. Manu Philip 18,681 Reputation points MVP
    2024-10-22T05:02:14.9566667+00:00

    Hi Chris Roberson

    I have prepared a blog to explain the P2S and S2S connection of an Azure file share. You can check the section "How to get the file share in P2S VPN network" in my blog below to see if that helps to figure out the issue.

    Use an Azure file share with Windows in S2S or P2S VPN

    Hope this helps.


    --please don't forget to upvote and Accept as answer if the reply is helpful--


  2. Vinod Kumar Reddy Chilupuri 735 Reputation points Microsoft Vendor
    2024-10-22T09:25:40.9866667+00:00

    Hi Chris Roberson,

    Welcome to Microsoft Q&A, thanks for posting your query.

    It seems like you are facing a DNS resolution issue when accessing Azure File Shares over a P2S VPN connection. Here are a few steps to check why the DNS Private Resolver stopped working as expected.

    Firstly, I would like to confirm if you have followed the steps mentioned in the document "Configure a Point-to-Site (P2S) VPN on Linux or Windows for use with Azure Files" to configure the P2S VPN connection on your Linux machine. If not, I would recommend you to follow the steps mentioned in the document to configure the P2S VPN connection.

    Once you have configured the P2S VPN connection, you can try to connect to your Azure Storage Account File share using the private endpoint. To do that, you need to make sure that your DNS resolution is set up correctly and is resolving the FQDN to the correct private IP address. You can use the "nslookup" command to test the resolver and verify that it is working correctly.

     

    nslookup <your-storage-account-name>.file.core.windows.net
    

    This command should return the private IP address of your storage account if the DNS resolution is set up correctly. If it returns the public IP address, then you need to check your DNS configuration.

    If the DNS resolution is set up correctly, you can try to connect to your Azure Storage Account File share using the private IP address of your storage account. To do that, you need to mount the file share using the following command:

     

    sudo mount -t cifs //<your-storage-account-name>.file.core.windows.net/<your-file-share-name> /mnt/<your-mount-point> -o vers=3.0,username=<your-storage-account-name>,password=<your-storage-account-key>,dir_mode=0777,file_mode=0777,sec=ntlmssp
    

    Replace <your-storage-account-name> with the name of your storage account, <your-file-share-name> with the name of your file share, and <your-mount-point> with the mount point on your Linux machine.

    If you are still facing issues, please let me know and provide me with more information about the error message you are receiving.

    You can also check DNS resolution and connectivity to your Azure file share. To mount or access a file share successfully, your client must be able to resolve the fully qualified domain name of the storage account to the correct IP address for the desired network endpoint of the storage account. Establish a successful TCP connection to the correctly resolved IP address on the correct port for the desired protocol.

    Additional information:

    Connecting to an Azure Storage Account using Azure VPN without public IP access can be challenging. Here are some steps and considerations that might help you troubleshoot the issue:

    1. Azure VPN Client Setup: Ensure that you have the latest Azure VPN profile provisioning. If you're encountering difficulties, you can manually import the VPN profile using the Azure VPN Client application. This might help establish a secure connection to the Azure network.
    2. Private IP Address: To connect to resources like VMs or storage accounts, you need to know their private IP addresses. If you're unable to ping the private endpoint, it could be due to insufficient network routes provided by the VPN. In such cases, a new peering setup might be required for the VPN gateway.
    3. Always On VPN Configuration: For a more persistent connection, consider configuring an Always On VPN user tunnel. This setup ensures that your VPN connection remains active and could help maintain a stable connection to your storage account.
    4. DNS Resolution: If resolving Private Link gives you the public address, it might be a DNS issue. Ensure that your DNS settings are correctly configured to resolve to the private IP address of the private endpoint within the Azure network.
    5. Troubleshooting Connectivity: If you're unable to reach the Azure storage account via port 445, it could be blocked by your organization or ISP. Using Azure P2S VPN, Azure S2S VPN, or ExpressRoute can help tunnel SMB traffic over a different port.
    6. Private Endpoint Configuration: Using private endpoints for your storage account allows clients on a VNet to securely access data over a Private Link. The private endpoint uses an IP address from the VNet address space, eliminating exposure from the public internet. This setup is crucial for secure access from on-premises networks connected to the VNet via VPN or ExpressRoute.

    Remember to check the network security group (NSG) rules and the storage account’s firewall settings to ensure they’re not blocking the desired traffic. If the issue persists, I would like to work offline on this issue.

     Similar Query:
    https://learn.microsoft.com/en-us/answers/questions/1346628/azure-files-p2s-to-private-endpoint-dns

    Please let us know if you have any further queries. I’m happy to assist you further. 


    Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.


  3. Chris Roberson 30 Reputation points
    2024-10-22T12:40:41.45+00:00

    Thank you @Manu Philip and @Vinod Kumar Reddy Chilupuri. Let me just explain a little more. I have the P2S VPN already configured using Azure Active Directory, and file shares configured using Microsoft Entra Kerberos. The setup you see in the screenshot is a laptop connected to my cell phone's hotspot (445 is blocked), simulating an off-prem (home, hotel, etc.) environment. As you can see, the Azure VPN is connected, and I have the IP of my DNS Private Resolver configured (10.0.2.4). Doing an nslookup to the share FQDN still references the WiFi connection's DNS, resolving the external IP of the share. Doing an nslookup and specifying the DNS Private Resolver resolves the private link of the storage account's FQDN properly (10.0.0.200). This is where I'm hung up... how to successfully resolve the private link of the storage account while off-prem. [Screenshot 2024-10-22 081353]
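The DNS check that Vinod's answer describes with nslookup, and the symptom Chris reports above (the private resolver answers correctly when asked directly, but the default lookup still goes to the Wi-Fi adapter's DNS), can be tested from the Windows client in one script. This is an added example written for this page, not code from the thread or from Microsoft: the storage account name is a placeholder, 10.0.2.4 (resolver inbound endpoint) and 10.0.0.200 (private endpoint) are the addresses quoted in the thread, and the optional NRPT rule is one way to pin the Azure Files namespace to the private resolver regardless of interface order (it is an assumption that this matches the environment; run from an elevated shell).

```powershell
<#
 Added example (not from the original thread). Resolves the storage account FQDN
 the way the Windows DNS client does, then again directly against the DNS Private
 Resolver inbound endpoint, compares both with the expected private endpoint IP,
 and tests TCP 445. Names/IPs are placeholders or taken from the thread.
#>
param(
    [string]$StorageAccount    = "mystorageacct",   # placeholder (assumption)
    [string]$PrivateResolverIp = "10.0.2.4",        # resolver inbound endpoint from the thread
    [string]$ExpectedPrivateIp = "10.0.0.200",      # private endpoint IP from the thread
    [switch]$AddNrptRule                            # opt-in fix; needs an elevated shell
)

$fqdn = "$StorageAccount.file.core.windows.net"

function Resolve-Ipv4Address {
    # Returns the A-record addresses for $Name. Without -Server the query goes
    # through the Windows DNS client (cache, NRPT rules, per-interface server
    # list); with -Server it is sent straight to that server.
    param([string]$Name, [string]$Server)
    $q = @{ Name = $Name; Type = 'A'; ErrorAction = 'SilentlyContinue' }
    if ($Server) { $q.Server = $Server }
    Resolve-DnsName @q | Where-Object Type -eq 'A' | Select-Object -ExpandProperty IPAddress
}

"== IPv4 DNS servers per interface (the VPN adapter should list $PrivateResolverIp) =="
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

"== Existing NRPT rules (a rule for .file.core.windows.net overrides interface order) =="
Get-DnsClientNrptRule | Format-Table Namespace, NameServers -AutoSize

$viaDefault  = @(Resolve-Ipv4Address -Name $fqdn)
$viaResolver = @(Resolve-Ipv4Address -Name $fqdn -Server $PrivateResolverIp)
"$fqdn via default resolver order : $($viaDefault  -join ', ')"
"$fqdn via $PrivateResolverIp        : $($viaResolver -join ', ')"

if ($viaDefault -contains $ExpectedPrivateIp) {
    "OK: the DNS client returns the private endpoint address."
}
elseif ($viaResolver -contains $ExpectedPrivateIp) {
    "The private resolver answers correctly, but the DNS client is not using it;"
    "the query is being answered by another interface's DNS (e.g. the Wi-Fi adapter)."
    if ($AddNrptRule) {
        # Pin the whole Azure Files namespace to the private resolver. Undo with
        # Remove-DnsClientNrptRule if the rule is no longer wanted.
        Add-DnsClientNrptRule -Namespace ".file.core.windows.net" -NameServers $PrivateResolverIp
        Clear-DnsClientCache
        "NRPT rule added; $fqdn now resolves to: $(@(Resolve-Ipv4Address -Name $fqdn) -join ', ')"
    }
}
else {
    "Neither path returns $ExpectedPrivateIp; check the privatelink.file.core.windows.net"
    "private DNS zone, its link to the VNet, and the resolver's forwarding."
}

"== TCP 445 to $fqdn (uses whatever address the DNS client returned) =="
$tnc = Test-NetConnection -ComputerName $fqdn -Port 445 -WarningAction SilentlyContinue
"Remote address: $($tnc.RemoteAddress)   TCP test succeeded: $($tnc.TcpTestSucceeded)"
```

Run it once with the VPN connected; if the second branch fires, the VPN's DNS setting is present but not winning against the physical adapter, and an NRPT rule (or a DNS suffix/namespace rule pushed through the VPN profile) is the usual way to force the namespace to the resolver. A successful 445 test to 10.0.0.200 confirms both the DNS path and the tunnel route; a successful resolution to the public IP with a failed 445 test is the original symptom.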

