How to connect to Azure File Share via PtoS VPN (443 Blocked by ISP)

Andrew Kampen 30 Reputation points
2025-03-20T21:49:37+00:00

Hello all.

I have an Azure fileshare that I use as a mapped drive for SQL and file backups from my Windows Server 2019 machine. It is a mapped drive and was working just great until I changed ISPs. My new ISP blocks port 445. No problem I figure, I'll just set up this VPN it tells me about.

Well, a couple hours later and I am still just stumped with a System Error 53: the network path was not found. Everything up to the very last step, mounting the drive, was followed and performed without any (evident) issues.

I followed several learn articles that seemed straightforward enough to create a virtual network, gateway subnet, generate self-signed certs, configure and connect the VPN, and finally mount the drive anew. But at the end I just get the error mentioned above. The primary learn article is this one: https://learn.microsoft.com/en-us/azure/storage/files/storage-files-configure-p2s-vpn-windows?tabs=azure-portal

What is weird is I have the IP being resolved, but even trying to ping the xyz.file.core.windows.net\abc doesn't work; it says it cannot find the host. Ping does work (sort of) against xyz.file.core.windows.net but resolves as an IP address and destination host unreachable.

NSLookup gives a result for xyz.file.core.windows.net but adding the \abc for the file share gives the error Non-existent domain.

PS C:\Windows\system32> $connectTestResult = Test-NetConnection -ComputerName xyz.file.core.windows.net
WARNING: Ping to ##.###.##.### failed with status: DestinationHostUnreachable
PS C:\Windows\system32> nslookup xyz.file.core.windows.net
Server:  WCR-GPServer.wcrlocal
Address:  192.168.1.42

Non-authoritative answer:
Name:    file.ytoxyzzyx.store.core.windows.net
Address:  ##.###.##.###
Aliases:  xyz.file.core.windows.net

PS C:\Windows\system32> nslookup xyz.file.core.windows.net\abc
Server:  WCR-GPServer.wcrlocal
Address:  192.168.1.42

*** WCR-GPServer.wcrlocal can't find xyz.file.core.windows.net\abc: Non-existent domain
PS C:\Windows\system32> net use Z: \\xyz.file.core.windows.net\abc /user:localhost\xyz ThIsIsAnAccessKey
System error 53 has occurred.

The network path was not found.

PS C:\Windows\system32> ping xyz.file.core.windows.net

Pinging file.ytoxyzzyx.store.core.windows.net [##.###.##.###] with 32 bytes of data:
Reply from ##.###.##.###: Destination host unreachable.
Reply from ##.###.##.###: Destination host unreachable.
Reply from ##.###.##.###: Destination host unreachable.
Reply from ##.###.##.###: Destination host unreachable.

Ping statistics for ##.###.##.###:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
PS C:\Windows\system32> ping xyz.file.core.windows.net\abc
Ping request could not find host xyz.file.core.windows.net\abc. Please check the name and try again.

Also the VPN keeps disconnecting itself every hour or so. The learn articles reference an Always On VPN, but going to that learn article just opens a massive rabbit-hole involving ADDS and NPS servers. I can live with reconnecting the VPN every startup (or possibly I will find some script to connect automatically), but it seems very odd that it keeps being dropped.

The troubleshooters just tell me to open port 445. There is nothing about this I can find in the learn article troubleshooting section.

I am assuming I must have set up the subnet wrong or something, but I'm stuck! I hope you can help.

Azure Storage

Accepted answer
  1. chrischin 915 Reputation points Microsoft Employee
    2025-03-21T03:00:26.4433333+00:00

    Depending on your requirements, you might be able to keep things simpler and save money by moving away from Azure Files and instead using Blob containers.

    https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction

    Current versions of SQL Server can back up directly to a blob URI.

    https://learn.microsoft.com/en-us/sql/relational-databases/tutorial-sql-server-backup-and-restore-to-azure-blob-storage-service?view=sql-server-ver16&tabs=SSMS

    Not sure what you are using to do the server backups and whether that software integrates with Azure Blob storage but if it doesn't, you could have the backup file created locally and script a job using AzCopy to move it up to Blob storage.

    https://learn.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10?tabs=dnf

    There isn't anything built into Windows that I am aware of that is the equivalent of mapping blob storage as a convenient drive letter, but you could use Storage Explorer to interact with your backup data (supports drag and drop, copy and pasting of files and folders).

    https://learn.microsoft.com/en-us/azure/storage/storage-explorer/vs-azure-tools-storage-manage-with-storage-explorer?tabs=windows

    The advantage of Blob storage over Azure Files is cost, and the communications protocol is HTTPS 443 TLS 1.2 instead of SMB (TCP 445), which I am assuming won't be blocked by your ISP. If you were using fine-grained permissions on files and folders in your SMB file share, you would have to adapt that to a container-based permissions model using Entra identities.

    If you wanted to pursue the VPN path, it probably makes sense to create a private endpoint, for your Azure Files, in a subnet within the same VNET that the P2S VPN places you.

    https://learn.microsoft.com/en-us/azure/storage/files/storage-files-networking-endpoints?tabs=azure-portal

    From your client computers, you would need to affect the DNS so that your xyz.file.core.... resolves to that private endpoint private IP address. If you don't create a private endpoint + DNS, when you hit xyz.file.core, it is still going to resolve to the public endpoint / IP address which will not traverse your tunnel. Your tunnel by default is probably only advertising and routing traffic destined to that VNET's IP space.

    To quickly test this, you could create a private endpoint for the Azure File share and add an entry to your local host file and test it.

    1 person found this answer helpful.
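
The check described in the accepted answer, as an added PowerShell example that is not part of the original thread: it resolves the storage host name, reports whether each address is private (a private endpoint) or public, and tests TCP 445 rather than ICMP. `xyz` is the placeholder account name from the question, and the RFC 1918 test assumes the VNet uses private address space.

```powershell
# Added example: does the Azure Files name resolve to a private endpoint,
# and is SMB (TCP 445) reachable at that address?
$StorageHost = 'xyz.file.core.windows.net'   # placeholder account from the question

function Test-PrivateIPv4 {
    # True for RFC 1918 ranges (10/8, 172.16/12, 192.168/16). Assumption: the
    # VNet holding the private endpoint uses one of these ranges.
    param([Parameter(Mandatory)][string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne 'InterNetwork') { return $false }
    $b = $ip.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

# Resolve the host name only: the share suffix (\abc) is part of the UNC path,
# not of DNS. Resolve-DnsName also honours the local hosts file, so a test
# entry pointing at the private endpoint shows up here.
$addresses = Resolve-DnsName -Name $StorageHost -Type A -ErrorAction Stop |
    Where-Object { $_.Type -eq 'A' } |      # skip CNAME records in the chain
    Select-Object -ExpandProperty IPAddress

foreach ($addr in $addresses) {
    $private = Test-PrivateIPv4 -Address $addr
    # The share is reached over TCP 445, so test that port instead of ping.
    $tcp = Test-NetConnection -ComputerName $addr -Port 445 -WarningAction SilentlyContinue

    [pscustomobject]@{
        Host           = $StorageHost
        Address        = $addr
        IsPrivate      = $private
        Tcp445Open     = $tcp.TcpTestSucceeded
        Interpretation = if (-not $private) {
            'Public endpoint: traffic goes out via the ISP, not the P2S tunnel'
        } elseif (-not $tcp.TcpTestSucceeded) {
            'Private address but 445 unreachable: check VPN state and routes'
        } else {
            'Private endpoint reachable over the tunnel'
        }
    }
}
```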

1 additional answer

  1. Keshavulu Dasari 4,840 Reputation points Microsoft External Staff Moderator
    2025-03-21T22:52:34.97+00:00

    Hi Andrew Kampen,

    Good to hear AzCopy is indeed a powerful and straightforward tool for transferring data to Azure Blob Storage. Setting it up for unattended operation using a service account is a great idea to ensure your backups are automated and reliable.

    To set up AzCopy for unattended use, you can create a service principal in Azure Active Directory and assign it the necessary permissions to access your Blob Storage. Then, you can use the service principal's credentials in your AzCopy script.

    In the Azure portal, navigate to Azure Active Directory and create a new service principal (app registration). Note down the application client ID, directory tenant ID, and client secret.

    Assign the service principal the necessary permissions to access your Blob Storage. You can do this by navigating to your storage account, selecting "(IAM)," and adding a role assignment for the service principal.

    Update your AzCopy script to use the service principal's credentials. You can use the azcopy login command with the service principal's details to authenticate.

    Create a scheduled task in Windows Task Scheduler to run your AzCopy script at the desired intervals. This will ensure your backups are transferred to Blob Storage automatically.

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.

    If you have any other questions or are still running into more issues, let me know in the "comments" and I would be glad to assist you.
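
The unattended AzCopy procedure outlined in this answer, as an added PowerShell example that is not part of the original thread: it keeps the client secret out of the script by loading a DPAPI-protected file and hands it to AzCopy through its environment variable. Every ID, path, account and task name is a hypothetical placeholder, and it assumes the service principal holds a data-plane role such as Storage Blob Data Contributor scoped to the target container.

```powershell
# Added example: scheduled AzCopy upload authenticated as a service principal.
# All values below are hypothetical placeholders.
$AppId      = '<application-client-id>'
$TenantId   = '<directory-tenant-id>'
$SecretFile = 'C:\Scripts\azcopy-spn.xml'
$Source     = 'D:\Backups\*.bak'
$Dest       = 'https://<account>.blob.core.windows.net/<container>/'
$AzCopy     = 'C:\Tools\azcopy.exe'

# One-time setup, run interactively AS the account the task will run under:
#   Read-Host 'Client secret' -AsSecureString | Export-Clixml $SecretFile
# Export-Clixml protects the SecureString with DPAPI, so only that user on
# that machine can decrypt the file.

$secure = Import-Clixml -Path $SecretFile
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

try {
    # AzCopy reads the service principal secret from this variable, which
    # keeps it off the command line and out of process listings.
    $env:AZCOPY_SPA_CLIENT_SECRET = $plain
    & $AzCopy login --service-principal --application-id $AppId --tenant-id $TenantId
    if ($LASTEXITCODE -ne 0) { throw "azcopy login failed ($LASTEXITCODE)" }

    # Do not overwrite backups that already exist in the container.
    & $AzCopy copy $Source $Dest --overwrite=false
    if ($LASTEXITCODE -ne 0) { throw "azcopy copy failed ($LASTEXITCODE)" }
}
finally {
    # Clear the secret and the cached token whether or not the copy worked.
    Remove-Item Env:\AZCOPY_SPA_CLIENT_SECRET -ErrorAction SilentlyContinue
    $plain = $null
    & $AzCopy logout | Out-Null
}

# One-time task registration (elevated prompt), shown as comments so the
# upload script stays runnable on its own:
#   $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
#                -Argument '-NoProfile -File C:\Scripts\Upload-Backups.ps1'
#   $trigger = New-ScheduledTaskTrigger -Daily -At '02:00'
#   Register-ScheduledTask -TaskName 'AzCopyBackupUpload' -Action $action `
#                -Trigger $trigger -User '<service-account>' -Password '<password>'
```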

