Cannot access Storage Account via Private Endpoint from on-premises (VWAN) using Azure Storage Explorer

SLIMANI Smail 60 Reputation points
2025-09-02T15:34:59.65+00:00

Context

On-premises environment connected to Azure through a VWAN (Virtual WAN) using Site-to-Site VPN.

The VWAN has a Virtual Hub connected to multiple Spokes (VNets).

In one of the Spokes, there is a Private Endpoint associated with a Storage Account (Blob).

A Private DNS Zone privatelink.blob.core.windows.net is configured and linked to the Spoke.

➔ nslookup correctly resolves to the Private IP of the Private Endpoint.

Goal

Access the Storage Account from on-premises using Azure Storage Explorer via the Private Endpoint, authenticating with Account Key.

Issue

DNS resolution is correct (Private IP of the Private Endpoint).

TCP connectivity (port 443) is successful (validated with Test-NetConnection).

However, Azure Storage Explorer returns the following error:

This request is not authorized to perform this operation (403 AuthorizationFailure).

After checking Storage Account firewall logs, the source IP corresponds to a Private IP from the VWAN network.

It is not possible to add this IP to the allowed IP list in the Storage Account.

We need to ensure that Private Endpoint is being used for this connection, not the public endpoint.

Expected Behavior

Be able to connect to the Storage Account from on-premises through Private Link using Account Key with Azure Storage Explorer.

Diagram (Simplified Architecture)

[Image: simplified architecture diagram]

Regards,


1 answer

  1. Praveen Bandaru 9,245 Reputation points Microsoft External Staff Moderator
    2025-09-02T16:45:15.52+00:00

    Hello SLIMANI Smail

    I understand you're experiencing an issue accessing your Azure Storage Account via a Private Endpoint from your on-premises environment. Even though DNS resolution and connectivity tests are successful, you're encountering a "This request is not authorized to perform this operation (403 AuthorizationFailure)" error.

    If resolution and connectivity are working fine, the issue may be originating from the storage firewall. Please check the storage account network settings to ensure that the correct VNet ranges and client IP have been whitelisted.

    Please ensure that the spoke VNET, where the private endpoint is deployed, is included in the virtual network allow list.
    After adding the VNET, if you are still experiencing the issue, please try changing the Storage Network settings to allow all networks (public access) and test it. Share the results with us.

    Verify whether the user or service principal has the necessary permissions to access the Blob storage by running the following command:

    az role assignment list --assignee <User-ID> --scope "/subscriptions/<SUB_ID>/resourceGroups/Venkat-RG/providers/Microsoft.Storage/storageAccounts/venkatstoragedemo" -o table
    

    Check the below public documents:

    https://stackoverflow.com/questions/79467955/azure-private-endpoints-403-authorization-issue


    Hope the above answer helps! Please let us know if you have any further queries.

    Please do not forget to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

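The question asks how to confirm that the connection really goes to the Private Endpoint and not the public endpoint. The following is an added example, not part of the original thread: a Python check, run from the on-premises client, that resolves the storage hostnames and reports which ones come back with private addresses. It goes beyond the blob endpoint in the question and also checks the other storage service hostnames, on the assumption that the client may contact them too; the account name `examplestorageacct` is a placeholder.

```python
import ipaddress
import socket
import sys

# Storage sub-resources. A private endpoint and its privatelink DNS zone
# cover one sub-resource each, so every hostname is checked separately.
SERVICES = ("blob", "file", "queue", "table", "dfs")

def system_resolver(host):
    """Return the addresses the local resolver gives for host ([] on failure)."""
    try:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def classify(addresses):
    """'private' if all addresses are non-public, 'public' if none are."""
    if not addresses:
        return "unresolved"
    flags = {ipaddress.ip_address(a).is_private for a in addresses}
    if flags == {True}:
        return "private"
    if flags == {False}:
        return "public"
    return "mixed"  # split answers: some paths bypass the private endpoint

def check_account(account, resolver=system_resolver, services=SERVICES):
    """Map each service hostname to (verdict, addresses)."""
    report = {}
    for svc in services:
        host = f"{account}.{svc}.core.windows.net"
        addrs = resolver(host)
        report[host] = (classify(addrs), addrs)
    return report

def not_private(report):
    """Hostnames that would not be reached through a private endpoint."""
    return [h for h, (verdict, _) in report.items() if verdict != "private"]

if __name__ == "__main__":
    # Placeholder account name; pass the real one as the first argument.
    account = sys.argv[1] if len(sys.argv) > 1 else "examplestorageacct"
    for host, (verdict, addrs) in check_account(account).items():
        print(f"{verdict:10} {host} -> {', '.join(addrs) or '-'}")
```

Run it on the same machine and with the same DNS settings as Azure Storage Explorer, since a different resolver can return a different answer.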