Azure Files Authorization Mounting Question with Private Endpoint

Phil Bailey 21 Reputation points
2022-07-20T14:43:12.027+00:00

Hi

I am testing out Azure Files with Private Endpoint with AD DS Authorization. Everything seems to be working fine EXCEPT I can't figure out HOW this is using my private endpoint! I've followed all the instructions. I have name resolution working to the private endpoint and I can telnet to port 445 on it. I did a tracert and it goes across our Express Route connection...so I know I am good.

The very last step in the instructions has completely thrown me. Under the "Mount File share page" here: [storage-files-identity-ad-ds-mount-file-share][1]
There is a script that reads:

Always mount your share using .file.core.windows.net, even if you setup a private endpoint for your share.

$connectTestResult = Test-NetConnection -ComputerName <storage-account-name>.file.core.windows.net -Port 445
if ($connectTestResult.TcpTestSucceeded)
{

WHY would I mount the file share using the NON private DNS name? It doesn't make any sense. I nslookup that name and obviously it's going to the Public IP so my traffic will go that way, which I don't want.

So, I thought that must be wrong in the instructions, I will mount using the privatelink address... NOPE, doesn't work. Only <storageaccount>.file.core.windows.net works (as it says in the instructions!)

Can someone please explain this to me as I cannot see how Azure files is using my Private Endpoint at all!

Thanks


Accepted answer
  1. Tom Luxton 81 Reputation points
    2023-06-02T11:58:01.46+00:00

    Initially I claimed that Azure private endpoints use CNAMEs on the public DNS and that CNAMEs are not supported, referring to the following document:
    https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-enable#supported-scenarios-and-restrictions

    However, I realised the documentation was referring to public DNS (which was working), but CNAMEs in Azure are supported. This contradiction was raised around 12/06/2023 and resulted in the first documentation being updated:

    https://github.com/MicrosoftDocs/azure-docs/issues/110635

    The only outstanding reference now to explain why this doesn't work with private DNS is this article:

    Always mount Azure file shares using file.core.windows.net, even if you set up a private endpoint for your share. Using CNAME for file share mount isn't supported for identity-based authentication.
    https://github.com/MicrosoftDocs/azure-docs/blob/main/includes/storage-files-aad-permissions-and-mounting.md

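What the accepted answer describes can be checked directly: the public-style name <account>.file.core.windows.net is a CNAME to <account>.privatelink.file.core.windows.net, and the private DNS zone turns that into the endpoint's private IP, so the "public" name is the one to mount while the traffic still stays on the private path. The script below is an added example, not the documentation's script or anything the posters ran; it assumes a Windows client whose resolver forwards privatelink.file.core.windows.net to the private DNS zone, that the endpoint sits in RFC 1918 address space, and takes a placeholder storage account name as its parameter.

```powershell
# Added example: confirm that <account>.file.core.windows.net resolves through the
# private endpoint before mounting. Assumptions: Windows client with Resolve-DnsName
# and Test-NetConnection available; the VNet uses RFC 1918 addresses.
param(
    [Parameter(Mandatory)] [string] $StorageAccount   # placeholder, e.g. 'mystorageacct'
)

$fqdn = "$StorageAccount.file.core.windows.net"

# Returns $true for 10/8, 172.16/12 and 192.168/16 addresses.
function Test-IsRfc1918 {
    param([string] $Ip)
    $o = $Ip.Split('.') | ForEach-Object { [int]$_ }
    return ($o[0] -eq 10) -or
           ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
           ($o[0] -eq 192 -and $o[1] -eq 168)
}

# Walk the chain: <acct>.file.core.windows.net -> <acct>.privatelink.file.core.windows.net -> A record.
$records = Resolve-DnsName -Name $fqdn -Type A -ErrorAction Stop
$cnames  = $records | Where-Object Type -eq 'CNAME'
$ips     = $records | Where-Object Type -eq 'A' | Select-Object -ExpandProperty IPAddress

Write-Host "Resolution chain for ${fqdn}:"
foreach ($c in $cnames) { Write-Host "  $($c.Name) -> $($c.NameHost)" }

foreach ($ip in $ips) {
    if (Test-IsRfc1918 $ip) {
        Write-Host "  A $ip  (private endpoint: traffic stays on the VNet / ExpressRoute path)"
    } else {
        # This is the symptom in the question: the public IP means the forwarder never
        # reached the private zone for privatelink.file.core.windows.net.
        Write-Warning "  A $ip is PUBLIC: the private DNS zone is not being consulted."
    }
}

# Same TCP check the documentation uses, against the name identity-based auth requires.
$tcp = Test-NetConnection -ComputerName $fqdn -Port 445
if (-not $tcp.TcpTestSucceeded) { throw "Port 445 on $fqdn is not reachable." }
Write-Host "Reachable: $fqdn resolved to $($tcp.RemoteAddress), port 445 open."
```

Run it from each resolver path you use (internal AD DNS and the forwarding appliance) and compare the A records; a public address from one path and a private one from the other pinpoints the double-hop forwarding problem described in the later replies.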

3 additional answers

Sort by: Most helpful
  1. Phil Bailey 21 Reputation points
    2022-07-20T18:00:04.827+00:00

    On further investigation this seems to be working when my Internal AD DNS servers are handling the name resolution. However, when my internal OpenDNS are handling the resolution it's failing and going to Public Azure. Even though my OpenDNS Servers are set to forward the privatelink.file.core.windows.net back to my local resolvers for resolution. I have opened up a case with OpenDNS.


  2. Phil Bailey 21 Reputation points
    2022-07-27T20:06:27.877+00:00

    So everything works great if I only use Windows DNS. If I use my Umbrella VA which is supposed to forward queries back to my Windows DNS servers it doesn't work. It's almost like it doesn't like the double hop.


  3. Phil Bailey 21 Reputation points
    2023-06-02T12:42:16.46+00:00

    Yes thank you. I finally figured that out and everything is working great. I'm using the new Private Resolver and it is working great!
