can't access NFS file share (that has a private endpoint) in azure portal or az command.

Question

Hello

I have a file share with a private endpoint.

It has public access.

from within the subnet I am able to connect to the nfs.

When I try to access it using storage browser i get the following:

networking is enabled from all:

there is a private endpoint

telnet is working from within the vnet:

using azure cli i get the error i can't reach it:

az storage file list --account-name

Answer 1

As per https://learn.microsoft.com/en-us/azure/storage/files/storage-files-networking-overview

NFS file shares are accessible from the storage account's public endpoint if and only if the storage account's public endpoint is restricted to specific virtual networks using service endpoints.

You'd need to use service endpoints (instead of private endpoints) and limit access to designated virtual networks/subnets

---

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

Answer 2

Hello Uri Zafrir,

Welcome to Microsoft Q&A, thanks for posting your query.

Adding to the above answer when public network Access is enabled, it allows access to the storage account from any network, including the public internet and creates a private connection between your virtual network and the Azure Files service, allowing secure access without exposing the file share to the public internet.

I understand that You've enabled Public Network Access, which allows access from anywhere and also created a Private Endpoint, which is designed for secure, private access. This creates a conflict. While you can access the file share from within your virtual network (due to the private endpoint), external access might be blocked or inconsistent due to the conflicting access control settings.

1. Go to your storage account.
2. Navigate to Settings -> Configuration.
3. Under Blob service or File service, set "Allow blob public access" or "Allow file public access" to Disabled.
4. After disabling public access, ensure that you can still access the file share from within your virtual network.

Disabling public access is crucial for enhancing the security of your Azure Files share. Thoroughly test your file share access after disabling public network access to ensure that all expected functionalities work as intended. By disabling public network access, you'll align your storage account's access control with the security benefits provided by the Private Endpoint.

If you're still encountering issues after these steps, please provide more details about:

How are you trying to access the file share from outside the virtual network (e.g., directly from the internet, from another Azure resource)?

Any specific error messages you are encountering?

Please let us know if you have any further queries. I’m happy to assist you further.

If this answers your query, do click "Accept the answer” for the same, which might be beneficial to other community members reading this thread. And, if you have any further queries do let us know.

Answer 3

Hi Martin,

I've done exactly what you've said,

I've destroyed my private endpoint,

Created a service endpoint,

and also added my ip to the allowed list

and I still get the same error.

how can that be?

this is the azure cli:

az storage file list --account-name <account-name> --share-name <share-name>--debug