Storage Account firewall with VWAN/secure virtual hub

Shane Corgatelli 40 Reputation points
2024-10-03T23:40:50.9833333+00:00

We have an Azure Virtual WAN, secured virtual hubs, and P2S VPN. I also have an Azure storage account with the firewall enabled to allow traffic from the virtual hub public IP. I'm trying to lock down access so the user has to be on VPN to access the storage account content. I would also like them to be able to access the contents from the Azure portal while on VPN rather than requiring Storage Explorer (with a private endpoint).

In theory I should be able to access the storage account when connected to the VPN. However, I get a message saying that "This storage account's 'Firewalls and virtual networks' settings may be blocking access to storage services. Try adding your client IP address". The error message shows the secured virtual hub public IP that is included in the storage account firewall allowed IP ranges. If I add my local public IP access works as expected while not on the VPN.

Both the storage account and the secured virtual hub are in the same region. Reviewing the storage account logs, the connection is shown as coming from the private client IP address rather than the virtual hub public address. I have a similar setup for Cosmos DB and it is working as expected while on VPN.

Is this a known problem and are there any recommended solutions?

Tags: Azure Virtual WAN, Azure Storage Accounts

1 answer

  1. Sai Prasanna Sinde 2,680 Reputation points Microsoft Vendor
    2024-10-30T11:48:14.17+00:00

    Hi @Shane Corgatelli,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.


    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    Issue:

    Both the storage account and the secured virtual hub are in the same region. Reviewing the storage account logs, the connection is shown as coming from the private client IP address rather than the virtual hub public address. I have a similar setup for Cosmos DB and it is working as expected while on VPN.

    Is this a known problem and are there any recommended solutions?

    Solution:

    I think you will need to go with a private endpoint.

    When accessing Azure storage from another Azure resource in the SAME region, the traffic is sent via private IPs like service endpoints. It's mentioned here - https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal#restrictions-for-ip-network-rules

    Normally you would just add a VNET rule instead on the storage account firewall. As vWAN abstracts away the hub networks in another subscription, it’s not possible to do this.

    If you have any other questions or are still running into more issues, please let me know. Thank you again for your time and patience throughout this issue.

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

    Regards,

    Sai Prasanna.
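The answer above says the IP rule cannot work for same-region traffic and points to a private endpoint instead. The script below is an added example (not code from the original question or answer) that shows both halves with the Az PowerShell module: the ineffective IP-rule configuration, and the private endpoint plus private DNS zone that replaces it. Every resource name, IP and the spoke VNet/subnet are assumptions; the spoke VNet is assumed to be connected to the secured virtual hub so that P2S VPN clients can route to it.

```powershell
# Added example: storage account firewall with a vWAN secured hub (Az PowerShell).
# All names and addresses below are placeholders (assumptions), not values from the thread.
$rg        = "rg-storage-demo"
$saName    = "stdemo0001"
$loc       = "westeurope"                     # storage account and secured hub share this region
$hubPip    = "203.0.113.10"                   # hypothetical secured-hub public IP (TEST-NET-3)
$spokeVnet = "vnet-spoke"                     # spoke VNet connected to the virtual hub (assumed)
$peSubnet  = "snet-privateendpoints"          # subnet in the spoke VNet for the private endpoint

$sa = Get-AzStorageAccount -ResourceGroupName $rg -Name $saName

# --- Configuration that the thread shows does NOT work -------------------------------
# Default action Deny plus an IP rule for the hub's public IP. Same-region traffic from
# VPN clients reaches the storage service with a PRIVATE source address (as seen in the
# storage logs), so this public-IP rule is never matched. Shown here only for contrast.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $saName `
    -DefaultAction Deny -Bypass AzureServices
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $saName -IPAddressOrRange $hubPip

# Private ranges cannot be added as IP rules at all; the service rejects them. Uncommenting
# the next line is expected to fail, which is the same restriction the answer links to.
# Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $saName -IPAddressOrRange "10.0.0.0/8"

# Remove the ineffective rule before switching to the private endpoint.
Remove-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $saName -IPAddressOrRange $hubPip

# --- Recommended configuration: private endpoint in a spoke VNet -----------------------
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $spokeVnet
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $peSubnet

# Private link connection to the blob sub-resource of the storage account.
$plsConn = New-AzPrivateLinkServiceConnection -Name "plsc-$saName-blob" `
    -PrivateLinkServiceId $sa.Id -GroupId "blob"

$pe = New-AzPrivateEndpoint -ResourceGroupName $rg -Name "pe-$saName-blob" -Location $loc `
    -Subnet $subnet -PrivateLinkServiceConnection $plsConn

# Private DNS zone so that <account>.blob.core.windows.net resolves to the endpoint's
# private IP instead of the public address. The zone name is the standard blob privatelink zone.
$zoneName = "privatelink.blob.core.windows.net"
$zone = New-AzPrivateDnsZone -ResourceGroupName $rg -Name $zoneName
New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zoneName `
    -Name "link-$spokeVnet" -VirtualNetworkId $vnet.Id | Out-Null

# Zone group: lets the platform keep the A record for the endpoint up to date.
$zoneConfig = New-AzPrivateDnsZoneConfig -Name $zoneName -PrivateDnsZoneId $zone.ResourceId
New-AzPrivateDnsZoneGroup -ResourceGroupName $rg -PrivateEndpointName $pe.Name `
    -Name "default" -PrivateDnsZoneConfig $zoneConfig | Out-Null

# Public network access stays at Deny; only private-endpoint traffic is admitted.
# Verify: no IP rules remain and the default action is Deny.
$ruleSet = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $saName
"DefaultAction={0}  IpRules={1}" -f $ruleSet.DefaultAction, $ruleSet.IpRules.Count

# Check from a VPN-connected client: the account FQDN must resolve to the endpoint's
# private address. A public IP here means the client is not using DNS that knows the zone.
Resolve-DnsName "$saName.blob.core.windows.net" | Select-Object Name, IPAddress
```

Two practical notes on this layout. First, the Azure portal browses blob data from the user's browser, so the portal works over VPN only if the client resolves the account FQDN to the private endpoint's address; an Azure Private DNS zone is not queried by P2S clients on its own, so a DNS server or Azure DNS Private Resolver inbound endpoint reachable through the hub must be set as the P2S DNS server. Second, check the storage diagnostic logs after the change: successful requests should show the caller as the private endpoint path, and any remaining denials from private client addresses indicate a DNS or routing gap rather than a firewall rule problem.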

