If we enable the private endpoints for storage account, can't we able to access storage account by using VNETs

Kumar, Addala (623) 0

I have a storage account (stgA) with its networking set to "Enabled from selected virtual networks and IP addresses." I've successfully added VNETA to access stgA, and I can access the storage from the VNET. However, after creating a private endpoint for this storage account, I'm no longer able to access it from the VNET. Is there any method to access the storage account other than using private endpoints when the private endpoint is enabled?

msrini-MSFT 9,286 Reputation points Microsoft Employee

2023-12-23T20:21:02.91+00:00

Hi,

When you create a private endpoint for a Storage, you can still configure the Firewall rules and the Service endpoints (Enabled from selected virtual networks and IP addresses.). The reason why you are not able to access the SA could be due to the DNS zone that gets created when PE is created.

Can you try to check when you resolve the FQDN of your storage, are you getting a private IP or public IP?

If you are getting a private IP, then you need to establish the connectivity to the PE from the source to get the access to Storage. Or, you will need to remove the DNS entry from the DNS Zone which is linked to the source VNET and try again.

Regards,

Karthik Srinivas
Kumar, Addala (623) 0 Reputation points

2023-12-26T12:36:17.18+00:00

Hi Karthik thanks for your response.

I'm getting private link details while calling the FQDN.
msrini-MSFT 9,286 Reputation points Microsoft Employee

2023-12-26T13:47:54.8733333+00:00

Ok. When you have a private endpoint created, you will have private dns zone created. Can you navigate to the private dns zone which is linked to your vnet and check if you have the A record for your FQDN? It will be missing. That's why you are getting nxdomain. Can you try to unlink the dns zone from your source vnet and try again ?
KapilAnanth-MSFT 47,206 Reputation points Microsoft Employee

2023-12-29T04:52:19.7333333+00:00

@Kumar, Addala (623)

Reaching out to check if there are any questions on this.

Please let us know if we can be of any further assistance here.

Thanks,

Kapil
KapilAnanth-MSFT 47,206 Reputation points Microsoft Employee

2024-01-04T12:03:16.35+00:00

@Kumar, Addala (623)

May I know if you got a chance to review my previous comment?

Please let me know if you are facing any challenges or if there are any follow-up questions, I shall be glad to address them.

Thanks,

Kapil
KapilAnanth-MSFT 47,206 Reputation points Microsoft Employee

2024-01-05T11:41:52.4633333+00:00

@Kumar, Addala (623)

We noticed your recent experience on the Q&A community platform for this thread was rated as Not Helpful.

However, the survey we are taking is testimony of our team providing timely attention to reported issue and partnering with customer to ensure their voice reaches the engineering team to improve the product.

If you feel our team members or the community have been providing right level of support and your scenario has got timely response, we would like to request you to reconsider the feedback.

This is possible only if you could share what is the outcome of the action plan suggested.

Thanks for your continued contribution on Q&A and appreciate much for taking the time to share your feedback.

Looking forward to your reply.
KapilAnanth-MSFT 47,206 Reputation points Microsoft Employee

2024-01-08T07:13:28.9+00:00

@Kumar, Addala (623)

May I know if you got a chance to review my previous comment?

Please let me know if you are facing any challenges or if there are any follow-up questions, I shall be glad to address them.

Thanks,

Kapil
Kumar, Addala (623) 0 Reputation points

2024-01-09T18:04:18.1+00:00
Hi @KapilAnanth-MSFT ,

Do you have a "privatelink.dfs.core.windows.net" already linked to this VNET?

How to check this one
KapilAnanth-MSFT 47,206 Reputation points Microsoft Employee

2024-01-10T11:13:14.0233333+00:00
@Kumar, Addala (623)

The DNS resolution using "8.8.8.8" successfully gives you the Public IP of your storage account.

This means, you have misconfigured your local DNS

Your "local DNS" here being 168.63.129.16

We cannot check if a VNET is linked to a Private DNS Zone from VNET's properties.

Instead, you have to check if the Private DNS Zone is linked to a VNET by inspecting the Private DNS Zone's properties.

Navigate to Private DNS Zones from your Azure Portal.

Make sure you are in the subscription of the Private EndPoint.

Check if you have a Private DNS Zone named "privatelink.dfs.core.windows.net"

If you do, go into it and open the "Virtual network links" from the left blade.

And remove the Connection to the VNET.
Kumar, Addala (623) 0 Reputation points

2024-01-10T18:06:47.31+00:00

Yeah, I removed it worked now.
KapilAnanth-MSFT 47,206 Reputation points Microsoft Employee

2024-01-11T04:05:49.86+00:00

@Kumar, Addala (623)
I am glad the issue has been resolved. I have summarized my comments and posted it as a new answer. I would highly appreciate if you could Accept the answer and close this thread Original posters help the community find answers faster by identifying the correct answer. Thanks, Kapil
KapilAnanth-MSFT 47,206 Reputation points Microsoft Employee

2024-01-11T09:56:42.39+00:00

@Kumar, Addala (623)
Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

Thanks, Kapil
KapilAnanth-MSFT 47,206 Reputation points Microsoft Employee

2024-01-12T17:04:09.59+00:00

@Kumar, Addala (623) ,

Reaching out to check if there are any questions on this. Please let us know if we can be of any further assistance here.

Thanks, Kapil

Please Accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer.
KapilAnanth-MSFT 47,206 Reputation points Microsoft Employee

2024-01-16T14:24:54.31+00:00

@Kumar, Addala (623)

We noticed your recent experience on the Q&A community platform for this thread was rated not helpful.

However, the survey we are taking is testimony of our team providing timely attention to reported issue and partnering with customer to ensure their voice reaches the engineering team to improve the product.

If you feel our team members or the community have been providing right level of support and your scenario has got timely response, we would like to request you to accept this answer and close this thread.

In case, you felt otherwise based on your support experience, please let me know and I will work with my team to further improve it.

Your encouragement and involvement help us improve our customer experience and our Azure services.

Thanks for your continued contribution on Q&A and appreciate much for taking the time to share your feedback.

Cheers, Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

1 answer

KapilAnanth-MSFT 47,206 Reputation points Microsoft Employee

2023-12-27T16:36:40.6233333+00:00
@Kumar, Addala (623)

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you are unable to connect to storage account after enabling Private EndPoint.

Please note :

Creating a Private EndPoint will not block Public access by default.

It will only create a NIC in the target VM so that you can access it Privately in addition to being able to access Publicly.

With the above said, I asked

From your screenshot, is your DNS Server 168.63.129.16

Can you share the results of nslookup <YOURRESOURCE>.dfs.core.windows.net 8.8.8.8

This was working fine - we were able to get the Public IP resolved.

Do you have a "privatelink.dfs.core.windows.net" already linked to this VNET?

You confirmed yes

So I suggested we remove the "privatelink.dfs.core.windows.net" link to this VNET.

You informed this resolved the issue.

Cheers,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
Please sign in to rate this answer.
Shriram 0 Reputation points

2024-10-15T17:37:08.67+00:00

Hey, so I am facing a similar issue and deleting the DNS link worked. But I am using the same vnet to access other storage accounts which have public access disabled and the way I access them is through a private endpoint. is there anyway I can ensure access in both scenarios?

KapilAnanth-MSFT 47,206 Reputation points Microsoft Employee

2024-10-16T03:47:35.11+00:00

Shriram ,

The recommendation is to use Private EndPoint whenever a private DNS Zone is involved.

Solution 2 from this doc

Additionally,

If the VNET uses Azure Wireserver IP and is linked to a Private DNS Zone - the Private DNS Zone will always take precedence.

To override this, you can update the NIC of the VMs to use a different DNS Server (either on Internet or your custom DNS Server VM running in Azure) which can resolve to the Public IP of other services See : Add or change DNS servers

Or Solution 1 from the doc where we leverage public DNS

Cheers,

Kapil
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

If we enable the private endpoints for storage account, can't we able to access storage account by using VNETs

1 answer

Your answer