Unable to mount file share, even after connecting with VPN

needHelp 0 Reputation points
2024-11-04T13:34:03.01+00:00

I have a file-share-only storage account that has public network access disabled; only selected VNETs and their subnets can mount the file share on their systems. I already knew that the file share works over the SMB protocol and cannot be accessed directly, so we have to use a P2S VPN in order to mount the file share as a network drive.


I have successfully configured the P2S VPN on my local system and validated the same.

Problem: Even after connecting with the P2S VPN, I still have to whitelist my public IP in the firewall section every time, as I have a dynamic IP address. Whitelisting every time is not helping me solve the problem.

Whitelisting the public IP address does solve the problem, but only temporarily.

How to permanently solve this?

I tried whitelisting the entire CIDR range of the gateway but that did not help.

Since I have a dynamic public IP address, whitelisting every time is not feasible.

The main options I have read about are forced tunneling, File Sync, and Storage Explorer, but those aren't what I am expecting to use.

And the Connect pane below itself shows that after connecting with the P2S VPN we would be able to mount the file share, yet I still have to additionally whitelist my IP.

[screenshot: the storage account's Connect pane]


1 answer

  1. Vinod Kumar Reddy Chilupuri 1,210 Reputation points Microsoft Vendor
    2024-11-04T17:08:19.94+00:00

    Hi needHelp

    Welcome to Microsoft Q&A, thanks for posting your query.

    To address the issue of needing to whitelist your dynamic public IP address each time, here are the steps to follow.

    Verify that your P2S VPN is configured correctly. When connected, your traffic should be routed through the Azure network, allowing access to the resource without the need to whitelist your public IP.

    • Verify the VPN gateway is configured correctly and that the P2S VPN client is set up to use the correct Azure Virtual Network Gateway.
    • Make sure that the route table configured with your virtual network includes routes to your file share.

    Adjust Network Rules to Eliminate Public IP Whitelisting.

    Since the storage account is confined to specific VNETs and subnets, connecting via the P2S VPN should be sufficient without additional public IP whitelisting. But the situation you are experiencing suggests that traffic might be routed via your public IP instead of the VPN. This could happen if your local machine doesn't default traffic to the VPN for the storage account connection.


    Force Tunneling with P2S VPN.

    To make sure all traffic to your file share goes through the VPN instead of your local internet connection, you can set up forced tunneling on your P2S VPN. This means all network traffic, including the SMB traffic to Azure Files, will travel through the VPN. With this, access to the file share will use the private IP address of the VPN gateway rather than your local machine's public IP.

    • Set Up Forced Tunneling: Configure forced tunneling on your VPN gateway in Azure to ensure that any traffic meant for Azure services (like your fileshare) goes through the VPN.
    • Check Your Local Routing: Make sure your local routing table directs traffic through the VPN. After you set up forced tunneling, test your connection to ensure everything is working correctly.

    Set Up a Private Endpoint for the Storage Account.

    Another solution is to establish a private endpoint for the storage account within the selected VNET. A private endpoint gives you a private IP address in the VNET that you can access through the P2S VPN without using the public internet.

    This means the file share will only be reachable through private IPs, which improves security and eliminates the need to whitelist public IPs. This may involve some reconfiguration but provides a permanent solution.

    Check Routing and VPN Configuration on your Local Machine.

    Make sure that your local machine is set up to send SMB traffic (port 445) for the storage account through the VPN. Some VPN configurations use split tunneling, which sends only specific traffic through the VPN. Check your routing tables to ensure that traffic to Azure Files is going through the VPN, so it doesn't use the public internet.

    Forced Tunneling is a common solution to route all traffic through the VPN, avoiding the need for public IP whitelisting. Private Endpoint provides a robust alternative, allowing private IP-based access to the storage account from the VPN. Verify Local Routing to ensure proper traffic routing through the VPN.

    Go through the documentation below for more information.

    Networking considerations for Azure Files | Microsoft Learn

    About forced tunneling for site-to-site - Azure VPN Gateway | Microsoft Learn

    Configure P2S server configuration - certificate authentication: Azure portal - Azure VPN Gateway | Microsoft Learn


    Please let us know if you have any further queries. I’m happy to assist you further. 


    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, as this can be beneficial to other community members.
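The answer recommends checking local routing and port 445 reachability before changing the gateway or adding a private endpoint. The following PowerShell script is an added example, not part of the question or the answer above, that does those client-side checks in one place: what the share FQDN resolves to (a private endpoint answers with an RFC 1918 address, the public endpoint does not), which local interface the route to that address picks, and whether TCP 445 is open from the selected source address. The storage account name, share name and VPN adapter alias are placeholders that must be replaced; the script assumes the built-in DnsClient and NetTCPIP modules on a Windows client with the P2S VPN already connected.

```powershell
# Added diagnostic script (not from the question or the answer above). It checks,
# from the client side, whether SMB traffic to an Azure Files endpoint would use
# the P2S VPN. All values below are placeholders / assumptions.
$StorageAccount = 'mystorageacct'   # placeholder: storage account name
$ShareName      = 'myshare'         # placeholder: file share name
$VpnAdapter     = 'Azure VPN'       # placeholder: InterfaceAlias of the P2S adapter (see Get-NetAdapter)
$Fqdn           = "$StorageAccount.file.core.windows.net"

function Test-PrivateIPv4 {
    param([string]$Ip)
    # RFC 1918 ranges: a private endpoint in the VNet lands here, the public storage endpoint does not.
    return [bool]($Ip -match '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)')
}

function Test-AzureFilesRoute {
    # Step 1: name resolution. Split-tunnel P2S only pushes routes for the VNet address
    # space, so a public answer here means SMB leaves via the default gateway and reaches
    # the storage firewall from the ISP-assigned public IP (the symptom in the question).
    $answer  = Resolve-DnsName -Name $Fqdn -Type A -ErrorAction Stop |
               Where-Object { $_.QueryType -eq 'A' } | Select-Object -First 1
    $ip      = $answer.IPAddress
    $private = Test-PrivateIPv4 -Ip $ip
    Write-Host ("[dns]   {0} -> {1} ({2})" -f $Fqdn, $ip, $(if ($private) { 'private endpoint' } else { 'public endpoint' }))

    # Step 2: route selection. Find-NetRoute returns the chosen source address and the
    # matching route; the route object is the one that carries NextHop.
    $route  = Find-NetRoute -RemoteIPAddress $ip |
              Where-Object { $_.PSObject.Properties.Name -contains 'NextHop' } | Select-Object -First 1
    $viaVpn = ($route.InterfaceAlias -eq $VpnAdapter)
    Write-Host ("[route] {0} via '{1}', next hop {2} ({3})" -f $ip, $route.InterfaceAlias, $route.NextHop, $(if ($viaVpn) { 'VPN' } else { 'NOT VPN' }))

    # Step 3: TCP 445 reachability from whichever source address the route selected.
    # Many ISPs block outbound 445, so a failure on the public path is expected; inside
    # the tunnel the storage firewall, not the ISP, decides.
    $tcp = Test-NetConnection -ComputerName $Fqdn -Port 445 -WarningAction SilentlyContinue
    Write-Host ("[smb]   tcp/445 from {0}: {1}" -f $tcp.SourceAddress.IPAddress, $(if ($tcp.TcpTestSucceeded) { 'open' } else { 'blocked' }))

    if (-not ($private -or $viaVpn)) {
        Write-Host "[hint]  Traffic leaves on the public path. A private endpoint (private DNS answer) or a"
        Write-Host "[hint]  route for $ip over '$VpnAdapter' is needed before the storage firewall stops seeing your public IP."
    }
    return [pscustomobject]@{ Ip = $ip; Private = $private; ViaVpn = $viaVpn; Port445 = [bool]$tcp.TcpTestSucceeded }
}

function Mount-AzureFilesShare {
    param([string]$DriveLetter = 'Z')
    # The storage account key is requested interactively; it is never hard-coded in the script.
    $cred = Get-Credential -UserName "AZURE\$StorageAccount" -Message 'Storage account key'
    New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root "\\$Fqdn\$ShareName" -Credential $cred -Persist
}

$result = Test-AzureFilesRoute
if ($result.Port445) { Mount-AzureFilesShare }
```

Run it once with the VPN disconnected and once connected and compare the `[dns]` and `[route]` lines: if the FQDN still resolves to a public address and the route still names the physical adapter after connecting, the tunnel is not carrying the SMB traffic, which matches the answer's diagnosis. The `[hint]` line is printed only in that case; once a private endpoint (with its private DNS zone linked to the VNet and the P2S client resolving through it) or forced tunneling is in place, the route line should show the VPN adapter and the mount should succeed without any firewall whitelisting.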

