Hi needHelp,
Welcome to Microsoft Q&A, thanks for posting your query.
To address the issue of needing to whitelist your dynamic public IP address each time, here are the steps to follow.
Verify that your P2S VPN is configured correctly. When connected, your traffic should be routed through the Azure network, allowing access to the resource without needing to whitelist your public IP.
- Verify the VPN gateway is configured correctly and that the P2S VPN client is set up to use the correct Azure Virtual Network Gateway.
- Make sure that the route table configured with your virtual network includes routes to your file share.
Adjust Network Rules to Eliminate Public IP Whitelisting.
Since the storage account is confined to specific VNets and subnets, connecting via the P2S VPN should be sufficient without additional public IP whitelisting. But the situation you are experiencing suggests that traffic might be routed via your public IP instead of the VPN. This could happen if your local machine doesn't route traffic for the storage account connection through the VPN by default.
Force Tunneling with P2S VPN.
To make sure all traffic to your file share goes through the VPN instead of your local internet connection, you can set up forced tunneling on your P2S VPN. This means all network traffic, including the SMB traffic to Azure Files, will travel through the VPN. With this, access to the file share will use the private IP address of the VPN gateway rather than your local machine's public IP.
- Set Up Forced Tunneling: Configure forced tunneling on your VPN gateway in Azure to ensure that any traffic meant for Azure services (like your fileshare) goes through the VPN.
- Check Your Local Routing: Make sure your local routing table directs traffic through the VPN. After you set up forced tunneling, test your connection to ensure everything is working correctly.
Set Up a Private Endpoint for the Storage Account.
Another solution is to establish a private endpoint for the storage account within the selected VNet. A private endpoint gives you a private IP address in the VNet that you can access through the P2S VPN without using the public internet.
This means the file share will only be reachable through private IPs, which improves security and eliminates the need to whitelist public IPs. This may involve some reconfiguration but provides a permanent solution.
Check Routing and VPN Configuration on your Local Machine.
Make sure that your local machine is set up to send SMB traffic (port 445) for the storage account through the VPN. Some VPN configurations allow split tunneling, which sends only specific traffic through the VPN. Check your routing tables to ensure that traffic to Azure Files is going through the VPN, so it doesn't use the public internet.
Forced tunneling is a common solution to route all traffic through the VPN, avoiding the need for public IP whitelisting. A private endpoint provides a robust alternative, allowing private IP-based access to the storage account from the VPN. Verify local routing to ensure traffic is properly routed through the VPN.
Go through the documentation below for more information.
Networking considerations for Azure Files | Microsoft Learn
About forced tunneling for site-to-site - Azure VPN Gateway | Microsoft Learn
Please let us know if you have any further queries. I’m happy to assist you further.
Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, as this can be beneficial to other community members.
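The "check your local routing" step above boils down to two questions: does the storage account's Azure Files name resolve to an address inside the VNet (private endpoint), and does the operating system pick the P2S client address as the source when sending to it? The following is an added Python example, not code from this answer or from Microsoft, that makes both checks and classifies the result. The storage account name, the VNet address space and the P2S client address pool are constructed placeholder values; replace them with your own.

```python
import ipaddress
import socket

# Constructed placeholder values (assumptions, not from the original thread).
STORAGE_FQDN = "mystorageacct.file.core.windows.net"  # your storage account's Azure Files endpoint
VNET_CIDRS = ["10.1.0.0/16"]                          # VNet address space holding the private endpoint
P2S_CLIENT_POOL = "172.16.201.0/24"                   # address pool handed out to P2S VPN clients


def _in_any(ip, cidrs):
    """True if ip falls inside any of the given CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def classify_path(resolved_ip, local_source_ip, vnet_cidrs=VNET_CIDRS, client_pool=P2S_CLIENT_POOL):
    """Classify how SMB traffic to the storage account would leave this machine.

    resolved_ip      - address the storage FQDN resolves to on this machine
    local_source_ip  - address the OS would use as source for that destination
    """
    dest_private = _in_any(resolved_ip, vnet_cidrs)
    src_via_vpn = _in_any(local_source_ip, [client_pool])
    if dest_private and src_via_vpn:
        # Private endpoint reached over the tunnel: no public IP involved, nothing to whitelist.
        return "private-endpoint-via-vpn"
    if dest_private:
        # Name resolves to a VNet address but the route does not go through the VPN;
        # SMB will fail to connect, usually a missing route or the VPN is disconnected.
        return "private-endpoint-unreachable"
    if src_via_vpn:
        # Public endpoint, but the source is the P2S client address, so the traffic is
        # tunneled (forced tunneling) and the storage account does not see the ISP address.
        return "public-endpoint-via-vpn"
    # Public endpoint reached directly over the local internet connection: the storage
    # account sees the dynamic public IP, which is exactly the case that triggers the
    # repeated whitelisting prompts.
    return "public-endpoint-via-isp"


def preferred_source_ip(dest_ip, port=445):
    """Ask the OS which local address it would use toward dest_ip.

    A UDP connect() only performs route selection; no packet is sent.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect((dest_ip, port))
        return s.getsockname()[0]
    finally:
        s.close()


def smb_port_reachable(dest_ip, port=445, timeout=3.0):
    """TCP connect test to port 445; many ISPs block it, which looks like a routing problem."""
    try:
        with socket.create_connection((dest_ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(fqdn=STORAGE_FQDN, vnet_cidrs=VNET_CIDRS, client_pool=P2S_CLIENT_POOL):
    """Resolve the storage FQDN, work out the egress path, and test port 445."""
    try:
        resolved = socket.gethostbyname(fqdn)
    except socket.gaierror as exc:
        return {"fqdn": fqdn, "error": f"DNS resolution failed: {exc}"}
    source = preferred_source_ip(resolved)
    return {
        "fqdn": fqdn,
        "resolved_ip": resolved,
        "source_ip": source,
        "path": classify_path(resolved, source, vnet_cidrs, client_pool),
        "port_445_reachable": smb_port_reachable(resolved),
    }


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(f"{key:20} {value}")
```

Run it once with the VPN connected and once without: with a private endpoint and a correctly routed P2S tunnel you should see `private-endpoint-via-vpn`; `public-endpoint-via-isp` confirms the traffic is bypassing the VPN and explains the whitelisting prompts. If the name still resolves to a public address while connected, DNS for the private endpoint is not being applied to the VPN client, which is a separate thing to fix from the routing.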