New to Azure here and going through some training. When I set up the training environment in Azure, I was connected through my corporate VPN (not Azure VPN) and set up a storage account. I'm not making use of an Azure Vnet in my current setup. I configured the storage account "Public network access" setting to "Enabled from selected virtual networks and IP addresses" and selected the option "Add your client IP address." Let's call that IP address 23.111.111.111 (not actual IP). I then set up a container (Private access level) and added some files. I then continued going through some basic training exercises, having no issues accessing data throughout.

I stepped away for a few hours and ended up losing network connectivity on my laptop. I rebooted the laptop and reconnected to my corporate VPN. At that point, I could no longer access the container in the storage account (i.e., attempting to open the container via the Azure portal Data Storage > Containers). Error: This request is not authorized to perform this operation. This storage account's 'Firewalls and virtual networks' settings may be blocking access to storage services.

I also attempted access through Azure Storage Explorer. Same issue.

I confirmed via several methods that I still had the same public IP address over the VPN (e.g., https://ipinfo.io/ip). I also went back into the networking settings and removed, saved, readded, and saved my client IP address to the exception list. Still no change.

If I disconnect from the VPN and add the non-VPN public IP address to the exception list (let's call that IP address 174.222.222.222), I can access the container without issue.

If I change the network setting to "Enabled from all networks," I can connect to the container while connected to the corporate VPN.

However, no matter what I've tinkered with so far, I cannot for the life of me get the container access working again while connected to the VPN with "Enabled from selected virtual networks and IP addresses" configured.

Given that it was absolutely working previously and now refuses to allow access while on the VPN unless I select "Enabled from all networks," what am I missing? Is this something where I'm going to need to set up a vnet/private endpoint configuration? I was trying to keep this as simple as possible, and it's definitely not a deal breaker for the training I'm doing, but I'm finding it frustrating, and now I'm on a mission. ;)

My expectation is to be able to connect to the storage account over VPN without enabling access from all networks.

Thanks in advance!

asked Dec 4, 2024 at 14:45 by Zac Truelove; edited Dec 5, 2024 at 11:06 by Venkat V
  • You can check the range of your corporate VPN IP that is used for internet and add the same range to the storage firewall section. – Venkat V Commented Dec 4, 2024 at 17:18
  • Disconnect the VPN and connect back and check the public IP of your corporate VPN and add the same IP. – Venkat V Commented Dec 5, 2024 at 11:38
  • Yup, tried both of these and still no go. – Zac Truelove Commented Dec 5, 2024 at 13:54
  • You can check the storage accounts' logs, there it will display the public IP – Venkat V Commented Dec 5, 2024 at 13:56
  • For future reference, this is the query I ran... StorageBlobLogs | where AuthenticationType == "OAuth" or AuthenticationType == "SharedKey" | project TimeGenerated, AuthenticationType, AccountName, CallerIpAddress – Zac Truelove Commented Dec 5, 2024 at 15:25

1 Answer

Azure Storage Account IP Address Exception Stopped Working over VPN

Posting our discussion as an answer for the community benefit.

The issue was caused by a change in the public IP address assigned to the corporate VPN connection after reconnecting. While you initially added your client IP address to the firewall exceptions, the IP assigned to you by the corporate VPN likely changed after reconnecting.

Corporate VPNs use dynamic IP addresses from a pool, so your actual public IP could change after reconnecting. If the public IP appears to be the same after reconnecting, you may want to check the storage logs to see which IP is being used for inbound traffic to the storage account.

Here is the query to check the access logs for your storage account.

StorageBlobLogs
| where AuthenticationType == "OAuth" or AuthenticationType == "SharedKey"
| project TimeGenerated, AuthenticationType, AccountName, CallerIpAddress

This query will show you the caller IP address, which is the IP address from which the request originated. You will see the public IP addresses that were used in the request.

If the CallerIpAddress in the logs shows that the IP address assigned by the VPN is different from the one you initially added, add the IP address range that matches the one shown in the storage logs, or add the single IP address.
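
Added example, not part of the original answer: a Python sketch that takes rows shaped like the query's output and reports caller IPs that no storage firewall IP rule covers. The rule list and log rows are constructed sample data (23.111.111.140 is an invented second VPN egress address) and the function names are hypothetical; CallerIpAddress includes the source port, which has to be stripped before comparing.

```python
import ipaddress
from collections import Counter

# Constructed sample data: firewall IP rules as entered in the portal, and rows
# shaped like the query's output. The 23.x/174.x values are the question's
# placeholders; 23.111.111.140 is an invented "second VPN egress" address.
ALLOWED_RULES = ["23.111.111.111", "174.222.222.222"]
LOG_ROWS = [
    {"TimeGenerated": "2024-12-04T13:02:11Z", "CallerIpAddress": "23.111.111.111:50122"},
    {"TimeGenerated": "2024-12-05T14:40:03Z", "CallerIpAddress": "23.111.111.140:61844"},
    {"TimeGenerated": "2024-12-05T14:41:17Z", "CallerIpAddress": "23.111.111.140:61850"},
    {"TimeGenerated": "2024-12-05T14:45:00Z", "CallerIpAddress": "10.0.0.4:443"},
]

def caller_ip(value):
    """Strip the port from CallerIpAddress ("ip:port" or "[v6]:port")."""
    if value.startswith("["):
        host = value[1:value.index("]")]
    elif value.count(":") == 1:
        host = value.rsplit(":", 1)[0]
    else:
        host = value  # bare IPv4 or bare IPv6
    return ipaddress.ip_address(host)

def uncovered_callers(rows, rules):
    """Count caller IPs in the log that no firewall IP rule covers."""
    nets = [ipaddress.ip_network(r, strict=False) for r in rules]
    missing = Counter()
    for row in rows:
        ip = caller_ip(row["CallerIpAddress"])
        if ip.is_private:
            continue  # RFC 1918 addresses are not accepted in storage IP rules
        if not any(ip.version == n.version and ip in n for n in nets):
            missing[str(ip)] += 1
    return dict(missing)

def covering_range(ips):
    """Smallest single CIDR containing all given IPv4 addresses, for review."""
    addrs = sorted(ipaddress.ip_address(i) for i in ips)
    net = ipaddress.ip_network(f"{addrs[0]}/32")
    while addrs[-1] not in net:
        net = net.supernet()
    return str(net)

if __name__ == "__main__":
    gaps = uncovered_callers(LOG_ROWS, ALLOWED_RULES)
    print("caller IPs not covered by any rule:", gaps)
    print("covering range:", covering_range(["23.111.111.111", *gaps]))
```

Before adding the printed range as a firewall rule, confirm with the VPN owner that the whole range is corporate egress. Azure storage IP rules do not accept /31 or /32 ranges, so a single address is entered as a plain IP.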
