File Share with private endpoint
I am trying to mount a file share, using a private endpoint, on my local machine and am getting "Access Denied" errors. I am also unable to access it via the Portal when I have the firewall set to block public access.
All of the infrastructure is in Azure, there is no on-prem. Here is a summary of the architecture:
Single VNet with only the default and VNet gateway subnets.
Single storage account with 1 file share in the default subnet which has a private endpoint set up.
VNet gateway which is configured for P2S connections.
VPN is installed on my local machine and I am able to connect to the VNet.
If I allow public access to the storage account, I can mount the file share just fine. If I block public access, I cannot mount it and am getting the error about port 445. I thought if I was using a VPN connection that I did not need to worry about the port 445 issue. However, it also seems odd that I cannot even browse the file share within the portal.
Any help on this is appreciated.
3 Replies
- LukeJMadden (Brass Contributor)
Hey AB_MN,
Building on infocloud's response:
In addition to the steps provided by infocloud, another possible reason for the issue could be related to the Azure Storage firewall settings. Since the file share is accessed through a private endpoint, the firewall rules need to be updated to allow traffic from the VNet of the private endpoint.
To check if this is the case, you can go to the Azure Storage account settings and navigate to the "Firewalls and virtual networks" section. From there, ensure that the selected option is "Selected networks", and that the VNet of the private endpoint is added to the allowed networks list. Also, make sure that the "Allow trusted Microsoft services to access this storage account" option is enabled.
By following these steps, you should be able to mount the file share with a private endpoint on your local machine without any "Access Denied" errors.
Cheers,
Luke
- Would suggest to check private endpoint such as allow list
- If you are getting "Access Denied" errors when trying to mount a file share with a private endpoint on your local machine, it's likely that the private endpoint is not properly configured to allow access from your local machine's IP address.
Here are some steps you can take to troubleshoot the issue:
Verify that the private endpoint is configured correctly: Check that the private endpoint is properly configured to allow access to the storage account and file share from your VNet and the IP address of your local machine. You can do this by reviewing the private endpoint settings in the Azure portal, specifically the "Allowed DNS names" and "Private DNS zone configuration" settings. Also, verify that you have added the IP address of your local machine to the list of allowed IP addresses on the private endpoint.
Verify that the VPN connection is established: Ensure that your VPN connection to the VNet is properly established and that you are able to access resources within the VNet, such as virtual machines and other services.
Check the firewall settings on your local machine: Ensure that the firewall on your local machine is not blocking traffic to the private endpoint. Specifically, make sure that port 445 is not blocked, as this is the port used for SMB file sharing.
Verify that the private endpoint is resolving correctly: Ensure that the private endpoint is resolving correctly from your local machine. You can do this by pinging the private endpoint's DNS name from your local machine and verifying that the IP address returned is the same as the private IP address assigned to the private endpoint.
Check the private endpoint logs: Check the private endpoint logs in the Azure portal to see if there are any errors or issues related to the private endpoint configuration or connectivity.
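The DNS-resolution and port 445 checks from the steps above, as an added example that is not part of any reply in this thread. The storage account name and IP addresses are constructed placeholders, and the demo stubs the resolver and port probe so it runs offline.

```python
import ipaddress
import socket

SMB_PORT = 445  # SMB port named in the steps above


def resolve_ipv4(fqdn):
    """Return the sorted IPv4 addresses the local resolver gives for fqdn."""
    infos = socket.getaddrinfo(fqdn, SMB_PORT, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def tcp_reachable(ip, port=SMB_PORT, timeout=3.0):
    """True if a TCP connection to ip:port succeeds within the timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(fqdn, endpoint_ip, resolve=resolve_ipv4, probe=tcp_reachable):
    """Run the DNS and port checks; return a list of (check, passed, detail)."""
    expected = str(ipaddress.ip_address(endpoint_ip))
    try:
        addrs = resolve(fqdn)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return [("dns", False, f"{fqdn} did not resolve: {exc}")]
    if addrs == [expected]:
        results = [("dns", True, f"{fqdn} -> {expected}")]
    else:
        public = [a for a in addrs if not ipaddress.ip_address(a).is_private]
        hint = "public address returned" if public else "unexpected private address"
        results = [("dns", False, f"{fqdn} -> {addrs} ({hint})")]
    # Probe the private endpoint IP itself so a DNS failure does not hide the port result.
    ok = probe(expected)
    results.append(("tcp445", ok, f"{expected}:{SMB_PORT} {'open' if ok else 'unreachable'}"))
    return results


if __name__ == "__main__":
    # Constructed sample: placeholder name and addresses, stubbed resolver and probe.
    name = "examplestorage.file.core.windows.net"
    stub = dict(resolve=lambda n: ["20.150.0.10"], probe=lambda ip: True)
    for check, passed, detail in diagnose(name, "10.0.0.5", **stub):
        print(f"{'PASS' if passed else 'FAIL'} {check}: {detail}")
```

Calling `diagnose()` with only the file share hostname and the private endpoint's IP uses the live resolver and a real TCP probe.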