Forum Discussion

slache
Copper Contributor
Mar 17, 2024

Access storage account (SMB file share) via private endpoint in a Hub-Spoke setup

Hello community,

I have been struggling with this issue for days now.

I need to access an SMB share (= private endpoint in the spoke VNet) from a VM (Zscaler App Connector) in the Hub VNet.

The traffic flow goes through the Azure Firewall (UDRs in place) and I can see the traffic 10.2.1.100 > 10.3.15.8:445 as allowed.

The connection from on-prem 10.1.1.00 > 10.3.15.8:445 is working fine.

Only from the Server Subnet in the Hub VNet can I not access the SMB share.

telnet 10.3.15.8 445 from 10.2.1.100 is not successful.

Interestingly, a tcp dump on 10.2.1.100 shows that I get RESET packets after a couple of SYNs from 10.13.15.8.

Any ideas are highly appreciated.

Thanks

Stephan

11 Replies

  • Hello, thanks for reaching out and sharing your setup...

    I'm trying to reproduce it. However, can you share your VNet peering configuration?
      • dennisbpraise
        MCT
        I successfully configured my environment using the same setup—all on Azure, no physical on-premises infrastructure.

        I would recommend you check your peering configuration, and you will also need to manually add the hub VNet to the private DNS zone (virtual network link).
    • slache
      Copper Contributor

      Kidd_Ip

      Hi Kidd_Ip,

      yes, I am using Azure Files.
      I have set it up as described in the guides and DNS is working properly.
      I am getting back the private IP address:

      The most irritating thing is that it's working from on-prem perfectly but not from the Hub VNet.

      From my point of view:

      DNS is ok

      Routing is ok

      Firewalling is ok

      Is there anything more I forgot?

      Thanks

      Stephan

  • Dhanumjay_Akula
    Copper Contributor

    slache

    Please check the connectivity with IP Flow Verify in Network Watcher, or go through the given link:

    https://learn.microsoft.com/en-us/azure/private-link/troubleshoot-private-endpoint-connectivity

    • slache
      Copper Contributor

      Dhanumjay_Akula

      Thanks for your reply.

      The IP flow only seems to be relevant for NSGs.

      I don't use NSGs in this case.

      A Connection troubleshoot tells this:

      I have really no idea why port tcp/445 is not reachable from a VM in the Hub VNet, when it's allowed on the Azure Firewall.

      I can see that clearly in the firewall logs.

      • Dhanumjay_Akula
        Copper Contributor

        slache

        Please check at VM --> NIC --> Effective Routes

        Let me know if you found the above in your Effective Routes.
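The effective-routes check suggested in the last reply, as a worked example added here (it is not code from the thread and not an Azure tool). It takes the JSON that `az network nic show-effective-route-table` emits for the hub VM's NIC, selects the route Azure would use for the share's private IP the way the platform does (longest matching prefix, then user-defined route over BGP over system route, ignoring routes shown as Invalid), and reports whether the next hop is the firewall or the private endpoint itself. Azure adds a /32 system route for every private endpoint to its VNet and to peered VNets, so when the firewall log shows a flow but the session still fails, the selected route on each end is the first thing to compare. The route table below is constructed from the addresses in the thread; the firewall address 10.2.0.4 and the exact set of routes are assumptions.

```python
import ipaddress
import json

# Constructed sample in the shape of
# `az network nic show-effective-route-table -g <rg> -n <nic> -o json`
# for the hub VM's NIC (resource names and 10.2.0.4 are assumed).
SAMPLE_EFFECTIVE_ROUTES = json.dumps({
    "value": [
        {"addressPrefix": ["10.2.0.0/16"], "nextHopType": "VnetLocal",
         "nextHopIpAddress": [], "source": "Default", "state": "Active"},
        # system peering route, shown Invalid because the UDR below overrides it
        {"addressPrefix": ["10.3.0.0/16"], "nextHopType": "VNetPeering",
         "nextHopIpAddress": [], "source": "Default", "state": "Invalid"},
        {"addressPrefix": ["10.3.0.0/16"], "nextHopType": "VirtualAppliance",
         "nextHopIpAddress": ["10.2.0.4"], "source": "User", "state": "Active"},
        # /32 system route that Azure installs for the private endpoint
        {"addressPrefix": ["10.3.15.8/32"], "nextHopType": "InterfaceEndpoint",
         "nextHopIpAddress": [], "source": "Default", "state": "Active"},
        {"addressPrefix": ["0.0.0.0/0"], "nextHopType": "VirtualAppliance",
         "nextHopIpAddress": ["10.2.0.4"], "source": "User", "state": "Active"},
        {"addressPrefix": ["0.0.0.0/0"], "nextHopType": "Internet",
         "nextHopIpAddress": [], "source": "Default", "state": "Invalid"},
    ]
})

# Tie-break order Azure applies when several routes share one prefix:
# user-defined route, then BGP (source VirtualNetworkGateway), then system.
SOURCE_PRIORITY = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}


def select_route(routes_json, dst_ip):
    """Return the effective route Azure would use for dst_ip, or None.

    Longest matching prefix wins; equal prefixes are decided by source
    priority. Routes in state Invalid are skipped: they are already overridden.
    """
    dst = ipaddress.ip_address(dst_ip)
    best, best_key = None, None
    for route in json.loads(routes_json)["value"]:
        if route.get("state") != "Active":
            continue
        for prefix in route["addressPrefix"]:
            net = ipaddress.ip_network(prefix, strict=False)
            if dst not in net:
                continue
            # larger key is better: longer prefix, then higher source priority
            key = (net.prefixlen, -SOURCE_PRIORITY.get(route["source"], 3))
            if best_key is None or key > best_key:
                best, best_key = dict(route, addressPrefix=prefix), key
    return best


def explain(routes_json, dst_ip):
    """One-line verdict for a destination, suitable for a ticket comment."""
    route = select_route(routes_json, dst_ip)
    if route is None:
        return f"{dst_ip}: no active route (traffic is dropped)"
    hop = route["nextHopType"]
    via = ", ".join(route["nextHopIpAddress"]) or hop
    line = f"{dst_ip}: {route['addressPrefix']} ({route['source']}) -> {via}"
    if hop == "InterfaceEndpoint":
        line += " [direct to private endpoint; the firewall UDR is not used]"
    elif hop == "VirtualAppliance":
        line += " [via NVA/firewall; check the return path on the far side too]"
    return line


if __name__ == "__main__":
    # the share's private IP and a host elsewhere in the spoke, from the thread
    for target in ("10.3.15.8", "10.3.20.1", "10.2.1.100"):
        print(explain(SAMPLE_EFFECTIVE_ROUTES, target))
```

Run it against real output by replacing `SAMPLE_EFFECTIVE_ROUTES` with the JSON from the CLI command for the hub VM's NIC; the same check applied to a NIC in the spoke shows the selected route for the reverse direction.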
