Forum Discussion
Aug 28, 2025
Storage not reachable from network using service endpoint.
Hello, here is the situation. The storage (File share) had assigned networks to allow access. We refresh some changes in the NSG from the network using Bicep code (Outbound was permitted all - no ...
MortenLundPetersen
Sep 18, 2025 | Copper Contributor
Hi Adrian.
Sounds like one of those lovely Azure quirks. On paper nothing you did should have killed access, but when you “rename” an NSG rule in Bicep it’s actually a delete and recreate. That can cause the subnet-to-storage firewall validation to fall out of sync for a while, which is why 445 suddenly looked closed.
By removing and re-adding the network rule on the storage account you basically gave it a kick, forcing Azure to re-evaluate the association. That’s why it came back.
I’ve seen this a couple of times. My takeaway is:
- Don’t rename NSG rules if you can avoid it. Treat the name as immutable and stick to description for readability.
- Check effective rules with az network nic show-effective-nsg if you want to be sure 445 is actually allowed.
- Use az storage account network-rule list to confirm the subnet is still properly registered.
Root cause is fuzzy, but the pattern is consistent: rename equals recreate, recreate equals temporary mismatch, mismatch equals firewall says no.
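
Added example (not part of the original reply or of any Azure tooling): a small Python check that could run after each NSG deployment, reading the JSON from `az storage account network-rule list -o json` and reporting whether each expected subnet is still registered on the storage firewall. The field names `virtualNetworkRules`, `virtualNetworkResourceId`, `action` and `state` are assumed to match that command's output, the resource IDs are constructed placeholders, and the function names are hypothetical.

```python
import json

# Constructed sample of `az storage account network-rule list -o json` output.
# Subscription, resource group, VNet and subnet names are placeholders.
SAMPLE = json.loads("""
{
  "ipRules": [],
  "resourceAccessRules": [],
  "virtualNetworkRules": [
    {"action": "Allow", "state": "Succeeded",
     "virtualNetworkResourceId": "/subscriptions/0000/resourceGroups/rg-net/providers/Microsoft.Network/virtualNetworks/vnet-app/subnets/snet-files"},
    {"action": "Allow", "state": "NetworkSourceDeleted",
     "virtualNetworkResourceId": "/subscriptions/0000/resourceGroups/rg-net/providers/Microsoft.Network/virtualNetworks/vnet-app/subnets/snet-old"}
  ]
}
""")

def subnet_rule_status(rules, subnet_id):
    """Return 'ok', 'missing', or 'not-ready:<state>' for one subnet."""
    wanted = subnet_id.rstrip("/").lower()  # ARM resource IDs are case-insensitive
    for rule in rules.get("virtualNetworkRules") or []:
        rid = (rule.get("virtualNetworkResourceId") or "").rstrip("/").lower()
        if rid != wanted:
            continue
        state = rule.get("state") or "unknown"
        # Only an Allow rule whose provisioning finished counts as registered.
        if rule.get("action", "Allow") == "Allow" and state.lower() == "succeeded":
            return "ok"
        return "not-ready:" + state
    return "missing"

def audit(rules, expected_subnets):
    """Map each expected subnet ID to its status; anything but 'ok' needs attention."""
    return {s: subnet_rule_status(rules, s) for s in expected_subnets}

if __name__ == "__main__":
    base = ("/subscriptions/0000/resourceGroups/rg-net/providers/"
            "Microsoft.Network/virtualNetworks/vnet-app/subnets/")
    wanted = [base + "snet-files", base + "snet-old", base + "snet-new"]
    for subnet, status in audit(SAMPLE, wanted).items():
        print(status, subnet)
```

A status other than `ok` for a subnet that should have access is the cue to re-check the storage account's network rule for that subnet.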