Mar 31 2020 08:17 AM
Mar 31 2020 08:17 AM
I have provided access to my ADLS Gen2 through ACL.
My users have at least the ACL r-x on the filesystem and on the subsfolders or files when need access to.
From Home Office (through VPN) and using the client (MASE) "Microsoft Azure Storage Explorer"
Apr 06 2020 05:41 AM
Apr 15 2020 01:23 AM
@Jamesdld I checked on this and while it appears that Storage Explorer through the Azure portal works as expected with private endpoints, the client tool didn't. I suspect that Azure Storage Explorer uses legacy Blob APIs to enumerate / list contents of storage accounts. I was able to get Storage Explorer client working (from a machine within the VNET) by creating a private endpoint and private DNS zone for Blob access.
Apr 15 2020 02:16 AM
I confirm that connecting to blob Storage Accounts works fine.
My issue is connecting to a Storage Account that is enabled for ADLS Gen 2, the target Subresources are blob and dfs.
Can you confirm the issue? It occurs with Private Endpoints when you try to connect with a user that has ACL read and execute ACL.
Apr 15 2020 02:51 AM - edited Apr 15 2020 02:51 AM
@Jamesdld It may be useful to test by connecting with an account with storage account owner permissions
Apr 15 2020 09:12 AM
@Jamesdld Did you validate whether access through the Azure Portal Storage Explorer works in either case? (browsing from a machine on the same VNET as the private endpoint). Also notice that your errors on Test 1 and Test 2 are different - check the last part of this article (although it is written for Databricks/Spark) as well around reviewing ADLS ACLs : https://deep.data.blog/category/azure-data-lake-storage-gen-2/
Apr 15 2020 09:38 AM
Hi back and thank you for checking everything but concerning the ACL I am sure it works, as revealed in the following screenshot the connection with same user with the upper mentioned privileges works when connecting through Internet.
I can test from a VM which is the same vnet than my private endpoint, I will do that tomorrow.
Apr 16 2020 08:38 AM
I just did the test from a VM located in the same vnet than my private endpoints, the result is exactly the same.
Apr 16 2020 09:45 AM
@Jamesdld Did you try it from Storage Explorer WITHIN the account blade of the Azure portal to rule out issues with the Azure Storage Explorer tool? If this still is problematic try raising a call through support @https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/
Apr 17 2020 01:07 AM
Having an issue from the portal too with private endpoint, I did raise the support ticket number 120041722000372.
Apr 17 2020 01:31 AM
Just for info, I did overwrite the main dns record, not only the one recommended with ".private." and it worked for both users: the one that is owner and the one that has ACL privileges. This is definitely not a good an option but the result is interesting, I will share that with the support team.
Apr 18 2020 01:12 AM - edited Apr 18 2020 01:15 AM
I just ended a call with Garrett Curtin from Microsoft Storage support team (ticket id 120041722000372) and unfortunately "Storage Explorer" doesn’t support using privatelink dns zones as recommended here. The workaround is to overwrite the public dns record like "mysa.blob.core.windows.net" and not the privatelink one like: "mysa.privatelink.blob.core.windows.net"
A feature request was made here to make Storage Explorer support this.
Apr 18 2020 04:54 AM - edited Apr 18 2020 05:05 AM
I am still investigating here for info, my privatelink dns zone is hosted on On-Premises dns servers because my client are in my On-Premises network, I will dig this area, maybe its a ttl misconfiguration or something like that...
Apr 18 2020 05:12 AM - edited Apr 18 2020 08:22 AM
Using a DNS forwarder VM could be a solution but I would have preferred a solution with my current infra services. url: https://github.com/Azure/azure-quickstart-templates/tree/master/301-dns-forwarder/
There is here an interesting feature request : "Simplify Private Endpoint DNS resolution from on-premises". url: https://feedback.azure.com/forums/34192--general-feedback/suggestions/39697135-simplify-private-endp...
Apr 20 2020 06:31 AMSolution
I just understood and solved my issue, was all about DNS resolution, adding below some explanation.
End users need to connect to PaaS services from home through VPN or from On-Premises private networks through their Private Endpoints IPs.
Overview of the solution:
Forward DNS request to a DNS VM proxy located on Azure.
The DNS VM proxy is in a vnet that has a link with your Azure private DNS zones hosting the "privatelink" recommended DNS zones.
Detail of the solution:
A feature request has been published here to simplify Private Endpoint DNS resolution from On-Premises.