%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22image.png%22%20style%3D%22width%3A%20622px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F237304i67183885E65568CD%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22image.png%22%20alt%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%0A%3CLI%3E%3CSPAN%3E%20Once%20the%20new%20firewall%20rules%20are%20propagated%2C%20we%20can%20go%20back%20to%20our%20VM%20and%20try%20to%20download%20the%20blob%20again%20and%20it%20runs%20successfully.%20%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22image.png%22%20style%3D%22width%3A%20477px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F237305i35FDE120B25C46B4%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22image.png%22%20alt%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%20%3C%2FSPAN%3E%3C%2FLI%3E%0A%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EScenario%203%3A%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EYou%20are%20trying%20to%20add%20a%20VNet%20and%20its%20subnets%20to%20storage%20accounts%20firewall.%20However%2C%20you%20are%20getting%20NetworkSourceDeleted%20error.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22image.png%22%20style%3D%22width%3A%20246px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F237306iBF15EE4E043B7E8C%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22image.png%22%20alt%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EActions%3A%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EThe%20error%20message%20in%20this%20case%20is%20very%20self-explanatory.%20The%20subnet%20%E2%80%98subnet1%E2%80%99%20under%20testvnet1%20is%20required%20to%20be%20removed%20from%20storage%20accounts%20named%20in%20the%20error%20message.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ELet%20us%20understand%20why%20this%20error%20occurs.%20We%20have%20a%20Virtual%20Network%20setup%20as%20below%20and%20all%20these%20subnets%20are%20added%20to%20a%20storage%20accounts%20firewall%3A%3C%2FP%3E%0A%3CTABLE%20class%3D%22hiddenTable%22%20style%3D%22border-style%3A%20hidden%3B%22%20width%3D%22600%22%3E%0A%3CTBODY%3E%0A%3CTR%20style%3D%22border-style%3A%20hidden%3B%22%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EVNet1%3C%2FTD%3E%0A%3CTD%20style%3D%22border-style%3A%20hidden%3B%20padding%3A%200%3B%22%3E%26nbsp%3B%3C%2FTD%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EStorage1%20Firewall%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20style%3D%22border-style%3A%20hidden%3B%22%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3E%E2%87%92subnet0%3C%2FTD%3E%0A%3CTD%20style%3D%22border-style%3A%20hidden%3B%20padding%3A%200%3B%22%3E%26nbsp%3B%3C%2FTD%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EVNet1%5Csubnet0%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20style%3D%22border-style%3A%20hidden%3B%22%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3E%E2%87%92subnet1%3C%2FTD%3E%0A%3CTD%20style%3D%22border-style%3A%20hidden%3B%20padding%3A%200%3B%22%3E%26nbsp%3B%3C%2FTD%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EVNet1%5Csubnet1%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20style%3D%22border-style%3A%20hidden%3B%22%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3E%E2%87%92subnet2%3C%2FTD%3E%0A%3CTD%20style%3D%22border-style%3A%20hidden%3B%20padding%3A%200%3B%22%3E%26nbsp%3B%3C%2FTD%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EVNet1%5Csubnet2%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ENow%2C%20if%20you%20delete%20a%20subnet%20from%20the%20virtual%20network%2C%20that%20subnet%20gets%20marked%20as%20NetworkSourceDeleted%20in%20the%20storage%20account.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CTABLE%20class%3D%22hiddenTable%22%20style%3D%22border-style%3A%20hidden%3B%22%20width%3D%22600%22%3E%0A%3CTBODY%3E%0A%3CTR%20style%3D%22border-style%3A%20hidden%3B%22%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EVNet1%3C%2FTD%3E%0A%3CTD%20style%3D%22border-style%3A%20hidden%3B%20padding%3A%200%3B%22%3E%26nbsp%3B%3C%2FTD%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EStorage1%20Firewall%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20style%3D%22border-style%3A%20hidden%3B%22%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3E%E2%87%92subnet0%3C%2FTD%3E%0A%3CTD%20style%3D%22border-style%3A%20hidden%3B%20padding%3A%200%3B%22%3E%26nbsp%3B%3C%2FTD%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EVNet1%5Csubnet0%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20style%3D%22border-style%3A%20hidden%3B%22%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3E%E2%87%92subnet1%20-deleted%3C%2FTD%3E%0A%3CTD%20style%3D%22border-style%3A%20hidden%3B%20padding%3A%200%3B%22%3E%26nbsp%3B%3C%2FTD%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EVNet1%5Csubnet1%20-NetworkSourceDeleted%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20style%3D%22border-style%3A%20hidden%3B%22%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3E%E2%87%92subnet2%3C%2FTD%3E%0A%3CTD%20style%3D%22border-style%3A%20hidden%3B%20padding%3A%200%3B%22%3E%26nbsp%3B%3C%2FTD%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EVNet1%5Csubnet2%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20create%20another%20subnet%20having%20the%20same%20name%20as%20the%20one%20which%20was%20deleted%20earlier.%20The%20previously%20deleted%20subnet1%20is%20still%20marked%20as%20%E2%80%98NetworkSourceDeleted%E2%80%99%20under%20Storage1%20firewall.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CTABLE%20class%3D%22hiddenTable%22%20style%3D%22border-style%3A%20hidden%3B%22%20width%3D%22600%22%3E%0A%3CTBODY%3E%0A%3CTR%20style%3D%22border-style%3A%20hidden%3B%22%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EVNet1%3C%2FTD%3E%0A%3CTD%20style%3D%22border-style%3A%20hidden%3B%20padding%3A%200%3B%22%3E%26nbsp%3B%3C%2FTD%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EStorage1%20Firewall%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20style%3D%22border-style%3A%20hidden%3B%22%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3E%E2%87%92subnet0%3C%2FTD%3E%0A%3CTD%20style%3D%22border-style%3A%20hidden%3B%20padding%3A%200%3B%22%3E%26nbsp%3B%3C%2FTD%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EVNet1%5Csubnet0%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20style%3D%22border-style%3A%20hidden%3B%22%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3E%E2%87%92subnet1%20-new%3C%2FTD%3E%0A%3CTD%20style%3D%22border-style%3A%20hidden%3B%20padding%3A%200%3B%22%3E%26nbsp%3B%3C%2FTD%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EVNet1%5Csubnet1%20-NetworkSourceDeleted%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20style%3D%22border-style%3A%20hidden%3B%22%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3E%E2%87%92subnet2%3C%2FTD%3E%0A%3CTD%20style%3D%22border-style%3A%20hidden%3B%20padding%3A%200%3B%22%3E%26nbsp%3B%3C%2FTD%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EVNet1%5Csubnet2%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20we%20try%20to%20add%20the%20new%20%E2%80%98subnet1%E2%80%99%20to%20any%20other%20storage%20accounts%20firewall%2C%20we%20get%20%E2%80%98NetworkSourceDeleted%E2%80%99%20error.%20To%20resolve%20this%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3EWe%20go%20to%20Firewalls%20and%20virtual%20networks%20under%20storage%20accounts%20mentioned%20in%20the%20error%20and%20remove%20subnet1%20from%20the%20Virtual%20networks%20allowed.%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3E%20Then%20if%20we%20try%20to%20add%20the%20subnet1%20in%20any%20other%20storage%20account%2C%20it%20will%20not%20throw%20the%20error%20and%20complete%20the%20operation%20successfully.%20%3C%2FSPAN%3E%20%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22image.png%22%20style%3D%22width%3A%20622px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F237307iADAA4D7805A27464%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22image.png%22%20alt%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%20%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22image.png%22%20style%3D%22width%3A%20245px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F237308i9102250159F3A934%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22image.png%22%20alt%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FOL%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22image.png%22%20style%3D%22width%3A%20622px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F237304i67183885E65568CD%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22image.png%22%20alt%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%0A%3CLI%3E%3CSPAN%3E%20Once%20the%20new%20firewall%20rules%20are%20propagated%2C%20we%20can%20go%20back%20to%20our%20VM%20and%20try%20to%20download%20the%20blob%20again%20and%20it%20runs%20successfully.%20%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22image.png%22%20style%3D%22width%3A%20477px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F237305i35FDE120B25C46B4%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22image.png%22%20alt%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%20%3C%2FSPAN%3E%3C%2FLI%3E%0A%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EScenario%203%3A%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EYou%20are%20trying%20to%20add%20a%20VNet%20and%20its%20subnets%20to%20storage%20accounts%20firewall.%20However%2C%20you%20are%20getting%20NetworkSourceDeleted%20error.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22image.png%22%20style%3D%22width%3A%20246px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F237306iBF15EE4E043B7E8C%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22image.png%22%20alt%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EActions%3A%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EThe%20error%20message%20in%20this%20case%20is%20very%20self-explanatory.%20The%20subnet%20%E2%80%98subnet1%E2%80%99%20under%20testvnet1%20is%20required%20to%20be%20removed%20from%20storage%20accounts%20named%20in%20the%20error%20message.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ELet%20us%20understand%20why%20this%20error%20occurs.%20We%20have%20a%20Virtual%20Network%20setup%20as%20below%20and%20all%20these%20subnets%20are%20added%20to%20a%20storage%20accounts%20firewall%3A%3C%2FP%3E%0A%3CTABLE%20class%3D%22hiddenTable%22%20style%3D%22border-style%3A%20hidden%3B%22%20width%3D%22600%22%3E%0A%3CTBODY%3E%0A%3CTR%20style%3D%22border-style%3A%20hidden%3B%22%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EVNet1%3C%2FTD%3E%0A%3CTD%20style%3D%22border-style%3A%20hidden%3B%20padding%3A%200%3B%22%3E%26nbsp%3B%3C%2FTD%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EStorage1%20Firewall%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20style%3D%22border-style%3A%20hidden%3B%22%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3E%E2%87%92subnet0%3C%2FTD%3E%0A%3CTD%20style%3D%22border-style%3A%20hidden%3B%20padding%3A%200%3B%22%3E%26nbsp%3B%3C%2FTD%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EVNet1%5Csubnet0%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20style%3D%22border-style%3A%20hidden%3B%22%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3E%E2%87%92subnet1%3C%2FTD%3E%0A%3CTD%20style%3D%22border-style%3A%20hidden%3B%20padding%3A%200%3B%22%3E%26nbsp%3B%3C%2FTD%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EVNet1%5Csubnet1%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20style%3D%22border-style%3A%20hidden%3B%22%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3E%E2%87%92subnet2%3C%2FTD%3E%0A%3CTD%20style%3D%22border-style%3A%20hidden%3B%20padding%3A%200%3B%22%3E%26nbsp%3B%3C%2FTD%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EVNet1%5Csubnet2%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ENow%2C%20if%20you%20delete%20a%20subnet%20from%20the%20virtual%20network%2C%20that%20subnet%20gets%20marked%20as%20NetworkSourceDeleted%20in%20the%20storage%20account.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CTABLE%20class%3D%22hiddenTable%22%20style%3D%22border-style%3A%20hidden%3B%22%20width%3D%22600%22%3E%0A%3CTBODY%3E%0A%3CTR%20style%3D%22border-style%3A%20hidden%3B%22%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EVNet1%3C%2FTD%3E%0A%3CTD%20style%3D%22border-style%3A%20hidden%3B%20padding%3A%200%3B%22%3E%26nbsp%3B%3C%2FTD%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EStorage1%20Firewall%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20style%3D%22border-style%3A%20hidden%3B%22%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3E%E2%87%92subnet0%3C%2FTD%3E%0A%3CTD%20style%3D%22border-style%3A%20hidden%3B%20padding%3A%200%3B%22%3E%26nbsp%3B%3C%2FTD%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EVNet1%5Csubnet0%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20style%3D%22border-style%3A%20hidden%3B%22%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3E%E2%87%92subnet1%20-deleted%3C%2FTD%3E%0A%3CTD%20style%3D%22border-style%3A%20hidden%3B%20padding%3A%200%3B%22%3E%26nbsp%3B%3C%2FTD%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EVNet1%5Csubnet1%20-NetworkSourceDeleted%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20style%3D%22border-style%3A%20hidden%3B%22%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3E%E2%87%92subnet2%3C%2FTD%3E%0A%3CTD%20style%3D%22border-style%3A%20hidden%3B%20padding%3A%200%3B%22%3E%26nbsp%3B%3C%2FTD%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EVNet1%5Csubnet2%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20create%20another%20subnet%20having%20the%20same%20name%20as%20the%20one%20which%20was%20deleted%20earlier.%20The%20previously%20deleted%20subnet1%20is%20still%20marked%20as%20%E2%80%98NetworkSourceDeleted%E2%80%99%20under%20Storage1%20firewall.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CTABLE%20class%3D%22hiddenTable%22%20style%3D%22border-style%3A%20hidden%3B%22%20width%3D%22600%22%3E%0A%3CTBODY%3E%0A%3CTR%20style%3D%22border-style%3A%20hidden%3B%22%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EVNet1%3C%2FTD%3E%0A%3CTD%20style%3D%22border-style%3A%20hidden%3B%20padding%3A%200%3B%22%3E%26nbsp%3B%3C%2FTD%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EStorage1%20Firewall%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20style%3D%22border-style%3A%20hidden%3B%22%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3E%E2%87%92subnet0%3C%2FTD%3E%0A%3CTD%20style%3D%22border-style%3A%20hidden%3B%20padding%3A%200%3B%22%3E%26nbsp%3B%3C%2FTD%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EVNet1%5Csubnet0%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20style%3D%22border-style%3A%20hidden%3B%22%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3E%E2%87%92subnet1%20-new%3C%2FTD%3E%0A%3CTD%20style%3D%22border-style%3A%20hidden%3B%20padding%3A%200%3B%22%3E%26nbsp%3B%3C%2FTD%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EVNet1%5Csubnet1%20-NetworkSourceDeleted%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20style%3D%22border-style%3A%20hidden%3B%22%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3E%E2%87%92subnet2%3C%2FTD%3E%0A%3CTD%20style%3D%22border-style%3A%20hidden%3B%20padding%3A%200%3B%22%3E%26nbsp%3B%3C%2FTD%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EVNet1%5Csubnet2%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20we%20try%20to%20add%20the%20new%20%E2%80%98subnet1%E2%80%99%20to%20any%20other%20storage%20accounts%20firewall%2C%20we%20get%20%E2%80%98NetworkSourceDeleted%E2%80%99%20error.%20To%20resolve%20this%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3EWe%20go%20to%20Firewalls%20and%20virtual%20networks%20under%20storage%20accounts%20mentioned%20in%20the%20error%20and%20remove%20subnet1%20from%20the%20Virtual%20networks%20allowed.%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3E%20Then%20if%20we%20try%20to%20add%20the%20subnet1%20in%20any%20other%20storage%20account%2C%20it%20will%20not%20throw%20the%20error%20and%20complete%20the%20operation%20successfully.%20%3C%2FSPAN%3E%20%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22image.png%22%20style%3D%22width%3A%20622px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F237307iADAA4D7805A27464%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22image.png%22%20alt%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%20%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22image.png%22%20style%3D%22width%3A%20245px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F237308i9102250159F3A934%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22image.png%22%20alt%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FOL%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22image.png%22%20style%3D%22width%3A%20622px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F237304i67183885E65568CD%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22image.png%22%20alt%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%0A%3CLI%3E%3CSPAN%3E%20Once%20the%20new%20firewall%20rules%20are%20propagated%2C%20we%20can%20go%20back%20to%20our%20VM%20and%20try%20to%20download%20the%20blob%20again%20and%20it%20runs%20successfully.%20%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22image.png%22%20style%3D%22width%3A%20477px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F237305i35FDE120B25C46B4%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22image.png%22%20alt%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%20%3C%2FSPAN%3E%3C%2FLI%3E%0A%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EScenario%203%3A%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EYou%20are%20trying%20to%20add%20a%20VNet%20and%20its%20subnets%20to%20storage%20accounts%20firewall.%20However%2C%20you%20are%20getting%20NetworkSourceDeleted%20error.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22image.png%22%20style%3D%22width%3A%20246px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F237306iBF15EE4E043B7E8C%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22image.png%22%20alt%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EActions%3A%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EThe%20error%20message%20in%20this%20case%20is%20very%20self-explanatory.%20The%20subnet%20%E2%80%98subnet1%E2%80%99%20under%20testvnet1%20is%20required%20to%20be%20removed%20from%20storage%20accounts%20named%20in%20the%20error%20message.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ELet%20us%20understand%20why%20this%20error%20occurs.%20We%20have%20a%20Virtual%20Network%20setup%20as%20below%20and%20all%20these%20subnets%20are%20added%20to%20a%20storage%20accounts%20firewall%3A%3C%2FP%3E%0A%3CTABLE%20class%3D%22hiddenTable%22%20style%3D%22border-style%3A%20hidden%3B%22%20width%3D%22600%22%3E%0A%3CTBODY%3E%0A%3CTR%20style%3D%22border-style%3A%20hidden%3B%22%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EVNet1%3C%2FTD%3E%0A%3CTD%20style%3D%22border-style%3A%20hidden%3B%20padding%3A%200%3B%22%3E%26nbsp%3B%3C%2FTD%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EStorage1%20Firewall%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20style%3D%22border-style%3A%20hidden%3B%22%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3E%E2%87%92subnet0%3C%2FTD%3E%0A%3CTD%20style%3D%22border-style%3A%20hidden%3B%20padding%3A%200%3B%22%3E%26nbsp%3B%3C%2FTD%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EVNet1%5Csubnet0%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20style%3D%22border-style%3A%20hidden%3B%22%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3E%E2%87%92subnet1%3C%2FTD%3E%0A%3CTD%20style%3D%22border-style%3A%20hidden%3B%20padding%3A%200%3B%22%3E%26nbsp%3B%3C%2FTD%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EVNet1%5Csubnet1%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20style%3D%22border-style%3A%20hidden%3B%22%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3E%E2%87%92subnet2%3C%2FTD%3E%0A%3CTD%20style%3D%22border-style%3A%20hidden%3B%20padding%3A%200%3B%22%3E%26nbsp%3B%3C%2FTD%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EVNet1%5Csubnet2%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ENow%2C%20if%20you%20delete%20a%20subnet%20from%20the%20virtual%20network%2C%20that%20subnet%20gets%20marked%20as%20NetworkSourceDeleted%20in%20the%20storage%20account.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CTABLE%20class%3D%22hiddenTable%22%20style%3D%22border-style%3A%20hidden%3B%22%20width%3D%22600%22%3E%0A%3CTBODY%3E%0A%3CTR%20style%3D%22border-style%3A%20hidden%3B%22%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EVNet1%3C%2FTD%3E%0A%3CTD%20style%3D%22border-style%3A%20hidden%3B%20padding%3A%200%3B%22%3E%26nbsp%3B%3C%2FTD%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EStorage1%20Firewall%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20style%3D%22border-style%3A%20hidden%3B%22%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3E%E2%87%92subnet0%3C%2FTD%3E%0A%3CTD%20style%3D%22border-style%3A%20hidden%3B%20padding%3A%200%3B%22%3E%26nbsp%3B%3C%2FTD%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EVNet1%5Csubnet0%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20style%3D%22border-style%3A%20hidden%3B%22%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3E%E2%87%92subnet1%20-deleted%3C%2FTD%3E%0A%3CTD%20style%3D%22border-style%3A%20hidden%3B%20padding%3A%200%3B%22%3E%26nbsp%3B%3C%2FTD%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EVNet1%5Csubnet1%20-NetworkSourceDeleted%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20style%3D%22border-style%3A%20hidden%3B%22%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3E%E2%87%92subnet2%3C%2FTD%3E%0A%3CTD%20style%3D%22border-style%3A%20hidden%3B%20padding%3A%200%3B%22%3E%26nbsp%3B%3C%2FTD%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EVNet1%5Csubnet2%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20create%20another%20subnet%20having%20the%20same%20name%20as%20the%20one%20which%20was%20deleted%20earlier.%20The%20previously%20deleted%20subnet1%20is%20still%20marked%20as%20%E2%80%98NetworkSourceDeleted%E2%80%99%20under%20Storage1%20firewall.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CTABLE%20class%3D%22hiddenTable%22%20style%3D%22border-style%3A%20hidden%3B%22%20width%3D%22600%22%3E%0A%3CTBODY%3E%0A%3CTR%20style%3D%22border-style%3A%20hidden%3B%22%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EVNet1%3C%2FTD%3E%0A%3CTD%20style%3D%22border-style%3A%20hidden%3B%20padding%3A%200%3B%22%3E%26nbsp%3B%3C%2FTD%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EStorage1%20Firewall%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20style%3D%22border-style%3A%20hidden%3B%22%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3E%E2%87%92subnet0%3C%2FTD%3E%0A%3CTD%20style%3D%22border-style%3A%20hidden%3B%20padding%3A%200%3B%22%3E%26nbsp%3B%3C%2FTD%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EVNet1%5Csubnet0%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20style%3D%22border-style%3A%20hidden%3B%22%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3E%E2%87%92subnet1%20-new%3C%2FTD%3E%0A%3CTD%20style%3D%22border-style%3A%20hidden%3B%20padding%3A%200%3B%22%3E%26nbsp%3B%3C%2FTD%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EVNet1%5Csubnet1%20-NetworkSourceDeleted%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20style%3D%22border-style%3A%20hidden%3B%22%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3E%E2%87%92subnet2%3C%2FTD%3E%0A%3CTD%20style%3D%22border-style%3A%20hidden%3B%20padding%3A%200%3B%22%3E%26nbsp%3B%3C%2FTD%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EVNet1%5Csubnet2%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20we%20try%20to%20add%20the%20new%20%E2%80%98subnet1%E2%80%99%20to%20any%20other%20storage%20accounts%20firewall%2C%20we%20get%20%E2%80%98NetworkSourceDeleted%E2%80%99%20error.%20To%20resolve%20this%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3EWe%20go%20to%20Firewalls%20and%20virtual%20networks%20under%20storage%20accounts%20mentioned%20in%20the%20error%20and%20remove%20subnet1%20from%20the%20Virtual%20networks%20allowed.%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3E%20Then%20if%20we%20try%20to%20add%20the%20subnet1%20in%20any%20other%20storage%20account%2C%20it%20will%20not%20throw%20the%20error%20and%20complete%20the%20operation%20successfully.%20%3C%2FSPAN%3E%20%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22image.png%22%20style%3D%22width%3A%20622px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F237307iADAA4D7805A27464%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22image.png%22%20alt%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%20%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22image.png%22%20style%3D%22width%3A%20245px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F237308i9102250159F3A934%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22image.png%22%20alt%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FOL%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1944730%22%20slang%3D%22en-US%22%3ETroubleshooting%20Storage%20Firewall%20Issues%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1944730%22%20slang%3D%22en-US%22%3E%3CP%3EIn%20this%20blog%20we%20will%20look%20at%20some%20common%20issues%20that%20we%20face%20using%20storage%20accounts%20with%20Firewalls%20and%20Virtual%20Networks%20enabled.%20We%20have%20enabled%20storage%20diagnostics%20logs%20on%20the%20storage%20account%2C%20and%20we%20will%20use%20the%20same%20to%20troubleshoot%20some%20of%20the%20issues.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20have%20enabled%20Firewalls%20and%20Virtual%20networks%20on%20your%20storage%20account%20and%20allowed%20access%20to%20the%20storage%20account%20only%20from%20specific%20Virtual%20Network(s)%20(VNet).%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22image.png%22%20style%3D%22width%3A%20622px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F237292i5C2287A5E452ABC6%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22image.png%22%20alt%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CU%3EScenario%201%3A%3C%2FU%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EYou%20are%20not%20able%20to%20access%20your%20storage%20account%20using%20Portal%20from%20an%20on-premises%20network%20(not%20part%20of%20the%20Azure%20VNet)%20or%20over%20the%20internet.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22image.png%22%20style%3D%22width%3A%20447px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F237293iE986D0E1B2A24656%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22image.png%22%20alt%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EActions%3A%3C%2FSTRONG%3E%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3EThe%20error%20message%20we%20are%20getting%20is%20Authorization%20Error%20when%20accessing%20the%20storage%20account%20from%20our%20on-premises%20system.%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3EWe%20will%20download%20the%20storage%20diagnostics%20logs%20and%20look%20for%20additional%20information%20on%20this%20error.%3C%2FSPAN%3E%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22image.png%22%20style%3D%22width%3A%20494px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F237309i44803ACA4FAFFE51%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22image.png%22%20alt%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3EIn%20the%20log%20file%20we%20will%20look%20up%20the%20%E2%80%98Storage%20Request%20ID%E2%80%99%20that%20we%20see%20in%20the%20error%2C%20which%20is%20%E2%80%98c18737e5-b01e-000a-04c5-b9b483000000%E2%80%99%20in%20this%20case.%3C%2FSPAN%3E%20%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22image.png%22%20style%3D%22width%3A%20546px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F237295iB5DE57AE25D56905%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22image.png%22%20alt%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3EFrom%20the%20logs%20we%20can%20see%20that%20the%20request%20failed%20due%20to%20%E2%80%98SASIpAuthorizationError%E2%80%99%20and%20we%20can%20see%20the%20originating%20IP%20address%20as%20well.%3C%2FSPAN%3E%20%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22image.png%22%20style%3D%22width%3A%20622px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F237296iC7BB897DFFB538B2%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22image.png%22%20alt%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3EAs%20we%20have%20allowed%20access%20to%20our%20storage%20account%20only%20from%20specific%20VNet%2C%20we%20need%20further%20authorize%20our%20client%20IP%20Address%20as%20well.%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3EFor%20that%20we%20will%20navigate%20back%20to%20%E2%80%98Firewalls%20and%20virtual%20networks%E2%80%99%20and%20under%20Firewall%2C%20we%20will%20add%20our%20client%20IP%20address%20and%20click%20Save.%3C%2FSPAN%3E%20%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22image.png%22%20style%3D%22width%3A%20564px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F237297iF37D848B7B893C20%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22image.png%22%20alt%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3EOnce%20done%20we%20are%20now%20able%20to%20access%20the%20storage%20account%20containers%20contents.%3C%2FSPAN%3E%20%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22image.png%22%20style%3D%22width%3A%20622px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F237298i12667FC515D1028A%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22image.png%22%20alt%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EScenario%202%3A%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EYou%20are%20not%20able%20to%20access%20your%20storage%20account%20from%20a%20Virtual%20Machine%2C%20which%20is%20part%20of%20the%20VNet%2C%20already%20authorized%20in%20storage%20accounts%20Firewall%20and%20virtual%20networks.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWhen%20trying%20to%20download%20a%20file%2C%20we%20see%20the%20following%20error%20message.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22image.png%22%20style%3D%22width%3A%20622px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F237299i9D0038E610BC7106%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22image.png%22%20alt%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EActions%3A%3C%2FSTRONG%3E%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3E%3CSPAN%3EFor%20this%20issue%20we%20will%20use%20the%20storage%20diagnostics%20logs%20enabled%20on%20our%20storage%20account.%20We%20will%20navigate%20to%20the%20%24logs%20container%20in%20our%20storage%20account%20and%20download%20log%20files.%3C%2FSPAN%3E%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22image.png%22%20style%3D%22width%3A%20622px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F237300i0425B009710B104A%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22image.png%22%20alt%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3EWe%20have%20converted%20the%20.log%20file%20to%20a%20CSV%20using%20this%20PowerShell%20script%20for%20easier%20analysis.%20%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fgist.github.com%2Fajith-k%2Faa69feb862a4816d0b4df09fae8aad11%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgist.github.com%2Fajith-k%2Faa69feb862a4816d0b4df09fae8aad11%3C%2FA%3E%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3EAs%20we%20were%20trying%20to%20download%20a%20blob%2C%20we%20will%20filter%20the%20logs%20and%20look%20for%20%E2%80%98GetBlob%E2%80%99%20operations%20and%20look%20for%20failed%20requests.%3C%2FSPAN%3E%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22image.png%22%20style%3D%22width%3A%20452px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F237301i3074C1F85EF866D0%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22image.png%22%20alt%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3EBelow%20are%20the%20details%20of%20the%20error%20message%20that%20I%20have%20extracted%20from%20logs.%3CTABLE%20class%3D%22lia-indent-margin-left-20px%22%20width%3D%22600%22%3E%0A%3CTBODY%20class%3D%22%22%3E%0A%3CTR%20class%3D%22%22%3E%0A%3CTD%20width%3D%22200%22%3E%3CP%3ETransaction%20Start%20Time%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22400%22%20class%3D%22%22%3E%3CP%3E2020-11-13T14%3A46%3A26.5411013Z%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20class%3D%22%22%3E%0A%3CTD%20width%3D%22200%22%20class%3D%22%22%3E%3CP%3EREST%20Operation%20Type%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22400%22%20style%3D%22word-break%3A%20break-all%3B%22%3E%3CP%3EGetBlob%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20class%3D%22%22%3E%0A%3CTD%20width%3D%22200%22%20class%3D%22%22%3E%3CP%3ERequest%20Status%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22400%22%20style%3D%22word-break%3A%20break-all%3B%22%3E%3CP%3EOAuthIpAuthorizationError%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20class%3D%22%22%3E%0A%3CTD%20width%3D%22200%22%20class%3D%22%22%3E%3CP%3EHTTP%20Status%20Code%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22400%22%20style%3D%22word-break%3A%20break-all%3B%22%3E%3CP%3E403%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20class%3D%22%22%3E%0A%3CTD%20width%3D%22200%22%20class%3D%22%22%3E%3CP%3EAuthentication%20type%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22400%22%20style%3D%22word-break%3A%20break-all%3B%22%3E%3CP%3Ebearer%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20class%3D%22%22%3E%0A%3CTD%20width%3D%22200%22%20class%3D%22%22%3E%3CP%3EService%20Type%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22400%22%20style%3D%22word-break%3A%20break-all%3B%22%3E%3CP%3Eblob%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20class%3D%22%22%3E%0A%3CTD%20width%3D%22200%22%20class%3D%22%22%3E%3CP%3ERequest%20URL%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22400%22%20style%3D%22word-break%3A%20break-all%3B%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fstorageaccount.blob.core.windows.net%3A443%2Ftestcontainer%2FImage1.png%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fstorageaccount.blob.core.windows.net%3A443%2Ftestcontainer%2FImage1.png%3C%2FA%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20class%3D%22%22%3E%0A%3CTD%20width%3D%22200%22%20class%3D%22%22%3E%3CP%3ERequest%20ID%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22400%22%20style%3D%22word-break%3A%20break-all%3B%22%3E%3CP%3E6c736153-f01e-0024-16cb-b9e694000000%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20class%3D%22%22%3E%0A%3CTD%20width%3D%22200%22%20class%3D%22%22%3E%3CP%3EClient%20IP%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22400%22%20style%3D%22word-break%3A%20break-all%3B%22%3E%3CP%3E10.1.3.4%3A50265%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20class%3D%22%22%3E%0A%3CTD%20width%3D%22200%22%20class%3D%22%22%3E%3CP%3EUser%20Agent%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22400%22%20style%3D%22word-break%3A%20break-all%3B%22%3E%3CP%3EAzure-Storage%2F2.0.0-2.0.1%20(Python%20CPython%203.6.8%3B%20Windows%2010)%20AZURECLI%2F2.11.1%20(MSI)%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20class%3D%22%22%3E%0A%3CTD%20width%3D%22200%22%20class%3D%22%22%3E%3CP%3EUser%20Object%20ID%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22400%22%20style%3D%22word-break%3A%20break-all%3B%22%3E%3CP%3E9e1xxxxx-xxxx-xxxx-xxxx-xxxxxx786d11%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3C%2FLI%3E%0A%3CLI%3ETo%20confirm%20that%20this%20error%20indeed%20originated%20from%20our%20VM%2C%20we%20can%20verify%20the%20IP%20Address.%20For%20that%20we%20can%20simply%20run%20ipconfig%20command%20in%20our%20Virtual%20Machine%2C%20or%20on%20Azure%20Portal%2C%20we%20can%20go%20to%20the%20VNet%20this%20VM%20belongs%20to%20and%20check%20under%20Connected%20devices.%3C%2FLI%3E%0A%3CLI%3EThe%20Request%20Status%20field%20denotes%20that%20this%20request%20was%20failed%20due%20to%20IP%20Authorization%20error.%20OAuth%20prefix%20denotes%20the%20authentication%20method%20used%20for%20this%20request.%20HTTP%20Status%20code%20denotes%20403%20which%20means%20unauthorized%20access.%3C%2FLI%3E%0A%3CLI%3ENext%2C%20we%20need%20to%20verify%20that%20the%20subnet%20in%20which%20this%20VM%20is%20assigned%20to%20is%20also%20allowed%20in%20the%20storage%20firewall.%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3EThe%20VM%20belongs%20to%20testVNet1%20and%20subnet%20is%20subnet3.%3CSPAN%3E%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22image.png%22%20style%3D%22width%3A%20433px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F237302i58E1C9CD80B4EAFA%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22image.png%22%20alt%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3EUnder%20storage%20accounts%2C%20Firewalls%20and%20virtual%20networks%20we%20can%20see%20that%20only%20subnet0%20is%20allowed%20to%20access%20the%20storage%20account.%3C%2FSPAN%3E%20%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22image.png%22%20style%3D%22width%3A%20622px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F237303i33D30590FB936B91%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22image.png%22%20alt%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3EWe%20need%20to%20authorize%20subnet3%20and%20enable%20Storage%20Endpoint%20on%20that%20subnet.%20If%20storage%20endpoint%20is%20not%20enabled%2C%20Portal%20will%20show%20a%20message%20and%20give%20the%20option%20to%20enable%20the%20storage%20endpoint.%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3EOnce%20enabled%2C%20we%20can%20add%20subnet3%20to%20the%20storage%20accounts%20firewall.%3C%2FSPAN%3E%3C%2FLI%3E%3C%2FOL%3E%3C%2FLINGO-BODY%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22image.png%22%20style%3D%22width%3A%20622px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F237304i67183885E65568CD%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22image.png%22%20alt%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%0A%3CLI%3E%3CSPAN%3E%20Once%20the%20new%20firewall%20rules%20are%20propagated%2C%20we%20can%20go%20back%20to%20our%20VM%20and%20try%20to%20download%20the%20blob%20again%20and%20it%20runs%20successfully.%20%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22image.png%22%20style%3D%22width%3A%20477px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F237305i35FDE120B25C46B4%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22image.png%22%20alt%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%20%3C%2FSPAN%3E%3C%2FLI%3E%0A%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EScenario%203%3A%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EYou%20are%20trying%20to%20add%20a%20VNet%20and%20its%20subnets%20to%20storage%20accounts%20firewall.%20However%2C%20you%20are%20getting%20NetworkSourceDeleted%20error.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22image.png%22%20style%3D%22width%3A%20246px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F237306iBF15EE4E043B7E8C%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22image.png%22%20alt%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EActions%3A%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EThe%20error%20message%20in%20this%20case%20is%20very%20self-explanatory.%20The%20subnet%20%E2%80%98subnet1%E2%80%99%20under%20testvnet1%20is%20required%20to%20be%20removed%20from%20storage%20accounts%20named%20in%20the%20error%20message.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ELet%20us%20understand%20why%20this%20error%20occurs.%20We%20have%20a%20Virtual%20Network%20setup%20as%20below%20and%20all%20these%20subnets%20are%20added%20to%20a%20storage%20accounts%20firewall%3A%3C%2FP%3E%0A%3CTABLE%20class%3D%22hiddenTable%22%20style%3D%22border-style%3A%20hidden%3B%22%20width%3D%22600%22%3E%0A%3CTBODY%3E%0A%3CTR%20style%3D%22border-style%3A%20hidden%3B%22%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EVNet1%3C%2FTD%3E%0A%3CTD%20style%3D%22border-style%3A%20hidden%3B%20padding%3A%200%3B%22%3E%26nbsp%3B%3C%2FTD%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EStorage1%20Firewall%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20style%3D%22border-style%3A%20hidden%3B%22%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3E%E2%87%92subnet0%3C%2FTD%3E%0A%3CTD%20style%3D%22border-style%3A%20hidden%3B%20padding%3A%200%3B%22%3E%26nbsp%3B%3C%2FTD%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EVNet1%5Csubnet0%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20style%3D%22border-style%3A%20hidden%3B%22%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3E%E2%87%92subnet1%3C%2FTD%3E%0A%3CTD%20style%3D%22border-style%3A%20hidden%3B%20padding%3A%200%3B%22%3E%26nbsp%3B%3C%2FTD%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EVNet1%5Csubnet1%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20style%3D%22border-style%3A%20hidden%3B%22%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3E%E2%87%92subnet2%3C%2FTD%3E%0A%3CTD%20style%3D%22border-style%3A%20hidden%3B%20padding%3A%200%3B%22%3E%26nbsp%3B%3C%2FTD%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EVNet1%5Csubnet2%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ENow%2C%20if%20you%20delete%20a%20subnet%20from%20the%20virtual%20network%2C%20that%20subnet%20gets%20marked%20as%20NetworkSourceDeleted%20in%20the%20storage%20account.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CTABLE%20class%3D%22hiddenTable%22%20style%3D%22border-style%3A%20hidden%3B%22%20width%3D%22600%22%3E%0A%3CTBODY%3E%0A%3CTR%20style%3D%22border-style%3A%20hidden%3B%22%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EVNet1%3C%2FTD%3E%0A%3CTD%20style%3D%22border-style%3A%20hidden%3B%20padding%3A%200%3B%22%3E%26nbsp%3B%3C%2FTD%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EStorage1%20Firewall%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20style%3D%22border-style%3A%20hidden%3B%22%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3E%E2%87%92subnet0%3C%2FTD%3E%0A%3CTD%20style%3D%22border-style%3A%20hidden%3B%20padding%3A%200%3B%22%3E%26nbsp%3B%3C%2FTD%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EVNet1%5Csubnet0%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20style%3D%22border-style%3A%20hidden%3B%22%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3E%E2%87%92subnet1%20-deleted%3C%2FTD%3E%0A%3CTD%20style%3D%22border-style%3A%20hidden%3B%20padding%3A%200%3B%22%3E%26nbsp%3B%3C%2FTD%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EVNet1%5Csubnet1%20-NetworkSourceDeleted%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20style%3D%22border-style%3A%20hidden%3B%22%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3E%E2%87%92subnet2%3C%2FTD%3E%0A%3CTD%20style%3D%22border-style%3A%20hidden%3B%20padding%3A%200%3B%22%3E%26nbsp%3B%3C%2FTD%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EVNet1%5Csubnet2%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20create%20another%20subnet%20having%20the%20same%20name%20as%20the%20one%20which%20was%20deleted%20earlier.%20The%20previously%20deleted%20subnet1%20is%20still%20marked%20as%20%E2%80%98NetworkSourceDeleted%E2%80%99%20under%20Storage1%20firewall.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CTABLE%20class%3D%22hiddenTable%22%20style%3D%22border-style%3A%20hidden%3B%22%20width%3D%22600%22%3E%0A%3CTBODY%3E%0A%3CTR%20style%3D%22border-style%3A%20hidden%3B%22%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EVNet1%3C%2FTD%3E%0A%3CTD%20style%3D%22border-style%3A%20hidden%3B%20padding%3A%200%3B%22%3E%26nbsp%3B%3C%2FTD%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EStorage1%20Firewall%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20style%3D%22border-style%3A%20hidden%3B%22%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3E%E2%87%92subnet0%3C%2FTD%3E%0A%3CTD%20style%3D%22border-style%3A%20hidden%3B%20padding%3A%200%3B%22%3E%26nbsp%3B%3C%2FTD%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EVNet1%5Csubnet0%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20style%3D%22border-style%3A%20hidden%3B%22%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3E%E2%87%92subnet1%20-new%3C%2FTD%3E%0A%3CTD%20style%3D%22border-style%3A%20hidden%3B%20padding%3A%200%3B%22%3E%26nbsp%3B%3C%2FTD%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EVNet1%5Csubnet1%20-NetworkSourceDeleted%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20style%3D%22border-style%3A%20hidden%3B%22%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3E%E2%87%92subnet2%3C%2FTD%3E%0A%3CTD%20style%3D%22border-style%3A%20hidden%3B%20padding%3A%200%3B%22%3E%26nbsp%3B%3C%2FTD%3E%0A%3CTD%20width%3D%22300%22%20style%3D%22padding%3A%200%3B%22%3EVNet1%5Csubnet2%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20we%20try%20to%20add%20the%20new%20%E2%80%98subnet1%E2%80%99%20to%20any%20other%20storage%20accounts%20firewall%2C%20we%20get%20%E2%80%98NetworkSourceDeleted%E2%80%99%20error.%20To%20resolve%20this%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3EWe%20go%20to%20Firewalls%20and%20virtual%20networks%20under%20storage%20accounts%20mentioned%20in%20the%20error%20and%20remove%20subnet1%20from%20the%20Virtual%20networks%20allowed.%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3E%20Then%20if%20we%20try%20to%20add%20the%20subnet1%20in%20any%20other%20storage%20account%2C%20it%20will%20not%20throw%20the%20error%20and%20complete%20the%20operation%20successfully.%20%3C%2FSPAN%3E%20%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22image.png%22%20style%3D%22width%3A%20622px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F237307iADAA4D7805A27464%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22image.png%22%20alt%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%20%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22image.png%22%20style%3D%22width%3A%20245px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F237308i9102250159F3A934%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22image.png%22%20alt%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FOL%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1944730%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20Storage%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1963169%22%20slang%3D%22en-US%22%3ERe%3A%20Troubleshooting%20Storage%20Firewall%20Issues%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1963169%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20technique%20for%20troubleshooting%20was%20what%20we%20used%20when%20migrating%20content%20from%20our%20On-Prem%20SharePoint%20instance%20to%20SharePoint%20Online.%20We%20had%20our%20internal%20machines%20and%20IP%20addresses%20included%20and%20we%20also%20had%20the%20box%20ticked%20to%20allow%20Azure%20resources%20through%2C%20but%20we%20were%20still%20finding%20that%20no%20files%20were%20being%20moved.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EUpon%20opening%20the%20logs%2C%20we%20found%20several%20IP%20addresses%20that%20were%20being%20blocked.%20We%20looked%20them%20those%20IP%20addresses%20in%20the%20O365%20URLs%20listing%20(%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fenterprise%2Furls-and-ip-address-ranges%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EOffice%20365%20URLs%20and%20IP%20address%20ranges%20-%20Microsoft%20365%20Enterprise%20%7C%20Microsoft%20Docs%3C%2FA%3E)%20and%20verified%20where%20they%20were%20coming%20from.%20After%20we%20added%20in%20the%20CIDR%20ranges%20that%20matched%20the%20blocked%20IPs%2C%20our%20migration%20data%20started%20flowing%20through%20the%20Storage%20Account%20as%20expected.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20also%20applies%20to%20OneDrive%20for%20Business%20migration...%20We%20were%20using%20the%20SharePoint%20Migration%20Tool%20-%20Custom%20Azure%20Storage%20settings.%20The%20Azure%20Storage%20Explorer%20tool%20was%20also%20useful%20during%20our%20troubleshooting.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Microsoft

In this blog we will look at some common issues that we face using storage accounts with Firewalls and Virtual Networks enabled. We have enabled storage diagnostics logs on the storage account, and we will use the same to troubleshoot some of the issues.

 

You have enabled Firewalls and Virtual networks on your storage account and allowed access to the storage account only from specific Virtual Network(s) (VNet).

image.png

 

Scenario 1:

You are not able to access your storage account using Portal from an on-premises network (not part of the Azure VNet) or over the internet.

 

image.png

 

Actions:

  1. The error message we are getting is Authorization Error when accessing the storage account from our on-premises system.
  2. We will download the storage diagnostics logs and look for additional information on this error.
    image.png
  3. In the log file we will look up the ‘Storage Request ID’ that we see in the error, which is ‘c18737e5-b01e-000a-04c5-b9b483000000’ in this case.
    image.png
  4. From the logs we can see that the request failed due to ‘SASIpAuthorizationError’ and we can see the originating IP address as well.
    image.png
  5. As we have allowed access to our storage account only from specific VNet, we need further authorize our client IP Address as well.
  6. For that we will navigate back to ‘Firewalls and virtual networks’ and under Firewall, we will add our client IP address and click Save.
    image.png
  7. Once done we are now able to access the storage account containers contents.
    image.png

 

Scenario 2:

You are not able to access your storage account from a Virtual Machine, which is part of the VNet, already authorized in storage accounts Firewall and virtual networks.

 

When trying to download a file, we see the following error message.

image.png

 

Actions:

  1. For this issue we will use the storage diagnostics logs enabled on our storage account. We will navigate to the $logs container in our storage account and download log files.
    image.png
  2. We have converted the .log file to a CSV using this PowerShell script for easier analysis. https://gist.github.com/ajith-k/aa69feb862a4816d0b4df09fae8aad11
  3. As we were trying to download a blob, we will filter the logs and look for ‘GetBlob’ operations and look for failed requests.
    image.png
  4. Below are the details of the error message that I have extracted from logs.

    Transaction Start Time

    2020-11-13T14:46:26.5411013Z

    REST Operation Type

    GetBlob

    Request Status

    OAuthIpAuthorizationError

    HTTP Status Code

    403

    Authentication type

    bearer

    Service Type

    blob

    Request URL

    https://storageaccount.blob.core.windows.net:443/testcontainer/Image1.png

    Request ID

    6c736153-f01e-0024-16cb-b9e694000000

    Client IP

    10.1.3.4:50265

    User Agent

    Azure-Storage/2.0.0-2.0.1 (Python CPython 3.6.8; Windows 10) AZURECLI/2.11.1 (MSI)

    User Object ID

    9e1xxxxx-xxxx-xxxx-xxxx-xxxxxx786d11

  5. To confirm that this error indeed originated from our VM, we can verify the IP Address. For that we can simply run ipconfig command in our Virtual Machine, or on Azure Portal, we can go to the VNet this VM belongs to and check under Connected devices.
  6. The Request Status field denotes that this request was failed due to IP Authorization error. OAuth prefix denotes the authentication method used for this request. HTTP Status code denotes 403 which means unauthorized access.
  7. Next, we need to verify that the subnet in which this VM is assigned to is also allowed in the storage firewall.
  8. The VM belongs to testVNet1 and subnet is subnet3.
    image.png
  9. Under storage accounts, Firewalls and virtual networks we can see that only subnet0 is allowed to access the storage account.
    image.png
  10. We need to authorize subnet3 and enable Storage Endpoint on that subnet. If storage endpoint is not enabled, Portal will show a message and give the option to enable the storage endpoint.
  11. Once enabled, we can add subnet3 to the storage accounts firewall.</snap<
    image.png
  12. Once the new firewall rules are propagated, we can go back to our VM and try to download the blob again and it runs successfully.
    image.png

 

Scenario 3:

You are trying to add a VNet and its subnets to storage accounts firewall. However, you are getting NetworkSourceDeleted error.

image.png

 

Actions:

The error message in this case is very self-explanatory. The subnet ‘subnet1’ under testvnet1 is required to be removed from storage accounts named in the error message.

 

Let us understand why this error occurs. We have a Virtual Network setup as below and all these subnets are added to a storage accounts firewall:

VNet1   Storage1 Firewall
⇒subnet0   VNet1\subnet0
⇒subnet1   VNet1\subnet1
⇒subnet2   VNet1\subnet2

 

Now, if you delete a subnet from the virtual network, that subnet gets marked as NetworkSourceDeleted in the storage account.

 

VNet1   Storage1 Firewall
⇒subnet0   VNet1\subnet0
⇒subnet1 -deleted   VNet1\subnet1 -NetworkSourceDeleted
⇒subnet2   VNet1\subnet2

 

We create another subnet having the same name as the one which was deleted earlier. The previously deleted subnet1 is still marked as ‘NetworkSourceDeleted’ under Storage1 firewall.

 

VNet1   Storage1 Firewall
⇒subnet0   VNet1\subnet0
⇒subnet1 -new   VNet1\subnet1 -NetworkSourceDeleted
⇒subnet2   VNet1\subnet2

 

If we try to add the new ‘subnet1’ to any other storage accounts firewall, we get ‘NetworkSourceDeleted’ error. To resolve this:

 

  1. We go to Firewalls and virtual networks under storage accounts mentioned in the error and remove subnet1 from the Virtual networks allowed.
  2. Then if we try to add the subnet1 in any other storage account, it will not throw the error and complete the operation successfully.
    image.png
    image.png
1 Comment
Regular Contributor

This technique for troubleshooting was what we used when migrating content from our On-Prem SharePoint instance to SharePoint Online. We had our internal machines and IP addresses included and we also had the box ticked to allow Azure resources through, but we were still finding that no files were being moved.

 

Upon opening the logs, we found several IP addresses that were being blocked. We looked them those IP addresses in the O365 URLs listing (Office 365 URLs and IP address ranges - Microsoft 365 Enterprise | Microsoft Docs) and verified where they were coming from. After we added in the CIDR ranges that matched the blocked IPs, our migration data started flowing through the Storage Account as expected.

 

This also applies to OneDrive for Business migration... We were using the SharePoint Migration Tool - Custom Azure Storage settings. The Azure Storage Explorer tool was also useful during our troubleshooting.