Azure File Sync to Azure File Share w/ Private Endpoints


I have both my Azure File Share and My Azure File Sync going through private endpoints, Azure File Share works fine and I'm able to access the shares directly on-prem with no issues. I also have Azure File Sync setup on one of my file servers and I want it to sync to one of the Azure File Shares I created for redundancy. I'm able to register the server on Azure File Sync fine and create a sync group, but when I go to create a cloud endpoint I get the following error: 


Cloud endpoint '********'
Code: MgmtForbidden
Details: Failed to provision a replica group.


I have a site-to-site VPN setup between my on-prem and Azure AD that's up and running fine. I also setup conditional forwarding for core.windows.net & afs.azure.net to point to the IP address of a DNS server that I created in Azure Cloud. My DNS server then uses a conditional forward to point core.windows.net & afs.azure.net to Azure's DNS address 168.63.129.16.


On-prem (points to DNS server IP): [screenshot]


On Azure DNS server (points to 168.63.129.16): [screenshot]

I even double checked that the file sync service has access to the file share: [screenshot]


I can resolve the hostnames of both private endpoints, but I can only ping the IP address of the File Share private endpoint. Is there something I'm missing?


I was able to figure this out for anyone else who has this issue, as Microsoft does not provide clear documentation anywhere regarding this use case that I know of:


You need to go to the storage account you want to access and change the Network settings to "Enabled from selected virtual networks and IP addresses": [screenshot]


Then you have to check off in Exceptions: [screenshot]


Hope this helps anyone else!
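An added example, not code from the thread or from Microsoft: a small check over a storage account's ARM network properties that tells you which of the states above would still block the File Sync service. It assumes the Exceptions box in question is the trusted Azure services one (stored by ARM as `bypass` containing `AzureServices`); the three account records are constructed samples.

```python
"""Classify a storage account's network settings from the point of view of
Azure File Sync cloud-endpoint creation. Field names (publicNetworkAccess,
networkAcls.defaultAction, networkAcls.bypass) are the ARM property names;
the account records below are constructed samples, not real accounts."""
import json

# Constructed: public access denied entirely (the "I had denied all public
# access to the storage account" state reported in the thread).
DENIED_ALL = json.loads("""{
  "publicNetworkAccess": "Disabled",
  "networkAcls": {"defaultAction": "Deny", "bypass": "None",
                  "ipRules": [], "virtualNetworkRules": []}
}""")

# Constructed: "Enabled from selected virtual networks and IP addresses"
# but with no exception ticked.
SELECTED_NO_EXCEPTION = json.loads("""{
  "publicNetworkAccess": "Enabled",
  "networkAcls": {"defaultAction": "Deny", "bypass": "None",
                  "ipRules": [], "virtualNetworkRules": []}
}""")

# Constructed: same, plus the trusted-services exception (assumed to be the
# box the thread refers to), which ARM stores as bypass containing AzureServices.
SELECTED_WITH_EXCEPTION = json.loads("""{
  "publicNetworkAccess": "Enabled",
  "networkAcls": {"defaultAction": "Deny", "bypass": "AzureServices, Logging",
                  "ipRules": [], "virtualNetworkRules": []}
}""")


def file_sync_findings(account: dict) -> list[str]:
    """Return the reasons the File Sync service would be refused by this
    account's network rules; an empty list means the network check should
    pass. A private endpoint on the share alone does not clear either case."""
    findings = []
    if account.get("publicNetworkAccess", "Enabled") == "Disabled":
        findings.append("publicNetworkAccess=Disabled: the service cannot "
                        "reach the account (the thread's MgmtForbidden case)")
    acls = account.get("networkAcls", {})
    if acls.get("defaultAction", "Allow") == "Deny":
        bypass = {b.strip() for b in acls.get("bypass", "None").split(",")}
        if "AzureServices" not in bypass:
            findings.append("defaultAction=Deny without AzureServices bypass: "
                            "tick the trusted-services exception")
    return findings
```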

Thanks, I just had the same problem and this is what I was missing. I had denied all public access to the storage account.

@ike_bai1022, you truly helped me move forward with something that I have been struggling with for quite some time! Much appreciate you sharing the solution here! Your solution did help me to successfully create the cloud endpoint for the first time.

@ike_bai1022 

Yes, it needs to be allowed before you can access it; not sure whether it's a security concern that it is not enabled by default.