Access StorageAccount over vNet peering

Porsche Me 131 Reputation points
2020-10-20T00:03:37.51+00:00

We are getting the below error when our service in T2 accesses the sa1 StorageAccount in T1.
The remote name could not be resolved: 'sa1.dbf.core.windows.net'

Does accessing a storage account over vNet peering work?

Tenant : T2
Virtual Network : vNet2
Remarks : both vNet2 and vNet1 are connected through peering

Tenant : T1
Virtual Network : vNet1
StorageAccount : sa1
DNS private zone : privatelink.dfs.core.windows.net
Private Endpoint : sa1.dbf.core.windows.net

Tags: Azure Storage Accounts, Azure Virtual Network

4 answers

  1. Radu Pearsica 1 Reputation point
    2020-10-20T12:28:16.797+00:00

    Hi,

    You can configure storage accounts to allow access only from specific subnets. The allowed subnets may belong to a VNet in the same subscription, or those in a different subscription, including subscriptions belonging to a different Azure Active Directory tenant.

    Please see https://video2.skills-academy.com/en-us/azure/storage/common/storage-network-security

    Best regards,
    Radu


  2. Porsche Me 131 Reputation points
    2020-10-20T13:24:23.717+00:00

    Thanks @Radu Pearsica for the link.

    Which of the below is preferred and doable?

    1. ACL the StorageAccount to allow traffic from a specific vNet in different subscription/tenant
    2. Disable public network access, create a StorageAccount private link, let the services in different subscription/tenant access it?

  3. deherman-MSFT 35,011 Reputation points Microsoft Employee
    2020-10-20T19:14:38.73+00:00

    @Porsche Me
    Option 2 is what would be preferred. To accomplish this please see the section Grant access from a virtual network. Please note, only virtual networks belonging to the same Azure Active Directory tenant are shown for selection during rule creation. To grant access to a subnet in a virtual network belonging to another tenant, please use PowerShell, CLI or REST APIs.

    Please try this and let us know if you run into any issues.

    ----------

    Please don’t forget to "Accept the answer" and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

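The answer above says the portal only lists VNets from the same tenant and that a subnet in another tenant has to be added by PowerShell, CLI or REST. The following is an added example (not code from the thread or from Microsoft) that carries out the "grant access from a virtual network" step with the Azure CLI for the thread's layout: sa1 in tenant T1, vNet2 in a subscription under tenant T2. The subscription ID, resource group names and the subnet name are placeholders; `DRY_RUN` defaults to 1 so the script only prints the commands it would run, and it assumes you are logged in (`az login`) to both tenants when you set `DRY_RUN=0`.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Allows a subnet of vNet2 (tenant T2) to reach
# storage account sa1 (tenant T1) through a storage network rule, via the Azure CLI.
set -eu

# Placeholders (assumptions): replace with your own values.
T2_SUBSCRIPTION="00000000-0000-0000-0000-000000000002"   # subscription that holds vNet2
T2_RG="rg-vnet2"
T2_VNET="vNet2"
T2_SUBNET="app-subnet"
T1_RG="rg-sa1"                                           # resource group of sa1
T1_SA="sa1"

DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands; DRY_RUN=0 executes them

# ARM resource ID of a subnet. The portal cannot pick a VNet from another tenant,
# but the CLI accepts a full ID whose subscription lives in that other tenant.
subnet_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/virtualNetworks/%s/subnets/%s' \
    "$1" "$2" "$3" "$4"
}

# Print or execute a command, depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

grant_cross_tenant_access() {
  local sid
  sid="$(subnet_id "$T2_SUBSCRIPTION" "$T2_RG" "$T2_VNET" "$T2_SUBNET")"

  # Step 1 (against the T2 subscription): a storage network rule requires the subnet
  # to carry the Microsoft.Storage service endpoint.
  run az network vnet subnet update --subscription "$T2_SUBSCRIPTION" \
      --resource-group "$T2_RG" --vnet-name "$T2_VNET" --name "$T2_SUBNET" \
      --service-endpoints Microsoft.Storage

  # Step 2 (against the T1 subscription): deny by default, then allow only that subnet.
  run az storage account update --resource-group "$T1_RG" --name "$T1_SA" \
      --default-action Deny
  run az storage account network-rule add --resource-group "$T1_RG" \
      --account-name "$T1_SA" --subnet "$sid"

  # Step 3: show the resulting virtual network rules for review.
  run az storage account network-rule list --resource-group "$T1_RG" \
      --account-name "$T1_SA" --query virtualNetworkRules -o table
}

grant_cross_tenant_access
```

Run it once as is to review the command sequence, then rerun with `DRY_RUN=0`. Step 2's `--default-action Deny` is what closes the public network path, so apply it only after the rule for every subnet that needs access is in place, or clients outside those subnets lose access immediately.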

  4. Porsche Me 131 Reputation points
    2020-10-20T20:13:01.157+00:00

    Thanks @deherman-MSFT for the reply.

    We have a couple of blocking issues with option #2:

    • We got "The remote name could not be resolved" error with private link (the original email of this thread)
    • Insufficient permissions, see this #64654