Problem with connecting Azure Files from container when using Azure Firewall

Question

Hello,

I have a problem with Azure container and a firewall. This container needs to access Internet, Azure Files (SMB) and Azure SQL database. If I start the container without any firewall configuration, it works without problems (except I cannot access the application with a browser, because there's no routing).

However, when I add the firewall configuration, everything else works EXCEPT Azure Files. The connection to Azure Files just times out. What could be wrong?

The container runs Linux. This configuration was inspired by this page: https://github.com/Azure-Samples/azure-cli-samples/blob/master/container-instances/egress-ip-address.sh

This is how the container is started:

az container create ` --name ${{ env.CS_CONTAINER_GROUP }} \

--resource-group ${{ env.RESOURCE_GROUP }} \

--image ${{ env.CONTAINER_IMAGE }} \

--vnet ${{ env.VNET_NAME }} \

--vnet-address-prefix 10.0.0.0/16 \

--subnet ${{ env.SUBNET_NAME }} \

--subnet-address-prefix 10.0.8.0/29 \

--registry-login-server ${{ env.REGISTRY_LOGIN_SERVER }} \

--registry-username ${{ secrets.AZURE_CONTAINER_REGISTRY_USER }} \

--registry-password ${{ secrets.AZURE_CONTAINER_REGISTRY_PASSWORD }} \

--restart-policy OnFailure \

--azure-file-volume-account-name ${{ secrets.AZURE_STORAGE_ACCOUNT_USER }} \

--azure-file-volume-account-key ${{ secrets.AZURE_STORAGE_ACCOUNT_PASSWORD }} \

--azure-file-volume-share-name ${{ env.FILE_SHARE }} \

--azure-file-volume-mount-path ${{ env.MOUNT_PATH }} \

--cpu 1 \

--memory 2.5 \

--ports 8080 8181 4848 \

--location 'west europe'

This is the network configuration:

aciPrivateIp="$(az container show --name ${{ env.CS_CONTAINER_GROUP }} \
  --resource-group ${{ env.RESOURCE_GROUP }} \
  --query ipAddress.ip --output tsv)"
az network vnet subnet create -n AzureFirewallSubnet \
--vnet-name ${{ env.VNET_NAME }} -g ${{ env.RESOURCE_GROUP }} \
--address-prefixes "10.0.12.0/26" \
--verbose
az network firewall create \
  --name ${{ env.FIREWALL_NAME }} \
  --resource-group ${{ env.RESOURCE_GROUP }} \
  --location 'west europe' \
  --sku AZFW_VNet \
  --verbose
az network public-ip create \
  --name pip-${{ env.FIREWALL_NAME }} \
  --resource-group ${{ env.RESOURCE_GROUP }} \
  --location 'west europe' \
  --allocation-method static \
  --dns-name ${{ env.DNS_NAME }} \
  --sku standard   
az network firewall ip-config create \
  --firewall-name ${{ env.FIREWALL_NAME }} \
  --name FW-config \
  --public-ip-address pip-${{ env.FIREWALL_NAME }} \
  --resource-group ${{ env.RESOURCE_GROUP }} \
  --vnet-name ${{ env.VNET_NAME }} \
  --verbose
az network firewall update \
  --name ${{ env.FIREWALL_NAME }} \
  --resource-group ${{ env.RESOURCE_GROUP }} \
  --verbose
fwPrivateIp="$(az network firewall ip-config list \
  --resource-group ${{ env.RESOURCE_GROUP }} \
  --firewall-name ${{ env.FIREWALL_NAME }} \
  --query "[].privateIpAddress" --output tsv)"
fwPublicIp="$(az network public-ip show \
  --name pip-${{ env.FIREWALL_NAME }} \
  --resource-group ${{ env.RESOURCE_GROUP }} \
  --query ipAddress --output tsv)"
az network route-table create \
  --name Firewall-rt-table \
  --resource-group ${{ env.RESOURCE_GROUP }} \
  --location 'west europe' \
  --disable-bgp-route-propagation true \
  --verbose
az network route-table route create \
  --resource-group ${{ env.RESOURCE_GROUP }} \
  --name DG-Route \
  --route-table-name Firewall-rt-table \
  --address-prefix 0.0.0.0/0 \
  --next-hop-type VirtualAppliance \
  --next-hop-ip-address $fwPrivateIp \
  --verbose
az network vnet subnet update \
  --name ${{ env.SUBNET_NAME }} \
  --resource-group ${{ env.RESOURCE_GROUP }} \
  --vnet-name ${{ env.VNET_NAME }} \
  --address-prefixes 10.0.8.0/29 \
  --route-table Firewall-rt-table \
  --verbose
az network firewall nat-rule create \
  --firewall-name ${{ env.FIREWALL_NAME }} \
  --collection-name fw-cs-demo-nat-collection-8181 \
  --action dnat \
  --name cs-demo-nat-rule-8181 \
  --protocols TCP \
  --source-addresses 194.86.38.38 194.86.38.39 \
  --destination-addresses $fwPublicIp \
  --destination-ports 8181 \
  --resource-group ${{ env.RESOURCE_GROUP }} \
  --translated-address $aciPrivateIp \
  --translated-port 8181 \
  --priority 200 \
  --verbose
az network firewall nat-rule create \
  --firewall-name ${{ env.FIREWALL_NAME }} \
  --collection-name fw-cs-demo-nat-collection-4848 \
  --action dnat \
  --name cs-demo-nat-rule-4848 \
  --protocols TCP \
  --source-addresses 194.86.38.38 194.86.38.39 \
  --destination-addresses $fwPublicIp \
  --destination-ports 4848 \
  --resource-group ${{ env.RESOURCE_GROUP }} \
  --translated-address $aciPrivateIp \
  --translated-port 4848 \
  --priority 180 \
  --verbose
az network firewall network-rule create \
   --collection-name fw-cs-demo-outbound-collection \
   --destination-addresses '*' \
   --destination-ports '*' \
   --firewall-name ${{ env.FIREWALL_NAME }} \
   --name AllowOutbound \
   --protocols Any \
   --resource-group ${{ env.RESOURCE_GROUP }} \
   --priority 200 \
   --source-addresses 10.0.8.0/29 \
   --action Allow \
   --verbose

Answer

Hello Kiili Ville-Matti,

Greetings! Welcome to Microsoft Q&A Platform.

Verify that the Linux container has the necessary authentication and access permissions to access the Azure File Share. Ensure that the container is joined to the same domain as the Azure File Share and has the appropriate credentials to authenticate against the domain.

SMB file shares communicate over port 445, which many organizations and internet service providers (ISPs) block for outbound (internet) traffic. This practice originates from legacy security guidance about deprecated and non-internet safe versions of the SMB protocol. Although SMB 3.x is an internet-safe protocol, organizational or ISP policies may not be possible to change. Therefore, mounting an SMB file share often requires additional networking configuration to use outside of Azure. Check if any firewall rules or network configurations are blocking the container's access to the Azure File Share. Ensure that the required ports (such as TCP 445) are open for the container to establish a connection to the Azure File Share and also refer https://video2.skills-academy.com/en-us/azure/storage/files/storage-files-networking-overview, https://video2.skills-academy.com/en-us/azure/container-registry/container-registry-firewall-access-rules

Confirm that the Azure File Share has the appropriate authentication settings configured. Azure Files supports two types of authentications: Azure AD domain authentication and storage account key authentication. Ensure that the chosen authentication method aligns with your environment and is correctly configured.

Double-check the mount point and the credentials used to mount the Azure File Share within the container. Ensure that the mount point is correctly set up and that the credentials used to access the Azure File Share are accurate and have sufficient permissions.

If your container is deployed within an Azure virtual network (VNet), make sure that the VNet is integrated with the Azure File Share's VNet. This ensures that the container can communicate with the Azure File Share securely.

For more troubleshooting refer -https://video2.skills-academy.com/en-us/troubleshoot/azure/azure-storage/files/performance/files-troubleshoot-performance?tabs=linux#youre-running-an-old-operating-system,

https://video2.skills-academy.com/en-us/troubleshoot/azure/azure-container-registry/download-failed-443-io-time-out.

Hope the above information helps! Please let us know if you have any further queries. I’m happy to assist you further.

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Share via

Problem with connecting Azure Files from container when using Azure Firewall

1 answer

Your answer