UNable to connect to Azure Files file share through ExpressRoute

Jan Strunk Nielsen 21 Reputation points
2024-09-04T10:26:28.4133333+00:00

Hi All,

I have created a Azure Files file share with a private endpoint in Azure. The vnet is connected through ExpressRoute to our OnPrem network.

The Azure Files share is resolvable through my OnPrem DNS servers (with the private endpoint ip).

I have serval VMs running in the same vnet in Azure and these VMs are able to connect to the Azure Files share.

However i can't connect to the Azure Files share from an OnPrem machine. I can however connect to a share created on one of the VMs in Azure from the OnPrem machine, so the connection on port 445 is possible.

The Storage Account is set to: "Enabled from selected virtual networks and IP addresses" and nothing further.

I'm kind of stuck here so does anybody have an idea where i should make a change for this to work ?

Azure Files
Azure Files
An Azure service that offers file shares in the cloud.
1,282 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Vinodh247 18,501 Reputation points
    2024-09-04T10:35:34.1733333+00:00

    To resolve the issue where you're unable to connect to the Azure Files share from your on-premises network through ExpressRoute, while connections from VMs in the same VNet work fine, consider the following troubleshooting steps:

    • Ensure that the NSG associated with the subnet of your Azure VNet allows inbound and outbound traffic on port 445 (SMB). While your on-premises machine can connect to a VM, the NSG might have different rules for the Azure Files service.
    • Verify that the private endpoint for Azure Files is correctly configured. Check that the private endpoint is associated with the correct subnet in the VNet. Ensure that DNS is resolving the private endpoint IP correctly on the on-premises machine. Since you mentioned that DNS is resolvable, ensure there is no overlap or conflict with any other DNS configurations.
    • Since you mentioned that the storage account is configured to allow access from "Selected virtual networks and IP addresses," ensure that your on-premises public IP (or range) is included in the allowed IP list. If the on-premises network uses NAT or any specific outbound IP address to connect to Azure, ensure that this IP is also added.
    • Verify that your ExpressRoute circuit is properly configured to route traffic to the private endpoint subnet. Ensure that the route tables and network peering settings are correct and that there is no misconfiguration blocking traffic.
    • Some on-premises environments might require specific SMB settings, such as disabling SMB multichannel or ensuring SMB encryption is enabled, to connect to Azure Files. Check if the SMB configuration aligns with Azure requirements.
    • Ensure that the subnet where the private endpoint is created is properly delegated to Microsoft.Storage.
    • if you have multiple VNet peering connections or have used IP address restrictions, double-check that the on-premises network is within an allowed range.
    • Use tools like Test-NetConnection on your on-premises machine to test connectivity to the private endpoint IP on port 445, this can help you determine where the connection might be failing.
      • test-NetConnection -ComputerName <private-endpoint-ip> -Port 445

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.