In this blog we will look at some common issues that we face when using storage accounts with Firewalls and Virtual Networks enabled. We have enabled storage diagnostics logs on the storage account, and we will use them to troubleshoot these issues.
You have enabled Firewalls and virtual networks on your storage account and allowed access to the storage account only from specific Virtual Network(s) (VNets).
You are not able to access your storage account using the Portal from an on-premises network (not part of the Azure VNet) or over the internet.
- The error message we get is an Authorization Error when accessing the storage account from our on-premises system.
- We will download the storage diagnostics logs and look for additional information on this error.
- In the log file we will look up the ‘Storage Request ID’ shown in the error, which is ‘c18737e5-b01e-000a-04c5-b9b483000000’ in this case.
- From the logs we can see that the request failed due to ‘SASIpAuthorizationError’, and we can also see the originating IP address.
- As we have allowed access to our storage account only from specific VNets, we need to further authorize our client IP address as well.
- For that we will navigate back to ‘Firewalls and virtual networks’ and, under Firewall, add our client IP address and click Save.
- Once done, we are able to access the contents of the storage account's containers.
You are not able to access your storage account from a Virtual Machine that is part of a VNet already authorized in the storage account's Firewalls and virtual networks settings.
When trying to download a file, we see the following error message.
- For this issue we will use the storage diagnostics logs enabled on our storage account. We navigate to the $logs container in our storage account and download the log files.
- We have converted the .log file to a CSV using this PowerShell script for easier analysis: https://gist.github.com/ajith-k/aa69feb862a4816d0b4df09fae8aad11
- As we were trying to download a blob, we filter the logs for ‘GetBlob’ operations and look for failed requests.
- Below are the details of the error message that I have extracted from logs.
Fields from the log record: Transaction Start Time; REST Operation Type; HTTP Status Code; User Agent: Azure-Storage/2.0.0-2.0.1 (Python CPython 3.6.8; Windows 10) AZURECLI/2.11.1 (MSI); User Object ID.
- To confirm that this error indeed originated from our VM, we can verify the IP address. For that we can simply run the ipconfig command in our Virtual Machine, or, in the Azure Portal, go to the VNet this VM belongs to and check under Connected devices.
- The Request Status field denotes that this request failed due to an IP Authorization error. The OAuth prefix denotes the authentication method used for this request. The HTTP status code is 403, which means access was not authorized.
- Next, we need to verify that the subnet to which this VM is assigned is also allowed in the storage firewall.
- The VM belongs to testVNet1 and its subnet is subnet3.
- Under the storage account's Firewalls and virtual networks, we can see that only subnet0 is allowed to access the storage account.
- We need to authorize subnet3 and enable the Storage service endpoint on that subnet. If the storage endpoint is not enabled, the Portal will show a message and give the option to enable it.
- Once enabled, we can add subnet3 to the storage account's firewall.
- Once the new firewall rules have propagated, we can go back to our VM and try to download the blob again, and it succeeds.
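As an added example (not code from the original post or from the linked PowerShell gist), the following Python reads Storage Analytics $logs records directly, looks up the Storage Request ID from the client error in the first scenario, isolates the IP authorization failures seen in the second, and counts firewall rejections per source IP so you can see which client address or subnet still needs to be allowed. The version 1.0 column order, the account name demoacct, the IP addresses and the OAuthIpAuthorizationError status value are assumptions; every sample record is constructed.

```python
import csv
import io
from collections import Counter

# Storage Analytics log v1.0 column order (assumed; v2.0 appends OAuth columns, ignored here).
COLUMNS = [
    "version", "start_time", "operation", "request_status", "http_status", "e2e_latency_ms",
    "server_latency_ms", "auth_type", "requester_account", "owner_account", "service",
    "request_url", "object_key", "request_id", "operation_count", "requester_ip",
    "request_version", "req_header_size", "req_packet_size", "resp_header_size",
    "resp_packet_size", "content_length", "request_md5", "server_md5", "etag",
    "last_modified", "conditions_used", "user_agent", "referrer", "client_request_id",
]

def _record(**overrides):
    # Constructed log line (not real data): defaults plus overrides, ';'-joined like $logs files.
    rec = dict.fromkeys(COLUMNS, "")
    rec.update(version="1.0", start_time="2020-09-15T10:05:32.0000000Z", operation="GetBlob",
               request_status="Success", http_status="200", auth_type="authenticated",
               requester_account="demoacct", owner_account="demoacct", service="blob",
               requester_ip="10.0.0.5:49152",
               request_url='"https://demoacct.blob.core.windows.net/data/report.csv"',
               user_agent='"Azure-Storage/2.0.0-2.0.1 (Python CPython 3.6.8; Windows 10) AZURECLI/2.11.1 (MSI)"')
    rec.update(overrides)
    return ";".join(rec[c] for c in COLUMNS)

# Constructed sample: one success, a SAS rejection (scenario 1), an OAuth rejection from a VM (scenario 2).
SAMPLE_LOG = "\n".join([
    _record(request_id="11111111-0000-0000-0000-000000000001"),
    _record(request_status="SASIpAuthorizationError", http_status="403", auth_type="sas",
            request_id="c18737e5-b01e-000a-04c5-b9b483000000", requester_ip="203.0.113.7:51234"),
    _record(request_status="OAuthIpAuthorizationError", http_status="403", auth_type="oauth",
            request_id="22222222-0000-0000-0000-000000000002", requester_ip="10.0.3.4:60012"),
])

def parse_log(text):
    """Parse ';'-delimited log text; quoted fields (URLs, user agents) are unquoted by csv."""
    reader = csv.reader(io.StringIO(text), delimiter=";")
    return [dict(zip(COLUMNS, row)) for row in reader if row]

def find_request(records, request_id):
    """Look up the record for the Storage Request ID shown in the client-side error."""
    return next((r for r in records if r["request_id"] == request_id), None)

def is_ip_authorization_error(record):
    """True when the storage firewall rejected the source IP, whatever the auth prefix (SAS/OAuth)."""
    return record["request_status"].endswith("IpAuthorizationError")

def rejected_ips(records):
    """Count firewall rejections per source IP (port stripped) to see which addresses to allow."""
    return Counter(r["requester_ip"].rsplit(":", 1)[0] for r in records if is_ip_authorization_error(r))
```

To use it on real data, replace SAMPLE_LOG with the contents of a downloaded $logs file and check rejected_ips against the client IPs and subnet ranges listed under Firewalls and virtual networks.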
You are trying to add a VNet and its subnets to a storage account's firewall. However, you get a NetworkSourceDeleted error.
The error message in this case is very self-explanatory: the subnet ‘subnet1’ under testvnet1 must be removed from the storage accounts named in the error message.
Let us understand why this error occurs. We have a Virtual Network with several subnets, and all of these subnets are added to a storage account's firewall.
Now, if you delete a subnet from the virtual network, that subnet is marked as NetworkSourceDeleted in the storage account's firewall rules.
We then create another subnet with the same name as the one deleted earlier. The previously deleted subnet1 is still marked as ‘NetworkSourceDeleted’ under the Storage1 firewall.
If we try to add the new ‘subnet1’ to any other storage account's firewall, we get the ‘NetworkSourceDeleted’ error. To resolve this:
- We go to Firewalls and virtual networks under the storage accounts mentioned in the error and remove subnet1 from the allowed Virtual networks.
- Then, if we try to add subnet1 to any other storage account, it will not throw the error and the operation completes successfully.