How to connect to a Azure storage account blob storage that has turned off public network access and cannot whitelist IP addresses using Azure Storage Explorer from a local machine on a different network

Hello Tom,

Thank you for posting your query here!

You may need a Private Endpoint - basically a NIC dedicated to each resource, or in the case of the storage account or similar resource, a specific service of the resource. Using these for storage accounts and Azure SQL is well-documented, they will work just fine with the Azure VPN gateway assuming your DNS is configured correctly. More details here: https://zcusa.951200.xyz/en-us/azure/private-link/private-endpoint-overview 

However, please note that for the storage account, you can disable key access and use identity-based access, and for Azure SQL you can accomplish basically the same thing by disabling local SQL authentication. There are at least two other negatives with private endpoints: they cost about $7/month per endpoint, and they substantially complicate any infrastructure as code or CICD you are doing.

Similar issue posted here on SO: https://stackoverflow.com/questions/78062159/how-to-connect-to-a-azure-storage-account-blob-storage-that-has-turned-off-publi

Do let us know if you have any further queries. I’m happy to assist you further.

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

@Tom Adding more information to the above response

If you have turned off public network access to your Azure storage account blob storage and cannot whitelist IP addresses, you can still connect to the storage account using Azure Storage Explorer from a local machine on a different network by following these steps:

1. Connect to your virtual network using a VPN connection. You can set up a VPN gateway in Azure and configure a point-to-site VPN connection to connect to your virtual network.
2. Configure a virtual network service endpoint for your storage account. This will allow traffic from your virtual network to access the storage account without going through the public internet. To do this, you can follow these steps: a. Go to the "Firewalls and virtual networks" settings for your storage account. b. Click on "Add existing virtual network" and select the virtual network that you want to connect to the storage account. c. Once the virtual network is added, click on "Add existing subnet" and select the subnet that you want to use for the service endpoint. d. Save the changes to the firewall settings.
3. Open Azure Storage Explorer on your local machine and click on "Add an account".
4. Select "Use a connection string" and enter the connection string for your storage account. You can find the connection string in the "Access keys" section of your storage account.
5. Click on "Next" and enter a display name for your storage account.
6. In the "Advanced" tab, select "Use virtual network service endpoint" and enter the private IP address of the storage account. You can find the private IP address in the "Firewalls and virtual networks" settings of your storage account.

Click on "Connect" to connect to your storage account.

For this error message is that the firewall settings for your storage account are blocking access from your local machine. You mentioned that you have already tried adding your client IP address to the firewall exceptions, but this may not be a sustainable solution if other people require access from their local machines. Another possible solution is to configure a virtual network service endpoint for your storage account. This will allow traffic from your virtual network to access the storage account without going through the public internet. To do this, you can follow these steps:

1. Go to the "Firewalls and virtual networks" settings for your storage account.
2. Click on "Add existing virtual network" and select the virtual network that you want to connect to the storage account.
3. Once the virtual network is added, click on "Add existing subnet" and select the subnet that you want to use for the service endpoint.
4. Save the changes to the firewall settings.

After you have configured the virtual network service endpoint, you should be able to access the blob container from your local machine by connecting to the virtual network using a VPN connection. You mentioned that you have already set up a VPN gateway using a point-to-site connection, but you are still receiving the error message. One possible reason for this is that the VPN connection is not configured to use the virtual network service endpoint for the storage account. You may need to update the VPN configuration to use the service endpoint. Regarding your question about moving Azure SQL databases to the same virtual network, this should work as long as you configure the firewall settings for the SQL server to allow traffic from the virtual network. You can follow similar steps as above to add the virtual network to the firewall settings for the SQL server.

To connect to a blob container from your local machine using the Azure Storage Explorer or the Azure portal when the storage account is behind a virtual network, you need to create a private endpoint for the storage account and add that virtual network to the trusted virtual networks list. Then, you can connect to the storage account using the private endpoint. Alternatively, you can permit traffic through the ISE outbound IPs on the storage account.

Kindly let us know if you still have more questions on this. I wish to engage with you offline for a closer look and provide a quick and specialized assistance, please send an email with subject line “Attn:subm” to AzCommunity[at]Microsoft[dot]com referencing this thread and the Azure subscription ID, I will follow-up with you.  

Please let us know if you have any further queries. I’m happy to assist you further.    

---Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.