When a VM can’t talk to a Storage Private Endpoint

When a VM can’t talk to a Storage Private Endpoint, the issue almost always boils down to one of three things: DNS, Network Rules, or Approval State.

Here is your step-by-step troubleshooting checklist.

🔍 Step 1: The “Approval” Check

Before looking at technical networking, ensure the connection is actually “On.”

  • Check the Status: Go to the Storage Account > Networking > Private Endpoint Connections.
  • Look for “Approved”: If it says Pending, the connection isn’t active yet. Someone needs to manually approve it (common if the Storage Account is in a different subscription than the Private Endpoint).

🌐 Step 2: The DNS Resolution Check (Most Likely Culprit)

This is where 90% of Private Endpoint issues live. Your VM needs to resolve the Storage Account’s hostname to a Private IP (e.g., 10.0.0.5), not its Public IP.

  1. Run a Test: From your VM (PowerShell or Bash), run:
    • nslookup yourstorage.blob.core.windows.net
  2. Evaluate the Result:
    • Bad: It returns a Public IP. Your VM is bypassing the Private Link and hitting the internet (which is likely blocked by the storage firewall).
    • Good: It returns a Private IP (inside your VNet’s address space) and shows an alias like yourstorage.privatelink.blob.core.windows.net.

The Fix:

  • Ensure you have a Private DNS Zone named privatelink.blob.core.windows.net.
  • Ensure that DNS Zone is linked to the Virtual Network where your VM sits.
  • If you use a Custom DNS/Domain Controller, ensure it has a conditional forwarder for that zone pointing to the Azure-provided DNS IP 168.63.129.16.
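As an added example (not code from the original post), here is a Bash helper that applies the Bad/Good rule above to nslookup output so the verdict does not depend on eyeballing the answer. It assumes the VNet uses RFC 1918 address space and that nslookup prints the resolver’s own address first (both the Windows and Linux versions do); the hostnames and addresses in the samples are constructed.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: classify an nslookup answer
# for a storage account the way Step 2 describes. Assumes the VNet uses
# RFC 1918 address space (10/8, 172.16/12, 192.168/16); adjust is_private_ip
# if your VNet uses a different range. Hostnames/IPs below are constructed.

# is_private_ip IPV4 -> exit 0 if the address is RFC 1918 private, 1 otherwise
is_private_ip() {
  case "$1" in
    10.*|192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# classify_resolution < nslookup-output
# Prints one line:
#   GOOD <ip>     private IP plus a *.privatelink.* name: Private Link path in use
#   NOALIAS <ip>  private IP but no privatelink alias: verify the DNS zone records
#   BAD <ip>      public IP: the VM is bypassing Private Link
#   NXDOMAIN      no answer address at all
# Exit status: 0 for GOOD/NOALIAS, 1 for BAD, 2 for NXDOMAIN.
classify_resolution() {
  local line ip="" alias=0 skip_resolver=0
  while IFS= read -r line; do
    case "$line" in
      Server:*)
        # the "Address:" line right after "Server:" is the resolver itself
        skip_resolver=1 ;;
      Address:*)
        if [ "$skip_resolver" -eq 1 ]; then
          skip_resolver=0
        else
          ip="${line##*[[:space:]]}"   # last token on the line
          ip="${ip%%#*}"               # drop a "#53" port suffix (Linux nslookup)
        fi ;;
    esac
    case "$line" in
      *privatelink.*) alias=1 ;;       # CNAME/Name line carrying the privatelink zone
    esac
  done
  if [ -z "$ip" ]; then
    echo "NXDOMAIN"; return 2
  elif is_private_ip "$ip"; then
    if [ "$alias" -eq 1 ]; then echo "GOOD $ip"; else echo "NOALIAS $ip"; fi
    return 0
  else
    echo "BAD $ip"; return 1
  fi
}

# Constructed sample outputs (Windows nslookup style): a healthy VM and one
# that resolves to a public address (203.0.113.10 is a documentation range).
GOOD_SAMPLE='Server:  UnKnown
Address:  168.63.129.16

Non-authoritative answer:
Name:    yourstorage.privatelink.blob.core.windows.net
Address:  10.0.0.5
Aliases:  yourstorage.blob.core.windows.net'

BAD_SAMPLE='Server:  UnKnown
Address:  168.63.129.16

Non-authoritative answer:
Name:    yourstorage.blob.core.windows.net
Address:  203.0.113.10'

# On the VM itself the live check is:
#   nslookup yourstorage.blob.core.windows.net | classify_resolution
for sample in "$GOOD_SAMPLE" "$BAD_SAMPLE"; do
  printf '%s\n' "$sample" | classify_resolution || true   # print verdict, ignore status
done
```

The exit status is deliberate: a non-zero return for BAD or NXDOMAIN lets you chain the check into a provisioning or post-deployment script and fail fast before the storage firewall turns the problem into a misleading 403.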

🛡️ Step 3: Network Security Group (NSG) Check

Even with Private Link, your Subnet’s “Firewall” rules still apply.

  1. Outbound Rules (VM Subnet): Does the NSG on your VM’s subnet allow traffic to the Private Endpoint’s IP? (Usually, the default “AllowVnetOutbound” covers this, but check for manual “Deny” rules).
  2. Inbound Rules (Private Endpoint Subnet): In 2026, Private Endpoints support Network Policies. Check if the NSG on the Private Endpoint’s subnet allows inbound traffic from your VM on Port 443.
  3. ASG Check: If you are using Application Security Groups, ensure your VM is a member of the ASG allowed in the NSG rules.

🧱 Step 4: Storage Firewall Settings

When you enable a Private Endpoint, you usually also “lock down” the Storage Account’s public access, so check that the firewall settings still admit the endpoint.

  • Go to Storage Account > Networking.
  • Ensure Public Network Access is set to “Disabled” or “Enabled from selected virtual networks and IP addresses.”
  • Crucial: Even if public access is disabled, the Private Endpoint connection itself must be listed and active in the “Private endpoint connections” tab.

🛠️ Step 5: The “Quick Tools” Test

If you’re still stuck, run these two tests from the VM to narrow down whether it’s a DNS or a port issue:

  • Test the Port (TCP 443): from PowerShell on Windows, run Test-NetConnection -ComputerName yourstorage.blob.core.windows.net -Port 443. If this fails but DNS is correct, an NSG or firewall is blocking you.
  • Check the IP directly: find the Private IP of the endpoint in the Azure Portal and try to ping it (if ICMP is allowed), or use it in the connection string to see whether the error changes.
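An added example, not from the original post: a Bash equivalent of the Test-NetConnection check for Linux VMs, plus a small decision table that turns the Step 2 DNS verdict and the port result into the checklist step to revisit (it also covers the NSG check in Step 3, since a silently dropped packet and an actively refused one point at different things). It relies on bash’s /dev/tcp redirection and the coreutils timeout command; the storage account name is a placeholder.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: a Bash counterpart to the
# Test-NetConnection step for Linux VMs. Opens a TCP connection to HOST:PORT
# with a timeout through bash's /dev/tcp redirection, classifies the outcome,
# then maps DNS verdict + port result onto the checklist step to revisit.
# Host names and IPs here are placeholders.

# probe_tcp HOST PORT [TIMEOUT_SECONDS]
# Prints OPEN / CLOSED / TIMEOUT and returns 0 / 1 / 2 respectively.
probe_tcp() {
  local host=$1 port=$2 secs=${3:-3} rc=0
  # A silently dropped packet (typical of an NSG Deny) surfaces as a timeout;
  # an RST (nothing listening, or a rejecting firewall) surfaces as a refusal.
  timeout "$secs" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null || rc=$?
  case "$rc" in
    0)   echo "OPEN $host:$port"; return 0 ;;
    124) echo "TIMEOUT $host:$port (packets dropped: suspect NSG or firewall)"; return 2 ;;
    *)   echo "CLOSED $host:$port (refused or unreachable)"; return 1 ;;
  esac
}

# diagnose DNS_RESULT PORT_RESULT
# DNS_RESULT is GOOD / BAD / NXDOMAIN (does the hostname resolve to a private
# IP?), PORT_RESULT is OPEN / CLOSED / TIMEOUT. Prints the step to go back to.
diagnose() {
  case "$1:$2" in
    GOOD:OPEN)    echo "Network path is fine: revisit approval state (Step 1) and the storage firewall (Step 4)" ;;
    GOOD:TIMEOUT) echo "Right IP, packets dropped: check NSGs on both subnets for TCP 443 (Step 3)" ;;
    GOOD:CLOSED)  echo "Right IP, connection refused: verify the endpoint IP and NSG rules (Step 3)" ;;
    BAD:*)        echo "Resolving to a public IP: fix the Private DNS zone, VNet link or forwarder (Step 2)" ;;
    NXDOMAIN:*)   echo "No answer at all: check the VM's DNS server setting first (Step 2)" ;;
    *)            echo "Unrecognised combination: $1 / $2"; return 1 ;;
  esac
}

# Example run. On a real VM replace the placeholders with the storage account
# FQDN and the nslookup verdict you obtained in Step 2.
STORAGE_FQDN="yourstorage.blob.core.windows.net"   # placeholder
DNS_VERDICT="GOOD"                                 # placeholder: verdict from Step 2
port_result=$(probe_tcp "$STORAGE_FQDN" 443 3 || true)
echo "$port_result"
diagnose "$DNS_VERDICT" "${port_result%% *}"       # first word: OPEN/CLOSED/TIMEOUT
```

The distinction between TIMEOUT and CLOSED is the useful part: NSG denies drop packets, so a hang until the timeout fires almost always means a rule on one of the two subnets, whereas an immediate refusal means the packet reached something that answered, so the address or the listener is the thing to question.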

Summary Checklist:

  1. Is the Private Endpoint Approved?
  2. Does nslookup return a Private IP?
  3. Is the Private DNS Zone linked to the VM’s VNet?
  4. Does the NSG allow traffic on Port 443?
