Hi All…
I have been in IT for more than 25 years and I still manage to feel extremely stupid way too often… This is definitely one of those moments.
Disclaimer: I am not an Azure expert… so this might be obvious, just not to me 😀
Background
A customer that I am working with is starting to build their integration story for communicating with Dynamics 365 for Finance and Supply Chain. One of the patterns is to send files through SFTP, and they would like to do that natively to an Azure Storage account. In order to enable SFTP in Azure you need hierarchical namespaces, which in turn requires Azure Data Lake Storage Gen2.
So far so good… I set up an ADLS Gen2 storage account in the customer's Azure and, to follow best practices, I enabled the firewall on the Storage account and added my own IP address. I was able to access it from my computer using Azure Storage Explorer and everything worked great. So I told our developer and he told me “It does NOT work!”… What?? Apparently he used the Storage account name and the access key, so I tried that from my laptop… it worked.
I logged in to the D365FO dev machine and tried to access it from there using name and access key and it did not work. Of course I figured it had to do with the firewall, so I added the Public IP of the Dev VM. It still did NOT work!!
I tried to access the Storage account using my Azure AD account, and it worked (I still do not understand why).
After a LOT of troubleshooting (and a vacation to forget everything) I came back and started looking into this. With some awesome troubleshooting help from Jonas, I finally stumbled on this little nugget:
If the storage account and the VM are in the same region, traffic goes over the Azure backbone network. I tried it with a VM in a different region and whitelisted the static public IP of that Azure VM in the firewall of the storage account, and it worked!
Which eventually led me to this:
So the issue is that if you access an Azure Resource from another Azure Resource in the same region, the traffic is not routed through the Public IP, it is routed through the Azure Backbone. You are however not able to add IP rules for the internal IP address of an Azure VM, so you need to add the Azure Virtual Network that hosts the VM.
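Here is the fix in Az PowerShell as an added example (my own, not part of the original post or Microsoft's docs). It assumes the Az module is installed and you are logged in, and every resource name is a placeholder for the customer's real values.

```powershell
# Added example (not from the original post): grant the dev VM's subnet access
# to a firewalled ADLS Gen2 account with a virtual network rule, which is what
# an IP rule for the VM's public IP cannot do when VM and storage share a region.
# All names below are placeholders; replace them with the customer's values.
$ResourceGroup  = 'rg-d365-integration'
$StorageAccount = 'std365sftp'          # ADLS Gen2 account with SFTP enabled
$VnetName       = 'vnet-d365-dev'
$SubnetName     = 'snet-d365-dev'       # subnet hosting the D365FO dev VM

# 1. The subnet needs a Microsoft.Storage service endpoint before the storage
#    account will accept a rule for it. Keep the existing address prefix and
#    any endpoints already configured.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroup -Name $VnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $SubnetName -VirtualNetwork $vnet
$endpoints = @($subnet.ServiceEndpoints | ForEach-Object Service)
if ($endpoints -notcontains 'Microsoft.Storage') {
    # Assumption: the subnet has no NSG or route table; if it does, pass them
    # again with -NetworkSecurityGroup / -RouteTable so they are not dropped.
    Set-AzVirtualNetworkSubnetConfig -Name $SubnetName -VirtualNetwork $vnet `
        -AddressPrefix $subnet.AddressPrefix `
        -ServiceEndpoint ($endpoints + 'Microsoft.Storage') | Out-Null
    $vnet   = Set-AzVirtualNetwork -VirtualNetwork $vnet
    $subnet = Get-AzVirtualNetworkSubnetConfig -Name $SubnetName -VirtualNetwork $vnet
}

# 2. Add the subnet (not the VM's public IP) to the storage account firewall.
Add-AzStorageAccountNetworkRule -ResourceGroupName $ResourceGroup `
    -Name $StorageAccount -VirtualNetworkResourceId $subnet.Id | Out-Null

# 3. Verify: the default action should still be Deny (firewall stays on), the
#    admin's IP rule is still there, and the subnet now shows as a VNet rule.
$rules = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $ResourceGroup `
    -Name $StorageAccount
"DefaultAction : $($rules.DefaultAction)"
"IP rules      : $($rules.IpRules.IPAddressOrRange -join ', ')"
"VNet rules    : $($rules.VirtualNetworkRules.VirtualNetworkResourceId -join ', ')"
```

After this, the developer's name-plus-access-key test from the dev VM should succeed without adding the VM's public IP, which the same-region backbone routing never presents to the storage firewall anyway.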
Although it took way too long to figure out, I learned a lot 🙂
Bye for today
Links
https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support
https://learn.microsoft.com/azure/storage/common/storage-network-security?tabs=azure-portal#grant-access-from-an-internet-ip-range