
In Azure, I've restricted access to a storage account to a specific virtual network. Can I regain access to it through a VPN gateway?

Jakub Śliwiński 0 Reputation points
2026-05-11T19:47:29.46+00:00

I'm trying to learn Azure as a new career path. I've been doing some MS Learning labs, and in this one, you're supposed to restrict access to a storage account to a specific virtual network. Which I've done, and it worked as expected - I'm getting the exact error as specified in the lab. But the action itself felt somewhat arbitrary and didn't really teach me much about why you would do that. So then I wondered, how do I actually access the storage account afterwards?

I asked AI, and it suggested 2 ways:

  1. Host a VM inside the virtual network, remote into it, log into Azure there and access the storage account.
  2. Create a VPN gateway, configure P2S on it, connect my own computer to it through Azure VPN and access the storage account through it.

The first method worked without issues, even though it seemed somewhat crude to do. But I'm having trouble getting the second one to work. Here's what I did:

  • created a Virtual network gateway (SKU - VpnGw1AZ, type - VPN, virtual network - same as the one in the storage account settings)
  • configured P2S settings (tunnel type - OpenVPN (SSL), authentication type - Microsoft Entra ID (with authentication settings as described in this article))
  • added the virtual network's GatewaySubnet under "Public network access" in the storage account's networking settings (and configured Service endpoint)
  • downloaded the VPN client settings and imported them in the Azure VPN Client
  • connected to the VPN through the client

But even then, after trying to open the blob container in the storage browser, I'm still getting the same "This request is not authorized to perform this operation." error as in the lab.

What did I do wrong? Is it even doable at all, or was it just an AI hallucination?

Azure VPN Gateway

An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.


2 answers

  1. Vallepu Venkateswarlu 9,325 Reputation points Microsoft External Staff Moderator
    2026-05-12T17:05:03.6633333+00:00

    Hi @Jakub Śliwiński,

    Thanks for sharing the response.

    Please check the DNS resolution while connected to the VPN using the command below:

    Resolve-DnsName -Name ["Blob storage account FQDN name"] -DnsOnly
    

    If you are getting a Public IP instead of the Private Endpoint IP, please make sure to add the Storage Account Private Endpoint IP address and FQDN entry in your local hosts file.

    After updating the hosts file, disconnect the VPN and reconnect again. Then run the same command and verify the result. This time, you should receive the Private IP address of the Private Endpoint.

    Private Endpoint IP and FQDN

    10.0.0.5    venkatstoragetestdemo.file.core.windows.net
    

    Local Host file configurations.


    I hope this information helps resolve your issue. Please feel free to ask if the provided solution does not help or if you have any additional questions.

    Please “Accept the answer” and “up-vote” wherever the information provided helps you, as this can be beneficial to other community members.


  2. Q&A Assist
    2026-05-11T19:47:50.2433333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Access through a VPN gateway is possible, but only if the storage account is explicitly configured to allow the virtual network (and subnet) that the VPN clients connect into. Just having a VPN gateway and connecting to it is not enough.

    From the context, the key requirement is:

    • The storage account must have Public network access set to Enabled from selected virtual networks and IP addresses.
    • Under Virtual networks, the specific virtual network and subnet where the client’s IP is located must be added.

    In the working example from the context, access is restricted like this:

    1. Go to the storage account → Networking.
    2. Under Firewalls and virtual networks, select Enabled from selected virtual networks and IP addresses.
    3. Select + Add existing virtual network.
    4. Choose the subscription, then the virtual network (for example, vnet-1) and the subnet that should have access (for example, subnet-private).
    5. Select Add, then Save.

    Only VMs (or clients) whose IPs are in that allowed subnet can mount or browse the storage account successfully. This is demonstrated when a VM in the allowed subnet can mount the file share, while a VM in a different subnet (subnet-1) receives mount error(13): Permission denied.

    Applied to the VPN scenario:

    • Point-to-site VPN clients must be assigned IP addresses from a range that is routed into a subnet of the virtual network.
    • The storage account must be configured to allow that virtual network + subnet combination.
    • Adding only the GatewaySubnet is not sufficient if the effective source IP of the client traffic is not in that subnet or if the storage account is not configured to trust the correct subnet.

    So, the scenario is doable, but the configuration must match this pattern:

    1. Ensure the P2S VPN address pool is integrated so that client traffic appears as coming from a subnet that can be selected in the storage account’s Networking blade.
    2. In the storage account, under Networking, add that virtual network and subnet (not just the gateway subnet) and save.
    3. Then, when connected via VPN, access to the storage account will succeed, just like from a VM in the allowed subnet.

    If the client IP is not effectively in an allowed subnet, the storage account will continue to return authorization errors even though the VPN connection itself is up.


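The two checks the answers above describe, as an added example that is not part of the thread or of Microsoft's tooling: whether the storage FQDN resolves to a private endpoint address inside the VNet (answer 1), and whether the client's effective source IP falls in a subnet the storage firewall was told to trust (answer 2). Address space, subnet ranges and the P2S client pool are constructed; in practice the resolved IP comes from the Resolve-DnsName output and the logic only models the reasoning in the thread, not Azure's actual firewall evaluation.

```python
"""Troubleshooting helper for the two checks in this thread (constructed example)."""
from ipaddress import ip_address, ip_network

# Constructed addressing, loosely following the lab names (vnet-1, subnet-private).
VNET_ADDRESS_SPACE = ip_network("10.0.0.0/16")
ALLOWED_SUBNETS = {                      # what the storage firewall was told to trust
    "GatewaySubnet": ip_network("10.0.255.0/27"),
    "subnet-private": ip_network("10.0.1.0/24"),
}
P2S_CLIENT_POOL = ip_network("172.16.201.0/24")   # assumed P2S address pool (constructed)


def resolves_to_private_endpoint(resolved_ip: str, vnet=VNET_ADDRESS_SPACE) -> bool:
    """Answer 1's check: the FQDN should resolve to an address inside the VNet
    (the private endpoint NIC), not to a public address of the storage service."""
    return ip_address(resolved_ip) in vnet


def allowed_subnet_for(source_ip: str, allowed=ALLOWED_SUBNETS):
    """Answer 2's check: the storage firewall only matches traffic whose effective
    source IP sits in one of the VNet subnets that were added. Returns the
    matching subnet name, or None when the request would be denied."""
    addr = ip_address(source_ip)
    for name, subnet in allowed.items():
        if addr in subnet:
            return name
    return None


def diagnose(resolved_ip: str, source_ip: str) -> str:
    """Combine both checks into the verdict wanted while connected to the VPN."""
    if resolves_to_private_endpoint(resolved_ip):
        return "allowed: traffic reaches the private endpoint inside the VNet"
    subnet = allowed_subnet_for(source_ip)
    if subnet:
        return f"allowed: service endpoint on {subnet} matches the source IP"
    reason = ("P2S pool address is not in any VNet subnet"
              if ip_address(source_ip) in P2S_CLIENT_POOL else "source IP not trusted")
    return f"denied (not authorized): {reason}"


if __name__ == "__main__":
    # 203.0.113.10 stands in for the storage service's public address (constructed).
    # VM in subnet-private reaching the public endpoint through a service endpoint: works.
    print(diagnose("203.0.113.10", "10.0.1.4"))
    # P2S client, FQDN still resolving publicly, source is the client pool: the thread's error.
    print(diagnose("203.0.113.10", "172.16.201.5"))
    # P2S client after the hosts-file fix: FQDN resolves to the private endpoint.
    print(diagnose("10.0.0.5", "172.16.201.5"))
```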
