I have a storage account set up with a private endpoint connection, restricting access from all public networks. I then created a Point-to-Site VPN to try and connect to the storage account from my local device.
But when I turn on the VPN I get an IP address from the subnet I defined in the VPN configuration. How do I add this private subnet to the allowed IP ranges of the storage account firewall?
Or am I looking in the wrong place to allow access to the storage account via VPN?
If you are using a private endpoint, the built-in firewall doesn't filter that traffic. The built-in firewall is used to filter traffic on the public interface.
Do you have a solution in place for DNS resolution? You can't connect to a storage account by IP, even on a private endpoint; you need to connect to mystorage.blob.core.windows.net.
Do an nslookup on your storage account. If you are still getting a public IP when connected via your VPN, you need to solve the DNS resolution issue.
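As an added illustration of the nslookup check described in the answer above (this is example code, not the poster's): it resolves the storage account FQDN with the system resolver, the same one the VPN client and nslookup use, and reports whether the returned addresses fall inside the VNet. The VNet address space, the account name and the sample resolver results are assumptions made for the example.

```python
import ipaddress
import socket

# Assumed VNet address space; replace with the range of the VNet that holds
# the private endpoint subnet.
VNET_ADDRESS_SPACE = ipaddress.ip_network("10.1.0.0/16")


def classify_address(addr: str, vnet=VNET_ADDRESS_SPACE) -> str:
    """'private-endpoint' if addr is inside the VNet, 'private-other' if it is
    an RFC 1918 address outside the VNet, otherwise 'public'."""
    ip = ipaddress.ip_address(addr)
    if ip in vnet:
        return "private-endpoint"
    if ip.is_private:
        return "private-other"
    return "public"


def check_resolution(fqdn: str, vnet=VNET_ADDRESS_SPACE, resolver=None) -> dict:
    """Resolve fqdn and classify every returned address.

    resolver must return (canonical_name, aliases, addresses), the shape of
    socket.gethostbyname_ex; it is injectable so the check can be exercised
    with constructed data. The canonical name is reported for information
    only (a working private endpoint normally shows a *.privatelink.* name),
    while 'ok' depends solely on all addresses being inside the VNet, which
    is the test the answer above describes.
    """
    resolver = resolver or socket.gethostbyname_ex
    canonical, aliases, addrs = resolver(fqdn)
    verdicts = {a: classify_address(a, vnet) for a in addrs}
    return {
        "canonical": canonical,
        "privatelink": any(".privatelink." in n for n in [canonical, *aliases]),
        "addresses": verdicts,
        "ok": bool(verdicts) and all(v == "private-endpoint" for v in verdicts.values()),
    }


if __name__ == "__main__":
    # Live check against an assumed account name; run with the VPN connected.
    try:
        print(check_resolution("mystorage.blob.core.windows.net"))
    except socket.gaierror as exc:
        print(f"resolution failed: {exc}")
```

If "ok" is False while the VPN is up, the client is still using public DNS for the account name and the private endpoint is never reached.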
Given the simple scenario, I’m assuming there’s only 1 VNet, thus your VPN will be mapped to an IP address within the Gateway subnet. As long as the dedicated Private Endpoint subnet is within the same VNet, you should be able to reach it without further issues.
Once you have it configured, you can test/diagnose it with Network Watcher.