Unable to connect to private endpoint for file service

Question

Unable to connect to private endpoint for file service

Apurva Pathak 795

Hello folks,

I have a private endpoint deployed for storage file share, and I'm trying to connect to the PE from another Vnets.

Same PE is reachable from other VMs deployed in other Vnets.
I have enabled Network Policy for both NSG and the Route Tables in the PE's subnet.
NSGs applied on PE's subnet allow traffic from Vnet to Vnet (Default rules).
Source VMs doesn't have any OS Firewall enabled or NSG applied.

Weirdest part is, there is a VM in the subnet of the PE, and I'm able to connect to that VM, but not the PE.

PFB snips/details for reference:

PE details:

{39FB7D28-99AD-4FCE-A88F-1089D692E549}

Source VM NSG:

{0F89AADC-D694-414F-B94A-906FE14B7620}

Destination PE NSG:

{7D1B7576-ADEC-404C-9AA2-0E5952CDE984}

Can someone please help me.

Thanks in advance!

3 answers

Your answer

Answer 1

Vinodh247 37,216 MVP Volunteer Moderator

Hi ,

Thanks for reaching out to Microsoft Q&A.

Here is the simpler explanation of what is happening.

Your Private Endpoint subnet has Private endpoint network policy set to Enabled.

When this is enabled, the NSG rules on that subnet apply to the Private Endpoint.

By default, cross VNet traffic to the Private Endpoint will not be allowed unless you explicitly add a rule for it.

That is why the VM in the same subnet works (local traffic is fine) but the VM in another VNet cannot connect.

2 easy ways you can try to fix it:

Simplest option > Go to the subnet where the Private Endpoint is placed and set Private endpoint network policy to Disabled. This makes the Private Endpoint work without needing special NSG rules.
If you want to keep it Enabled > In the NSG for the PE subnet, add an inbound rule that allows traffic from the other VNet’s IP range to the PE’s private IP on port 445 (azure Files).

The easiest and most common approach is to disable the network policy for that subnet.

Please 'Upvote'(Thumbs-up) and 'Accept' as answer if the reply was helpful. This will be benefitting other community members who face the same issue.

Apurva Pathak 795 Reputation points

2025-08-15T07:40:46.4766667+00:00
Thanks for your explanation @Vinodh247

I've tried both the ways but neither worked for me. PFB snips for reference.

Allow NSG rule for Inbound traffic (PE's subnet NSG). Test-NetConnection results from Source VM.

Disable Security in the PE's Subnet

Also, the same PE is reachable from other VMs in the network.

Thanks again for your time!
Vinodh247 37,216 Reputation points MVP Volunteer Moderator

2025-08-15T13:11:03.3566667+00:00

from your symptoms, especially that other VNets work fine, this almost certainly smells like the VNet of the problematic VM is not linked to the Private DNS zone or is resolving to a public endpoint.
Apurva Pathak 795 Reputation points

2025-08-15T14:57:43.0166667+00:00

I can confirm that's not a DNS issue as the source VM is able to resolve the private IP of the PE correctly. Pasting a snip below for reference.
Apurva Pathak 795 Reputation points

2025-08-21T08:29:35.9766667+00:00

Hi @Vinodh247 ,

Thanks a lot for the detailed steps but what if there is and UDR redirecting 0.0.0.0/0 to an NVA not applied to destination PE's subnet but to the source VM.

I'm pasting a diagram below, which may help in understanding the traffic flow and mapping of different devices.

Below is flow of traffic from my source VM to the destination.

Please note that a VM which is in the same subnet of the PE is reachable from the source VM.

Source and Destination both are under spoke Vnets of different Hubs, and have no direct peering. Hub of both devices are peered with each other.

Source VM --> Source VM NVA --> Source VM Hub Vnet GW --> Destination PE Vnet Hub Vnet GW --> Destination (working) VM/ (non-working) PE

Traffic at NVA and NSG are all allowed to flow internally.
Ravi Varma Mudduluru 410 Reputation points Microsoft External Staff Moderator

2025-08-21T18:28:10.3133333+00:00
Hello @Apurva Pathak,

Hope you're doing well!

Thank you for the detailed response

According to my knowledge, the traffic from your source spoke is routed to the NVA due to the 0.0.0.0/0 UDR. The direction is as follows: source spoke → NVA→ hub → destination spoke. When the destination spoke VM associates, it does so because the incoming (return) traffic is routed over the same NVA path. But the Private Endpoint (PE) doesn’t necessarily take that same route because as a design, Azure PEs use system routes unless there is something that overrules them. So, that means the PE more often than not routes incoming (return) traffic directly over the Vnet peering -> source spoke (with no NVA in between) and that is why the TCP 445 test is failing.

Can you please review the following recommendations and let me know if these steps work?

Try bypassing the NVA only for the Private Endpoint (PE) by adding a more specific 0.0.0.0/32 route that uses the PE’s IP in the source subnet route table. Set the next hop to Virtual Network. This will ensure that traffic to the PE goes directly through VNet peering, bypassing the NVA.

If the connectivity test succeeds after making this change, it confirms that the NVA path is the issue.

However, note that with this setup, the NVA will not be able to inspect that specific flow.

Verify DNS resolution to ensure that the source VM is resolving the FQDN of the PE to its Private IP. If not already configured, use an Azure private DNS zone and link it to the source VNet.

If you need the NVA to inspect the traffic, you must also force return traffic from the PE to go through the NVA. To do this, attach a UDR to the PE subnet pointing to the NVA (or hub gateway). Additionally, enable “Allow forwarded traffic” on the VNet peering and make sure the NVA allows TCP 445 while avoiding SNAT for the flows.

Supporting documents:

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-troubleshoot-nva?tabs=portal

https://learn.microsoft.com/en-us/troubleshoot/azure/azure-storage/files/connectivity/files-troubleshoot?tabs=powershell#cause-4---the-client-pc-cannot-route-traffic-to-the-azure-file-shares-private-endpoint

https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview#networking-considerations

Kindly let us know if the above helps or you need further assistance on this issue.

Please " up vote" if the information helped you. This will help us and others in the community as well.

Thanks & Regards
M Ravi Varma
Apurva Pathak 795 Reputation points

2025-08-22T10:59:45.68+00:00
Hi @Ravi Varma Mudduluru ,

Thanks for your comments!

As suggested above, I tried:

Created a specific URD at source VM to send traffic destined to PE's IP to Vnet.

Enabled the UDR & NSG security controls in the subnet of the destination PE. But unfortunately, result is still the same :(
Ravi Varma Mudduluru 410 Reputation points Microsoft External Staff Moderator

2025-08-22T13:05:06.4333333+00:00

Hello @Apurva Pathak,

Thanks for the Update.

Could you please confirm your requirement regarding traffic flow?

1)Do you require all traffic (including access to the Private Endpoint) to continue passing through the NVA/hub for inspection and compliance?

2)Is it acceptable for this specific Storage Private Endpoint traffic to bypass the NVA and instead transit directly over spoke-to-spoke peering?
Apurva Pathak 795 Reputation points

2025-08-22T13:36:08.5066667+00:00

Hi @Ravi Varma Mudduluru ,

Either of them is acceptable for me :)
Ravi Varma Mudduluru 410 Reputation points Microsoft External Staff Moderator

2025-08-22T18:18:48.9533333+00:00

Hello @Apurva Pathak,

Thanks for the confirmation

Could you please review the private message, follow the steps I shared, and confirm whether they resolve the issue?
Apurva Pathak 795 Reputation points

2025-08-23T16:21:33.0566667+00:00

Thanks Ravi, I've replied to your message.

Answer 2

Hello @Apurva Pathak,

Hope you're doing well! Thanks for the update.

I tested this in my lab by creating the storage account and private endpoint in East US and running the test from West US 2, and it worked fine. I’ve attached a screenshot with my results. Please check if both your working and failing VMs return the same output.

Please follow the steps below for the Client VM.

1.Please verify the DNS resolution, it should resolve to the Private Endpoint’s private IP of your resource.

nslookup storage account .file.core.windows.net

User's image

If the DNS resolves correctly but TCPTestSucceeded fails, then the issue is likely related to routing or peering.

Test-NetConnection storage account.file.core.windows.net -Port 445

User's image

3.Please check the effective routes on the NIC and confirm that a route to 10.x.x.0 (PE private IP) exists via VirtualNetwork. In my screenshot, it shows as an interface endpoint because I didn’t create the VM in the same region as the Private Endpoint. Since you have VMs on both sides, the route should appear via VirtualNetwork in your case.

az network nic show-effective-route-table \   --name <CLIENT_VM_NIC_NAME> \   --resource-group <CLIENT_RG> \   -o table

Run the following command on both VMs (Client VNet and PE VNet):

az network vnet peering list --resource-group <RG_NAME> --vnet-name <VNET_NAME> -o table

User's image

Make sure the settings are as follows:

"allowVirtualNetworkAccess": true
"allowForwardedTraffic": true (required if there’s a UDR or firewall in the path)

Traffic must be enabled in both directions. Please refer to the screenshot below for guidance

Please verify the DNS zone links.

az network private-dns zone list -o table

Locate your privatelink.file.core.windows.net zone, then run:

az network private-dns link vnet list   --resource-group <RG_NAME>  --zone-name privatelink.file.core.windows.net   -o table

User's image

Ensure that the failing VM’s VNet is properly linked to the Private DNS zone. Refer to the screenshot below for reference.

6)Please review the storage account firewall rules.

az storage account network-rule list  --account-name <STORAGE_ACCOUNT_NAME>   --resource-group <RG_NAME>  -o table

az storage account show \ --name mystoragesep1908 \ --resource-group RGAUG19 \ --query "networkRuleSet" \ -o json

User's image

Check for:

"defaultAction": "Allow" → Storage is accessible from all networks.
"defaultAction": "Deny" → Only the VNets/Private Endpoints listed are allowed.

Important: For a Private Endpoint (PE) scenario, the expected configuration is:

defaultAction = Deny
Network rules must include your Private Endpoint.
Ensure the VNet/subnet with your Private Endpoint is listed.

In my setup, I allowed all networks, so I see an empty list ([]).

User's image

Please follow the steps below for the target VM (PE’s Subnet/VNet).

Since I haven’t created a route table, I’m only providing the command:

1.Check PE Subnet Network Policy

You already confirmed that Private endpoint network policy = Disabled.
No further changes are required here.

Verify the subnet’s route table using:

az network route-table show    --name <ROUTE_TABLE_NAME>   --resource-group <RG_NAME>   -o table

Ensure that no UDR is redirecting 0.0.0.0/0 or 10.0.0.0/8 to a firewall or NVA.

3.Please check the VNet peering from PE VNet to Client VNet:

az network vnet peering list \   --resource-group <PE_RG> \   --vnet-name <PE_VNET_NAME> \   -o table

It must show "allowVirtualNetworkAccess": true (as noted in Step 4).

If you run all the above commands for both the working VM and the failing VM. Compare the results side by side.

If you find differences in the Effective Routes or DNS zone links, that is causing the issue

If the Client VM resolves to the PE private IP but port 445 fails: DNS is working correctly and the issue lies with Routing, NSG, or Peering

Kindly let us know if the above helps or you need further assistance on this issue.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Answer 3

Apurva Pathak 795

I was able to dig down the root cause. Below are the details:

The destination Hub Vnet had a UDR applied at its GatewaySubnet for the traffic destined to the address space of my source VM. But there was no UDR applied at the Subnet of my Source VM which was causing the asymmetric routing.

I removed the UDR from the GW Subnet and the issue was fixed.

Thanks a lot everyone who gave their precious time and efforts to this.

Share via

Unable to connect to private endpoint for file service

3 answers

Your answer