Introduction

The Azure Storage account firewall blocks access when trusted Microsoft services are not allowed. This guide provides step-by-step diagnosis and resolution.

Symptoms

Typical error output:

```
Error: AccessDenied
This request is not authorized to perform this operation
Storage account 'mystorageaccount' firewall is blocking public network access
```

Common Causes

  1. Firewall enabled but trusted Microsoft services not allowed
  2. VNet private endpoint not properly configured
  3. Missing network rule for client IP or subnet
  4. DNS resolution issues with private endpoint

Step-by-Step Fix

Step 1: Check Current State

```bash
az storage account show --resource-group MyRG --name mystorageaccount --query networkRuleSet
az storage account network-rule list --resource-group MyRG --account-name mystorageaccount
az network private-endpoint show --resource-group MyRG --name my-pe
```

Step 2: Identify Root Cause

```bash
az monitor activity-log list --resource-group MyRG --status Failed
```

Step 3: Apply Primary Fix

```bash
# Allow trusted Microsoft services through the firewall.
# --bypass replaces the current value, so list every exception you want to keep.
az storage account update --resource-group MyRG --name mystorageaccount --bypass AzureServices

# Add VNet rule for access (pass the full subnet resource ID)
az storage account network-rule add --resource-group MyRG --account-name mystorageaccount --subnet "<subnet-id>"
```

Step 4: Apply Alternative Fix

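```bash
# Alternative fix: check configuration
# (az resource needs the resource type when addressing a resource by name)
az resource show --resource-group MyRG --name mystorageaccount \
  --resource-type Microsoft.Storage/storageAccounts -o yaml

# Update specific properties
az resource update --resource-group MyRG --name mystorageaccount \
  --resource-type Microsoft.Storage/storageAccounts --set "properties.<key>=<value>"

# Verify the fix
az resource show --resource-group MyRG --name mystorageaccount \
  --resource-type Microsoft.Storage/storageAccounts --query "properties.<key>"
```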

Step 5: Verify the Fix

```bash
az storage account show --resource-group MyRG --name mystorageaccount --query networkRuleSet
az storage blob list --account-name mystorageaccount --container-name mycontainer
```
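
The following added example, which is not part of the original guide, reads the networkRuleSet JSON returned by the az storage account show command above and reports whether the first or third common cause applies to a given caller. The function name diagnose, the sample JSON and the IP addresses are constructed for illustration; the bypass finding only matters when the caller is a trusted Microsoft service.

```python
import ipaddress
import json


def diagnose(rule_set, client_ip, subnet_id=None):
    """Return the reasons the storage firewall would block this caller."""
    if rule_set.get("defaultAction") == "Allow":
        return []  # firewall is not restricting network access
    findings = []
    # 'bypass' is a comma-separated string, e.g. "Logging, Metrics".
    bypass = {b.strip() for b in (rule_set.get("bypass") or "").split(",")}
    if "AzureServices" not in bypass:
        findings.append("trusted Microsoft services are not allowed (bypass)")
    ip = ipaddress.ip_address(client_ip)
    # An IP rule may be a single address or a CIDR range.
    ip_ok = any(
        r.get("action", "Allow") == "Allow"
        and ip in ipaddress.ip_network(r["ipAddressOrRange"], strict=False)
        for r in rule_set.get("ipRules") or []
    )
    # Resource IDs are compared case-insensitively.
    subnet_ok = subnet_id is not None and any(
        r.get("virtualNetworkResourceId", "").lower() == subnet_id.lower()
        for r in rule_set.get("virtualNetworkRules") or []
    )
    if not (ip_ok or subnet_ok):
        findings.append("no network rule matches the client IP or subnet")
    return findings


# Constructed sample shaped like the networkRuleSet output; not real data.
SAMPLE = json.loads("""
{
  "bypass": "Logging, Metrics",
  "defaultAction": "Deny",
  "ipRules": [{"action": "Allow", "ipAddressOrRange": "203.0.113.0/24"}],
  "virtualNetworkRules": []
}
""")

if __name__ == "__main__":
    for addr in ("203.0.113.7", "198.51.100.9"):
        print(addr, diagnose(SAMPLE, addr))
```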

Common Pitfalls

  • Forgetting to check quota limits before resize operations
  • Not waiting for async operations to complete before next step
  • Missing RBAC permissions for Azure resource operations
  • Confusing subscription-level and resource-level quotas

Best Practices

  • Always check quota before provisioning new resources
  • Use Azure Resource Health for monitoring
  • Implement proper error handling in Azure CLI scripts
  • Enable diagnostic settings for all critical resources