Share via

Internet Application Accessing Azure Storage Account SFTP over Private Endpoint

Taranjeet Malik 546 Reputation points
2025-04-28T10:53:24.0866667+00:00

Hi

We have the following requirement:

Azure Hybrid environment, with on-prem connected to Azure over an ExpressRoute connection. There's an Internet based application trying to access Azure Storage Account configured as SFTP server. The Storage Account is only accessible via Private Endpoint. The on-prem firewall NATs the Public IP (assigned to Firewall NIC and used by Internet application to initiate the connection to Storage Account) used by Internet Application to the private IP Address of the Storage Account. Along the way from the Internet to Azure, we have a set of on-premises firewalls. Next hop to on-prem firewall is the Cloud Router that connect the on-premises environment to Azure over ExpressRoute connection. Within Azure, after the ExpressRoute Gateway, there's an Azure Firewall running in Hub virtual network. The Azure Storage Account based SFTP has the Private Endpoint in a spoke virtual network. Here's the flow:

Internet Application--> Public IP of the Border Firewall--> NATs Public IP to Storage Account's Private IP) → Cloud router → ExpressRoute → Azure (via ExpressRoute Gateway) → Azure Firewall (Hub) → Spoke VNet with Private Endpoint for Storage Account (SFTP).

As the Azure Firewall is configured with the default route (0.0.0.0/0) set to Internet, but we want this application to access the Storage Account though the on-prem and over the ExpressRoute and not Internet, we've advertised the Public IP address (specific prefix) of the Internet application over the ExpressRoute.

Problem: The Internet application is failing to connect to SFTP although a TCP packet capture at on-prem firewall shows successful TCP handshake (response received from the Storage Account). Surprisingly, there are no connection attempts logged in Azure Firewall logs.

I would like to understand what's the best way to troubleshoot these types of issues, specifically, what tools can be used and where?

Looking at the symptoms, what could be the potential issues / areas to investigate?

Thanks

Taranjeet Singh

Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,720 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Ganesh Patapati 5,520 Reputation points Microsoft External Staff
    2025-04-28T13:49:40.3433333+00:00

    Hello Taranjeet Malik

    I understand that you were facing an SFTP access issue on your Storage Account via Private Endpoint from an Internet-based application over ExpressRoute.

    Since you mentioned no connection attempts are logged in Azure Firewall, the traffic might be bypassing it entirely. Please verify if the ExpressRoute Gateway is correctly forwarding traffic to the Azure Firewall and check if User-Defined Routes (UDRs) are forcing traffic away from the firewall. Also, double-check your Azure Firewall logging settings to ensure they are capturing the right information.

    You can run the below PowerShell command from your on-premises server or Internet-based application hosted on the server if you have access and let me know the result.

     Test-NetConnection -ComputerName <.privatelink.blob.core.windows.net> -Port 22

    For further assistance, please share the below details:

    • Can you confirm if the Private Endpoint resolves correctly using a DNS lookup from your on-prem network?
    • What specific rules do you have set up in Azure Firewall regarding this traffic?
    • Are there any additional virtual networks or resources that could be affecting this connection (like Network Security Groups)?
    • Have you checked the ExpressRoute if the routes are being advertised?
    • Are you able to connect to the Storage Account from any other clients in the same Virtual Network where the Private Endpoint is deployed?

    Can you please update us if the action plan provided by was helpful?

    Should there be any follow-up questions or concerns, please let us know and we shall try to address them.

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.