Storage Account: limit access to Virtual Network fails

  • Question

  • When trying to limit access to a new storage account I get a deployment error: failed to save firewall and virtual network settings.

    I tried deleting and recreating the storage account, but it does not make a difference. The issue occurs both in the Azure web portal and from a PowerShell Cloud Shell. The PowerShell command to activate this does give an error regarding 'acls' (in lowercase, so ACLs).

    This seems to point at missing security rights, but I have full control over the subscription and even additionally added the Storage Account Contributor role to make sure I have access (also based on the guidance in Azure Docs). All to no avail.

    The virtual network subnet has service point connections enabled. Storage Account and Virtual Network are in two different Resource Groups.

    Any pointers on why this occurs are welcome. Thanks!

    Tuesday, May 29, 2018 6:50 PM

Answers

  • I'm having exactly the same issue, I can no longer either edit existing "Firewall and virtual network" settings or add a new one from both portal and ARM template in West Europe.

    Looks like a problem on Azure site.

    Have following errors:

    Portal:

    Failed to save firewall and virtual network settings for storage account 'mxxxxxxxxxxxx'. Error: There was an error processing your request. Try again in a few moments.

    Arm Template:

    New-AzureRmResourceGroupDeployment : 12:35:37 - Resource Microsoft.Storage/storageAccounts 'mxxxxxxxxx' failed with message '{
      "error": {
        "code": "NetworkAclsValidationFailure",
        "message": "Validation of network acls failure: InvalidRequestFormat:Cannot parse the request.."
      }


    • Edited by RafalH Wednesday, May 30, 2018 12:30 PM
    • Edited by Sandeep BR Wednesday, May 30, 2018 2:01 PM Personal information hidden
    • Marked as answer by Wim Borgers Thursday, May 31, 2018 9:14 AM
    Wednesday, May 30, 2018 11:50 AM

All replies

  • Can you try to save the storage account and virtual network in the same resource group and let us know the result? It's good to share the error code (PowerShell/Cloud Shell) for better understanding. Also, in which location are you facing this issue? Have you configured any naming convention policy applied to the resource group where the storage is deployed?

    Tuesday, May 29, 2018 8:52 PM
  • There are no naming convention policies present. Moving the storage account into the same resource group as the network does not make a difference.  If I use the guidance from:

    https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security

    and execute:

    $subnet = Get-AzureRmVirtualNetwork -ResourceGroupName "myresourcegroup" -Name "myvnet" | Get-AzureRmVirtualNetworkSubnetConfig -Name "mysubnet"

    Add-AzureRmStorageAccountNetworkRule -ResourceGroupName "myresourcegroup" -Name "mystorageaccount" -VirtualNetworkResourceId $subnet.Id

    Then the error is:

    Add-AzureRmStorageAccountNetworkRule : Validation of network acls failure: InvalidRequestFormat:Cannot parse the request..
    At line:1 char:1
    + Add-AzureRmStorageAccountNetworkRule -ResourceGroupName XXXXXXX ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : CloseError: (:) [Add-AzureRmStorageAccountNetworkRule], CloudException
        + FullyQualifiedErrorId : Microsoft.Azure.Commands.Management.Storage.AddAzureStorageAccountNetworkRuleCommand

    Location is West Europe. Thanks for taking the time to look into this



    • Edited by Wim Borgers Wednesday, May 30, 2018 8:00 AM
    Wednesday, May 30, 2018 7:51 AM
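
Added example (not part of any post in this thread): one way to run the same AzureRM commands with pre-flight and post-change checks, so that a failed save such as the `NetworkAclsValidationFailure` above does not leave you guessing which network rules are actually in effect on the account. The resource names are the placeholder names from the post above, and the variable names are assumptions.

```powershell
# Placeholder names, as in the post above; replace with your own.
$vnetRg     = "myresourcegroup"
$vnetName   = "myvnet"
$subnetName = "mysubnet"
$saRg       = "myresourcegroup"   # may differ from $vnetRg
$saName     = "mystorageaccount"

$vnet   = Get-AzureRmVirtualNetwork -ResourceGroupName $vnetRg -Name $vnetName
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName

# 1. Pre-flight: the subnet must have the Microsoft.Storage service endpoint.
if ($subnet.ServiceEndpoints.Service -notcontains "Microsoft.Storage") {
    throw "Subnet '$subnetName' has no Microsoft.Storage service endpoint."
}

# 2. Add the virtual network rule only if it is not already present.
$before = Get-AzureRmStorageAccountNetworkRuleSet -ResourceGroupName $saRg -Name $saName
if ($before.VirtualNetworkRules.VirtualNetworkResourceId -notcontains $subnet.Id) {
    Add-AzureRmStorageAccountNetworkRule -ResourceGroupName $saRg -Name $saName `
        -VirtualNetworkResourceId $subnet.Id -ErrorAction Stop
}

# 3. Switch the default action to Deny only after the rule was accepted.
Update-AzureRmStorageAccountNetworkRuleSet -ResourceGroupName $saRg -Name $saName `
    -DefaultAction Deny -ErrorAction Stop

# 4. Read the rule set back and confirm what is really enforced.
$after   = Get-AzureRmStorageAccountNetworkRuleSet -ResourceGroupName $saRg -Name $saName
$hasRule = $after.VirtualNetworkRules.VirtualNetworkResourceId -contains $subnet.Id
if ($after.DefaultAction -ne "Deny" -or -not $hasRule) {
    throw "Network rules not applied: DefaultAction=$($after.DefaultAction), rule present=$hasRule"
}
$after | Format-List DefaultAction, Bypass, VirtualNetworkRules, IpRules
```

Because `-ErrorAction Stop` aborts at the first failed call, the default action is never changed to Deny unless the subnet rule was accepted first.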
  • As you could do it in the past, and now have the same issue, it does seem like an issue indeed. I will try to log it with Azure later today.

    A similar config for an Azure SQL database was accepted fine. So it is limited to Storage Accounts.

    Wednesday, May 30, 2018 11:54 AM
  • I opened a support case this morning, then tried it one last time.... and it suddenly did work... 

    Note to self: always test again before you register a ticket. :-)

    Thanks for your feedback RafalH. Seemed to be an Azure issue indeed. Glad it works now.


    Thursday, May 31, 2018 9:14 AM
  • OK, works for me today. I guess it was fixed.
    Thursday, May 31, 2018 11:46 AM
  • Glad to know that your issue got fixed

    Tuesday, June 5, 2018 7:35 PM