create a private endpoint for a storage account (which is in a different tenant and subscription)

  • Question

  • Hello everyone.

    When trying to create a private endpoint for a storage account (which is in a different tenant and subscription) we received this error:

    Operation name: Create or update an private endpoint.

    Error code: GatewayAuthenticationFailed

    Message: Gateway authentication failed for 'Microsoft.Network'. Diagnostic information: timestamp '20191118T163815Z', tracking id 'b43f042c-b6c1-4611-ac5c-65e1ff4b7db1', request correlation id 'b43f042c-b6c1-4611-ac5c-65e1ff4b7db1'.

    According to this documentation:
    https://docs.microsoft.com/en-us/azure/private-link/private-link-faq

    Can Private Endpoint connect to Private Link service across Azure Active Directory Tenants?
    Yes. Private endpoints can connect to Private Link services or Azure PaaS across AD tenants.

    Unfortunately the existing documentation in https://docs.microsoft.com/en-us/azure/private-link/create-private-endpoint-storage-portal or in https://docs.microsoft.com/en-us/azure/private-link/create-private-endpoint-powershell describes how to create a private endpoint for an Azure Storage Account or for an Azure SQL Database Server respectively BUT in the same tenant and NOT when the Azure PaaS service is in another tenant.


    • Edited by David Talet Friday, November 29, 2019 12:42 PM
    Wednesday, November 20, 2019 7:10 PM

Answers

  • Hello David,

    We've looked into your problem and it seems to be a bug. You're the first person to report this, so thank you! We are sorry to keep you waiting for the fix with no ETA. Our development team will start working on this hotfix. Meanwhile please stay tuned! Thank you for your patience and understanding!

    Regards,
    Subhash


    Thursday, December 19, 2019 10:14 AM

All replies

  • I received the same error when trying from the portal, and a slightly different error when trying via PowerShell. 

    I am following up now to see if this is supported, and to get the correct steps. 

    Wednesday, November 20, 2019 11:48 PM
  • Thank you very much!

    Please let us know as soon as you know if this is really supported or not and if it is, then how to proceed.

    Regards,

    David

    Thursday, November 21, 2019 8:22 AM
  • Appreciate your patience. Yes. Private endpoints can connect to Private Link services or Azure PaaS across AD tenants. You must use approval workflow here to establish this connection. Here is the document for your reference. 
    The private endpoint needs to be created using the manual mode; here is the UI for the portal:

    Then it is approved by the storage owner using Private Link Center or the storage resource's Private Endpoint Connections section.

    If you think your question has been answered, click "Mark as Answer" if just helped click "Vote as helpful". This can be beneficial to other community members reading this forum thread.
    _______________________________________________________________________
    Best regards
    Subhash



    Tuesday, November 26, 2019 8:12 AM
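The two-sided workflow described in the reply above, written out in Azure PowerShell as an added example (this is not code from the thread, from Microsoft, or from the linked documentation). It assumes the Az.Network module, and all tenant IDs, subscription IDs, resource names and the storage account resource ID are placeholders that you replace with your own. The consumer creates the endpoint in its own tenant with a manual request; the storage owner then lists pending connections in the storage account's tenant and approves only the one it expects:

```powershell
# Added example, not from the thread. Cross-tenant private endpoint to a
# storage account: the consumer creates the endpoint in its own tenant with a
# manual request; the storage owner approves it from the storage account's
# tenant. All names, IDs and tenant GUIDs below are placeholders.

# ---------- Consumer side (tenant that owns the VNet) ----------
Connect-AzAccount -Tenant '<consumer-tenant-id>' -Subscription '<consumer-subscription-id>'

# Resource ID of the storage account, handed over by its owner in the other tenant.
$storageId = '/subscriptions/<provider-subscription-id>/resourceGroups/<provider-rg>/providers/Microsoft.Storage/storageAccounts/<storageaccount>'

$vnet   = Get-AzVirtualNetwork -Name 'consumer-vnet' -ResourceGroupName 'consumer-rg'
$subnet = Get-AzVirtualNetworkSubnetConfig -Name 'pe-subnet' -VirtualNetwork $vnet

# The connection request targets the 'blob' sub-resource; RequestMessage is
# what the approver sees in Private Link Center.
$conn = New-AzPrivateLinkServiceConnection -Name 'storage-blob-conn' `
    -PrivateLinkServiceId $storageId -GroupId 'blob' `
    -RequestMessage 'Consumer VNet needs blob access; please approve.'

# -ByManualRequest is what the portal calls "manual" mode. Auto-approval
# requires RBAC on the storage account, which the consumer does not have
# across tenants, so the request must be manual.
$pe = New-AzPrivateEndpoint -Name 'storage-pe' -ResourceGroupName 'consumer-rg' `
    -Location $vnet.Location -Subnet $subnet `
    -PrivateLinkServiceConnection $conn -ByManualRequest

# Until the owner acts the connection state stays 'Pending'.
$pe.PrivateLinkServiceConnections[0].PrivateLinkServiceConnectionState.Status

# ---------- Provider side (tenant that owns the storage account) ----------
Connect-AzAccount -Tenant '<provider-tenant-id>' -Subscription '<provider-subscription-id>'

# Review every pending request before approving: the request message and the
# requesting endpoint's resource ID identify who is asking.
$pending = Get-AzPrivateEndpointConnection -PrivateLinkResourceId $storageId |
    Where-Object { $_.PrivateLinkServiceConnectionState.Status -eq 'Pending' }

foreach ($c in $pending) {
    Write-Host "Pending: $($c.Name) from $($c.PrivateEndpoint.Id)"
    Write-Host "  message: $($c.PrivateLinkServiceConnectionState.Description)"
}

# Approve only the endpoint you agreed with the partner; reject anything else,
# since a pending request from an unknown endpoint is someone asking for a
# private path into your storage account.
$expectedEndpoint = '*/storage-pe'
foreach ($c in $pending) {
    if ($c.PrivateEndpoint.Id -like $expectedEndpoint) {
        Approve-AzPrivateEndpointConnection -ResourceId $c.Id -Description 'Approved for partner VNet'
    } else {
        Deny-AzPrivateEndpointConnection -ResourceId $c.Id -Description 'Unrecognised request'
    }
}
```

Each half is run by a different identity in a different tenant; nothing in the consumer's session needs rights in the provider's tenant, which is why the approval step has to happen on the owner's side. Once approved, the endpoint's private IP resolves the storage account's blob hostname only if the consumer also sets up the matching private DNS zone, which the linked documentation covers.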
  • Hello SubhashVasarapu-MSFT

    yes this is exactly how I do it, using the manual mode and specifying the resourceId of the storage account.

    But the error appears.

    Operation name: Create or update an private endpoint.

    Error code: GatewayAuthenticationFailed

    Message: Gateway authentication failed for 'Microsoft.Network'. Diagnostic information: timestamp '20191118T163815Z', tracking id 'b43f042c-b6c1-4611-ac5c-65e1ff4b7db1', request correlation id 'b43f042c-b6c1-4611-ac5c-65e1ff4b7db1'.

    I cannot attach images because my account is not verified. How can I send you some images showing you my steps and the error message?

    • Edited by David Talet Tuesday, November 26, 2019 9:28 AM
    Tuesday, November 26, 2019 9:04 AM
  • Here is a Technet blog explaining How to Verify Your MSDN/TechNet Forums Account So that You Can Post Images and Links.

    Regards,
    Subhash


    Tuesday, November 26, 2019 10:14 AM
  • Ok. Thank you.

    I have asked to have my account verified. As soon as I have it I will post the images here for you to see.

    Regards,

    David Talet

    Tuesday, November 26, 2019 10:41 AM
  • Hello SubhashVasarapu-MSFT

    Here are the images and the error I'm getting when I try it.

    Friday, November 29, 2019 12:45 PM
  • Hello David,

    Appreciate your patience.
    Has this issue been resolved, or are you looking for some help? Please let us know so that we can dig into it for further analysis.

    Regards,
    Subhash


    Wednesday, December 4, 2019 4:49 AM
  • Hello SubhashVasarapu-MSFT

    No, the issue is still there.

    I posted here the images showing my steps to configure it and the error. Didn't you see them?

    Regards,

    David

    Wednesday, December 4, 2019 8:15 AM
  • I have gone through your issue earlier and faced the same issue while reproducing it. It looks like a bug and it has been reported with the back-end team. I will revert back to you with the resolution soon. 
    Wednesday, December 4, 2019 11:33 AM
  • Thank you very much! SubhashVasarapu-MSFT

    Please let me know as soon as possible.

    Regards,

    David Talet

    Wednesday, December 4, 2019 11:51 AM
  • Hello David,

    This will require some deeper analysis. Can you please file a support request @ https://aka.ms/azsupt? If you do not have access to a support plan, please reach out @ AZCommunity@microsoft.com with a link to this Issue as well as your subscription ID and we can help get the support ticket opened for this issue.

    Regards,

    Subhash


    Friday, December 6, 2019 10:58 AM
  • Hello SubhashVasarapu-MSFT

    I have just sent a message to AZCommunity@microsoft.com for this issue.

    Regards,

    David Talet

    Monday, December 9, 2019 8:58 AM
  • Hello,

    Has this issue been resolved, or are you looking for some help? Please let us know so that we can dig into it for further analysis.

    Regards,
    Subhash
    Tuesday, December 10, 2019 12:56 PM
    Well, the support ticket is now open and they are looking into this error.

    So for now it is not resolved.

    Regards,

    David

    Tuesday, December 10, 2019 2:16 PM
  • Can you post the Support Request number (SR#) of your ticket?
    Wednesday, December 18, 2019 12:23 AM
  • Yes, it's 119120922000908

    Regards,

    David

    Wednesday, December 18, 2019 8:25 AM
  • Hello David,

    We've looked into your problem and it seems to be a bug. You're the first person to report this, so thank you! We are sorry to keep you waiting for the fix with no ETA. Our development team will start working on this hotfix. Meanwhile please stay tuned! Thank you for your patience and understanding!

    Regards,
    Subhash


    Thursday, December 19, 2019 10:14 AM
  • Thank you Subhash.

    I'm glad that you found the problem. 

    Regards,

    David Talet

    Thursday, December 19, 2019 10:58 AM
  • I am seeing the exact same problem. Tried it with the portal and az cli.

    I was skeptical of how the links get created without any sort of AAD federation between tenants.

    The docs are also not clear on which side does what, i.e.

    If I have a storage account, and I need to grant access to a business partner's PaaS service running in another tenant, I would think the order of steps would be:

    1) I provide the business partner the resource id of my storage account

    2) The business partner executes these steps on their portal, selects the VNET on which their service runs, and provides the resource id of my storage account

    3) Who gets to approve the connection? I think it would be me, as the business partner is trying to access MY AZURE resources.

    Sunday, February 2, 2020 9:20 AM
  • I hit a similar issue (same error) when attempting to create a private link inside the same subscription as the storage account. In my case, the issue was being caused by an Azure "policy" which limited which vnet a Network interface could be attached to. Exempting the resource group of the new private link from the policy resolved the issue.
    Tuesday, June 9, 2020 8:39 PM
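A way to check for the cause described in the reply above before assuming the cross-tenant path is at fault, as an added example that is not part of the thread or of any Microsoft documentation. It assumes Az.Resources with the `Properties`-style assignment objects (older module versions; newer ones flatten the properties), and the resource group name, the assignment name and the exemption name are placeholders. It lists every policy assignment that applies to the private endpoint's resource group, flags the ones whose rule touches network interfaces, and then exempts only that resource group rather than loosening the assignment for the whole subscription:

```powershell
# Added example, not from the thread. A private endpoint creates a network
# interface, so an Azure Policy assignment that constrains NICs (for instance
# by subnet or VNet) can deny the deployment. Find such assignments for the
# endpoint's resource group and exempt just that group.
# Resource group, assignment and exemption names are placeholders.

$peRg = 'consumer-rg'
$rgId = (Get-AzResourceGroup -Name $peRg).ResourceId

# Assignments that apply to the resource group, directly or inherited from the
# subscription or management group.
$assignments = Get-AzPolicyAssignment -Scope $rgId

foreach ($a in $assignments) {
    # Initiative assignments reference a policy set, not a single definition;
    # those are skipped here (the -Id lookup fails, hence SilentlyContinue).
    $def = Get-AzPolicyDefinition -Id $a.Properties.PolicyDefinitionId -ErrorAction SilentlyContinue
    if (-not $def) { continue }

    $rule = $def.Properties.PolicyRule | ConvertTo-Json -Depth 20
    if ($rule -match 'networkInterfaces') {
        Write-Host "Candidate: $($a.Name) -> $($def.Properties.DisplayName)"
    }
}

# Exempt only the resource group hosting the private endpoint so the policy
# keeps protecting everything else. A Waiver with an expiry forces a review
# instead of leaving a permanent hole.
$target = $assignments | Where-Object { $_.Name -eq '<assignment-name-from-output>' }
if ($target) {
    New-AzPolicyExemption -Name 'pe-nic-exemption' -Scope $rgId `
        -PolicyAssignment $target -ExemptionCategory 'Waiver' `
        -Description 'Private endpoint NIC lives in a dedicated subnet' `
        -ExpiresOn (Get-Date).AddDays(30)
}
```

The candidate list is a heuristic (any rule mentioning `networkInterfaces`); confirm the match against the deployment's activity log entry before exempting, and prefer narrowing the exemption to the resource group over editing the assignment itself.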