I am moving some resources behind a virtual network to improve security. I have a storage account that has been disabled from public networks but that is connected to a virtual network. I have set up a CDN that has been able to connect to a blob container and display images stored there. At the moment, I can't connect to the blob container from my local machine using the Azure Storage Explorer or the Azure portal. I have tried setting up an Azure VPN Gateway using a point-to-site connection but I still receive the following error:

> This request is not authorized to perform this operation.
> This storage account's 'Firewalls & virtual networks' settings may be blocking access to storage services. Try adding your client IP address to the firewall exceptions, or by allowing access from 'all networks' instead of 'selected networks'.
As a last resort, I can whitelist my IP address and everything works. However, there are other people that require access from their local machines and this is not a sustainable solution. Is there a setting that the VPN requires in order to connect to the storage account? Will this approach work if I move some Azure SQL databases to the same virtual network?
It sounds like you are going to need a Private Endpoint - basically a NIC dedicated to each resource, or in the case of the storage account or similar resource, a specific service of the resource. Using these for storage accounts and Azure SQL is well-documented; they will work just fine with the Azure VPN gateway assuming your DNS is configured correctly. Misconfiguration of DNS is by far the most common issue with Private Endpoints. More details here: https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview. If you do decide to go Private Endpoint, don't hesitate to ask any follow-up questions.

One point for you to consider - do you really need this to enhance security? For the storage account, you can disable key access and use identity-based access, and for Azure SQL you can accomplish basically the same thing by disabling local SQL authentication. There are at least two other negatives with private endpoints: (1) they cost about $7/month per endpoint, and (2) they substantially complicate any infrastructure as code or CI/CD you are doing or may wish to do in the future.
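The answer above points at DNS as the usual reason a Private Endpoint "does not work" over a point-to-site VPN: the client still resolves `<account>.blob.core.windows.net` to the public IP, the request lands on the public endpoint, and the storage firewall returns exactly the "not authorized" error quoted in the question. The following is an added diagnostic (not code from the thread or from Microsoft) that classifies a client's resolution of the blob endpoint against the VNet address space. The account name `mystore`, the CIDR `10.1.0.0/16` and the sample CNAME chains are constructed for illustration; the `privatelink.blob.core.windows.net` suffix is the real private DNS zone name used by Azure Storage Private Endpoints.

```python
"""Classify how a client resolves an Azure Storage blob endpoint and whether that
resolution is consistent with reaching the account through a Private Endpoint
over a VPN. Added example; account name, CIDRs and sample records are constructed.
"""
import ipaddress
import socket
from dataclasses import dataclass, field
from typing import Iterable, List

# Real zone/suffix names used by Azure Storage Private Endpoints.
PRIVATELINK_SUFFIX = ".privatelink.blob.core.windows.net"
PUBLIC_SUFFIX = ".blob.core.windows.net"


@dataclass
class Resolution:
    hostname: str                              # name the client queried
    address: str                               # final A record the client got
    cname_chain: List[str] = field(default_factory=list)  # CNAMEs followed, if known


def blob_hostname(account: str) -> str:
    """Public blob endpoint name for a storage account."""
    return f"{account}{PUBLIC_SUFFIX}"


def in_vnet(address: str, vnet_cidrs: Iterable[str]) -> bool:
    """True if the address falls inside any of the given VNet address ranges."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(cidr, strict=False) for cidr in vnet_cidrs)


def classify(res: Resolution, vnet_cidrs: Iterable[str]) -> str:
    """Return one of:
      'private-endpoint'       answer is inside the VNet: the P2S client will reach
                               the Private Endpoint NIC and the storage firewall is
                               not consulted
      'private-outside-vnet'   private address, but not in the declared VNet ranges
                               (e.g. a peered hub VNet); check peering/route
      'public-via-privatelink' the privatelink CNAME was followed but the answer is
                               public: the privatelink zone is not being served to
                               this client (zone not linked to the VNet, or the
                               VPN client is not using the VNet's DNS servers), so
                               traffic goes to the public endpoint and the
                               firewall denies it
      'public'                 ordinary public resolution; no Private Endpoint in play
    The last two are what produce the 'not authorized to perform this operation'
    error when public network access is disabled.
    """
    ip = ipaddress.ip_address(res.address)
    if in_vnet(res.address, vnet_cidrs):
        return "private-endpoint"
    if ip.is_private:
        return "private-outside-vnet"
    if any(name.lower().endswith(PRIVATELINK_SUFFIX) for name in res.cname_chain):
        return "public-via-privatelink"
    return "public"


def resolve_live(account: str) -> Resolution:
    """Resolve the account's blob endpoint with the local stub resolver.
    The standard library does not expose the CNAME chain, so only the final
    address is recorded. Not called at import time; network access required."""
    host = blob_hostname(account)
    return Resolution(hostname=host, address=socket.gethostbyname(host))


if __name__ == "__main__":
    # Constructed sample: what a correctly configured VPN client should see.
    vnet = ["10.1.0.0/16"]
    good = Resolution(blob_hostname("mystore"), "10.1.2.5",
                      ["mystore.privatelink.blob.core.windows.net"])
    # Constructed sample: privatelink CNAME followed, but public answer returned.
    bad = Resolution(blob_hostname("mystore"), "20.60.1.1",
                     ["mystore.privatelink.blob.core.windows.net",
                      "blob.example-cluster.store.core.windows.net"])
    for r in (good, bad):
        print(f"{r.hostname} -> {r.address}: {classify(r, vnet)}")
```

Run it from a VPN-connected machine with `resolve_live("<account>")` and compare the result against the VNet's address space: anything other than `private-endpoint` means the Private Endpoint exists but the client is not using it, which is the DNS problem the answer describes rather than a firewall or VPN gateway setting.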