AzCopy with private endpoint and VPN Tunnel from on premise says certificate is not valid
I'm trying to use AzCopy to move a local file to a blob storage.
I've written this code to that purpose.
$localFilePath = "C:\Code\AzCopy\testfile.bak"
$containerUrl = "https://storageaccountname01.privatelink.blob.core.windows.net/databasebackups"
$sasToken = "sv=2024-01-01&ss=bfat&srt=aa&sp=sds3sdd&se=2026-19-01T21:50:38Z&st=2025-15-12T13:50:38Z&spr=https&sig=thisisnotrealandonlytofoolyou%3D"
$today = (Get-Date).ToString("yyyy-MM-dd")
$destinationUrl = "$containerUrl/$today/$(Split-Path -Leaf $localFilePath)?$sasToken"
Start-Process "./azcopy" -ArgumentList @(
"copy",
$localFilePath,
$destinationUrl,
"--overwrite=true",
"--from-to=LocalBlob",
"--trusted-microsoft-suffixes=storageaccountname01.privatelink.blob.core.windows.net;*.privatelink.blob.core.windows.net;privatelink.blob.core.windows.net",
"--log-level=debug"
) -NoNewWindow -Wait
It does not work, and gives the following error
Put "https://storageaccountname01.privatelink.blob.core.windows.net/databasebackups/2025-05-12%2Ftestfile.bak?se=2025-05-12T20%3A07%3A15Z&sig=-REDACTED-&sp=-REDACTED-&spr=https&srt=c&ss=bfqt&st=2025-05-12T12%3A07%3A15Z&sv=2024-11-04": tls: failed to verify certificate: x509: certificate is valid for *.blob.core.windows.net, *.gvx01prdstr02a.store.core.windows.net, *.blob.storage.azure.net, *.z1.blob.storage.azure.net, *.z2.blob.storage.azure.net, *.z3.blob.storage.azure.net, *.z4.blob.storage.azure.net, *.z5.blob.storage.azure.net, *.z6.blob.storage.azure.net, *.z7.blob.storage.azure.net, *.z8.blob.storage.azure.net, *.z9.blob.storage.azure.net, *.z10.blob.storage.azure.net, *.z11.blob.storage.azure.net, *.z12.blob.storage.azure.net, *.z13.blob.storage.azure.net, *.z14.blob.storage.azure.net, *.z15.blob.storage.azure.net, *.z16.blob.storage.azure.net, *.z17.blob.storage.azure.net, *.z18.blob.storage.azure.net, *.z19.blob.storage.azure.net, *.z20.blob.storage.azure.net, *.z21.blob.storage.azure.net, *.z22.blob.storage.azure.net, *.z23.blob.storage.azure.net, *.z24.blob.storage.azure.net, *.z25.blob.storage.azure.net, *.z26.blob.storage.azure.net, *.z27.blob.storage.azure.net, *.z28.blob.storage.azure.net, *.z29.blob.storage.azure.net, *.z30.blob.storage.azure.net, *.z31.blob.storage.azure.net, *.z32.blob.storage.azure.net, *.z33.blob.storage.azure.net, *.z34.blob.storage.azure.net, *.z35.blob.storage.azure.net, *.z36.blob.storage.azure.net, *.z37.blob.storage.azure.net, *.z38.blob.storage.azure.net, *.z39.blob.storage.azure.net, *.z40.blob.storage.azure.net, *.z41.blob.storage.azure.net, *.z42.blob.storage.azure.net, *.z43.blob.storage.azure.net, *.z44.blob.storage.azure.net, *.z45.blob.storage.azure.net, *.z46.blob.storage.azure.net, *.z47.blob.storage.azure.net, *.z48.blob.storage.azure.net, *.z49.blob.storage.azure.net, *.z50.blob.storage.azure.net, not storageaccountname01.privatelink.blob.core.windows.net
I've tried to get around this with the --trusted-microsoft-suffixes paramater but nothing seems to work.
I can access other resources using the VPN tunnel so the tunnel and routing is there and working. Can this be symptom of something else? Would I see this error if a firewall is blocking me along the way?
DNS is also working and i see the proper private IP when i ping the FQDN of the storage account.
Using AzCopy to move a local file to a blob storage.
The TLS error occurred because the address privatelink.blob.core.windows.net does not match the certificate that Azure provides.
I had used the public blob endpoint .blob.core.windows.net instead of the private FQDN.
Even when accessed over a VPN and Private endpoint, using the public FQDN works correctly because DNS is set up to point it to the private IP.
Used the below PowerShell Script
$localFilePath = "<Your local file path>"
$containerUrl = "https://<Your storage account Name>.blob.core.windows.net/<YourContainerName>"
$sasToken = "<Your SAS Token>"
$today = (Get-Date).ToString("yyyy-MM-dd")
$destinationUrl = "$containerUrl/$today/$(Split-Path -Leaf $localFilePath)?$sasToken"
azcopy copy `
$localFilePath `
$destinationUrl `
--overwrite=true `
--from-to=LocalBlob `
--log-level=debug
Output:
INFO: Scanning...
INFO: Any empty folders will not be processed, because source and/or destination doesn't have full folder support
Job 43a42875-ea8f-6240-5123-88c4fd405f5a has started
Log file is located at: C:\[path hidden for privacy]\43a42875-ea8f-6240-5123-88c4fd405f5a.log
100.0 %, 1 Done, 0 Failed, 0 Pending, 0 Skipped, 1 Total, 2-sec Throughput (Mb/s): 0.0003
Job 43a42875-ea8f-6240-5123-88c4fd405f5a summary
Elapsed Time (Minutes): 0.0334
Number of File Transfers: 1
Number of Folder Property Transfers: 0
Number of Symlink Transfers: 0
Total Number of Transfers: 1
Number of File Transfers Completed: 1
Number of Folder Transfers Completed: 0
Number of File Transfers Failed: 0
Number of Folder Transfers Failed: 0
Number of File Transfers Skipped: 0
Number of Folder Transfers Skipped: 0
Total Number of Bytes Transferred: 73
Final Job Status: Completed
uploaded the file successfully
- Re-send dead letter message in Azure Bus
- How to do random sampling of rows in Synapse Analytics serverless SQL pool?
- How to skip admin approval for external users in an Entra ID multi-tenant application
- Bicep How to use external file to be used in Deployment Script?
- Insufficient Privileges error when retrieving AD User's Entra ID from Microsoft Graph API using email address
- What is the correct way to set a cookie expiration when using Azure AD to login users to an ASP.NET Core 5 Web Application?
- How can I Parse Json in a Azure Function
- Alchemy Websockets: Can't host server on Azure
- How to connect secrets value stored in Azure key vault to Azure app service env variables directly
- I need to use some query results in an alert email notification in Azure ApplicationInsights
- Azure DevOps Pull work items in tree level in Excel
- Azure Event Hubs to share specific partitions with specific consumer groups
- Azure AD B2C vs Microsoft Entra External ID
- How to query OAuth2 permission grants for service principals in Entra ID using Microsoft Graph PowerShell
- How to get the app role's value given an app role ID in Entra ID using Microsoft Graph Powershell?
- How to list all directory extension definitions within an Entra ID tenant?
- How to get error message from action in Logic App
- How do I enable my Azure pipeline to checkout a submodule using Git?
- Azure Mobile App using existing database that has identity column not called id
- Devops self hosted agent - submodule checkout SSH host key verification failed
- How can I read a XML file Azure Databricks Spark
- Azure Command-Line Interface (CLI) error running .NET 8 console app
- Azure windows VM extensions are provisioning failed state VM agent is "Ready" but Backup failed at VM running State GuestAgentSnapshotTaskStatusError
- Android scheme not accepted by IOS when submitting react-native app through Expo EAS
- Azure PowerShell command to list all Azure VM SKU Sizes enabled for Confidential Computing Azure ACC
- Access Azure DevOps Artifact Feed from different organization
- Duplicate record handling with Azure Data Explorer
- File upload fails with 413 Request Entity Too Large in Azure app service but not while running locally
- Azure Tables: best practices for choosing partition/row keys
- Access Denied when accessing Azure Key vault from Azure Functions