I've set up an Azure Data Lake Gen2 storage account with SFTP service enabled, allowing public networking only from specific whitelisted IPs. We have also created a private endpoint for our virtual machines and resources within our private network. The vendor gave us an IP address which we whitelisted, but their SFTP connection attempts are failing. Our logs show that the attempted connections are coming from a private RFC 1918 IP, which is completely different from any of the address spaces we use. I find it confusing because the actual connecting IP is from their infrastructure in Azure, and there are no direct connections, peering, or VPNs between our networks. Can someone help me understand why this is happening?
4 Answers
Don't forget about service endpoints! They could be influencing how the connection is being routed.
Try running a traceroute back to their IP. It might help you see if there's an issue with the route tables along the path to the connection.
Could the problem be related to a route table? Maybe they're using a private network interface from their VM, which is messing things up.
It looks like the vendor is trying to connect from a virtual network that’s in the same Azure region as your storage account, and they probably have a service endpoint for storage enabled. Azure does some strange things sometimes, which can lead to this kind of issue.
Interesting point! Now that you mention it, I remember running into something similar in our own subscription. Are there other quirks like this that I should keep an eye on?

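The diagnosis in the answer above can be checked directly against the storage account's own logs. What follows is an added triage script, not code from the original thread or from any vendor: it reads records shaped like Azure Storage resource-log entries (the real schema carries `callerIpAddress` as `ip:port`, or `[ip]:port` for IPv6), and sorts each caller into "our own VNet" (private endpoint), "foreign private" (the same-region service-endpoint case described above, which a public-IP rule can never match), or public allow-listed / not allow-listed. The sample records, the `OWN_VNET_RANGES` and the `ALLOWED_PUBLIC` entries are all constructed assumptions; substitute your own address spaces and the vendor-supplied public IP.

```python
import ipaddress
import json

# Constructed sample records shaped like Azure Storage resource-log entries.
# Not real vendor data; only the "ip:port" form of callerIpAddress matters here.
SAMPLE_LOG_LINES = [
    json.dumps({"time": "2024-05-01T10:00:01Z", "operationName": "SftpConnect",
                "statusCode": 403, "callerIpAddress": "10.200.4.17:51144"}),
    json.dumps({"time": "2024-05-01T10:00:05Z", "operationName": "SftpConnect",
                "statusCode": 200, "callerIpAddress": "10.50.1.23:49300"}),
    json.dumps({"time": "2024-05-01T10:00:09Z", "operationName": "SftpConnect",
                "statusCode": 200, "callerIpAddress": "203.0.113.10:40012"}),
    json.dumps({"time": "2024-05-01T10:00:12Z", "operationName": "SftpConnect",
                "statusCode": 403, "callerIpAddress": "198.51.100.7:40013"}),
    json.dumps({"time": "2024-05-01T10:00:15Z", "operationName": "SftpConnect",
                "statusCode": 200, "callerIpAddress": "[2001:db8::10]:40014"}),
]

# Assumed address spaces: replace with your own VNet ranges and the allow-listed public IPs.
OWN_VNET_RANGES = [ipaddress.ip_network("10.50.0.0/16")]
ALLOWED_PUBLIC = [ipaddress.ip_network("203.0.113.10/32"),
                  ipaddress.ip_network("2001:db8::/32")]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def caller_ip(record):
    """Extract the caller address from an 'ip:port' ([ip]:port for IPv6) field."""
    raw = record["callerIpAddress"]
    if raw.startswith("["):
        host = raw[1:raw.index("]")]
    elif raw.count(":") == 1:
        host = raw.split(":")[0]
    else:
        host = raw  # bare address (IPv4, or IPv6 without a port)
    return ipaddress.ip_address(host)


def in_any(ip, networks):
    return any(ip.version == n.version and ip in n for n in networks)


def classify(ip):
    """Map a caller address to the network path that most plausibly produced it."""
    if in_any(ip, RFC1918):
        if in_any(ip, OWN_VNET_RANGES):
            return "private: own VNet (private endpoint)"
        # A private source outside our address spaces is the symptom from the question:
        # a same-region VNet with a Storage service endpoint presents its VNet-private
        # address to the storage service, so a public-IP allow-list never matches it.
        return "private: foreign VNet (service endpoint; public IP rule cannot match)"
    if in_any(ip, ALLOWED_PUBLIC):
        return "public: allow-listed"
    return "public: not allow-listed"


def triage(lines):
    """Return (ip, statusCode, verdict) for each JSON log line."""
    out = []
    for line in lines:
        rec = json.loads(line)
        ip = caller_ip(rec)
        out.append((str(ip), rec["statusCode"], classify(ip)))
    return out


def foreign_private_sources(lines):
    """Private callers that are not ours: candidates for a VNet rule rather than an IP rule."""
    return sorted({ip for ip, _, verdict in triage(lines)
                   if verdict.startswith("private: foreign")})


if __name__ == "__main__":
    for ip, status, verdict in triage(SAMPLE_LOG_LINES):
        print(f"{ip:<20} {status}  {verdict}")
    print("foreign private sources:", foreign_private_sources(SAMPLE_LOG_LINES))
```

If the script reports foreign private sources, adding the vendor's public IP to the account's IP rules will not help, because the storage service never sees that address: service-endpoint traffic is admitted by the account's virtual network rules (keyed on the subnet), or the vendor has to reach the account by a path that does not use a Storage service endpoint so that its public egress address is what arrives.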
Absolutely, I've experienced a similar issue before. I wasn't able to change anything on the vendor's side, so I had to redeploy the storage account to a different region. Just remember, you can't use the paired region either.