Azure Firewall blocking access to Power BI blob storage endpoint despite Network Rule allowing Storage service tag

Ramadhas, Arun Chander 20 Reputation points
2025-09-18T11:45:10.2266667+00:00

We have a Hub-Spoke topology with all VM traffic routed through Azure Firewall.

  • A SHIR VM in the hub subnet must access Power BI Dataflow blob storage (*.blob.core.windows.net).
  • NSG allows outbound Internet.
  • Route table on the VM subnet sends 0.0.0.0/0 → Azure Firewall private IP.
  • AzureFirewallSubnet has the system route 0.0.0.0/0 → Internet.
  • Azure Firewall has a Public IP.
  • Network Rule Collection (priority 205) is configured with Service Tag = Storage, Protocol = TCP, Port = 443, Action = Allow.
  • Application rules are not in use.
  • DNS resolution works — the blob hostname resolves to a Microsoft public IP.

Issue: From the SHIR VM, outbound HTTPS to the blob endpoint times out. Expected behavior is either a 403 Forbidden (no SAS token) or 200 OK, proving connectivity.

Question: Why does Azure Firewall still block/drop this traffic even though:

  • Egress route on AzureFirewallSubnet is Internet,
  • Firewall has a Public IP, and
  • A Network Rule with Storage service tag on TCP/443 is in place?

What additional configuration is required to allow SHIR VM → Power BI blob storage over port 443?

Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.
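Before touching firewall rules, a practitioner would confirm which next hop actually carries the packet, because a firewall rule cannot allow traffic that never reaches the firewall (the thread's eventual resolution was a route, not a rule). The PowerShell below is an added diagnostic example, not part of the question or of Microsoft's answer; it assumes the Az module and a signed-in session (Connect-AzAccount), and the resource group, VM name and storage account FQDN are placeholders for the poster's resources. Steps 1 and 4 are meant to run on the SHIR VM itself.

```powershell
# Added diagnostic example, not from the Q&A thread. Assumes the Az PowerShell module and a
# signed-in session (Connect-AzAccount); names below are placeholders for the poster's resources.
$rg       = "rg-hub"                           # assumed resource group of the SHIR VM
$vmName   = "vm-shir-01"                       # assumed SHIR VM name
$blobFqdn = "contoso.blob.core.windows.net"    # assumed Dataflow storage account

# 1. Resolve the endpoint the way the VM does (run on the SHIR VM).
$blobIp = (Resolve-DnsName -Name $blobFqdn -Type A | Where-Object Type -eq 'A' | Select-Object -First 1).IPAddress
"$blobFqdn resolves to $blobIp"

# 2. Effective routes on the VM NIC. Azure picks the longest matching prefix, so a narrower
#    Storage range pointing at VirtualNetworkGateway wins over 0.0.0.0/0 -> firewall.
$vm  = Get-AzVM -ResourceGroupName $rg -Name $vmName
$nic = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
Get-AzEffectiveRouteTable -ResourceGroupName $nic.ResourceGroupName -NetworkInterfaceName $nic.Name |
    Where-Object { $_.State -eq 'Active' -and $_.NextHopType -ne 'None' } |
    Select-Object Source, NextHopType,
        @{ n = 'Prefix';  e = { $_.AddressPrefix -join ', ' } },
        @{ n = 'NextHop'; e = { $_.NextHopIpAddress -join ', ' } } |
    Format-Table -AutoSize

# 3. Ask Network Watcher which hop actually receives a packet for $blobIp.
$nw  = Get-AzNetworkWatcher -Location $vm.Location
$hop = Get-AzNetworkWatcherNextHop -NetworkWatcher $nw -TargetVirtualMachineId $vm.Id `
           -SourceIPAddress $nic.IpConfigurations[0].PrivateIpAddress -DestinationIPAddress $blobIp
if ($hop.NextHopType -ne 'VirtualAppliance') {
    Write-Warning ("Packets to {0} go to {1} ({2}), not the firewall. Route table: {3}" -f
        $blobIp, $hop.NextHopType, $hop.NextHopIpAddress, $hop.RouteTableId)
}

# 4. From the SHIR VM: any HTTP status (403 without a SAS, 400/404 for the bare account URL)
#    proves the path end to end; only a timeout means the packets never came back.
(Test-NetConnection -ComputerName $blobFqdn -Port 443).TcpTestSucceeded
try   { (Invoke-WebRequest -Uri "https://$blobFqdn/" -Method Head -UseBasicParsing).StatusCode }
catch { if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { $_.Exception.Message } }
```

If step 3 reports VirtualNetworkGateway (or the effective route table shows a Storage prefix with Source = User or VirtualNetworkGateway and a next hop other than the firewall), the firewall rule set is irrelevant to this flow: the packet is leaving through the gateway and the reply path is what times out.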

Answer accepted by question author
  1. Ravi Varma Mudduluru 2,690 Reputation points Microsoft External Staff Moderator
    2025-09-18T20:47:05.6033333+00:00

    Hello @Ramadhas, Arun Chander,

    Thanks for reaching out to Microsoft Q&A.

    I understand you're experiencing an issue with Azure Firewall blocking access to the Power BI blob storage endpoint, even though the Network Rule permits the Storage service tag.

    This behavior is expected, as Azure Firewall processes HTTPS traffic through Application Rules rather than Network Rules. The existing Network Rule with Service Tag = Storage is only applicable to protocols other than HTTP/S. To address this:

    • To enable the SHIR VM to access the Power BI Dataflow Blob Storage endpoint, please create an Application Rule permitting HTTPS traffic to *.blob.core.windows.net.
    • It's recommended to use explicit FQDNs or FQDN tags rather than just service tags.
    • You may also want to set up Azure Private Link for more secure and reliable access.

    This allows HTTPS traffic from the SHIR VM to Azure Blob Storage, ensuring it is permitted and not dropped after the initial hop.

    I noticed in your comment that you mentioned having an application rule.

    Could you please check the destination configuration:

    • Does the Application Rule specifically include *.blob.core.windows.net or other Storage FQDNs?
    • If you’re using a broader Service Tag like Storage, keep in mind that Application Rules only support FQDNs or FQDN tags, not service tags.

    Supporting document:
    https://learn.microsoft.com/en-us/azure/firewall/rule-processing

    Customer has performed the below step to resolve the issue:

    We identified a misroute where all Azure Storage traffic was being forced through the VPN gateway. After removing this route, the traffic is now reaching Microsoft Blob successfully without any issues. Thank you for your support.

    Please validate the above and let us know if you still face the issue, please provide the requested information in private message.

    Please "Accept the Answer" if the information helped you. This will help us and others in the community as well.

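The application rule the answer describes, written with the classic (non-policy) Azure Firewall cmdlets from the Az module. This is an added example, not code from the answer; the firewall name, resource group, SHIR subnet and collection priority are assumed. One caveat a practitioner should keep in mind: Azure Firewall evaluates network rule collections before application rule collections, so an existing network rule allowing TCP/443 to the Storage service tag already permits this flow once the packet reaches the firewall, and the FQDN-scoped application rule is an alternative way to express the allow rather than a prerequisite for HTTPS.

```powershell
# Added example, not from the answer. Classic (non-policy) Azure Firewall cmdlets from the Az module;
# firewall name, resource group, SHIR subnet and collection priority are assumed.
$rg         = "rg-hub"          # assumed
$fwName     = "fw-hub"          # assumed
$shirSubnet = "10.0.1.0/24"     # assumed SHIR subnet; scope the source, do not use "*"

$fw = Get-AzFirewall -Name $fwName -ResourceGroupName $rg

# What the poster already has: network rules are evaluated first, and a Storage/TCP/443 rule
# here already allows the flow if the packet reaches the firewall at all.
$fw.NetworkRuleCollections |
    ForEach-Object {
        $c = $_
        $c.Rules | Select-Object @{ n = 'Collection'; e = { $c.Name } }, Name, Protocols,
            @{ n = 'Destinations'; e = { $_.DestinationAddresses -join ',' } },
            @{ n = 'Ports';        e = { $_.DestinationPorts -join ',' } }
    } | Format-Table -AutoSize

# Application rules match on FQDN (HTTP Host header / TLS SNI), so the destination is an FQDN or
# FQDN tag, never a service tag such as "Storage".
$blobRule = New-AzFirewallApplicationRule -Name "allow-blob-https" `
    -SourceAddress $shirSubnet `
    -TargetFqdn "*.blob.core.windows.net" `
    -Protocol "https:443"

# Assumed priority; lower numbers are evaluated first within the application rule collections.
$appColl = New-AzFirewallApplicationRuleCollection -Name "shir-storage" `
    -Priority 300 -Rule $blobRule -ActionType Allow

$fw.AddApplicationRuleCollection($appColl)
Set-AzFirewall -AzureFirewall $fw | Out-Null
```

Set-AzFirewall is a full update of the firewall object, so run it on a freshly fetched $fw and expect it to take a few minutes to complete. With Firewall Policy instead of classic rules, the equivalent is a rule collection group containing an application rule collection; the FQDN-not-service-tag constraint is the same there.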

Answer recommended by moderator
  1. Ramadhas, Arun Chander 20 Reputation points
    2025-09-24T05:27:03.9866667+00:00

    Hi @RAVI VARMA MUDDULURU

    We identified a misroute where all Azure Storage traffic was being forced through the VPN gateway. After removing this route, the traffic is now reaching Microsoft Blob successfully without any issues. Thank you for your support.

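The fix the author reports (removing the route that forced Storage traffic through the VPN gateway), as an added PowerShell example rather than the author's own commands; the resource group, route table name and resolved blob IP are assumed. Azure selects the longest matching prefix, so a route for a Storage range with next hop VirtualNetworkGateway shadows 0.0.0.0/0 → firewall for exactly those destinations, and the packet never reaches the firewall, which is why no rule change could help.

```powershell
# Added example, not the author's own commands: find the UDR that sends the resolved blob IP to
# the VPN gateway, remove it, and confirm what is left. Resource group, route table name and IP are assumed.
$rg     = "rg-hub"        # assumed
$rtName = "rt-hub-vm"     # assumed route table attached to the SHIR VM subnet
$blobIp = "20.60.1.1"     # assumed: the address Resolve-DnsName returned for the blob endpoint

# Longest-prefix match: does $Cidr cover $Ip? (0.0.0.0/0 covers everything; narrower prefixes win.)
function Test-IpInPrefix {
    param([string]$Ip, [string]$Cidr)
    $net, $len = $Cidr.Split('/')
    $toUInt32 = {
        param([string]$a)
        $b = ([ipaddress]$a).GetAddressBytes()
        [Array]::Reverse($b)               # big-endian wire order -> BitConverter's little-endian
        [BitConverter]::ToUInt32($b, 0)
    }
    # Decimal literal on purpose: 0xFFFFFFFF parses as the Int32 -1 in PowerShell.
    $mask = (4294967295 -shl (32 - [int]$len)) -band 4294967295
    ([long](& $toUInt32 $Ip) -band $mask) -eq ([long](& $toUInt32 $net) -band $mask)
}

$rt = Get-AzRouteTable -ResourceGroupName $rg -Name $rtName
$rt.Routes | Select-Object Name, AddressPrefix, NextHopType, NextHopIpAddress | Format-Table -AutoSize

# Routes to the gateway whose prefix covers the blob IP shadow 0.0.0.0/0 -> firewall for that destination.
$shadowing = @($rt.Routes | Where-Object {
    $_.NextHopType -eq 'VirtualNetworkGateway' -and (Test-IpInPrefix -Ip $blobIp -Cidr $_.AddressPrefix)
})
foreach ($r in $shadowing) {
    "Removing $($r.Name): $($r.AddressPrefix) -> $($r.NextHopType) bypasses the firewall for $blobIp"
    $rt = Remove-AzRouteConfig -RouteTable $rt -Name $r.Name
}
if ($shadowing.Count -gt 0) { Set-AzRouteTable -RouteTable $rt | Out-Null }

# Verify: the most specific remaining route for $blobIp should be 0.0.0.0/0 -> VirtualAppliance.
$rt = Get-AzRouteTable -ResourceGroupName $rg -Name $rtName
$rt.Routes | Where-Object { Test-IpInPrefix -Ip $blobIp -Cidr $_.AddressPrefix } |
    Sort-Object { [int]$_.AddressPrefix.Split('/')[1] } -Descending | Select-Object -First 1
```

If the shadowing route shows up in the effective route table with Source = VirtualNetworkGateway rather than User, it was learned over BGP from the on-premises side and there is no UDR to delete; in that case either stop advertising the Storage prefixes from on-premises or set $rt.DisableBgpRoutePropagation = $true before Set-AzRouteTable, and re-run the next-hop check afterwards.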
