Azure Storage Account access logs CallerIpAddress is showing Private IP Address

Hello @Apurva Pathak,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

Thank you for your detailed description of the scenario and sharing the log snippets. Here’s some clarity on what’s happening:

When you access Azure Storage from within Azure using private connectivity options such as Service Endpoints or Private Endpoints, the traffic remains inside Azure’s internal network. In this case, Azure Storage logs the source IP as the private IP address of your VM or firewall, not the public IP. This is expected behavior because the connection never goes out over the public internet.

As a result, if you have configured your Storage account to allow access only from specific public IP addresses, it won't align with which IP is actually logged or used for access control when private connectivity is involved.

If you want Azure Storage to recognize and log your public IP for access control, you need to:

• Avoid using private connectivity options like Service Endpoints or Private Endpoints.
• Ensure your VM or firewall egresses traffic directly to the internet using its dedicated public IP.
• Whitelist this public IP in the Storage account’s firewall and virtual network settings.

Once set up this way, Azure Storage will log the public IP and enforce access based on IP allow-listing correctly.

Alternatively, if you want to keep using private connectivity for better security, here’s what to know:

• Access control happens using virtual network and subnet rules instead of public IP allow-listing.
• Azure Storage will always log the internal private IP of your VM or firewall.
• You must configure the Storage account firewall to allow the virtual network or subnet that your VM/firewall belongs to.

To verify whether you are hitting a private endpoint, you can run the command:

nslookup <yourstorageaccount>.blob.core.windows.net

If it resolves to a domain like privatelink.blob.core.windows.net, then you are using a private endpoint and the private IP logging is normal.

This behavior is by design and not a bug, as it improves security by isolating traffic inside Azure’s network when private connectivity is enabled.

Azure Storage Private Endpoints https://learn.microsoft.com/en-us/azure/storage/common/storage-private-endpoints

Troubleshoot Azure Private Endpoint DNS issues https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns

Configure network rules for Azure Storage https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security-guide

Kindly let us know if the above helps or you need further assistance on this issue.

I’ve seen this before, and nothing is wrong with your logs. Azure shows the private IP because your VM is not actually reaching the storage account through the public internet. It is staying on the Azure backbone, so the storage account only sees the private source IP and blocks it.

To fix it, the traffic must really go out through a device that performs public SNAT. In other words, force the VM’s traffic through a firewall or NAT gateway that uses a true public IP, and make sure that device is actually translating the source address.

Once the traffic leaves the VNet with the real public IP, the storage account will see it correctly and your allow list will work.

Hi @Adam Zachary ,

The traffic is flowing through a Standard Public LB via Outbound rule, and this is one of the recommended ways of MS to achieve outbound connectivity. Also, the destination is in different Azure tenant, and it resolves with a Public IP.

Pre server of the same environments works perfectly fine, issue is only with the Prod box.

Any further suggestions on this would be very helpful.

The traffic is flowing through a Standard Public LB via Outbound rule, and this is one of the recommended ways of MS to achieve outbound connectivity. Also, the destination is in different Azure tenant, and it resolves with a Public IP.

Pre server of the same environments works perfectly fine, issue is only with the Prod box.

Any further suggestions on this would be very helpful.

Hello @Apurva Pathak,

Thanks for sharing the detailed steps. The issue you’re seeing happens because when Azure Storage traffic goes over Azure’s private backbone (using Service or Private Endpoints, or when outbound SNAT to a public IP doesn’t occur), Storage logs the VM’s or firewall’s private IP. This causes public IP allow-listing to fail, resulting in the 403 error.

To fix this and have Azure Storage recognize your public IP for allow-listing, please:

1. Ensure outbound traffic from your VM/firewall is NATed to your dedicated public IP. Using an Azure NAT Gateway is recommended for consistent egress IPs over Standard Load Balancer rules.
2. Remove any Service Endpoint or Private Endpoint on your subnet directing storage traffic privately so it goes through the public internet.
3. Confirm DNS for your storage endpoint resolves to the public Azure blob service by running:

   nslookup <yourstorageaccount>.blob.core.windows.net

4. Verify your VM’s effective public IP matches the IP allow-listed on your Storage firewall by running:

   curl https://api.ipify.org

If you prefer private connectivity with Private Endpoints, then use VNet and subnet rules for allow-listing instead of public IPs. In that case, Azure Storage will always log the private IP.

I’m happy to help compare your PROD and PRE environment setups such as NAT Gateway vs Standard Load Balancer, DNS, and routing to find why PROD behaves differently.

Helpful references:

Private DNS and Private Endpoint setup: Azure Private Endpoint private DNS zone values | Microsoft Learn

Using Private Endpoints with Storage: Use private endpoints - Azure Storage | Microsoft Learn

Kindly let us know if the above helps or you need further assistance on this issue.