
Access cross tenant Storage Account (firewall protected) from Az Synapse (dedicated SQL pool) in a different tenant

I have an Az Synapse (dedicated SQL pool) configured with managed VNet in tenant A and a storage account in tenant B. The storage account is firewall protected and only certain VNets and IPs can access it. I want to create external tables from the Az Synapse and hence access the storage account residing in the other tenant.

I have created a private endpoint on the storage account using Az synapse and the necessary IAM roles are in place. The external table is created and I can retrieve the data when the firewall on storage account is lifted.

However, when the storage account firewall is enabled, I get the following error:

Msg 105019, Level 16, State 1, Line 1
External file access failed due to internal error: 'Error occurred while accessing HDFS: Java exception raised on call to HdfsBridge_IsDirExist. Java exception message:
HdfsBridge::isDirExist - Unexpected error encountered checking whether directory exists or not: AbfsRestOperationException: Operation failed: "This request is not authorized to perform this operation.", 403, HEAD, https://miciteuddxdevsadtl001.dfs.core.windows.net/ddxdatabrickstest/?upn=false&action=getAccessControl&timeout=90'

Please help

You can retrieve the data when the firewall on the storage account is disabled. This shows there is an issue with the role assignment.

You need to make sure the Storage Blob Data Contributor role is assigned to the service principal.


Also make sure you whitelist IP address.


Reference - https://docs.microsoft.com/en-us/answers/questions/648148/spark-pool-notebook-error.html

Configuration of rules that grant access to subnets in virtual networks that are a part of a different Azure Active Directory tenant are currently only supported through PowerShell, CLI and REST APIs. Such rules cannot be configured through the Azure portal, though they may be viewed in the portal.*

* Configure Azure Storage firewalls and virtual networks

You mention your firewall is configured to allow only certain VNets & IPs. You might need to elaborate for us on what your rules are specifically, but the documentation is very clear on how this is configured when accessing the storage account from another tenant.

AZ CLI:

# $subnetId must be the full ARM resource ID of the subnet in the other tenant
# (/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>/subnets/<subnet>)
az storage account network-rule add -g myRg --account-name mystorageaccount --subnet $subnetId

Az Powershell:

# Same rule via Az PowerShell; $subnetId is the full subnet resource ID, as above
Add-AzStorageAccountNetworkRule -ResourceGroupName "myRg" -Name "mystorageaccount" -VirtualNetworkResourceId $subnetId

And this might be stating the obvious, but any IP range in the IP address whitelist only applies to the public endpoints of the storage account. Keep that in mind if you're trying to whitelist resources across tenants or on-premises.
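The cross-tenant rule the answer above describes, carried through end to end as an added example (not code from the original answer): enable the Microsoft.Storage service endpoint on the subnet in tenant A, add the virtual-network rule on the storage account in tenant B using the subnet's full resource ID, then verify that the rule is listed and that the default action still denies everything else. All tenant IDs, subscription IDs and resource names are placeholders. Note that this documented path applies to a customer-owned VNet; a Synapse managed VNet's subnets are not visible in your subscription, so they cannot be referenced this way.

```shell
#!/usr/bin/env bash
# Added example: grant a subnet in tenant A access to a firewall-protected
# storage account in tenant B. Every ID and name below is a placeholder.
set -eu

TENANT_A="<tenant-A-id>"            # tenant that owns the VNet/subnet
SUB_A="<subscription-in-tenant-A>"
TENANT_B="<tenant-B-id>"            # tenant that owns the storage account
SUB_B="<subscription-in-tenant-B>"
STORAGE_RG="myRg"
STORAGE_ACCOUNT="mystorageaccount"
VNET_RG="vnetRg"
VNET_NAME="myVnet"
SUBNET_NAME="mySubnet"

# Build the full ARM resource ID of a subnet. A cross-tenant rule must use this
# form, because a bare subnet name cannot be resolved from tenant B.
subnet_resource_id() {
  sub="$1"; rg="$2"; vnet="$3"; subnet="$4"
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/virtualNetworks/%s/subnets/%s' \
    "$sub" "$rg" "$vnet" "$subnet"
}

grant_cross_tenant_access() {
  subnet_id="$(subnet_resource_id "$SUB_A" "$VNET_RG" "$VNET_NAME" "$SUBNET_NAME")"

  # 1) Tenant A: the subnet needs the Microsoft.Storage service endpoint, otherwise
  #    its traffic does not reach the storage firewall with a VNet identity.
  az login --tenant "$TENANT_A" --allow-no-subscriptions >/dev/null
  az account set --subscription "$SUB_A"
  az network vnet subnet update -g "$VNET_RG" --vnet-name "$VNET_NAME" -n "$SUBNET_NAME" \
    --service-endpoints Microsoft.Storage >/dev/null

  # 2) Tenant B: add the rule by resource ID (the portal cannot do this cross-tenant).
  az login --tenant "$TENANT_B" >/dev/null
  az account set --subscription "$SUB_B"
  az storage account network-rule add -g "$STORAGE_RG" --account-name "$STORAGE_ACCOUNT" \
    --subnet "$subnet_id" >/dev/null

  # 3) Verify: the rule should be listed as Succeeded and the default action
  #    should remain Deny so that only listed networks and IPs get through.
  az storage account network-rule list -g "$STORAGE_RG" --account-name "$STORAGE_ACCOUNT" \
    --query "virtualNetworkRules[?virtualNetworkResourceId=='$subnet_id'].state" -o tsv
  az storage account show -g "$STORAGE_RG" -n "$STORAGE_ACCOUNT" \
    --query networkRuleSet.defaultAction -o tsv
}

# Only talk to Azure when explicitly asked: ./grant.sh apply
if [ "${1:-}" = "apply" ]; then
  grant_cross_tenant_access
fi
```

The verification step matters: if `defaultAction` reports `Allow`, the firewall is effectively off and the rule is doing nothing, which is the state in which the external table in the question happened to work.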
