VPN Gateway Packet Capture With Private Endpoint Storage Account

1. Layout

A resource group was created with the following:

2. Outline

I was able to successfully demonstrate a VPN Gateway Packet Capture with a storage account that has public access disabled only allowing connectivity through a private endpoint. I provisioned the bare minimum resources in order to achieve an example. Depending on the Azure Policies and governance in place you’ll want to make sure that the storage account allows for the generation for shared access keys. One important piece to note is that the VPN Gateway Packet Capture requires a Shared Access Token on a specific container, and not the storage account’s Shared Access Signature.

In my case, I created a Virtual Network Gateway, with a simple Point to Site VPN. I connected to my Virtual Network using the Azure VPN Client. Here are the steps I took:

Here I successfully demonstrated that a VPN Gateway Packet Capture can be done with private connectivity. The only caveat is that a Shared Access Token must be created. Microsoft’s official recommendation is to use Managed Identities instead of Shared Key authorization. However, there is no way to use a managed identity to generate a VPN Gateway Packet Capture at the time of this writing.

Architecture

Storage account public network access disabled

Allow storage account key access

Generate shared access token

Start stop packet capture

CLI showing packet capture

Code will be coming soon!