Share via

Network Security Perimeter in Transition mode is blocking some inbound traffic for resource in westus3

Aliya Ismagilova 20 Reputation points Microsoft Employee
2026-04-14T20:01:07.2433333+00:00

When running a pipeline to publish to azure storage account (PaaS) blob within a network security perimeter we get the following error:

ERROR:  The request may be blocked by network rules of storage account. Please check network rule set using 'az storage account show -n accountname --query networkRuleSet'. If you want to change the default action to apply when no rule matches, please use 'az storage account update'.

 

The network security perimeter is in transition mode with inbound ip rules. The same network security perimeter configuration with identical inbound ip rules apply to a different network security perimeter which guards a separate storage account that the same pipeline is able to successfully access with no errors. The only difference between the storage accounts is the succeeding one is in westus2, the failing in westus3.

To mitigate, we switched the NSP for the failing storage to publicnetworkaccess = enabled. Both storage accounts were previously set to SecuredByPerimeter. This worked to upload to westus3, but we recognise this is not a long term secure solution.

 

This should not be happening because this network security perimeter is in learning mode. To mitigate this, we switched the storage account public network access to Enabled (was Secured By Perimeter) but we recognise this is not a long term secure solution.

Both network security perimeters have identical config, transition mode, including the profile which the storage accounts are associated with. all inbound ip rules are identical and both storage accounts are attempted to be accessed by the same pipeline.

The only difference between the storage accounts is that the one for which secured by perimeter is blocking is in west us 3 (the other is in west us 2).

We are unsure whether the problem lies with the network configuration of the storage accounts or the Network Security Perimeter blocking calls in Transition mode.

Azure Private Link
Azure Private Link

An Azure service that provides private connectivity from a virtual network to Azure platform as a service, customer-owned, or Microsoft partner services.

0 comments

Answer accepted by question author

  1. Vallepu Venkateswarlu 8,430 Reputation points Microsoft External Staff Moderator
    2026-04-14T20:19:59.13+00:00

    Hi @Aliya Ismagilova,

    Welcome to Microsoft Q&A Platform.

    As discussed offline, the build pool accessing the storage account is located in the same region. In this scenario, traffic uses service endpoints and does not include a source IP, which is causing the issue.

    Kindly follow the steps below to review the NSP logs

    User's image

    Please check Source IP , if the address or range is not added in NSP Inbound Rule, Please add the same IP or Range and check the result.

    If logs are not enabled, please navigate to NSP → Diagnostic settings, enable the logs, wait for about 10 minutes, and then try accessing the storage account.

    User's image

    Please210246-screenshot-2021-12-10-121802.pngand “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    1 person found this answer helpful.
    0 comments

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Q&A Assist
    2026-04-14T20:01:34.4633333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    In transition mode, Network Security Perimeter (NSP) evaluates NSP rules first and only falls back to the storage account firewall if no NSP rule matches. When a storage account is set to Secured by Perimeter, all public traffic must pass NSP evaluation; the storage account’s own Allowed networks settings are effectively bypassed when the association is in enforced mode and largely subordinated when secured-by-perimeter is used.

    Key points from the platform behavior:

    1. Transition mode behavior
      • Transition mode uses the NSP configuration as the baseline. If no NSP rule matches, evaluation falls back to the resource firewall configuration, which can then approve access with existing settings.
      • However, when a storage account is configured as Secured by Perimeter, traffic is forced through NSP evaluation and public network access is blocked unless allowed by NSP rules.
      • For storage accounts associated with an NSP, the perimeter’s access rules override the account’s own firewall settings as the top‑level gatekeeper. Removing or relaxing the perimeter (for example, switching public network access to Enabled) returns control to the storage account firewall.
    2. Why westus2 works but westus3 fails From the described behavior and the documented precedence rules:
      • Both storage accounts are in transition mode and associated with the same profile and identical inbound IP rules.
      • The westus2 account is accessible, which indicates that:
        • The pipeline’s source IPs are correctly covered by the NSP inbound IP rules and/or
        • The combination of NSP + storage firewall is allowing the traffic.
      • The westus3 account fails when Secured by Perimeter is set, but succeeds when public network access is set to Enabled. This indicates that:
        • The storage account firewall itself is capable of allowing the traffic (as shown when public network access is Enabled), but
        • The NSP evaluation path for the westus3 account is blocking or not matching the traffic when Secured by Perimeter is applied.
      • Because NSP rules override the storage account firewall, any mismatch, missing IP, or region‑specific behavior in NSP will cause the request to be blocked, even in transition mode, when the account is effectively forced to rely on NSP.
    3. Likely cause Based on the documented behavior, the issue is more likely with NSP evaluation for the westus3 storage account than with the storage account’s own network configuration:
      • In transition mode, NSP rules are still evaluated first. If the storage account is Secured by Perimeter, public traffic is evaluated against NSP rules and blocked if not explicitly allowed.
      • The fact that switching to publicnetworkaccess = Enabled immediately resolves the issue indicates that the storage account firewall is correctly configured and that the blocking happens at the NSP layer.
    4. Recommended troubleshooting and mitigation steps
      1. Verify NSP association and access mode on the westus3 account
        • In the Azure portal, open the westus3 storage account → Security + networkingNetworking.
        • Confirm that:
          • The storage account is associated with the expected NSP profile.
          • The association shows Transition mode, not Enforced.
      2. Compare NSP rules actually applied to each storage account
        • In the NSP resource, go to Associated resources and confirm that both storage accounts are associated with the same profile and that the same inbound IP rules are present.
        • Confirm there are no region‑specific or resource‑specific rules that differ between westus2 and westus3.
      3. Enable and review NSP diagnostic logs
        • For the westus3 storage account, configure diagnostic settings:
          • Go to MonitoringDiagnostic settings.
          • Add a diagnostic setting and enable StorageRead and StorageWrite logs.
          • Send logs to a Log Analytics workspace or storage account.
        • Use these logs to see whether access attempts from the pipeline are:
          • Matched and allowed by an NSP rule, or
          • Falling back to the resource firewall, or
          • Explicitly denied by NSP.
        • In transition mode, logs indicate whether each request was allowed by an NSP rule or fell back to the resource firewall, which will pinpoint where the westus3 traffic is being blocked.
      4. Confirm IP coverage and source patterns
        • Ensure the pipeline’s effective outbound IPs (including any NAT, proxy, or regional differences) are included in the NSP inbound IP rules.
        • Even if the rules appear identical, the effective source IPs for westus3 traffic might differ from westus2 due to regional infrastructure or routing.
      5. Use Private Link where possible
        • Private endpoint traffic is considered highly secure and is not subject to NSP rules; inbound Private Link traffic is always accepted regardless of NSP configuration.
        • For long‑term secure access, consider using Private Link from the pipeline’s execution environment to the storage accounts, which bypasses NSP public inbound evaluation.
      6. After validation, re‑secure the account
        • Once NSP rules and IP coverage are validated via logs and tests, switch the westus3 storage account back to Secured by Perimeter and re‑test.
        • If issues persist, keep diagnostic logging enabled and use the NSP logs to identify any remaining rule mismatches.

    In summary, the behavior is consistent with NSP rules taking precedence over the storage account firewall when the account is Secured by Perimeter. The successful behavior when publicnetworkaccess = Enabled shows the storage firewall is correct; the blocking is occurring at the NSP layer for the westus3 account and should be investigated via NSP association, rules, and diagnostic logs.

    References:

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.