Cannot Add VNet/Subnet to Azure Storage Firewall for SAS Viya (AKS) – AuthorizationFail

kollajagadeesh — Fri, 09 May 2025 14:14:37 GMT

Hello SAS Community,

I have deployed SAS Viya 4 on Azure Kubernetes Service (AKS) using the Microsoft Marketplace managed application, and I’ve run into some issues with networking and diagnostics while i try to mount the azure storage into SAS viya . I would appreciate any guidance or insight from those who’ve dealt with similar setups.

❗ Issue 1: VNet/Subnet Addition to Storage Account Fails

I'm trying to allow private access to the storage account by adding the sas-viya-btsm-vnet and its subnet under:

Azure Portal → Storage Account → Networking → Firewalls and Virtual Networks

But I encounter an error with this message:

Failed to enable service endpoints for 1 out of 1 virtual network(s). The client '*************' with object id '9a83f34e-04fb-44ff-9bb1-15f69a6d2532' has permission to perform action 'Microsoft.Network/virtualNetworks/write' on scope '/subscriptions/b13401f4-1d8f-4ae1-ab8a-9ddd1bed0b92/resourceGroups/mrg-sas-viya-on-azure-20250428101250/providers/Microsoft.Network/virtualNetworks/sas-viya-btsm-vnet'; however, it does not have permission to perform action 'Microsoft.Network/networkSecurityGroups/join/action' on the '0' linked scope(s) '' or the linked scope(s) are invalid and is blocked by deny assignments on the '1' linked scope(s) '/subscriptions/b13401f4-1d8f-4ae1-ab8a-9ddd1bed0b92/resourceGroups/mrg-sas-viya-on-azure-20250428101250/providers/Microsoft.Network/networkSecurityGroups/sas-viya-btsm-nsg'.

I suspect this is due to RBAC or deny assignments placed by the managed application.

🧪 What I've Tried:

Confirmed that the AKS cluster is deployed into a private VNet using Azure CNI.
Verified NSG and Azure Firewall rules.
Checked IAM roles assigned to my user and managed identities.
Ran the get_k8s_info.sh script (output available).
Tried using the Azure CLI and Run Command feature (note: Run Command does not support --watch or real-time monitoring).

📦 Environment Details:

SAS Viya Version: Stable 2025.03
Deployment Type: Azure Marketplace – SAS Viya Managed App
Cluster Type: Private AKS cluster with restricted egress
Storage Account Access: Using Private Endpoint, attempting to allow trusted subnet
RBAC: Likely controlled by managed app,

🧾 What I Need Help With:

How can I grant the correct permissions to allow subnet access to the Storage Account without violating the managed application’s security model?
Is there a Microsoft-approved workaround for private traffic access in a SAS Viya managed app?
If anyone successfully added the VNet to the storage account, could you share how you elevated permissions (via Azure RBAC, custom role, etc.)?

Any help or experience shared would be greatly appreciated. Thank you!

– Jagadeesh Kolla

Re: Cannot Add VNet/Subnet to Azure Storage Firewall for SAS Viya (AKS) – AuthorizationFail

cj_blake — Fri, 16 May 2025 18:32:34 GMT

@kollajagadeesh you're right, the current set of allowed actions do not include Microsoft.Network/networkSecurityGroups/join/action which is required to do what you're looking to do.

I am going to check with a couple of colleagues what we think the best course of action should be.

topic Cannot Add VNet/Subnet to Azure Storage Firewall for SAS Viya (AKS) – AuthorizationFail in SAS Viya on Microsoft Azure

Cannot Add VNet/Subnet to Azure Storage Firewall for SAS Viya (AKS) – AuthorizationFail

Re: Cannot Add VNet/Subnet to Azure Storage Firewall for SAS Viya (AKS) – AuthorizationFail