kollajagadeesh
Calcite | Level 5

 


Hello SAS Community,

I have deployed SAS Viya 4 on Azure Kubernetes Service (AKS) using the Microsoft Marketplace managed application, and I’ve run into some issues with networking and diagnostics while I try to mount the Azure storage into SAS Viya. I would appreciate any guidance or insight from those who’ve dealt with similar setups.


Issue 1: VNet/Subnet Addition to Storage Account Fails

I'm trying to allow private access to the storage account by adding the sas-viya-btsm-vnet and its subnet under:

Azure Portal → Storage Account → Networking → Firewalls and Virtual Networks

But I encounter an error with this message:

 Failed to enable service endpoints for 1 out of 1 virtual network(s). The client '*************' with object id '9a83f34e-04fb-44ff-9bb1-15f69a6d2532' has permission to perform action 'Microsoft.Network/virtualNetworks/write' on scope '/subscriptions/b13401f4-1d8f-4ae1-ab8a-9ddd1bed0b92/resourceGroups/mrg-sas-viya-on-azure-20250428101250/providers/Microsoft.Network/virtualNetworks/sas-viya-btsm-vnet'; however, it does not have permission to perform action 'Microsoft.Network/networkSecurityGroups/join/action' on the '0' linked scope(s) '' or the linked scope(s) are invalid and is blocked by deny assignments on the '1' linked scope(s) '/subscriptions/b13401f4-1d8f-4ae1-ab8a-9ddd1bed0b92/resourceGroups/mrg-sas-viya-on-azure-20250428101250/providers/Microsoft.Network/networkSecurityGroups/sas-viya-btsm-nsg'.

I suspect this is due to RBAC or deny assignments placed by the managed application.


🧪 What I've Tried:

  • Confirmed that the AKS cluster is deployed into a private VNet using Azure CNI.

  • Verified NSG and Azure Firewall rules.

  • Checked IAM roles assigned to my user and managed identities.

  • Ran the get_k8s_info.sh script (output available).

  • Tried using the Azure CLI and Run Command feature (note: Run Command does not support --watch or real-time monitoring).


📦 Environment Details:

  • SAS Viya Version: Stable 2025.03

  • Deployment Type: Azure Marketplace – SAS Viya Managed App

  • Cluster Type: Private AKS cluster with restricted egress

  • Storage Account Access: Using Private Endpoint, attempting to allow trusted subnet

  • RBAC: Likely controlled by managed app,


🧾 What I Need Help With:

  1. How can I grant the correct permissions to allow subnet access to the Storage Account without violating the managed application’s security model?

  2. Is there a Microsoft-approved workaround for private traffic access in a SAS Viya managed app?

  3. If anyone successfully added the VNet to the storage account, could you share how you elevated permissions (via Azure RBAC, custom role, etc.)?


Any help or experience shared would be greatly appreciated. Thank you!

– Jagadeesh Kolla

1 REPLY
cj_blake
SAS Employee

@kollajagadeesh you're right, the current set of allowed actions does not include Microsoft.Network/networkSecurityGroups/join/action, which is required to do what you're looking to do.

 

I am going to check with a couple of colleagues what we think the best course of action should be.
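
The evaluation behind the error in this thread, as an added example that is not part of either post or of the SAS deployment: a deny assignment blocks any action that matches `actions` unless it also matches `notActions`, and it takes precedence over role assignments. The deny assignment contents (with `notActions` assumed to hold the managed application's allowed actions), the placeholder IDs and the function names are constructed for illustration.

```python
import re

EVERYONE = "00000000-0000-0000-0000-000000000000"  # empty GUID = all principals
RG = "/subscriptions/<sub-id>/resourceGroups/<managed-rg>"  # placeholder scope

# Constructed deny assignment in the shape returned by the
# Microsoft.Authorization/denyAssignments API. The notActions list is an
# assumption for illustration, not the real SAS Viya allowed-actions list.
DENY = {
    "scope": RG,
    "permissions": [{"actions": ["*"],
                     "notActions": ["*/read", "Microsoft.Network/virtualNetworks/write"]}],
    "principals": [{"id": EVERYONE}],
    "excludePrincipals": [{"id": "<publisher-principal-id>"}],
}

def matches(action, patterns):
    """Case-insensitive match where '*' is the only wildcard."""
    return any(re.fullmatch(re.escape(p).replace(r"\*", ".*"), action, re.IGNORECASE)
               for p in patterns)

def is_denied(deny, principal_id, action, resource_id):
    """True if the deny assignment blocks this principal/action/resource."""
    scope, rid = deny["scope"].lower(), resource_id.lower()
    if rid != scope and not rid.startswith(scope + "/"):
        return False                      # resource outside the deny scope
    applies = {p["id"] for p in deny["principals"]}
    excluded = {p["id"] for p in deny["excludePrincipals"]}
    if principal_id in excluded or not applies & {principal_id, EVERYONE}:
        return False                      # principal exempt or not targeted
    return any(matches(action, perm["actions"])
               and not matches(action, perm.get("notActions", []))
               for perm in deny["permissions"])

def blocked_steps(deny, principal_id, steps):
    """Return the (action, resource) pairs of a linked operation that are denied."""
    return [s for s in steps if is_denied(deny, principal_id, *s)]

# The two checks named in the error message: write on the VNet, join on its NSG.
ENDPOINT_STEPS = [
    ("Microsoft.Network/virtualNetworks/write",
     RG + "/providers/Microsoft.Network/virtualNetworks/sas-viya-btsm-vnet"),
    ("Microsoft.Network/networkSecurityGroups/join/action",
     RG + "/providers/Microsoft.Network/networkSecurityGroups/sas-viya-btsm-nsg"),
]

if __name__ == "__main__":
    for action, resource in blocked_steps(DENY, "<customer-user-id>", ENDPOINT_STEPS):
        print("blocked by deny assignment:", action, "on", resource.rsplit("/", 1)[-1])
```

With these constructed values only the NSG join step is reported as blocked, which mirrors the split in the error message between the permitted VNet write and the denied linked scope.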
