The following table provides a comprehensive list of error messages associated with AZURE_BLOB 32884 and AZURE_FILES 36983, including their underlying causes and the recommended resolutions.
Error Message | Cause of this issue | Resolution/Workaround |
“VNet not found” | This error can occur if the specified VNet entity could not be found in the topology. | To resolve this error: check if the Sync was triggered for the subscription and is SUCCESSFUL; check if the VNet is deleted. |
"VNet is in different subscription (%s) than storage account (%s)." | This error can occur if the VNet is in a different subscription than the storage account (cross-subscription VNets). | Select a VNet configured in the same Azure subscription as your storage account. |
"VNet is in different region (%s) than storage account (%s)." | This error can occur if the VNet is in a different region than the storage account. | Select a VNet configured in the same region as your storage account. |
"Subnet name %s is reserved" | This error can occur if the selected subnet name is a reserved Azure subnet name (e.g., GatewaySubnet, AzureFirewallSubnet). |
"Microsoft.Storage service endpoint provisioning state is %s." | This error can occur if the provisioning state of the Microsoft.Storage service endpoint on the subnet is not "Succeeded." |
"Subnet has only %d available IPs. Use a larger subnet for better capacity." | This error can occur if the subnet has fewer IPs than MinAvailableIPsWarningThreshold (e.g., 10) | To resolve this error, use a subnet with higher capacity. |
"Selected VNet/subnet not found in storage account firewall rules." | This error can occur if the selected VNet/subnet is not present in the storage account's firewall rules. | To resolve this error, select the VNets which are allowed in the storage accounts. |
"Private endpoint connection state is %s. Approve the private endpoint connection in Azure portal." | This error can occur if the private endpoint connection state is not "Approved". |
“Cross-region private endpoint detected.” | This error can occur if the private endpoint's VNet is in a different region than the storage account (cross-region PE). |
"Private subnet. Attach a NAT Gateway for outbound connectivity." | This error can occur if the subnet is identified as a private subnet, and a NAT Gateway is not verified to be attached (warning for PE approach). |
"Private endpoint target sub-resource is '%s' but workload type is '%s'." | This error can occur if the private endpoint's target sub-resource does not match the expected sub-resource for the given workload type. | To resolve this error, select the correct private endpoint. |
Outbound traffic blocked by NSG. OUTBOUND CONNECTIVITY | This error can occur if the NSG has a security rule that explicitly denies outbound traffic to the "Internet" destination address prefix. | To resolve this error, reduce the priority of this rule and open port 443. |
Outbound traffic blocked by NSG. OUTBOUND CONNECTIVITY | This error can occur if the NSG has a security rule that denies all outbound traffic (* protocol, * port, * destination). | To resolve this error, add an exception to this rule by allowing port 443 traffic. |
Outbound traffic blocked by NSG. | This error can occur if the NSG allows outbound port 443 only to a specific Azure service tag (e.g., "Storage") but denies general Internet access. | Only restricted services are allowed to bypass port 443. Ensure that you have allowed all the necessary URLs. Learn More. |
Outbound traffic blocked by NSG. | This error can occur if the NSG has a security rule that explicitly denies outbound TCP/443 traffic to the Internet or a wildcard destination. | To resolve this error, allow outbound access from Port 443. |
Azure Firewall '%s' detected in VNet. | This error can occur if an Azure Firewall is detected in the VNet, and its policy blocks outbound port 443. | To resolve this error, remove port 443 from the block list of the firewall attached to the VNet. |
Hub firewall is blocking traffic. | This error can occur if a hub-spoke topology is detected, and the Azure Firewall in the hub VNet blocks outbound port 443. | To resolve this error, enable Port 443 in the Azure firewall. |
Private subnet without NAT Gateway. | This error can occur if the subnet is a private subnet and does not have a NAT Gateway attached, preventing outbound internet access. | To resolve this error, attach NAT Gateway to enable communication with Druva services. |
Subnet delegated to incompatible service. | This error can occur if the subnet is delegated to an incompatible service, preventing deployment of Druva Quantum Bridge VMs. | To resolve this error, select a different subnet. |
"NSG on subnet has outbound Deny rule (priority) blocking port 443. Druva Quantum Bridge VMs require outbound HTTPS (port 443). Add an Allow rule for port 443/TCP with higher priority. | This error can occur if outbound access from Port 443 is denied. | To resolve this error, remove Port 443 from the outbound deny rule. |
Network configuration issues caused by outbound connectivity issues in Azure
In the following scenarios, Enterprise Workloads cannot reliably validate outbound connectivity during configuration. In these cases:
Configuration may proceed with a WARNING, or
Configuration may complete without detection, but connectivity validation fails, or
Configuration may be blocked (FAIL)
Use this section to identify and resolve the issue based on your network setup.
Before you begin
Ensure the following:
Outbound HTTPS (TCP 443) access is allowed to required Druva endpoints
If TLS/SSL inspection is enabled, *.druva.com is excluded or trusted
Scenario 1 — Third-Party NVA Forced Tunneling
Applies when
Subnet routes 0.0.0.0/0 to a Network Virtual Appliance (NVA)
Detection
Detected — WARNING emitted
Resolution
On the NVA policy engine:
Allow outbound HTTPS (TCP 443) to required endpoints
If TLS/SSL inspection is enabled:
Add *.druva.com to bypass list
OR install Druva certificate chain in trusted CA store
Verification
curl -v https://api.druva.com --max-time 10
Expected: HTTP 200 or 401
Scenario 2 — ExpressRoute / VPN Gateway Forced Tunneling
Applies when
Subnet routes 0.0.0.0/0 to on-premises via VPN Gateway or ExpressRoute
Detection
Detected — WARNING emitted
Resolution
Option 1: Update on-prem firewall
Allow outbound HTTPS (TCP 443)
Source: Azure subnet IP range
Add *.druva.com to TLS bypass list (if applicable)
Option 2: Split tunneling
Add UDR for Druva IP ranges
Next hop: Internet
Verification
Test-NetConnection api.druva.com -Port 443
Expected: TcpTestSucceeded: True
Scenario 3 — Azure Virtual WAN Secured Virtual Hub
Applies when
Spoke VNet connected to Virtual WAN hub with Azure Firewall
Detection
Detected — WARNING emitted
Resolution
Navigate to:
Azure Firewall Manager → Secured Virtual Hub → Firewall Policy
Create Application Rule:
Protocol: HTTPS (443)
Source: Spoke subnet
Target: required endpoints
Action: Allow
Priority: higher than deny rules
If forced tunneling to on-prem exists:
Complete Scenario 2
Verification
Use curl or Test-NetConnection
Scenario 4 — Custom DNS Server
Applies when
VNet uses custom DNS servers
Detection
NOT detected
Resolution
Configure DNS forwarder:
Windows DNS
Add forwarder:
168.63.129.16
BIND
forwarders { 168.63.129.16; };
forward only;
Azure DNS Private Resolver
Forward druva.com → 168.63.129.16
Ensure NSG allows TCP/UDP 53 to 168.63.129.16
Alternative
Switch VNet DNS to Azure-provided
Verification
nslookup api.druva.com <dns-server-ip>
Expected: Public IP returned
Scenario 5 — Azure Virtual Network Manager (AVNM)
Applies when
Security Admin Rules are configured
Detection
NOT detected
Resolution
Identify Network Manager configuration
Review Security Admin Rules
Choose one:
Add rule with AlwaysAllow for required traffic
Remove VNet from deny rule scope
Add exception for subnet
Verification
curl -v --max-time 10 https://api.druva.com
Expected: HTTP 401
Scenario 6 — UDR with Next Hop "None"
Applies when
Route exists with NextHopType: None
Detection
WARNING emitted (partially detected)
Resolution
Remove or update route
Options:
Attach NAT Gateway
Route via NVA or Azure Firewall
Add specific route for required endpoints → Internet
Verification
curl -v --max-time 10 https://api.druva.com
Scenario 7 — Private DNS Zone for druva.com
Applies when
Private DNS zone druva.com is linked to VNet
Detection
NOT detected
Resolution
Check zones:
Get-AzPrivateDnsZone | Where-Object { $_.Name -match "druva" }
Fix:
Remove incorrect VNet link
OR delete incorrect DNS records
Verification
nslookup api.druva.com
Expected: Public IP (not private range)
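The nslookup checks in Scenario 4 and Scenario 7 both come down to reading the answer section correctly. The following is an added example, not part of the original page or any Druva tooling: it parses nslookup output, ignores the resolver's own Server/Address header, and flags answers in private ranges. The sample outputs and the addresses 10.0.0.4, 10.1.2.3 and 203.0.113.10 are constructed.

```python
# Added example: classify `nslookup api.druva.com` output (constructed samples below).
import ipaddress
import re

# RFC 1918, loopback and link-local: none of these can be a public endpoint.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def answers(output):
    """IPv4 answers only. Lines before the first 'Name:' are the resolver's own
    Server/Address header and must not be mistaken for the answer."""
    seen_name, found = False, []
    for line in output.splitlines():
        if line.strip().lower().startswith("name:"):
            seen_name = True
        elif seen_name:
            found += [ipaddress.ip_address(a) for a in IPV4.findall(line)]
    return found

def dns_verdict(output):
    ips = answers(output)
    if not ips:
        return "FAIL: no answer; check the forwarder to 168.63.129.16 and port 53"
    bad = [str(ip) for ip in ips if any(ip in net for net in NON_PUBLIC)]
    if bad:
        return "FAIL: private answer " + ", ".join(bad) + "; check Private DNS zone links"
    return "OK: public answer " + ", ".join(str(ip) for ip in ips)

# Constructed: custom DNS server 10.0.0.4 forwards correctly (resolver private, answer public).
CUSTOM_DNS_OK = """Server:\t\t10.0.0.4
Address:\t10.0.0.4#53

Non-authoritative answer:
Name:\tapi.druva.com
Address: 203.0.113.10
"""
# Constructed: a linked private zone for druva.com answers with a VNet address (Scenario 7).
PRIVATE_ZONE = """Server:  UnKnown
Address:  168.63.129.16

Name:    api.druva.com
Address:  10.1.2.3
"""
```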
Scenario 8 — Cross-Subscription Hub-Spoke Topology
Applies when
Spoke and hub VNets are in different subscriptions
Detection
FAIL (configuration blocked)
Resolution
Choose one:
Use subnet with NAT Gateway for direct internet access
Deploy in hub subscription
Add UDR for required endpoints → Internet
Contact Druva support
Scenario 9 — Azure Firewall TLS Inspection
Applies when
TLS Inspection is enabled on Azure Firewall Premium
Detection
NOT detected
Resolution
Add *.druva.com to TLS inspection bypass list
Add *.amazonaws.com if required
Alternative
Use Network Rule (bypasses TLS inspection)
Verification
curl -v --max-time 10 https://api.druva.com
Expected: Certificate issuer is not firewall CA
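A 200 or 401 alone does not show that TLS inspection is off, because an inspecting firewall whose CA the client trusts still returns the expected status. The following is an added example, not part of the original page: it reads the issuer line and the HTTP status from `curl -v` output together. It assumes curl's OpenSSL-style verbose format and that you supply name fragments of your own inspection CA; the sample outputs and CA names are constructed.

```python
# Added example: interpret `curl -v https://api.druva.com` output (constructed samples below).
import re

def check_curl(output, inspection_ca_markers):
    """inspection_ca_markers: substrings of your firewall/NVA inspection CA name
    (assumption: you know what that CA is called in your environment)."""
    issuer = status = None
    for line in output.splitlines():
        m = re.match(r"\*\s+issuer:\s*(.+)", line)
        if m:
            issuer = m.group(1).strip()
        m = re.match(r"<\s+HTTP/[\d.]+\s+(\d{3})", line)
        if m:
            status = int(m.group(1))
    if "SSL certificate problem" in output:
        return "FAIL: certificate chain not trusted by this client"
    if issuer and any(k.lower() in issuer.lower() for k in inspection_ca_markers):
        return f"FAIL: TLS is being inspected (issuer: {issuer})"
    if status is None:
        return "FAIL: no HTTP response (blocked, dropped or timed out)"
    if status in (200, 401):
        return f"OK: HTTP {status}"
    return f"FAIL: unexpected HTTP {status}"

# Constructed: direct connection, certificate from a public CA.
DIRECT = """* Server certificate:
*  subject: CN=api.druva.com
*  issuer: C=US; O=Example Public Trust; CN=Example TLS CA 1
*  SSL certificate verify ok.
> GET / HTTP/1.1
< HTTP/1.1 401 Unauthorized
"""
# Constructed: same status, but the certificate was re-signed by the firewall.
INSPECTED = """* Server certificate:
*  subject: CN=api.druva.com
*  issuer: O=Contoso; CN=Contoso Firewall Inspection CA
*  SSL certificate verify ok.
> GET / HTTP/1.1
< HTTP/1.1 401 Unauthorized
"""
```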
Scenario 10 — Azure Firewall Premium Features
Applies when
IDPS, Threat Intelligence, or Web Categories are enabled
Detection
NOT detected
Resolution
IDPS
Add exclusion for required traffic
OR switch to Alert mode
Threat Intelligence
Allowlist required domains
Web Categories
Ensure category is not blocked
Add explicit allow rule
Scenario 11 — NIC-Level NSG Blocking
Applies when
NSG attached to VM NIC blocks outbound traffic
Detection
NOT detected
Resolution
Check NIC:
$nic = Get-AzNetworkInterface -Name "quantum-bridge-nic" -ResourceGroupName "druva-rg"
$nic.NetworkSecurityGroup
Ensure:
Outbound TCP 443 is allowed
If applied via policy:
Add exemption
OR update NSG rules
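The "Outbound traffic blocked by NSG" rows in the error table and this NIC-level scenario both depend on how Azure orders NSG rules: within one NSG the lowest priority number is evaluated first, and outbound traffic must pass the NIC NSG and then the subnet NSG. The following is an added example, not part of the original page or Druva's validation logic: a simplified model that reports which rule decides TCP/443 to the Internet. The rule names and rule sets are constructed.

```python
# Added example: simplified model of Azure NSG outbound evaluation for TCP/443.
# Rule data is constructed; real NSGs match address prefixes, not only tags.
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    priority: int   # custom rules use 100-4096; the LOWEST number is evaluated first
    access: str     # "Allow" or "Deny"
    protocol: str   # "Tcp", "Udp" or "*"
    dest: str       # "Internet", a service tag such as "Storage", or "*"
    ports: str      # "*", a single port, or a range such as "1-1024"

# Built-in outbound defaults present in every NSG (VNet-local default omitted).
DEFAULTS = [Rule("AllowInternetOutBound", 65001, "Allow", "*", "Internet", "*"),
            Rule("DenyAllOutBound", 65500, "Deny", "*", "*", "*")]

def port_matches(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def first_match(rules, protocol="Tcp", dest="Internet", port=443):
    """Return the first rule, in priority order, that matches the flow."""
    for r in sorted(rules + DEFAULTS, key=lambda r: r.priority):
        if (r.protocol in ("*", protocol) and r.dest in ("*", dest)
                and port_matches(r.ports, port)):
            return r

def outbound_443(nic_nsg, subnet_nsg):
    """Check the NIC NSG, then the subnet NSG. Pass None where no NSG is attached."""
    for level, rules in (("NIC", nic_nsg), ("subnet", subnet_nsg)):
        if rules is None:
            continue
        hit = first_match(rules)
        if hit.access == "Deny":
            return f"BLOCKED at {level} NSG by {hit.name} (priority {hit.priority})"
    return "ALLOWED"

# Constructed rule sets mirroring rows of the error table
DENY_FIRST = [Rule("DenyInternet", 200, "Deny", "*", "Internet", "*"),
              Rule("AllowHttps", 300, "Allow", "Tcp", "Internet", "443")]
ALLOW_FIRST = [Rule("AllowHttps", 150, "Allow", "Tcp", "Internet", "443"),
               Rule("DenyInternet", 200, "Deny", "*", "Internet", "*")]
STORAGE_ONLY = [Rule("AllowStorage", 100, "Allow", "Tcp", "Storage", "443"),
                Rule("DenyInternet", 200, "Deny", "*", "Internet", "*")]
```

`outbound_443(DENY_FIRST, ALLOW_FIRST)` reports the block at the NIC level even though the subnet NSG is correct, which is the case the configuration check does not detect.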