An Azure backup service that provides built-in management at scale.
Hello cobralin-3015, We understand that you are facing access issues when doing a file-level restore over private endpoints, even though you've locked down public access and spun up private endpoints on both the storage account and the vault.
It seems the restore fails because:
- DNS resolution is not correctly mapping the private endpoint IPs to the required private FQDNs.
- Without proper DNS, the extension cannot reach the Backup Vault or storage account over private endpoints.
- Since public access is denied, the fallback path is blocked.
- This is why browsing during file-level restore fails, even though endpoints exist.
The restore failure typically occurs because the storage account is accessible only through private endpoints, but DNS resolution is not correctly directing traffic to the private endpoint.
To resolve this:
- Verify DNS Resolution: Run this command:
  nslookup <storageaccount>.file.core.windows.net
  The result must resolve to the private IP of the storage account private endpoint.
- Configure Private DNS Zone: Ensure the following zone exists:
  privatelink.file.core.windows.net
  Verify:
  - The zone is linked to the correct VNet
  - A record exists: <storageaccount> > private endpoint IP
- Check DNS Configuration: If using custom DNS servers, configure conditional forwarders or manual DNS records so the storage endpoint resolves to the private IP.
- Firewall Rules: Firewall rules do not apply to private endpoint traffic. They only affect public endpoint access, which is disabled in this scenario.
- RBAC Permissions: Ensure the restoring user has Backup Contributor or Backup Operator roles on the Backup Vault.
- Fallback Option: If file browsing still fails, restore the entire file share to an alternate location, mount the share, and manually copy the required files.
Hope this helps, and please feel free to reach out if you have any further questions. Thanks
Reference document:
Recover data from an Azure Backup Server by using Azure Backup - Azure Backup | Microsoft Learn
Create and use private endpoints for Azure Backup - Azure Backup | Microsoft Learn
Troubleshoot Azure Files backup - Azure Backup | Microsoft Learn
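
A check for the DNS verification step in the answer above, as an added example that is not part of the original answer or of Microsoft's tooling: it parses Windows nslookup output and confirms every returned address lies inside the VNet. The account name mystorageacct, the sample outputs, the addresses and the 10.1.0.0/16 range are constructed assumptions.

```python
import ipaddress
import re

# Constructed Windows nslookup output; account name and addresses are made up.
PRIVATE_OK = """Server:  UnKnown
Address:  168.63.129.16

Non-authoritative answer:
Name:    mystorageacct.privatelink.file.core.windows.net
Address:  10.1.0.5
Aliases:  mystorageacct.file.core.windows.net
"""

# Same account resolved without the private DNS zone: the privatelink alias
# still appears in the chain, but the final address is the public endpoint.
PUBLIC_FALLBACK = """Server:  UnKnown
Address:  192.168.0.1

Non-authoritative answer:
Name:    file.stamp.store.core.windows.net
Address:  203.0.113.10
Aliases:  mystorageacct.file.core.windows.net
          mystorageacct.privatelink.file.core.windows.net
"""

NO_ANSWER = "*** UnKnown can't find mystorageacct.file.core.windows.net: Non-existent domain\n"

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def check_resolution(nslookup_output, vnet_cidr):
    """Return (ok, answer_ips, via_privatelink) for one nslookup result."""
    vnet = ipaddress.ip_network(vnet_cidr)
    # Skip the resolver's own Server/Address header; answers start at "Name:".
    _, found, answer = nslookup_output.partition("Name:")
    if not found:
        return False, [], False  # NXDOMAIN or timeout: nothing to trust
    ips = IPV4.findall(answer)
    via_privatelink = ".privatelink.file.core.windows.net" in answer.lower()
    # The alias alone proves nothing; every returned address must be in the VNet.
    ok = bool(ips) and all(ipaddress.ip_address(ip) in vnet for ip in ips)
    return ok, ips, via_privatelink

if __name__ == "__main__":
    for label, out in [("private", PRIVATE_OK), ("public", PUBLIC_FALLBACK), ("none", NO_ANSWER)]:
        print(label, check_resolution(out, "10.1.0.0/16"))
```

The second sample is the case to watch for: the privatelink name shows up in the alias chain, yet the address is public, so with public access disabled the restore client has no usable path.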