Share via

Error using StorageSasUrl parameter in Get-AzVirtualWanVpnConfiguration command

McDonald, Matthew 246 Reputation points
2025-05-19T20:11:55.2966667+00:00

An issue is occurring when attempting to export VPN information from an Azure Virtual WAN using the PowerShell command Get-AzVirtualWanVpnConfiguration. The command is executed with the parameters VirtualWan, StorageSasUrl, and VpnSite.

A storage account has been created with a container named vpnconfig, and a SAS URL for that container was generated. However, the command fails with a signature mismatch error, indicating that it seems to be trying to access the $root rather than the specified container.

ChatGPT suggests that the problem might be due to the URL missing the restype=container&comp=list parameters, which causes the command to default to $root. However, adding those parameters results in a different error about the HTTP verb not being supported, to which ChatGPT indicates is due to comp=list only denoting a list action, so PUTs are not allowed. It then suggests removing what was just added.

The PowerShell commands executed are as follows:

C:\> $storageSasURL =  "https://stewsziatesteus2001.blob.core.windows.net/vpnconfig?sv=2023-08-03&se=2025-05-19T21%3A08%3A56Z&sr=c&sp=racwdl&sig=<redactedForSecurity>"  

C:\> Get-AzVirtualWanVpnConfiguration -VirtualWan $vwan -StorageSasUrl $storageSasUrl -VpnSite $vpnSite

Get-AzVirtualWanVpnConfiguration: Long running operation failed with status 'BadGateway'. 
StatusCode: 502  
ReasonPhrase: Forbidden  
ErrorCode: CannotWriteContentUsingSasUrlRedacted  
ErrorMessage: Error occurred while attempting to write storage data. 
Error: 'Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.  
RequestId:d88b9ab7-801e-0042-30f1-c8327b000000  
Time:2025-05-19T19:11:57.0243285Z  
Status: 403 (Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.)  
ErrorCode: AuthenticationFailed

When restype=container&comp=list was added, the following command was executed:

C:\> $storageSasUrlExtra = $storageSasUrl + "&restype=container&comp=list"
C:\> Get-AzVirtualWanVpnConfiguration -VirtualWan $vwan -StorageSasUrl $storageSasUrlExtra -VpnSite $vpnSite 

Get-AzVirtualWanVpnConfiguration: Long running operation failed with status 'BadGateway'. 
StatusCode: 502 
ReasonPhrase: Forbidden 
ErrorCode: CannotWriteContentUsingSasUrlRedacted 
ErrorMessage: Error occurred while attempting to write storage data. 
Error: 'The resource doesn't support specified Http Verb. 
RequestId:01ba656e-501e-000c-11f4-c81cf3000000 Time:2025-05-19T19:32:05.3644955Z 
Status: 405 (The resource doesn't support specified Http Verb.) 
ErrorCode: UnsupportedHttpVerb

I'm not sure how to proceed to make this vpn export successful.

Azure Virtual WAN
Azure Virtual WAN
An Azure virtual networking service that provides optimized and automated branch-to-branch connectivity.
Accepted answer
  1. Praveen Bandaru 7,160 Reputation points Microsoft External Staff Moderator
    2025-05-19T21:31:32.53+00:00

    Hello McDonald, Matthew
    Greetings!
    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this!

    Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution.

    Please click "Accept" the answer as original posters help the community find answers faster by identifying the correct answer.

    Issue: Error using StorageSasUrl parameter in Get-AzVirtualWanVpnConfiguration command

    Resolution:
    The Get-AzVirtualWanVpnConfiguration seemingly needs the SAS URL to contain the filename to be written, which is not included by default when creating the SAS in the portal nor is it specified in the cmdlet. I guess that makes sense.

    I had to modify the SAS URL to add a "/" after vpnconfig and add a file name before ?sv=.

    It is now $storageSasURL = "https://stewsziatesteus2001.blob.core.windows.net/vpnconfig/vpnexport.config?sv=2023-08-03&se=2025-05-19T21%3A08%3A56Z&sr=c&sp=racwdl&sig=<redactedForSecurity>"

    Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.           

    User's image

    If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Suwarna S Kale 3,951 Reputation points
    2025-05-19T20:44:58.5033333+00:00

    Hello McDonald, Matthew,

    Thank you for posting your question in the Microsoft Q&A forum. 

    The authentication and HTTP verb errors you're encountering with Get-AzVirtualWanVpnConfiguration stem from SAS URL misconfiguration or insufficient permissions for the Azure Virtual WAN service to write to your storage container. The initial 403 AuthenticationFailed error suggests the SAS token lacks write (w) permissions or is improperly formatted, while the subsequent 405 UnsupportedHttpVerb occurs when appending restype=container&comp=list, a combination meant for read-only listing operations. 

    To resolve this, you may try below steps: 

    • Regenerate the SAS token with all necessary permissions (racwdl for read, add, create, write, delete, list) and ensure it’s scoped to the container (not the storage account root). 
    • Verify the SAS URL syntax: The URL should target the container directly (e.g., https://storagename.blob.core.windows.net/vpnconfig?sv=...), with no conflicting query parameters. 
    • Check network restrictions: Ensure the storage account allows access from Azure Virtual WAN’s service IPs (disable firewall temporarily for testing). 
    • Test the SAS URL manually via az storage blob upload to confirm write permissions. 

    If issues persist, use Azure Storage Explorer to generate a compliant SAS token or switch to storage account keys temporarily. For deeper diagnostics, review Storage Account logs in Azure Monitor. 

    If the above answer helped, please do not forget to "Accept Answer" as this may help other community members to refer the info if facing a similar issue. Your contribution to the Microsoft Q&A community is highly appreciated. 

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.