Merge pull request #9836 from normesta/normesta-reg-updates-1

ryanberg-aquent · web-flow · commit 0479156f81a2 · 2025-10-13T05:17:44.000-10:00
AB#7777: Driving visibility into the new 403 errors article
diff --git a/support/azure/azure-storage/blobs/connectivity/storage-use-azcopy-troubleshoot.md b/support/azure/azure-storage/blobs/connectivity/storage-use-azcopy-troubleshoot.md
@@ -2,7 +2,7 @@
 title: Troubleshoot issues in AzCopy (Azure Storage)
 description: Understand how to apply workarounds for common Azure Storage issues that occur in AzCopy version 10.
 ms.service: azure-storage
-ms.date: 05/08/2024
+ms.date: 10/06/2025
 editor: v-jsitser
 ms.reviewer: abail, broder, schoag, dafalkne, shaas, raharina, normesta, azuresamfilesmigcic, azurestocic, v-weizhu, v-leedennis
 ms.custom: sap:Connectivity
@@ -29,6 +29,8 @@ Any other nonzero exit code (such as `OOMKilled`) might be generated by the syst
 
 In some cases, "403" errors can cause a failed transfer. If this issue occurs, other attempts to transfer files are likely to fail until you resolve the issue. "403" errors can be caused by authentication and authorization issues. They can also occur if requests are blocked by the storage account firewall configuration.
 
+This section covers a few common causes for 403 errors. For a comprehensive troubleshooting guide, see [Troubleshoot 403 errors](../authentication/storage-troubleshoot-403-errors.md). 
+
 ### Authentication and authorization issues
 
 "403" errors that prevent data transfer occur because of issues that involve SAS tokens, role-based access control (Azure RBAC) roles, and access control list (ACL) configurations.
@@ -43,6 +45,8 @@ If you use a shared access signature (SAS) token, make sure that the following s
 
 - You generated the token by using an official SDK or tool. Try Storage Explorer if you haven't already.
 
+For a complete checklist of SAS issues that can cause 403 errors, see [SAS tokens](../authentication/storage-troubleshoot-403-errors.md#sas-tokens).
+
 #### Azure RBAC
 
 If you use Azure RBAC roles through the `azcopy login` command, verify that you have the appropriate Azure roles assigned to your identity (for example, the Storage Blob Data Contributor role).
@@ -78,19 +82,21 @@ For more information about this property and its associated configuration settin
 
 #### Transfer data from or to a local hosting component
 
-If you're uploading or downloading data between a storage account and an on-premises hosting component, make sure that the hosting component that runs AzCopy can access either the source or destination storage account. You might have to use IP network rules in the firewall settings of either the source or destination accounts to allow access from the public IP address of the hosting component.
+If you're uploading or downloading data between a storage account and an on-premises hosting component, make sure that the hosting component that runs AzCopy can access either the source or destination storage account. You might have to use IP network rules in the firewall settings of either the source or destination accounts to allow access from the public IP address of the hosting component. For a checklist of common causes, see [Public network endpoint](../authentication//storage-troubleshoot-403-errors.md#public-network-endpoint).
 
 #### Transfer data between storage accounts
 
 "403" authorization errors can prevent you from transferring data between accounts by using the client hosting component on which AzCopy is running.
 
-If you're copying data between storage accounts, make sure that the hosting component that runs AzCopy can access both the source and the destination account. You might have to use IP network rules in the firewall settings of both the source and destination accounts to allow access from the public IP address of the hosting component. The service uses the IP address of the AzCopy client hosting component to authorize the source to destination traffic. To learn how to add a public IP address to the firewall settings of a storage account, see [Grant access from an internet IP range](/azure/storage/common/storage-network-security#grant-access-from-an-internet-ip-range).
+If you're copying data between storage accounts, make sure that the hosting component that runs AzCopy can access both the source and the destination account. You might have to use IP network rules in the firewall settings of both the source and destination accounts to allow access from the public IP address of the hosting component. The service uses the IP address of the AzCopy client hosting component to authorize the source to destination traffic. To learn how to add a public IP address to the firewall settings of a storage account, see [Grant access from an internet IP range](/azure/storage/common/storage-network-security#grant-access-from-an-internet-ip-range). 
+
+For a checklist of other issues to consider, see [Public network endpoint](../authentication//storage-troubleshoot-403-errors.md#public-network-endpoint).
 
 In case your VM doesn't or can't have a public IP address, consider using a private endpoint. See [Use private endpoints for Azure Storage](/azure/storage/common/storage-private-endpoints).
 
 #### Use Private Link
 
-[Private Link](/azure/private-link/private-link-overview) is at the virtual network/subnet level. If you want AzCopy requests to go through Private Link, then AzCopy must make those requests from a VM that's running in that virtual network/subnet. For example, suppose that you configure Private Link in VNet1/Subnet1, but the VM on which AzCopy runs is in VNet1/Subnet2. In this scenario, AzCopy requests don't use Private Link, and the requests are expected to fail.
+[Private Link](/azure/private-link/private-link-overview) is at the virtual network/subnet level. If you want AzCopy requests to go through Private Link, then AzCopy must make those requests from a VM that's running in that virtual network/subnet. For example, suppose that you configure Private Link in VNet1/Subnet1, but the VM on which AzCopy runs is in VNet1/Subnet2. In this scenario, AzCopy requests don't use Private Link, and the requests are expected to fail. For a checklist of other issues to consider, see [Private endpoints](../authentication/storage-troubleshoot-403-errors.md#private-endpoints).
 
 ## Proxy-related errors
 
@@ -163,5 +169,6 @@ If you're copying data between accounts by using AzCopy, the quality and reliabi
 
 - [Get started with AzCopy](/azure/storage/common/storage-use-azcopy-v10)
 - [Find errors and resume jobs by using log and plan files in AzCopy](/azure/storage/common/storage-use-azcopy-configure)
+- [Troubleshoot 403 errors](../authentication/storage-troubleshoot-403-errors.md)
 
 [!INCLUDE [Azure Help Support](../../../../includes/azure-help-support.md)]
