About Me

I am an MCSE in Data Management and Analytics with a specialization in MS SQL Server, and an MCP in Azure. I have 13+ years of experience in the IT industry, with expertise in data management, Azure Cloud, data-center migration, infrastructure architecture planning, virtualization and automation. Contact me if you are looking for any sort of guidance in getting your infrastructure provisioning automated through Terraform. I sometimes write on my own blog as a place to store my experiences for future search and reading, which can hopefully help others along the way. Thanks.

Validation of network acls failure: SubnetsHaveNoServiceEndpointsConfigured

When executing the command:

az storage account network-rule add -g RGP-USE-AKS-DV  --account-name stouserakdv --vnet-name VNT-USE-AKS-DEV --subnet SUB-USE-AKS-DEV

I get the error below:

 (NetworkAclsValidationFailure) Validation of network acls failure: SubnetsHaveNoServiceEndpointsConfigured:Subnets sub-use-aks-dev of virtual network /subscriptions/69b34dfc-4b97-4259-93f3-037ed7eec25e/resourceGroups/RGP-USE-AKS-DV/providers/Microsoft.Network/virtualNetworks/VNT-USE-AKS-DEV do not have ServiceEndpoints for Microsoft.Storage resources configured. Add Microsoft.Storage to subnet's ServiceEndpoints collection before trying to ACL Microsoft.Storage resources to these subnets..

Code: NetworkAclsValidationFailure

Message: Validation of network acls failure: SubnetsHaveNoServiceEndpointsConfigured:Subnets sub-use-aks-dev of virtual network /subscriptions/69b34dfc-4b97-4259-93f3-037ed7eec25e/resourceGroups/RGP-USE-AKS-DV/providers/Microsoft.Network/virtualNetworks/VNT-USE-AKS-DEV do not have ServiceEndpoints for Microsoft.Storage resources configured. Add Microsoft.Storage to subnet's ServiceEndpoints collection before trying to ACL Microsoft.Storage resources to these subnets..


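Explain this error:

This error message is related to the configuration of Network Access Control Lists (NACLs) in Microsoft Azure. NACLs are used to control inbound and outbound network traffic to and from subnets in a virtual network. In this case, the ACL being changed is the storage account's network rule, which the az storage account network-rule add command adds for the subnet.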

The error message indicates that the validation of the NACL configuration has failed due to a missing configuration of Service Endpoints for Microsoft.Storage in the subnets with the name "sub-use-aks-dev" of the virtual network with the name "VNT-USE-AKS-DEV".

Service Endpoints provide secure and direct connectivity to Azure services over an Azure Virtual Network. In this case, Microsoft.Storage resources require the Service Endpoints for secure access to and from subnets. The error message suggests adding Microsoft.Storage to the subnet's ServiceEndpoints collection before trying to ACL Microsoft.Storage resources to these subnets.

To resolve this error, you can follow the instructions provided in the error message and add the Microsoft.Storage Service Endpoint to the subnet's ServiceEndpoints collection by configuring it in the Azure portal or through Azure CLI. Once this configuration is complete, the NACLs can be updated to control inbound and outbound traffic for Microsoft.Storage resources on the subnets.


How to resolve

1. First, you need to identify the virtual network and subnet that are causing the error. You can use the following command to list all the subnets in the virtual network:

az network vnet subnet list --resource-group RGP-USE-AKS-DV  --vnet-name VNT-USE-AKS-DEV --output table

AddressPrefix    Name             PrivateEndpointNetworkPolicies    PrivateLinkServiceNetworkPolicies    ProvisioningState    ResourceGroup
---------------  ---------------  --------------------------------  -----------------------------------  -------------------  ---------------
10.20.0.0/24     SUB-USE-AKS-DEV  Disabled                          Enabled                              Succeeded            RGP-USE-AKS-DV


2. Once you have identified the subnet causing the error, you can use the following command to add the Microsoft.Storage Service Endpoint to the subnet's ServiceEndpoints collection:

az network vnet subnet update --name  SUB-USE-AKS-DEV --resource-group RGP-USE-AKS-DV --vnet-name VNT-USE-AKS-DEV --service-endpoints Microsoft.Storage


Then I executed the command below and it completed successfully.

az storage account network-rule add -g RGP-USE-AKS-DV  --account-name stouserakdv --vnet-name VNT-USE-AKS-DEV --subnet SUB-USE-AKS-DEV
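
The same fix as a re-runnable script (an added example, not part of the original post): it reads the subnet's current service endpoints and passes the merged list to the update, because --service-endpoints sets the whole collection and would otherwise drop endpoints that are already configured. The function names merge_endpoints and ensure_storage_rule are assumptions; the resource names are the ones used above.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# stdin : one service name per line, as printed by
#         az network vnet subnet show ... --query "serviceEndpoints[].service" -o tsv
# stdout: space-separated list holding every existing service plus $1 (no duplicate).
merge_endpoints() (
    wanted="$1"; out=""; found=0
    while IFS= read -r svc || [ -n "$svc" ]; do
        [ -z "$svc" ] && continue            # subnet without endpoints: empty input
        [ "$svc" = "$wanted" ] && found=1    # exact match only
        out="${out:+$out }$svc"
    done
    [ "$found" -eq 1 ] || out="${out:+$out }$wanted"
    printf '%s\n' "$out"
)

# Enable Microsoft.Storage on the subnet if it is missing, then add the
# storage account network rule. Needs a logged-in az CLI.
# Arguments: resource group, vnet, subnet, storage account.
ensure_storage_rule() (
    set -e
    rg="$1"; vnet="$2"; subnet="$3"; account="$4"
    current=$(az network vnet subnet show -g "$rg" --vnet-name "$vnet" \
        -n "$subnet" --query "serviceEndpoints[].service" -o tsv)
    if ! printf '%s\n' "$current" | grep -qxF Microsoft.Storage; then
        merged=$(printf '%s\n' "$current" | merge_endpoints Microsoft.Storage)
        # $merged is left unquoted on purpose: one argument per service.
        az network vnet subnet update -g "$rg" --vnet-name "$vnet" \
            -n "$subnet" --service-endpoints $merged
    fi
    az storage account network-rule add -g "$rg" --account-name "$account" \
        --vnet-name "$vnet" --subnet "$subnet"
)

# Offline demonstration on constructed input (a subnet that already has
# a Microsoft.KeyVault endpoint):
printf 'Microsoft.KeyVault\n' | merge_endpoints Microsoft.Storage

# Real run with the names from this post:
#   ensure_storage_rule RGP-USE-AKS-DV VNT-USE-AKS-DEV SUB-USE-AKS-DEV stouserakdv
```

A virtual network rule only restricts access when the storage account's default action is Deny; `az storage account show -g RGP-USE-AKS-DV -n stouserakdv --query networkRuleSet.defaultAction` reports the current value.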

