I am trying to redeploy an Azure Cloud Service (classic) to an "extended support" one since the former is being deprecated. Following this guide and the prerequisites I have created a virtual network and new storage account. I set up a bunch of permissions and the Connectivity Check for my storage account indicates no problems. However when I try to create and deploy a new Cloud Service (Extended Support) using my (updated) .cscfg, .csdef and .cspkg files I get this error:

Error:AuthorizationFailure, message:This request is not authorized to perform this operation. (Code: PackageUriForbidden)

I've tried setting the container and blob access to public for the deploy files, I have added Network Contributor and Storage Blob Data Contributor to both the subscription and the cloud storage resources for my user account. What am I missing?

CodePudding user response：

I tried deploying cloud services extended support via Azure Portal and it got deployed successfully.
Refer below :-

I have uploaded all my cloud services packages in my storage account and used those packages from my storage blobs and created the Cloud service ES instance.

I enabled connection from all networks for my storage account, Thus I did not receive any authorization error :-

It looks like your Storage account has Firewall and V-Net enabled for the selected Networks. Or There’s an IP Address added to restrict storage account.

I created a Create a Service endpoint in my V-Net to allow Microsoft.storage like below :-

Added this V-Net in the selected Networks in Storage account’s Firewall :-

Checked this in order to allow azure services to access storage account like below :-

Now, when I try to deploy another cloud service with the same storage account having firewall and V-Net enabled, I get the same error as yours refer below :-

I allowed my client machine’s IP in the storage account and was able to add the packages without any error while deploying the Cloud Service:-