Unable to use Azure storage account with firewall to import repository data #1431
Description
Description
I'm using an Azure storage account to store the repository data that I'm migrating, and I've been asked to restrict public network access to this storage account. After adding the GEI Azure subnets as described in this section, bbs2gh failed to import the repository with the following error:
[2025-09-19 18:55:11] [DEBUG] RESPONSE (OK): {"data":{"node":{"id":"RM_kgDaACRmMWUzMzk5OC0yOTdhLTQxN2UtYWJhZS1lZjQ2NWMxOTMyYzE","sourceUrl":"https://stash.acme.com/projects/AB/repos/xyz/browse","migrationLogUrl":"","migrationSource":{"name":"Bitbucket Server Source"},"state":"FAILED","warningsCount":0,"failureReason":"Git archive URL returned a HTTP 403 response. Please make sure that the URL is valid and that the file is accessible","repositoryName":"ab-xyz"}}}
Error: 9-19 18:55:11] [ERROR] Migration Failed. Migration ID: RM_kgDaACRmMWUzMzk5OC0yOTdhLTQxN2UtYWJhZS1lZjQ2NWMxOTMyYzE
[2025-09-19 18:55:11] [INFO] Migration log available at or by running `gh bbs2gh download-logs --github-org acme --github-repo ab-xyz`
Error: 9-19 18:55:11] [ERROR] OctoshiftCLI.OctoshiftCliException: Git archive URL returned a HTTP 403 response. Please make sure that the URL is valid and that the file is accessible
at OctoshiftCLI.BbsToGithub.Commands.MigrateRepo.MigrateRepoCommandHandler.ImportArchive(MigrateRepoCommandArgs args, String migrationSourceId, String archiveUrl)
at OctoshiftCLI.BbsToGithub.Commands.MigrateRepo.MigrateRepoCommandHandler.Handle(MigrateRepoCommandArgs args)
at OctoshiftCLI.Extensions.CommandExtensions.RunHandler[TArgs,THandler](TArgs args, ServiceProvider sp, CommandBase`2 command)
at OctoshiftCLI.Extensions.CommandExtensions.<>c__DisplayClass1_0`3.<<ConfigureCommand>b__0>d.MoveNext()
In the Azure portal, I noticed that the Service Endpoint column shows Unauthorized which makes me wonder whether the subnets I added have the Microsoft.Storage service endpoint enabled and whether these subnets are still valid and if the documentation is up to date:
Can someone please help me understand what I'm missing?
Reproduction Steps
Run the bbs2gh using an Azure storage account to store and expose the repository data to GEI. This storage account must has the default action set to deny the public network access in the network rules and the GEI subnets added to the whitelist as described in this section here