Blobfuse2 endpoint (blobfuse2.z13.web.core.windows.net) not documented – Observed when deploying AKS PV with Azure Firewall

[Lddeiva]

When creating a Persistent Volume using Blobfuse on AKS, it establishes HTTPS communication with blobfuse2.z13.web.core.windows.net. This behavior was confirmed during testing with Azure Firewall. However, this endpoint is not mentioned in the official documentation. Please confirm if this URL is valid and update the documentation accordingly.

# StorageClass
allowVolumeExpansion: true
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  labels:
    addonmanager.kubernetes.io/mode: EnsureExists
    kubernetes.io/cluster-service: "true"
  name: azureblob-fuse-premium
mountOptions:
- -o allow_other
- --file-cache-timeout-in-seconds=120
- --use-attr-cache=true
- --cancel-list-on-mount-seconds=10
- -o attr_timeout=120
- -o entry_timeout=120
- -o negative_timeout=120
- --log-level=LOG_WARNING
- --cache-size-mb=1000
parameters:
  skuName: Premium_LRS
provisioner: blob.csi.azure.com
reclaimPolicy: Delete
volumeBindingMode: Immediate

# PersistentVolume
apiVersion: v1
kind: PersistentVolume
metadata:
  annotations:
    pv.kubernetes.io/provisioned-by: blob.csi.azure.com
  name: pv-blob
spec:
  accessModes:
  - ReadWriteOnce
  capacity:
    storage: 128Gi
  csi:
    driver: blob.csi.azure.com
    nodeStageSecretRef:
      name: secrets
      namespace: dev
    volumeAttributes:
      containerName: <containerName>
      resourceGroup: <resourceGroupName>
      storageAccount: <storageAccountName>
    volumeHandle: pv-blob-volume-id
  mountOptions:
  - -o allow_other
  - --file-cache-timeout-in-seconds=120
  - --use-attr-cache=true
  - --cancel-list-on-mount-seconds=10
  - -o attr_timeout=120
  - -o entry_timeout=120
  - -o negative_timeout=120
  - --log-level=LOG_WARNING
  - --cache-size-mb=1000
  persistentVolumeReclaimPolicy: Retain
  storageClassName: azureblob-fuse-premium
  volumeMode: Filesystem

# PersistentVolumeClaim
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pv-blob-pvc
  namespace: dev
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 128Gi
  storageClassName: azureblob-fuse-premium
  volumeMode: Filesystem
  volumeName: pv-blob

References

1. https://learn.microsoft.com/en-us/azure/aks/azure-csi-blob-storage-provision?tabs=mount-nfs%2Csecret&source=docs
2. https://learn.microsoft.com/en-us/azure/aks/outbound-rules-control-egress?source=docs

[vibhansa-msft]

This endpoint is used just to validate whether you are using the latest version or blobfuse or not. This is checked only once when you mount, and connection can be disabled by disabling the version check. Even if the connection does not go through, it does not create any issue in your mount, neither does it complain about anything. This is a silent background check for version. Do you see any issue with this ?

[Lddeiva]

This endpoint is used just to validate whether you are using the latest version or blobfuse or not. This is checked only once when you mount, and connection can be disabled by disabling the version check. Even if the connection does not go through, it does not create any issue in your mount, neither does it complain about anything. This is a silent background check for version. Do you see any issue with this ?

@vibhansa-msft , There are no issues with the behavior itself, but it would be helpful to have this documented to provide clarity, address customer concerns, and facilitate coordination with security teams.

[vibhansa-msft]

@tjvishnu Blobfuse checks for latest version on the mentioned endpoint. We might need to update our documentation regarding the same.