This document outlines how to use private endpoints with Azure Storage accounts to enhance security and control network access.
What is a Private Endpoint?
A private endpoint is a network interface that takes a private IP address from one of your virtual network subnets and connects it, over Azure Private Link, to a single Platform as a Service (PaaS) resource in Azure. Traffic between the VNet and that resource travels over the Microsoft backbone rather than the public internet, so the resource no longer needs a public-facing endpoint to be reachable from your VNet.
For Azure Storage this matters because it:
- Keeps traffic between your VNet and the storage account off the public internet (it stays on the Microsoft backbone; it does not literally stay inside your VNet, but it never leaves Azure's network).
- Narrows the scope for data exfiltration: a private endpoint maps to one specific storage account and one sub-resource, not to the storage service as a whole, so a compromised workload cannot reach arbitrary storage accounts through it. This only becomes a hard guarantee when other egress paths (default internet route, permissive NSG outbound rules) are also closed.
- Lets you disable public network access on the storage account entirely while keeping it reachable from the VNet.
Prerequisites
- An Azure Storage account.
- An Azure virtual network (VNet) and subnet.
- Permissions to create network resources and storage accounts.
Creating a Private Endpoint for Azure Storage
Using the Azure Portal
- Navigate to your Storage Account in the Azure portal.
- Under Settings, select Networking.
- Choose the Private endpoint connections tab.
- Click + Private endpoint.
- Basics Tab:
- Select your Subscription and Resource group.
- Provide a Name for your private endpoint.
- Choose a Region.
- Resource Tab:
- Connection method: Select 'Connect to an Azure resource in my directory' or 'Connect to an Azure resource by resource ID or alias'.
- Subscription: Select the subscription containing your storage account.
- Resource type: Select 'Microsoft.Storage/storageAccounts'.
- Instance: Select your storage account.
- Target sub-resource: Choose the service you want to connect to (e.g., 'blob', 'file', 'queue', 'table').
- Configuration Tab:
- Virtual network: Select your VNet.
- Subnet: Select the subnet within your VNet.
- Integrate with private DNS zone: Recommended. Azure creates (or reuses) the zone privatelink.<sub-resource>.core.windows.net, for example privatelink.blob.core.windows.net for the blob sub-resource, links it to the selected VNet, and adds an A record for the storage account that points at the private endpoint's IP address. Without this step clients inside the VNet keep resolving the public IP and the endpoint is never used.
- Tags Tab: Optionally add tags.
- Click Review + create, then Create.
Using Azure CLI
Replace placeholders with your actual values.
az network private-endpoint create \
--name MyPrivateEndpoint \
--resource-group MyResourceGroup \
--vnet-name MyVNet \
--subnet MySubnet \
--private-connection-resource-id "/subscriptions/YOUR_SUBSCRIPTION_ID/resourceGroups/MY_STORAGE_RG/providers/Microsoft.Storage/storageAccounts/MY_STORAGE_ACCOUNT" \
--group-ids blob \
--location westus2 \
--connection-name MyStorageConnection
For DNS integration you need three things: a private DNS zone for the sub-resource (privatelink.blob.core.windows.net for blob; file, queue, table, web and dfs each have their own zone), a link from that zone to the VNet, and an A record named after the storage account that points at the private endpoint's IP. The public name mystorageaccount.blob.core.windows.net is a CNAME to mystorageaccount.privatelink.blob.core.windows.net, which is why the record lives in the privatelink zone and carries only the account name. The commands below create the record by hand; the managed alternative is to attach the zone to the endpoint with az network private-endpoint dns-zone-group create, which writes and maintains the A record for you and is the same mechanism the portal's "Integrate with private DNS zone" option uses. The endpoint's address can be read with az network private-endpoint show --name MyPrivateEndpoint --resource-group MyResourceGroup --query "customDnsConfigs[0].ipAddresses[0]". For example:
# Example for blob service DNS
az network private-dns zone create \
--resource-group MyResourceGroup \
--name "privatelink.blob.core.windows.net"
az network private-dns link vnet create \
--resource-group MyResourceGroup \
--name MyDnsLink \
--zone-name "privatelink.blob.core.windows.net" \
--virtual-network MyVNet \
--registration-enabled false
az network private-dns record-set a add-record \
--resource-group MyResourceGroup \
--zone-name "privatelink.blob.core.windows.net" \
--record-set-name "mystorageaccount" \
--ipv4-address "PRIVATE_ENDPOINT_IP_ADDRESS"
Verifying Connectivity
Once the private endpoint is provisioned, you can test connectivity from a virtual machine within the connected virtual network.
- Ensure your VM is in the same VNet or a peered VNet.
- Use nslookup or dig to resolve the storage account endpoint (e.g., mystorageaccount.blob.core.windows.net). It should answer with a CNAME to mystorageaccount.privatelink.blob.core.windows.net and then an A record holding the private IP address of the private endpoint. Do not stop at the CNAME: public DNS returns the same privatelink CNAME for any account that has a private endpoint and then continues to a public address, so the final A record is the only reliable indicator. A public address seen from inside the VNet usually means the private DNS zone is not linked to that VNet, or the VM uses a custom DNS server that does not forward to Azure DNS (168.63.129.16).
- Attempt to access the storage account using its endpoint, for example az storage blob list --account-name mystorageaccount --container-name <container> --auth-mode login from the VM. If this succeeds while public network access on the account is disabled, traffic is routed through the private endpoint.
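The resolution check above is easy to get wrong by hand, because the privatelink CNAME shows up from every vantage point. The following script is an added example for this page (not Azure tooling): it walks the CNAME chain for a storage endpoint and passes only when the final A record is a private address inside the endpoint's subnet. The resolver is injected so the logic runs offline against constructed answers; the hostnames, IP addresses and the blob.example-cluster.store.core.windows.net name in the sample tables are made up and only imitate the shape of real answers.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

# A resolver answers one name with ("CNAME", target) or ("A", ipv4_address).
# It is injected so the check can run offline against constructed answers;
# in practice back it with dnspython or parsed nslookup output.
Resolver = Callable[[str], Tuple[str, str]]

# RFC 1918 ranges; Azure VNets normally draw their addresses from these.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_private_resolution(hostname: str, resolver: Resolver,
                             subnet_cidr: str, max_hops: int = 5) -> Dict:
    """Follow the CNAME chain for hostname and judge the final A record.

    Passing means the chain goes through a privatelink.*.core.windows.net
    name AND the final address lies inside the private endpoint's subnet.
    The privatelink CNAME alone proves nothing: public DNS also returns it
    for any account that has a private endpoint and then continues to a
    public address. Only the final A record shows which DNS path was used.
    """
    subnet = ipaddress.ip_network(subnet_cidr)
    chain: List[Tuple[str, str, str]] = []   # (queried name, type, answer)
    name = hostname
    for _ in range(max_hops):
        rtype, value = resolver(name)
        chain.append((name, rtype, value))
        if rtype == "CNAME":
            name = value
            continue
        if rtype != "A":
            return {"ok": False, "ip": None, "chain": chain,
                    "reason": f"unexpected record type {rtype!r}"}
        ip = ipaddress.ip_address(value)
        if not any(".privatelink." in n for n, _, _ in chain):
            reason = "no privatelink CNAME in chain: the account may have no private endpoint for this sub-resource"
        elif not any(ip in net for net in RFC1918):
            reason = ("resolved to a public address: the private DNS zone is not linked "
                      "to this VNet, or the client does not use Azure DNS")
        elif ip not in subnet:
            reason = f"private address outside the endpoint subnet {subnet}"
        else:
            return {"ok": True, "ip": value, "chain": chain,
                    "reason": "resolves to the private endpoint"}
        return {"ok": False, "ip": value, "chain": chain, "reason": reason}
    return {"ok": False, "ip": None, "chain": chain,
            "reason": f"CNAME chain longer than {max_hops} hops"}


def table_resolver(table: Dict[str, Tuple[str, str]]) -> Resolver:
    """Build a resolver from a static answer table (constructed test data)."""
    def resolve(name: str) -> Tuple[str, str]:
        if name not in table:
            raise LookupError(f"NXDOMAIN: {name}")
        return table[name]
    return resolve


PRIVATELINK = "mystorageaccount.privatelink.blob.core.windows.net"

# Constructed answers, not captured from Azure: what a VM inside the VNet
# sees once privatelink.blob.core.windows.net is linked to that VNet ...
INSIDE_VNET = table_resolver({
    "mystorageaccount.blob.core.windows.net": ("CNAME", PRIVATELINK),
    PRIVATELINK: ("A", "10.1.2.5"),
})
# ... and what a public resolver or an unprepared on-premises client sees:
# the same privatelink CNAME, continuing to the service's public address.
OUTSIDE_VNET = table_resolver({
    "mystorageaccount.blob.core.windows.net": ("CNAME", PRIVATELINK),
    PRIVATELINK: ("CNAME", "blob.example-cluster.store.core.windows.net"),
    "blob.example-cluster.store.core.windows.net": ("A", "203.0.113.10"),
})

if __name__ == "__main__":
    for label, resolver in (("inside VNet", INSIDE_VNET), ("outside VNet", OUTSIDE_VNET)):
        result = check_private_resolution("mystorageaccount.blob.core.windows.net",
                                          resolver, "10.1.2.0/24")
        print(f"{label}: ok={result['ok']} ip={result['ip']} ({result['reason']})")
```

The subnet argument is deliberate: a private address alone is not enough, since a stale A record in the privatelink zone (for example from a deleted and recreated endpoint) resolves to a private IP that nothing answers on. Checking that the address falls inside the endpoint's subnet catches that case as well.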
Important: Creating a private endpoint does not by itself block the public endpoint; until you change the firewall, the account is reachable both ways. To get the isolation this document describes, set Public network access to Disabled (Storage Account -> Networking -> Firewalls and virtual networks), or at least to "Enabled from selected virtual networks and IP addresses" with a default action of Deny and no broad IP rules. Two consequences to plan for: traffic arriving through a private endpoint is not evaluated against the account's IP and virtual network firewall rules, and once public access is disabled any client outside the VNet (a developer workstation, the portal's blob browser, a CI runner) loses data-plane access unless it reaches the VNet through VPN or ExpressRoute with working DNS. The management plane (ARM, az storage account show and similar) is unaffected.
Managing Private Endpoints
You can manage your private endpoints through the Azure portal or Azure CLI. This includes updating configurations, deleting endpoints, and reviewing connection status.
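Reviewing connection status and the public-access setting is worth automating, since a single account left at Public network access: Enabled or with an unapproved connection silently defeats the design. The script below is an added example for this page (not Azure tooling). It takes the JSON that az storage account show -n <name> -g <rg> -o json prints and reports the settings that undermine a private-endpoint-only posture. The two account objects embedded in it are constructed samples that only mimic the shape of that output; the account and connection names are invented.

```python
import json
import sys
from typing import Dict, List


def audit_storage_network(account: Dict) -> List[str]:
    """Return findings for one storage account; an empty list means locked down."""
    findings: List[str] = []
    name = account.get("name", "<unknown>")

    # 1. The public endpoint must be off; otherwise the private endpoint is
    #    just an additional path and the firewall decides who gets in.
    pna = account.get("publicNetworkAccess")
    if pna != "Disabled":
        findings.append(f"{name}: publicNetworkAccess is {pna!r}, expected 'Disabled'")

    # 2. Even if public access is later re-enabled, the firewall default
    #    action should be Deny, and IP allow rules should be reviewed.
    rules = account.get("networkRuleSet") or {}
    action = rules.get("defaultAction")
    if action != "Deny":
        findings.append(f"{name}: networkRuleSet.defaultAction is {action!r}, expected 'Deny'")
    if rules.get("ipRules"):
        findings.append(f"{name}: {len(rules['ipRules'])} IP firewall rule(s) still admit public sources")

    # 3. At least one private endpoint connection must exist and be Approved;
    #    Pending or Rejected connections carry no traffic at all.
    conns = account.get("privateEndpointConnections") or []
    if not conns:
        findings.append(f"{name}: no private endpoint connections")
    for conn in conns:
        status = (conn.get("privateLinkServiceConnectionState") or {}).get("status")
        if status != "Approved":
            findings.append(f"{name}: private endpoint connection {conn.get('name')!r} is {status!r}")
    return findings


# Constructed samples, not real output, in the shape of `az storage account show -o json`.
WEAK_ACCOUNT = {
    "name": "stweakexample",
    "publicNetworkAccess": "Enabled",
    "networkRuleSet": {"defaultAction": "Allow", "ipRules": [], "virtualNetworkRules": []},
    "privateEndpointConnections": [
        {"name": "stweakexample.pe-blob",
         "privateLinkServiceConnectionState": {"status": "Pending"}},
    ],
}
HARDENED_ACCOUNT = {
    "name": "sthardenedexample",
    "publicNetworkAccess": "Disabled",
    "networkRuleSet": {"defaultAction": "Deny", "ipRules": [], "virtualNetworkRules": []},
    "privateEndpointConnections": [
        {"name": "sthardenedexample.pe-blob",
         "privateLinkServiceConnectionState": {"status": "Approved"}},
    ],
}

if __name__ == "__main__":
    # Pipe real output in:  az storage account show -n NAME -g RG -o json | python audit.py
    # With no stdin data, fall back to the constructed samples.
    if not sys.stdin.isatty():
        accounts = [json.load(sys.stdin)]
    else:
        accounts = [WEAK_ACCOUNT, HARDENED_ACCOUNT]
    for acct in accounts:
        problems = audit_storage_network(acct)
        print(f"{acct.get('name')}: {'OK' if not problems else ''}")
        for p in problems:
            print("  " + p)
```

Run it across a subscription with az storage account list -o json and a loop over the array to find accounts that have a private endpoint but never had public access turned off; those are the ones where the endpoint provides convenience, not isolation.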
Scenarios and Best Practices
- Securing sensitive data: Use private endpoints for storage accounts containing PII, financial data, or other sensitive information.
- Hybrid connectivity: If connecting from on-premises via VPN or ExpressRoute, ensure your DNS resolution is correctly configured to point to the private endpoint IPs.
- Multiple sub-resources: Each private endpoint targets exactly one sub-resource (the group ID you choose: blob, file, queue, table, web or dfs). A storage account that must be reachable privately over both blob and file therefore needs two private endpoints, each consuming its own IP address, plus A records in two zones (privatelink.blob.core.windows.net and privatelink.file.core.windows.net).
- DNS configuration: Proper DNS setup is critical for private endpoints to function correctly.
Considerations: Every private endpoint takes one private IP address from its subnet, and one endpoint is needed per sub-resource, so size the subnet for the number of storage accounts multiplied by the sub-resources you expose. The private DNS zones are a shared dependency: a zone is normally created once per environment and linked to every VNet that needs it, and a stale or missing A record in privatelink.blob.core.windows.net is the most common reason clients silently fall back to the public endpoint.
For more advanced scenarios or troubleshooting, refer to the official Azure Storage documentation.