Traffic path between Azure storage account and Azure VM

Noushad Karuthadath 40 Reputation points
2024-05-05T14:54:32.9166667+00:00

I have a site-to-site VPN from on-prem to Azure. I have an Azure storage account which is set to accept traffic from anywhere. I transfer some data from on-prem to the Azure storage account; this will be transferred over the internet to the public endpoint of the storage account, right?

Also, when another Azure VM reads this same data from the Azure storage account in the same region, will this traffic stay on the Microsoft backbone network or be transferred to the Azure VM via the internet?

If traffic is transferred via the internet from Azure storage to the Azure VM, is the Azure VM in this case connecting to the storage account's public endpoint?


Accepted answer
  1. Anand Prakash Yadav 6,390 Reputation points Microsoft Vendor
    2024-05-08T09:11:17.82+00:00

    Hello Noushad Karuthadath,

    Thank you for posting your query here!

    Adding on to the previous response:

    On-prem to Azure Storage: Yes, if your Azure storage account is set to accept traffic from anywhere and there is no private link, your data transfer from on-prem to the Azure storage account will go over the internet to the public endpoint of the storage account.

    If you implement a private endpoint for your Azure Storage Account, you can extend your on-prem network into Azure via the VPN and route all traffic to the storage account through this secure, private connection. This means that any data transferred from your on-premises infrastructure to the Azure Storage would not traverse the public internet, significantly enhancing security.

    Azure VM to Azure Storage in the Same Region: If private endpoints are not used, the Azure VM will connect to the storage account's public endpoint. However, even though it's a public endpoint, the traffic between the Azure VM and the storage account, when both are in the same region, typically remains within Microsoft's Azure internal network, not traversing the public internet. This setup leverages the Azure network, optimizing for security and performance within the same regional infrastructure.

    Using private endpoints for the storage account ensures that all access from Azure VMs within the same region (or even different regions if configured) occurs over Azure’s private network. This setup restricts access to the storage account to only those resources within your Azure network, mitigating exposure to potential external threats and breaches.

    What is a private endpoint? - Azure Private Link | Microsoft Learn

    Do let us know if you have any further queries. I’m happy to assist you further.

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, as this can be beneficial to other community members.

    1 person found this answer helpful.
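As an added example (not from the question or either answer), the two checks above can be scripted: read the storage account's network settings to see whether the public endpoint accepts traffic from anywhere and whether a private endpoint exists, then look at what the client's resolver returns for the blob FQDN. A private (RFC 1918) address means the private endpoint and its private DNS zone are in use; a public address means the client is still going to the public endpoint. The sample JSON is a constructed subset of `az storage account show -o json` output and the account name is a placeholder.

```python
"""Audit storage account exposure and classify which endpoint a client resolves to."""
import ipaddress
import json
import socket

# Constructed sample of `az storage account show -o json`, reduced to the fields used here.
ACCOUNT_JSON = json.dumps({
    "name": "examplestorage",                      # placeholder account name
    "publicNetworkAccess": "Enabled",
    "networkRuleSet": {"defaultAction": "Allow", "ipRules": [], "virtualNetworkRules": []},
    "privateEndpointConnections": [],
})


def audit_exposure(account_json: str) -> list[str]:
    """Return findings describing how the account can be reached, from its network settings."""
    acct = json.loads(account_json)
    rules = acct.get("networkRuleSet", {})
    findings = []
    if acct.get("publicNetworkAccess", "Enabled") == "Enabled":
        if rules.get("defaultAction") == "Allow":
            findings.append("public endpoint accepts traffic from any network")
        else:
            findings.append("public endpoint restricted by firewall rules")
    else:
        findings.append("public endpoint disabled")
    if not acct.get("privateEndpointConnections"):
        findings.append("no private endpoint: same-region VMs and on-prem clients use the public endpoint")
    return findings


def classify_resolution(addresses: list[str]) -> str:
    """Classify resolved addresses: private ones come from a private endpoint's DNS zone."""
    kinds = {"private" if ipaddress.ip_address(a).is_private else "public" for a in addresses}
    if kinds == {"private"}:
        return "private-endpoint"
    if kinds == {"public"}:
        return "public-endpoint"
    return "mixed"


def resolve_blob_endpoint(account: str) -> list[str]:
    """Resolve the blob FQDN with the local resolver (needs network; not used by the checks above)."""
    host = f"{account}.blob.core.windows.net"
    return sorted({info[4][0] for info in socket.getaddrinfo(host, 443)})


if __name__ == "__main__":
    for finding in audit_exposure(ACCOUNT_JSON):
        print("finding:", finding)
    # Run from the VM or on-prem host being checked; replace the placeholder account name.
    print("resolution:", classify_resolution(resolve_blob_endpoint("examplestorage")))
```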

1 additional answer

  1. Marcin Policht 13,020 Reputation points MVP
    2024-05-05T15:31:01.0133333+00:00

    The traffic in both scenarios will access the public endpoint of the storage account.

    The third scenario is not valid since the Azure Storage account does not "initiate" the transfer - it only responds to the request from the Azure VM. The return traffic will follow the same path.

    To avoid using the public endpoint in both scenarios, use private endpoints. More at https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview
    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin