Since the storage account (provider) is in Team B's Azure account and the VM (consumer) is in Team A's Azure account, the Private Link setup requires collaboration between both teams.
High-level overview
- Team B (Provider) owns the storage account.
- Team A (Consumer) owns the VM and wants private access to Team B's storage.
- A Private Link connection will be established so that Team A's VM can access Team B's storage account over the Azure backbone network.
- Team A must create a Private Endpoint in its VNet, which will connect to Team B's storage account.
- Team B must approve this Private Endpoint request in their Azure portal.
Step-by-Step process
Step 1: Team B enables private link on the Storage account
- Team B logs into the Azure portal and navigates to their storage account.
- Under Networking > Private Endpoint Connections, they select "+ Private Endpoint".
- Team B chooses "Manual Approval" as the connection mode.
- Team B provides Team A with the required details like the storage account resource ID.
- Team B waits for Team A to create the Private Endpoint.
Step 2: Team A creates a Private Endpoint
- Team A logs into their Azure portal and goes to Private Link Center.
- They create a Private Endpoint and select Team B's storage account as the target.
- They choose their own VNet and subnet where the VM is running.
- They submit the request for Team B to approve.
Step 3: Team B approves the Private Endpoint
- Team B navigates to Networking > Private Endpoint Connections in their storage account.
- They see a pending request from Team A.
- They approve the request, establishing the connection.
Step 4: Team A configures DNS (if needed)
- If using Azure Private DNS, the system should automatically resolve the private link.
- If not, Team A needs to manually update their DNS settings so that the storage account resolves to the Private Endpoint's IP.
Final workflow
- Team A's VM sends a request to the storage account's private endpoint.
- The traffic stays entirely within the Azure backbone network, without touching the public internet.
- The request reaches Team B's storage account securely.
Summary of responsibilities
| Step | Task | Responsible Team |
|---|---|---|
| 1 | Enable Private Link on Storage Account | Team B |
| 2 | Create Private Endpoint in VNet | Team A |
| 3 | Approve Private Endpoint Request | Team B |
| 4 | Configure DNS if needed | Team A |
Effectively
- Team A initiates the Private Endpoint request in their VNet.
- Team B manages and approves the connection on the storage account.
- Traffic between Team A's VM and Team B's storage stays private.
- No public endpoints are needed, ensuring security.
If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
hth
Marcin
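The consumer-side half of the procedure above (Team A's Steps 2 and 4) as a Bicep template, added here as an example and not part of the original answer. It assumes the storage account is used for blobs (group id `blob`), that Team B has shared the storage account resource ID out of band, and that the VM's VNet and subnet already exist in Team A's subscription; the parameter and resource names are illustrative.

```bicep
// Added example, not from the original answer. Assumptions: group id 'blob',
// Team B shared the storage account resource ID out of band, and the VM's
// VNet/subnet already exist in Team A's subscription.
param providerStorageAccountId string   // from Team B (Step 1)
param consumerSubnetId string           // subnet hosting Team A's VM
param consumerVnetId string             // Team A's VNet, linked to the DNS zone
param location string = resourceGroup().location
// Step 2: a *manual* connection is what creates the pending request Team B
// approves in Step 3 (portal, or `az network private-endpoint-connection approve`).
resource pe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-teamb-storage'
  location: location
  properties: {
    subnet: { id: consumerSubnetId }
    manualPrivateLinkServiceConnections: [
      {
        name: 'teamb-storage-blob'
        properties: {
          privateLinkServiceId: providerStorageAccountId
          groupIds: [ 'blob' ]
          requestMessage: 'Team A VM access to Team B storage'
        }
      }
    ]
  }
}
// Step 4: Private DNS zone + VNet link so <account>.blob.core.windows.net
// resolves to the endpoint's private IP inside Team A's VNet; the zone group
// writes the endpoint's A record into the zone automatically.
resource dnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.blob.core.windows.net'
  location: 'global'
}
resource vnetLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: dnsZone
  name: 'link-consumer-vnet'
  location: 'global'
  properties: {
    registrationEnabled: false
    virtualNetwork: { id: consumerVnetId }
  }
}
resource zoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: pe
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      { name: 'blob', properties: { privateDnsZoneId: dnsZone.id } }
    ]
  }
}
```

After deployment the endpoint shows as "Pending" on Team B's storage account until Team B approves it (Step 3); a lookup of the account's blob hostname from the VM should then return the endpoint's private IP rather than a public address.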