Setup private link for storage account

Dimitrov, Radoslav 20 Reputation points
2025-04-04T11:15:07.1133333+00:00

Hello members,

I need some help understanding the guide for creating a private link for a storage account.

We are two teams, let's say team A and team B.

Team A (consumer) has apps that run in a VM in Azure in account A. Team A is strictly responsible for account A.

Team B (provider) has an azure storage account in azure account B and a portable tool that connects and uses the storage account. Team B is strictly responsible for account B.

Team A wants to run team B's tool in the VM.

We want to setup a private link between team A's VM and team B's storage account. As each azure account is managed by the respective team, it is not clear to me which team should do what.

Thanks!

Azure Private Link
Azure Private Link
An Azure service that provides private connectivity from a virtual network to Azure platform as a service, customer-owned, or Microsoft partner services.
550 questions
{count} votes

Accepted answer
  1. Marcin Policht 50,735 Reputation points MVP Volunteer Moderator
    2025-04-04T11:32:09.3066667+00:00

    Since the storage account (provider) is in Team Bs Azure account and the VM (consumer) is in Team As Azure account, the Private Link setup requires collaboration between both teams.

    High-level overview

    • Team B (Provider) owns the storage account.
    • Team A (Consumer) owns the VM and wants private access to Team Bs storage.
    • A Private Link connection will be established so that Team As VM can access Team Bs storage account over the Azure backbone network.
    • Team A must create a Private Endpoint in its VNet, which will connect to Team Bs storage account.
    • Team B must approve this Private Endpoint request in their Azure portal.

    Step-by-Step process

    Step 1: Team B enables private link on the Storage account

    1. Team B logs into the Azure portal and navigates to their storage account.
    2. Under Networking > Private Endpoint Connections, they select "+ Private Endpoint".
    3. Team B chooses "Manual Approval" as the connection mode.
    4. Team B provides Team A with the required details like the storage account resource ID.
    5. Team B waits for Team A to create the Private Endpoint.

    Step 2: Team A creates a Private Endpoint

    1. Team A logs into their Azure portal and goes to Private Link Center.
    2. They create a Private Endpoint and select Team Bs storage account as the target.
    3. They choose their own VNet and subnet where the VM is running.
    4. They submit the request for Team B to approve.

    Step 3: Team B approves the Private Endpoint

    1. Team B navigates to Networking > Private Endpoint Connections in their storage account.
    2. They see a pending request from Team A.
    3. They approve the request, establishing the connection.

    Step 4: Team A configures DNS (if needed)

    • If using Azure Private DNS, the system should automatically resolve the private link.
    • If not, Team A needs to manually update their DNS settings so that the storage account resolves to the Private Endpoint's IP.

    Final workflow

    1. Team As VM sends a request to the storage accounts private endpoint.
    2. The traffic stays entirely within the Azure backbone network, without touching the public internet.
    3. The request reaches Team Bs storage account securely.

    Summary of responsibilities

    Step Task Responsible Team
    1 Enable Private Link on Storage Account Team B
    2 Create Private Endpoint in VNet Team A
    3 Approve Private Endpoint Request Team B
    4 Configure DNS if needed Team A

    Effectively

    • Team A initiates the Private Endpoint request in their VNet.
    • Team B manages and approves the connection on the storage account.
    • Traffic between Team As VM and Team Bs storage stays private.
    • No public endpoints are needed, ensuring security.

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

    1 person found this answer helpful.
    0 comments No comments

0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.