Share via

How to access both VM and blob storage account securely without using Public IPs from the internet

Jayashankara D M 20 Reputation points Microsoft Employee
2024-05-22T13:21:19.4733333+00:00

We have a specific requirement where a VM and a blob storage account reside on the same VNet, and both have private IPs. Now, we want to access both of them from the internet using the same solution, such as a public load balancer or P2S VPN. We can't afford to have different solutions to access the VM and storage account. When I mention the internet, there are two aspects to consider: the first is a user's computer from which they will SSH into the VM to copy a file from the storage account present on the same VNet and then parse that file. The second aspect is our application deployed on a k8s cluster running on-premises, which uploads the logs to the blob storage account.

Azure Storage Accounts
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
3,218 questions
Azure VPN Gateway
Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,554 questions
Azure VMware Solution
Azure VMware Solution
An Azure service that runs native VMware workloads on Azure.
358 questions
Azure Load Balancer
Azure Load Balancer
An Azure service that delivers high availability and network performance to applications.
449 questions
Accepted answer
  1. KapilAnanth-MSFT 46,676 Reputation points Microsoft Employee
    2024-05-23T06:21:12.58+00:00

    @Jayashankara D M ,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I am afraid your statement is misleading when you say "blob storage account reside on the same VNet".

    • A storage account cannot reside on a VNET
    • Are you talking about Private EndPoint (PE) of the Storage Account residing in the same VNET as the VM?

    I shall take it that you are using PE and frame my answer. If my assumption is incorrect, please do let me know.

    • If you want remote users to connect to your VM and PE in a VNET, you should consider using a P2S VPN only.
    • If you want your OnPrem network to connect to the VNET (VM and PE in the VNET), you should consider using a S2S VPN.
      • This means, your OnPrem should be capable of connecting to the Azure VPN gateway using a VPN Device of it's own
      • You can get a list of Validated VPN devices and device configuration guides here
    • A single VPN Gateway resource in VNET is capable of creating both a P2S Connection and S2S Connection

    Since you have a mix of OnPrem network and remote users, you can deploy both.

    With S2S and P2S, you should also take care of the DNS part,

    For P2S,

    • It is mandatory that you use a custom DNS Server located in the Azure VNET or Private DNS Resolver
    • In the P2S VPN Client configuration file, you should
    • This will make sure all DNS traffic for "blob.core.windows.net" goes to Azure and you will get the correct IP Address resolved (of PE)

    For S2S,

    • You can have your own DNS server at hardcode the value of the PE IP in the zone "blob.core.windows.net"
      • This means no need for a custom DNS Server in the Azure VNET
    • Or you can create a Forward lookup zone for "blob.core.windows.net" and send the DNS query to the custom DNS Server in the Azure VNET

    This diagram might come in handy,

    • User's image
    • Steps 1-6 is DNS resolution
    • Step 7 is connecting to PE

    Cheers,

    Kapil

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.