Is it possible to give another tenant access rights to a private link of a storage account for an Azure Files migration?

Diederik Janson 41 Reputation points
2023-05-02T08:47:06.69+00:00

Hi,

Is it possible to give another tenant access to a private endpoint of an Azure Files storage account?

We have a lot of data (150TB) that needs to be harvested/migrated to another tenant. Now they have public access based on a security key. It would be safer and possibly cheaper to migrate the data over the internal Azure network without reaching the internet.

Is there a way to do this?

Thank you very much for any help.

Best Regards,

Diederik


Accepted answer
  1. Sumarigo-MSFT 43,806 Reputation points Microsoft Employee
    2023-05-04T06:14:51.8633333+00:00

    @Diederik Janson Welcome to Microsoft Q&A Forum. Thank you for posting here!

    Yes, it is possible to grant access to a private endpoint of an Azure Files storage account to another tenant.

    To do this, you will need to create a Private Endpoint connection for the storage account in the Azure portal. Once the Private Endpoint connection is created, you can grant access to the other tenant by creating a Private Link Service in your Azure subscription and then sharing the Private Endpoint with the other tenant.

    Here are the high-level steps you can follow to accomplish this:

    1. Create a Private Endpoint connection for your Azure Files storage account using the Azure portal. This will create a private IP address for the storage account that can be accessed only from within your virtual network.
    2. Create a Private Link Service in your Azure subscription that represents the Azure Files storage account.
    3. Share the Private Endpoint connection with the other tenant by providing them with the Private Link Service endpoint and authorization key.

    Once the other tenant has access to the Private Endpoint connection, they can connect to the Azure Files storage account over the private Azure network without reaching the internet. This provides a more secure and cost-effective way to migrate your data.

    Grant access from a virtual network

    You can configure storage accounts to allow access only from specific subnets. The allowed subnets can belong to a virtual network in the same subscription or a different subscription, including those that belong to a different Azure AD tenant.

    Configure Azure Storage firewalls and virtual networks

    Please let us know if you have any further queries. I’m happy to assist you further.


    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.

    1 person found this answer helpful.

2 additional answers

  1. Silvia Wibowo 3,086 Reputation points Microsoft Employee
    2023-05-03T01:33:16.29+00:00

    Hi @Diederik Janson, as far as I know, there is no same-tenant requirement when creating a private endpoint. The Azure portal may not display the option of a different tenant, so you need to create the private endpoint using another method such as PowerShell, Azure CLI, Bicep, or an Azure ARM template.

    Please make sure that there is no policy that restricts cross-tenant private endpoint connection as described here.


  2. Diederik Janson 41 Reputation points
    2023-05-08T08:09:24.95+00:00

    Hi,

    Thank you so much for helping me. When I am on point 2 (Create a Private Link Service in your Azure subscription that represents the Azure Files storage account.) I can't select my private endpoint from my storage account. I can only connect the private service to a load balancer. What am I doing wrong?

    Do I really need the private service or can I just share the resource id of the private endpoint?

    Best regards,

    Diederik

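As an added example (not code from any poster in this thread), here is the Azure CLI route mentioned in Silvia Wibowo's answer: the destination tenant requests a private endpoint against the storage account's resource ID, and the source tenant approves the pending connection. It assumes the manual-approval flow, that each half runs after `az login --tenant` into the respective tenant, and that every resource group, network, name and ID shown is a placeholder.

```bash
#!/usr/bin/env bash
# Cross-tenant private endpoint for Azure Files: request from the destination
# tenant, approve from the source tenant. All names and IDs are placeholders.
AZ="${AZ:-az}"   # set AZ=echo to print the commands instead of running them

# Resource ID of the source storage account, supplied by the owning tenant.
STORAGE_ID="${STORAGE_ID:-/subscriptions/SOURCE_SUB_ID/resourceGroups/SOURCE_RG/providers/Microsoft.Storage/storageAccounts/SOURCEACCOUNT}"

# Destination tenant: create the endpoint in its own VNet, pointing at the
# remote account by resource ID. With --manual-request the connection stays
# Pending until the storage account owner approves it.
request_endpoint() {
  case "$STORAGE_ID" in
    /subscriptions/*/providers/Microsoft.Storage/storageAccounts/*) ;;
    *) echo "STORAGE_ID is not a storage account resource ID" >&2; return 2 ;;
  esac
  "$AZ" network private-endpoint create \
    --resource-group "${DEST_RG:-DEST_RG}" \
    --name "${PE_NAME:-pe-files-migration}" \
    --vnet-name "${DEST_VNET:-DEST_VNET}" \
    --subnet "${DEST_SUBNET:-DEST_SUBNET}" \
    --private-connection-resource-id "$STORAGE_ID" \
    --group-id file \
    --connection-name files-migration \
    --manual-request true \
    --request-message "Azure Files migration"
}

# Source tenant: list the connections on the account so the pending request
# can be checked against what was agreed before it is approved.
list_connections() {
  "$AZ" network private-endpoint-connection list --id "$STORAGE_ID"
}

approve_connection() {   # $1 = connection resource ID from list_connections
  [ -n "${1:-}" ] || { echo "usage: approve_connection <connection-id>" >&2; return 2; }
  "$AZ" network private-endpoint-connection approve --id "$1" \
    --description "Approved for Azure Files migration"
}

case "${1:-}" in
  request) request_endpoint ;;
  list)    list_connections ;;
  approve) approve_connection "${2:-}" ;;
esac
```

The `file` group ID selects the Azure Files sub-resource of the storage account; the destination VNet still needs DNS that resolves the account's file endpoint to the new private IP.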