How to access a storage account blob which has a private endpoint using the Azure portal

Prince Agrawal 0 Reputation points
2024-04-21T20:36:59.5633333+00:00

Hello everyone, I have a VNet which has private endpoints for a few PaaS applications like Storage account, Azure OpenAI, Key Vault etc. When I go through the bastion deployed in the same VNet and run nslookup, it resolves to the private IP of the PaaS application, but I am trying to understand if there is any way to access the blobs and other PaaS applications through the Azure portal (which currently gives me an unauthorised error, for obvious reasons) using my work laptop. Please suggest how this scenario can be achieved.


2 answers

  1. Marcin Policht 11,385 Reputation points MVP
    2024-04-21T22:07:53.36+00:00

    Connect to an Azure VM running in the VNet via RDP, launch a browser within the OS of the VM, and connect to the Azure portal from there.


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin
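
A quick check for the situation in the question and in Marcin's answer: from the work laptop the storage account's blob FQDN resolves to a public Azure address (so the portal's storage browser hits the storage firewall and gets 403), while from a VM inside the VNet the same name resolves to the private endpoint's IP. This is an added example, not code from the thread; the account name and VNet address range are constructed placeholders.

```python
import ipaddress
import socket

# Constructed placeholders: substitute your own storage account name and the
# address space of the VNet that hosts the private endpoint.
STORAGE_ACCOUNT = "examplestorage"   # placeholder, not a real account
VNET_CIDR = "10.10.0.0/16"           # constructed VNet address space


def blob_fqdn(account_name: str) -> str:
    """Public DNS name of the blob service. When the privatelink zone is linked
    to the VNet, this same name resolves to the private endpoint's IP there."""
    return f"{account_name}.blob.core.windows.net"


def classify_path(addresses, vnet_cidr: str) -> str:
    """Decide which network path a client is on from the A records it received.

    private-endpoint : every address is inside the VNet, traffic uses the link.
    public-endpoint  : only public Azure front-end addresses came back; with
                       public network access disabled the storage firewall
                       returns 403, which is what the portal's storage browser
                       shows from a laptop outside the VNet (a network
                       condition, not an RBAC one).
    mixed/unresolved : investigate DNS (split-brain, stale cache) first.
    """
    vnet = ipaddress.ip_network(vnet_cidr)
    if not addresses:
        return "unresolved"
    inside = [ipaddress.ip_address(a) in vnet for a in addresses]
    if all(inside):
        return "private-endpoint"
    if not any(inside):
        return "public-endpoint"
    return "mixed"


def resolve_ipv4(fqdn: str) -> list:
    """Use the OS resolver (the same one nslookup and the browser use)."""
    try:
        infos = socket.getaddrinfo(fqdn, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    fqdn = blob_fqdn(STORAGE_ACCOUNT)
    ips = resolve_ipv4(fqdn)
    print(fqdn, ips, classify_path(ips, VNET_CIDR))
```

Run it once from the laptop and once from the VM behind the bastion; only the run that reports private-endpoint can reach a storage account whose public network access is disabled.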


  2. Nehruji R 2,051 Reputation points Microsoft Vendor
    2024-04-22T08:12:02.4766667+00:00

    Hello Prince Agrawal,

    Greetings! Welcome to Microsoft Q&A Platform.

    To achieve secure access to your Azure PaaS applications through the Azure portal, you can leverage private endpoints.

    To connect to Azure Storage via a private endpoint, please refer to:

    1. https://learn.microsoft.com/en-us/azure/private-link/create-private-endpoint-portal?source=recommendations&tabs=dynamic-ip, https://learn.microsoft.com/en-us/azure/private-link/tutorial-private-endpoint-storage-portal?tabs=dynamic-ip
    2. https://learn.microsoft.com/en-us/azure/storage/common/storage-private-endpoints

    If you are using a managed identity, there are two ways to do the same. Select either one to connect to Azure Storage:

    1. System Assigned
    2. User Assigned

    To configure a system-assigned identity you can leverage the following steps. Since no preference for a programming language was shared, the steps use Python.

    1. Grant the managed identity access to the storage account: in your storage account, select Access Control (IAM). Click Add and select Add role assignment. Search for Storage Blob Data Owner (or whichever permission is required), select it, and click Next.
    2. On the Members tab, under Assign access to, choose Managed identity. Click Select members; a blade will open in the Azure portal on your right side.
    3. On that blade select the correct subscription and resource, click the Select button, and click Next.
    4. On the Review + assign tab, click Review + assign at the bottom.
    5. Use the following snippet in Azure App Service and deploy it.

    Python:

    from

    To configure a user-assigned identity you can leverage the following steps.

    Please refer to https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview

    1. Create a managed identity. Please refer to https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities?pivots=identity-mi-methods-azp.
    2. Assign the correct role to the user-assigned identity (created in step 1) in the storage account (refer to the screenshot).
    3. Assign the user-assigned identity to the resource where the application will be deployed, for example Azure App Service; please refer to https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp#add-a-user-assigned-identity
    4. Please repeat step 3 if you are deploying the code in multiple resources.
    5. Log into Visual Studio on the dev computer with the credentials of a user who has the relevant access to the Azure storage used in step 2.
    6. Copy the Client ID of the managed identity created in step 1.
    7. Leverage the following demo code from your dev computer and deploy the same code in the resource configured in step 4; it will list the containers.

    Python:

    from

    Hope this answer helps. Please let us know if you have any further queries. I’m happy to assist you further.


    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.
