Access Azure Storage account cross tenant
The problem statement is: I have an application that resides in the consumer tenant and a storage account that resides in the provider tenant. My application needs to access this storage account. Moreover, this storage account does not have public network access enabled.
My approach is this:
Provider tenant:
- Ensure the storage account's version is v2, since private endpoints are not supported on v1.
- Save the resource ID of storage account.
Consumer tenant: let us suppose the application that needs access to the storage account is in the eastus2 region.
- Create a virtual network with a subnet in eastus2 region.
- Create a private dns zone.
- Link the vnet with the private dns zone.
- Create a private endpoint using the resource ID of the storage account in the provider tenant. Ensure it is created in the eastus2 region itself.
- Configure the DNS zone settings of the private endpoint and point the config to the vnet created in eastus2 above.
- Create an "A" record inside the record sets whose name is the storage account's name.
For example, if the storage account name is myStorage, then the record is an entry for myStorage.privatelink.blob.core.windows.net with the private IP of the vnet.
Now go back to the provider tenant:
- Approve the pending private endpoint connection from the consumer tenant.
- Go to the storage account -> Private endpoints.
- You should see the same endpoint that was created in the consumer tenant.
I have tested this approach and I see that my application is able to list the storage contents when the storage account's networking options have cut off public access completely.
Traffic goes via the Microsoft backbone network only.
What I realized with this approach is that I need to create a private endpoint for each storage account I want to access in the provider tenant. This leads to multiple endpoints and their associated costs.
What are alternative approaches?
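The procedure described in the post, written out as an added Azure CLI example (editor-supplied, not the poster's code or a Microsoft sample): the consumer-tenant vnet, private DNS zone, zone link, manually-approved private endpoint and zone group, then the provider-side listing and approval, and a check from inside the vnet. Resource group, vnet, subnet and address-range names are assumptions; the helper functions that validate the resource ID and derive the privatelink zone name run with no Azure login.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: the consumer-tenant steps as
# Azure CLI, plus the provider-tenant approval and a check from inside the vnet.
# Resource group, vnet, subnet and address ranges below are assumed names.
set -eu

# ---- helpers with no Azure calls -------------------------------------------

# One private endpoint covers one sub-resource (groupId), and each sub-resource
# needs its own privatelink zone. An endpoint for "blob" does nothing for "dfs".
privatelink_zone_for() {
  case "$1" in
    blob)  echo "privatelink.blob.core.windows.net" ;;
    file)  echo "privatelink.file.core.windows.net" ;;
    queue) echo "privatelink.queue.core.windows.net" ;;
    table) echo "privatelink.table.core.windows.net" ;;
    dfs)   echo "privatelink.dfs.core.windows.net" ;;
    web)   echo "privatelink.web.core.windows.net" ;;
    *)     echo "unknown storage sub-resource: $1" >&2; return 1 ;;
  esac
}

# Pull the account name out of the resource ID saved in the provider tenant and
# refuse anything that is not a storage account ID, so a pasted VM or
# blobServices ID never turns into a pending request on the provider side.
storage_name_from_id() {
  case "$1" in
    */storageAccounts/*/*) echo "ID points below the account: $1" >&2; return 1 ;;
    /subscriptions/*/resourceGroups/*/providers/Microsoft.Storage/storageAccounts/*) ;;
    *) echo "not a storage account resource ID: $1" >&2; return 1 ;;
  esac
  acct="${1##*/}"
  case "$acct" in                 # Azure account names: lowercase letters and digits
    ''|*[!a-z0-9]*) echo "bad account name in ID: $1" >&2; return 1 ;;
  esac
  printf '%s\n' "$acct"
}

# Owner name of the A record. The app keeps using <acct>.blob.core.windows.net;
# public DNS CNAMEs that to this name, which the linked private zone answers
# with the endpoint NIC's IP. Outside the linked vnet it resolves to the public IP.
privatelink_fqdn() {
  echo "$1.$(privatelink_zone_for "$2")"
}

# ---- consumer tenant -------------------------------------------------------
deploy_consumer() {                      # args: storage-resource-id [sub-resource]
  storage_id="$1"; sub="${2:-blob}"
  rg=rg-consumer-eastus2; loc=eastus2; vnet=vnet-app; subnet=snet-pe   # assumed
  acct="$(storage_name_from_id "$storage_id")"
  zone="$(privatelink_zone_for "$sub")"
  pe="pe-${acct}-${sub}"

  az network vnet create -g "$rg" -l "$loc" -n "$vnet" \
    --address-prefixes 10.10.0.0/16 --subnet-name "$subnet" --subnet-prefixes 10.10.1.0/24
  az network private-dns zone create -g "$rg" -n "$zone"
  az network private-dns link vnet create -g "$rg" -z "$zone" -n "link-$vnet" \
    -v "$vnet" --registration-enabled false
  # Cross-tenant target: the caller has no RBAC on the provider's account, so the
  # connection cannot auto-approve; send a manual request the provider can vet.
  az network private-endpoint create -g "$rg" -l "$loc" -n "$pe" \
    --vnet-name "$vnet" --subnet "$subnet" \
    --private-connection-resource-id "$storage_id" --group-id "$sub" \
    --connection-name "conn-$acct-$sub" --manual-request true \
    --request-message "consumer app needs $sub access to $acct"
  # The zone group writes the A record (<acct>.<zone> -> endpoint IP) itself,
  # so the manual record-set step is not needed when this is used.
  az network private-endpoint dns-zone-group create -g "$rg" --endpoint-name "$pe" \
    -n "zg-$sub" --private-dns-zone "$zone" --zone-name "$sub"
}

# ---- provider tenant (run while logged in there) ---------------------------
list_pending() {                         # args: storage-resource-id
  az network private-endpoint-connection list --id "$1" -o table
}
approve_connection() {                   # args: private-endpoint-connection-id
  # Approval is the security control here: confirm the requesting endpoint's
  # subscription in the listing before running this.
  az network private-endpoint-connection approve --id "$1" --description "approved for consumer app"
}

# ---- check from a host inside the linked vnet -------------------------------
verify_path() {                          # args: account-name [sub-resource]
  nslookup "$1.${2:-blob}.core.windows.net"   # expect a 10.10.1.0/24 answer, not a public IP
  # Reachability is not authorization: the identity still needs a data role (or
  # SAS) granted in the provider tenant, e.g. after az login --tenant <provider>.
  az storage container list --account-name "$1" --auth-mode login -o table
}

case "${1:-}" in
  consumer) deploy_consumer "$2" "${3:-blob}" ;;
  pending)  list_pending "$2" ;;
  approve)  approve_connection "$2" ;;
  verify)   verify_path "$2" "${3:-blob}" ;;
esac
```

Run `consumer <storage-resource-id>` while logged in to the consumer tenant, then `pending <storage-resource-id>` and `approve <connection-id>` in the provider tenant, and `verify <account-name>` from a VM in the linked vnet. Two points the post's steps leave implicit: the endpoint is per sub-resource as well as per account, so an application that needs blob and dfs on the same account needs two endpoints and two zones; and the provider's approval step is where a request from the wrong tenant gets stopped, so the listing should be read before approving.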