Edit

Share via


Connect to a storage account using an Azure private endpoint

Azure private endpoint is the fundamental building block for Private Link in Azure. It enables Azure resources to privately and securely communicate with Private Link resources such as Azure Storage.

After deploying Cloud Shell in a private virtual network, you may want to remove the public endpoint from the storage account and use a private endpoint. When you use a private endpoint, the storage account is accessible only from the virtual network where the private endpoint is created. You must also add a DNS record for the private endpoint. Without the DNS record, Cloud Shell can't connect to the storage account. Under this condition, when you start a Cloud Shell session, you see a message that you're using ephemeral storage.

This article shows you how to create a private endpoint for a storage account and create the necessary DNS record.

Disable public access to storage account

Before you create the private endpoint, you should disable public access to the storage account. Use the following steps to disable public access to the storage account.

  1. In the search box at the top of the portal, enter Storage account. Select Storage accounts in the search results.
  2. Select storage1 or the name of your existing storage account.
  3. In Security + networking, select Networking.
  4. In the Firewalls and virtual networks tab in Public network access, select Disabled.
  5. Select Save.

Create private endpoint

  1. In the search box at the top of the portal, enter Private endpoint. Select Private endpoints.

  2. Select + Create in Private endpoints.

  3. In the Basics tab of Create a private endpoint, create the following configuration:

    Setting Value
    Project details
    Subscription Select your subscription.
    Resource group Select rg-cloudshell-eastus
    Instance details
    Name Enter private-endpoint.
    Network Interface Name Leave the default of private-endpoint-nic.
    Region Select East US 2.
  4. Select Next: Resource.

  5. In the Resource pane, enter or select the following information.

    Setting Value
    Connection method Leave the default of Connect to an Azure resource in my directory.
    Subscription Select your subscription.
    Resource type Select Microsoft.Storage/storageAccounts.
    Resource Select myvnetstorage1138 or your storage account.
    Target subresource Select file.
  6. Select Next: Virtual Network.

  7. In Virtual Network, enter or select the following information.

    Setting Value
    Networking
    Virtual network Select vnet-cloudshell-eastus (rg-cloudshell-eastus).
    Subnet Select storagesubnet.
    Network policy for private endpoints Select edit to apply Network policy for private endpoints.
    In Edit subnet network policy, select the checkbox next to Network security groups and Route Tables in the Network policies setting for all private endpoints in this subnet pull-down.
    Select Save.

    For more information, see Manage network policies for private endpoints
    Private IP configuration Select Dynamically allocate IP address.

    Screenshot of dynamic IP address selection.

  8. Select Next: DNS.

  9. On the DNS tab, ensure that Integrate with private DNS zone is set to Yes. Keep the default values for the remaining fields.

  10. Select Next: Tags, then Next: Review + create.

  11. Select Create.