Connect to a storage account using an Azure private endpoint
Azure private endpoint is the fundamental building block for Private Link in Azure. It enables Azure
resources to privately and securely communicate with Private Link resources such as Azure Storage.
After deploying Cloud Shell in a private virtual network, you may want to remove the public endpoint from the storage account and use a private endpoint instead. When you use a private endpoint, the storage account is reachable only from the virtual network where the private endpoint is created. You must also add a DNS record for the private endpoint: without it, the storage account's name still resolves to its public address, and Cloud Shell can't connect. In that case, when you start a Cloud Shell session, you see a message that you're using ephemeral storage.
This article shows you how to create a private endpoint for a storage account and create the necessary DNS record.
Disable public access to the storage account
Before you create the private endpoint, disable public access to the storage account:
1. In the search box at the top of the portal, enter Storage account. Select Storage accounts in the search results.
2. Select storage1 or the name of your existing storage account.
3. In Security + networking, select Networking.
4. In the Firewalls and virtual networks tab, under Public network access, select Disabled.
5. Select Save.
Create private endpoint
1. In the search box at the top of the portal, enter Private endpoint. Select Private endpoints.
2. Select + Create in Private endpoints.
3. In the Basics tab of Create a private endpoint, enter the following configuration:

| Setting | Value |
| --- | --- |
| Project details | |
| Subscription | Select your subscription. |
| Resource group | Select rg-cloudshell-eastus. |
| Instance details | |
| Name | Enter private-endpoint. |
| Network Interface Name | Leave the default of private-endpoint-nic. |
| Region | Select East US 2. |

4. Select Next: Resource.
5. In the Resource pane, enter or select the following information:

| Setting | Value |
| --- | --- |
| Connection method | Leave the default of Connect to an Azure resource in my directory. |
| Subscription | Select your subscription. |
| Resource type | Select Microsoft.Storage/storageAccounts. |
| Resource | Select myvnetstorage1138 or your storage account. |
| Target subresource | Select file. |

6. Select Next: Virtual Network.
7. In Virtual Network, enter or select the following information.
8. Select edit to apply Network policy for private endpoints. In Edit subnet network policy, select the checkbox next to Network security groups and Route Tables in the Network policies setting for all private endpoints in this subnet pull-down. Select Save.
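The same configuration expressed with the Azure CLI, as an added example that is not part of the original article: it disables public access, creates the private endpoint for the file subresource, creates the privatelink.file.core.windows.net zone and DNS record, and then checks that the storage FQDN resolves to a private address (the condition the article says Cloud Shell needs). The resource group, storage account, endpoint and NIC names come from the article; the virtual network and subnet names are assumed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. Run with "apply" to execute the az
# commands; without an argument it only defines the functions.
set -eu

RG="rg-cloudshell-eastus"        # from the article
STORAGE="myvnetstorage1138"      # from the article
PE_NAME="private-endpoint"       # from the article
VNET="vnet-cloudshell"           # assumed name, replace with your VNet
SUBNET="snet-private-endpoints"  # assumed name, replace with your subnet
ZONE="privatelink.file.core.windows.net"  # private DNS zone for the "file" subresource

disable_public_access() {
  az storage account update -g "$RG" -n "$STORAGE" --public-network-access Disabled
}

create_private_endpoint() {
  local sa_id
  sa_id=$(az storage account show -g "$RG" -n "$STORAGE" --query id -o tsv)
  az network private-endpoint create -g "$RG" -n "$PE_NAME" \
    --vnet-name "$VNET" --subnet "$SUBNET" \
    --private-connection-resource-id "$sa_id" --group-id file \
    --connection-name "${PE_NAME}-conn" --nic-name "${PE_NAME}-nic"
}

create_dns_record() {
  # Zone + VNet link + zone group: the zone group writes the A record for the
  # endpoint NIC into the zone automatically.
  az network private-dns zone create -g "$RG" -n "$ZONE"
  az network private-dns link vnet create -g "$RG" -z "$ZONE" -n "${VNET}-link" \
    -v "$VNET" --registration-enabled false
  az network private-endpoint dns-zone-group create -g "$RG" --endpoint-name "$PE_NAME" \
    -n default --private-dns-zone "$ZONE" --zone-name file
}

# RFC 1918 test: the storage FQDN must resolve to the endpoint's private NIC IP.
# A public address here means the DNS record is missing and Cloud Shell will
# fall back to ephemeral storage.
is_private_ip() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

check_storage_dns() {
  local ip
  ip=$(getent ahostsv4 "${STORAGE}.file.core.windows.net" | awk 'NR==1{print $1}')
  is_private_ip "$ip"
}

if [ "${1:-}" = "apply" ]; then
  disable_public_access; create_private_endpoint; create_dns_record; check_storage_dns
fi
```

Run check_storage_dns from inside the virtual network (for example from the Cloud Shell session itself); from outside, the name resolves to the public address by design.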