Tutorial: Connect to a storage account using an Azure Private Endpoint
Azure Private endpoint is the fundamental building block for Private Link in Azure. It enables Azure resources, like virtual machines (VMs), to privately and securely communicate with Private Link resources such as Azure Storage.
In this tutorial, you'll learn how to:
- Create a virtual network and bastion host.
- Create a virtual machine.
- Create a storage account with a private endpoint.
- Test connectivity to the storage account private endpoint.
Prerequisites
- An Azure subscription. If you don't have an Azure subscription, create a free account before you begin.
Sign in to Azure
Sign in to the Azure portal.
Create a virtual network and bastion host
Create a virtual network, subnet, and bastion host. The virtual network and subnet will contain the private endpoint that connects to the Azure Storage Account.
The bastion host will be used to connect securely to the virtual machine for testing the private endpoint.
In the search box at the top of the portal, enter Virtual network. Select Virtual network in the search results.
Select + Create.
In Create virtual network, enter or select this information in the Basics tab:
Setting Value Project Details Subscription Select your Azure subscription. Resource Group Select Create new. Enter TutorPEstorage-rg in Name. Select OK. Instance details Name Enter myVNet. Region Select East US. Select the IP Addresses tab or select Next: IP Addresses.
In the IP Addresses tab, enter this information:
Setting Value IPv4 address space Enter 10.1.0.0/16. Under Subnet name, select the word default. If a subnet isn't listed, select + Add subnet.
In Edit subnet, enter this information:
Setting Value Subnet name Enter mySubnet. Subnet address range Enter 10.1.0.0/24. Select Save.
Select the Security tab.
Under BastionHost, select Enable. Enter this information:
Setting Value Bastion name Enter myBastionHost. AzureBastionSubnet address space Enter 10.1.1.0/26. Public IP Address Select Create new. For Name, enter myBastionIP. Select OK. Select the Review + create tab or select the Review + create button.
Select Create.
It will take a few minutes for the virtual network and Azure Bastion host to deploy. Proceed to the next steps when the virtual network is created.
Create a virtual machine
In this section, you'll create a virtual machine that will be used to test the private endpoint.
In the search box at the top of the portal, enter Virtual machine. Select Virtual machines in the search results.
Select + Create > Azure virtual machine.
In Create a virtual machine, enter or select the following in the Basics tab:
Setting Value Project Details Subscription Select your Azure subscription. Resource Group Select TutorPEstorage-rg. Instance details Virtual machine name Enter myVM. Region Select (US) East US. Availability Options Select No infrastructure redundancy required. Security type Select Standard. Image Select Windows Server 2022 Datacenter: Azure Edition - Gen2. Size Choose a size or leave the default setting. Administrator account Username Enter a username. Password Enter a password. Confirm password Reenter password. Inbound port rules Public inbound ports Select None. Select the Networking tab, or select Next: Disks, then Next: Networking.
In the Networking tab, enter or select the following information:
Setting Value Network interface. Virtual network myVNet. Subnet mySubnet. Public IP Select None. NIC network security group Basic. Public inbound ports Select None. Select Review + create.
Review the settings, and then select Create.
Note
Azure provides a default outbound access IP for VMs that either aren't assigned a public IP address or are in the back-end pool of an internal basic Azure load balancer. The default outbound access IP mechanism provides an outbound IP address that isn't configurable.
The default outbound access IP is disabled when a public IP address is assigned to the VM, the VM is placed in the back-end pool of a standard load balancer, with or without outbound rules, or if an Azure Virtual Network NAT gateway resource is assigned to the subnet of the VM.
VMs that are created by virtual machine scale sets in flexible orchestration mode don't have default outbound access.
For more information about outbound connections in Azure, see Default outbound access in Azure and Use source network address translation (SNAT) for outbound connections.
Create storage account with a private endpoint
Create a storage account and configure the private endpoint. The private endpoint uses a network interface assigned an IP address in the virtual network you created previously.
In the search box at the top of the portal, enter Storage account. Select Storage accounts in the search results.
Select + Create.
In the Basics tab of Create a storage account enter or select the following information:
Setting Value Project Details Subscription Select your Azure subscription. Resource Group Select TutorPEstorage-rg. Instance details Storage account name Enter mystorageaccount. If the name is unavailable, enter a unique name. Location Select (US) East US. Performance Leave the default Standard. Redundancy Select Locally-redundant storage (LRS). Select the Networking tab or select Next: Advanced then Next: Networking.
In the Networking tab, under Network connectivity select Disable public access and use private access.
In Private endpoint, select + Add private endpoint.
In Create private endpoint enter or select the following information:
Setting Value Subscription Select your Azure subscription. Resource Group Select TutorPEstorage-rg. Location Select East US. Name Enter myPrivateEndpoint. Storage subresource Leave the default blob. Networking Virtual network Select myVNet. Subnet Select myVNet/mySubnet(10.1.0.0/24). Private DNS integration. Integrate with private DNS zone Leave the default Yes. Private DNS Zone Leave the default (New) privatelink.blob.core.windows.net. Select OK.
Select Review.
Select Create.
Storage access key
The storage access key is required for the later steps. You'll go to the storage account you created previously and copy the connection string with the access key for the storage account.
In the search box at the top of the portal, enter Storage account. Select Storage accounts in the search results.
Select the storage account you created in the previous steps.
In the Security + networking section of the storage account, select Access keys.
Select Show, then select copy on the Connection string for key1.
Add a blob container
In the search box at the top of the portal, enter Storage account. Select Storage accounts in the search results.
Select the storage account you created in the previous steps.
In the Data storage section, select Containers.
Select + Container to create a new container.
Enter mycontainer in Name and select Private (no anonymous access) under Public access level.
Select Create.
Test connectivity to private endpoint
In this section, you'll use the virtual machine you created in the previous steps to connect to the storage account across the private endpoint using Microsoft Azure Storage Explorer.
In the search box at the top of the portal, enter Virtual machine. Select Virtual machines in the search results.
Select myVM.
On the overview page for myVM, select Connect then Bastion.
Enter the username and password that you entered during the virtual machine creation.
Select Connect.
Open Windows PowerShell on the server after you connect.
Enter
nslookup <storage-account-name>.blob.core.windows.net. Replace <storage-account-name> with the name of the storage account you created in the previous steps. You'll receive a message similar to what is displayed below:Server: UnKnown Address: 168.63.129.16 Non-authoritative answer: Name: mystorageaccount.privatelink.blob.core.windows.net Address: 10.1.0.5 Aliases: mystorageaccount.blob.core.windows.netA private IP address of 10.1.0.5 is returned for the storage account name. This address is in mySubnet subnet of myVNet virtual network you created previously.
Install Microsoft Azure Storage Explorer on the virtual machine.
Select Finish after the Microsoft Azure Storage Explorer is installed. Leave the box checked to open the application.
Select the Power plug symbol to open the Select Resource dialog box.
In Select Resource , select Storage account or service to add a connection in Microsoft Azure Storage Explorer to your storage account that you created in the previous steps.
In the Select Connection Method screen, select Connection string, and then Next.
In the box under Connection String, paste the connection string from the storage account you copied in the previous steps. The storage account name will automatically populate in the box under Display name.
Select Next.
Verify the settings are correct in Summary.
Select Connect
Select your storage account from the Storage Accounts in the explorer menu.
Expand the storage account and then Blob Containers.
The mycontainer you created previously is displayed.
Close the connection to myVM.
Clean up resources
If you're not going to continue to use this application, delete the virtual network, virtual machine, and storage account with the following steps:
From the left-hand menu, select Resource groups.
Select TutorPEstorage-rg.
Select Delete resource group.
Enter TutorPEstorage-rg in TYPE THE RESOURCE GROUP NAME.
Select Delete.
Next steps
In this tutorial, you learned how to create:
Virtual network and bastion host.
Virtual machine.
Storage account and a container.
Learn how to connect to an Azure Cosmos DB account via Azure Private Endpoint:
Feedback
Submit and view feedback for