Restrict import/export access for managed disks using Azure Private Link

Applies to: ✔️ Linux VMs ✔️ Windows VMs ✔️ Flexible scale sets ✔️ Uniform scale sets

You can use private endpoints to restrict the export and import of managed disks and more securely access data over a private link from clients on your Azure virtual network. The private endpoint uses an IP address from the virtual network address space for your managed disks. Network traffic between clients on their virtual network and managed disks only traverses over the virtual network and a private link on the Microsoft backbone network, eliminating exposure from the public internet.

To use Private Link to export and import managed disks, first you create a disk access resource and link it to a virtual network in the same subscription by creating a private endpoint. Then, associate a disk or a snapshot with a disk access instance.




  • You can't import or export more than five disks or snapshots at the same time with the same disk access object.
  • You can't upload to a disk with both a disk access object and a disk encryption set.

Create a disk access resource

  1. Sign in to the Azure portal and navigate to Disk Accesses.

  2. Select + Create to create a new disk access resource.

  3. On the Create a disk accesses pane, select your subscription and a resource group. Under Instance details, enter a name and select a region.

    Screenshot of disk access creation pane. Fill in the desired name, select a region, select a resource group, and proceed.

  4. Select Review + create.

  5. When your resource has been created, navigate directly to it.

    Screenshot of the Go to resource button in the portal.

Create a private endpoint

Next, you'll need to create a private endpoint and configure it for disk access.

  1. From your disk access resource, under Settings, select Private endpoint connections.

  2. Select + Private endpoint.

    Screenshot of the overview pane for your disk access resource. Private endpoint connections is highlighted.

  3. In the Create a private endpoint pane, select a resource group.

  4. Provide a name and select the same region in which your disk access resource was created.

    Screenshot of the private endpoint creation workflow, first pane. If you do not select the appropriate region then you may encounter issues later on.

  5. Select Next: Resource.

  6. On the Resource pane, select Connect to an Azure resource in my directory.

  7. For Resource type, select Microsoft.Compute/diskAccesses.

  8. For Resource, select the disk access resource you created earlier.

  9. Leave the Target sub-resource as disks.

    Screenshot of the private endpoint creation workflow, second pane. With all the values highlighted (Resource type, Resource, Target sub-resource).

  10. Select Next : Configuration.

  11. Select the virtual network to which you will limit disk import and export. This prevents the import and export of your disk to other virtual networks.


    If you have a network security group enabled for the selected subnet, it will be disabled for private endpoints on this subnet only. Other resources on this subnet will retain network security group enforcement.

  12. Select the appropriate subnet.

    Screenshot of the private endpoint creation workflow, third pane. Virtual network and subnet emphasized.

  13. Select Review + create.

Enable private endpoint on your disk

Follow these steps:

  1. Navigate to the disk you'd like to configure.

  2. Under Settings, select Networking.

  3. Select Private endpoint (through disk access) and select the disk access you created earlier.

    Screenshot of the managed disk networking pane. Highlighting the private endpoint selection as well as the selected disk access. Saving this configures your disk for this access.

  4. Select Save.

    You've now configured a private link that you can use to import and export your managed disk. You can import using the Azure CLI or the Azure PowerShell module. You can export either Windows or Linux VHDs.