min.io Azure Gateway

Azure Public Test Date Azure Public Test Result

Azure US Gov Last Test Date Azure US Gov Last Test Result

Best Practice Check Cred Scan Check

Deploy To Azure Deploy To Azure US Gov Visualize

Overview and deployed resources

This template deploys an AKS cluster running min.io configured as an Azure storage gateway to provision a private S3 API into a VNET to enable the deployment of solutions which have a dependency on S3 object storage.

The deployment provides the following:

  • Storage account with Private Endpoint
  • Private DNS zone to enable Private Link
  • AKS cluster with cluster autoscaler enabled
  • Installation of min.io Helm chart
  • Internal Standard Load Balancer exposing the min.io S3 endpoint

This is an overview of the solution

The following resources are deployed as part of the solution


  • min.io Storage Account: Storage account backing the S3 endpoint presented by min.io
  • Deployment Script Storage Account: Storage account used as file share for deployment script resource, including inputs and logs


  • Virtual Network: Virtual Network within which all resources are provisioned
  • Private Endpoint: Private Endpoint to enable private access to min.io Storage Account
  • Private Endpoint Network Interface: Network Interface bound to Private Endpoint
  • Private DNS Zone: Private DNS zone to support private connectivity to Storage Account


  • AKS Cluster: Managed Kubernetes cluster as runtime environment for min.io containers
  • Azure Container Instance: Container Instance used as Deployment Script runtime for installation of min.io


  • Managed Identity: Managed Identity bound to Deployment Script resource
  • Role Assignment: Provides roles required for execution of Deployment Script


An Azure subscription with available compute quota to deploy the AKS cluster

Deployment steps

You can click the "deploy to Azure" button at the beginning of this document or follow the instructions for command line deployment using the scripts in the root of this repo.


The deployment contains an output which provides the private IP address of the S3 endpoint. This API requires the storage account name and key for authentication.


As connectivity to the min.io service is fully private within the VNET, you must follow these steps to access the min.io web UI from your client device:

  • Use the Azure CLI to obtain the storage account key
  • Use the Azure CLI to authenticate with the AKS cluster
  • Execute kubectl get pods and capture one of the pod names, such as minio-55c5f4ccd5-7t9t7
  • Execute kubectl port-forward [pod name] 9000 to establish a tunnel to the pod
  • Browse to http://localhost:9000 to access the web UI
  • Use the storage account name and key to authenticate with the web UI

Tags: splunk, min.io, minio, smartstore, s3, Microsoft.Network/virtualNetworks, Microsoft.Storage/storageAccounts, blobServices/containers, Microsoft.Network/privateDnsZones, virtualNetworkLinks, Microsoft.Network/privateEndpoints, Microsoft.Network/privateEndpoints/privateDnsZoneGroups, Microsoft.ManagedIdentity/userAssignedIdentities, Microsoft.Authorization/roleAssignments, Microsoft.Resources/deploymentScripts, UserAssigned, Microsoft.ContainerService/managedClusters, SystemAssigned, VirtualMachineScaleSets