Network routing from storage accounts
The default network routing preference for storage accounts and most Azure services is the Microsoft network. This is a high-performance, low-latency global connection to all services within Azure and serves as the fastest delivery service to any consuming service or user. This is due to Microsoft configuring several points of presence within their global network. The closest endpoint to a client is always chosen. This option costs slightly more than traversing the internet. If you select Internet routing, then traffic will be routed in and out of the storage account outside the Microsoft network.
The following screenshot shows the setting under the Firewall and virtual networks tab on the Networking blade for your storage account:

Figure 7.10 – Storage account routing configuration
You will note there is also an option to publish route-specific endpoints for the storage account. This can be used in scenarios where you might want the default network routing option to be configured for the Microsoft network, while providing internet endpoints or vice versa. These endpoints can be found in the Endpoints section of your storage account, as shown in the following screenshot:

Figure 7.11 – Storage account – Endpoints
From this list, you may copy the endpoints that are required. Now that we have briefly observed the configuration options available for network routing on storage accounts, in the next section, we will explore a PowerShell script for configuring a private endpoint on a storage account.
PowerShell scripts
The following script creates a new private endpoint that is associated with an existing storage account. The endpoint is linked to the defined VNet and placed in the first subnet within that VNet:
# Look up the existing storage account that the endpoint will connect to
$storageAccount = Get-AzStorageAccount -ResourceGroupName "AZ104-Chapter7" -Name "az104xxxxxxxx"
# Define the private link connection to the account's 'file' sub-resource
$privateEndpointConnection = New-AzPrivateLinkServiceConnection -Name 'myConnection' -PrivateLinkServiceId ($storageAccount.Id) -GroupId 'file'
$vnet = Get-AzVirtualNetwork -ResourceGroupName "AZ104-Chapter7" -Name "StorageVNET"
## Disable private endpoint network policy ##
$vnet.Subnets[0].PrivateEndpointNetworkPolicies = "Disabled"
$vnet | Set-AzVirtualNetwork
## Create private endpoint
New-AzPrivateEndpoint -ResourceGroupName "AZ104-Chapter7" -Name "myPrivateEndpoint" -Location "westeurope" -Subnet ($vnet.Subnets[0]) -PrivateLinkServiceConnection $privateEndpointConnection
Once this code has been run, you will have successfully created a private endpoint for your storage account. It will be linked to the VNet and subnet you defined. You can navigate to the private endpoint to discover its private IP address, which will be used for internal communication to the service going forward.
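The following check is an added example, not part of the original script. It reads back the private endpoint's connection state and private IP address, then reports whether the storage account's public endpoint is still reachable, since creating a private endpoint does not by itself close the public one. It reuses the resource names from the script above; the report field names are illustrative.

```powershell
# Added example: verify the private endpoint and review public exposure.
$rg          = 'AZ104-Chapter7'
$accountName = 'az104xxxxxxxx'      # placeholder account name, as on the page
$peName      = 'myPrivateEndpoint'

# 1. Connection state of the private endpoint (auto-approved connection).
$pe    = Get-AzPrivateEndpoint -ResourceGroupName $rg -Name $peName
$state = $pe.PrivateLinkServiceConnections[0].PrivateLinkServiceConnectionState.Status

# 2. Private IP address assigned to the endpoint's network interface.
$nic       = Get-AzNetworkInterface -ResourceId $pe.NetworkInterfaces[0].Id
$privateIp = $nic.IpConfigurations[0].PrivateIpAddress

# 3. Storage account firewall, public access and routing settings.
$sa      = Get-AzStorageAccount -ResourceGroupName $rg -Name $accountName
$routing = if ($sa.RoutingPreference) { $sa.RoutingPreference.RoutingChoice }
           else { 'MicrosoftRouting (default)' }

# 4. What the file endpoint host name resolves to from this machine.
$fileHost = ([uri]$sa.PrimaryEndpoints.File).Host
try {
    $resolved = [System.Net.Dns]::GetHostAddresses($fileHost) |
        ForEach-Object { $_.IPAddressToString }
} catch {
    $resolved = @()                 # name did not resolve from here
}

$report = [pscustomobject]@{
    ConnectionState       = $state
    PrivateIp             = $privateIp
    FileHost              = $fileHost
    ResolvesToPrivateIp   = ($resolved -contains $privateIp)
    FirewallDefaultAction = $sa.NetworkRuleSet.DefaultAction
    PublicNetworkAccess   = $sa.PublicNetworkAccess   # empty on older Az.Storage
    RoutingChoice         = $routing
}
$report | Format-List

if ($report.ConnectionState -ne 'Approved') {
    Write-Warning "Private endpoint connection is '$($report.ConnectionState)', not Approved."
}
if ($report.FirewallDefaultAction -ne 'Deny' -and $report.PublicNetworkAccess -ne 'Disabled') {
    Write-Warning 'The public endpoint still accepts traffic from all networks.'
}
if (-not $report.ResolvesToPrivateIp) {
    Write-Warning "$fileHost does not resolve to $privateIp from this machine."
}
```

Run it from a machine inside the VNet to test name resolution; the script on this page does not configure DNS, so the last warning is expected until name resolution for the endpoint is set up.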