Private endpoints – Securing Storage

Private endpoints

Private endpoints give an Azure Storage account a private interface inside a virtual network (VNet) and can be used to eliminate public access. They provide stronger security than a public endpoint because the account is no longer exposed to the public internet, which removes that avenue of unauthorized access. When a private endpoint is implemented, a Network Interface Card (NIC) is associated with the storage account and placed in a VNet; traffic to the storage account then traverses that VNet. Private endpoints are delivered through a service called Private Link.

Top Tip

For scenarios requiring advanced security, disable all public access to the storage account and enable a private endpoint. Direct all traffic through a firewall for integration, and implement a Network Security Group (NSG) at the subnet layer to restrict unauthorized access further.

In the following demonstration, we will attach a private endpoint to a storage account:

  1. Navigate to the Azure portal by opening https://portal.azure.com.
  2. Go to the storage account we created in the previous chapter.
  3. On the Storage account blade, select Networking from the left menu under the Security + networking context.
  4. On the tab menu bar, select the Private endpoint connections tab and click + Private endpoint.

Figure 7.6 – Storage accounts – Private endpoint connections

  5. In the Basics tab, select the subscription, resource group, and region, then enter a name for the instance. For this demo, we will use az104privateendpoint. Click Next : Resource >.

Figure 7.7 – Private endpoint connections – Basics tab

  6. On the Resource tab, select the target sub-resource. This is the type of storage being consumed from the storage account. Select file. Click Next : Configuration >.

Figure 7.8 – Private endpoint connections – Resource tab

  7. On the Configuration tab, enter all the networking configuration for the private endpoint. Select your VNet and subnet. For the Integrate with private DNS zone option, select No. Private DNS allows you to create a DNS entry for the private endpoint you are using on the service. This will be hosted within the private DNS zone you provision in Azure. Private DNS in Azure provides a mechanism for managing your own DNS entries hosted by Azure. We will discuss this in Chapter 14, Implementing and Managing Virtual Networking. Click Review + create.

Figure 7.9 – Private endpoint connections – Configuration tab

  8. Once validation has passed, click Create.
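
The same walkthrough as an Azure CLI script, added here as an example rather than code from the book. The endpoint name and the file sub-resource come from the steps above; the resource group, storage account, VNet and subnet names and the subscription placeholder are assumed. Set DRY_RUN=1 to print the commands instead of executing them.

```shell
#!/usr/bin/env sh
# Added example: Azure CLI equivalent of the portal steps above.
# Assumed placeholder names (not from the chapter): RG, STORAGE, VNET, SUBNET.
RG="${RG:-az104-rg}"                        # assumed resource group
STORAGE="${STORAGE:-az104storage}"          # assumed storage account
PE_NAME="${PE_NAME:-az104privateendpoint}"  # name used in the chapter
VNET="${VNET:-az104-vnet}"                  # assumed VNet
SUBNET="${SUBNET:-storage-subnet}"          # assumed subnet
SUBRESOURCE="file"                          # target sub-resource chosen in step 6

# Execute a command, or only print it when DRY_RUN is set (no az needed).
run() {
  if [ -n "$DRY_RUN" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Steps 5-8: create the private endpoint; its NIC lands in the chosen subnet.
# No private DNS zone is attached, matching the "No" chosen in the
# Configuration tab, so name resolution must be handled separately.
create_private_endpoint() {
  if [ -n "$DRY_RUN" ]; then
    storage_id="/subscriptions/<sub-id>/resourceGroups/$RG/providers/Microsoft.Storage/storageAccounts/$STORAGE"
  else
    storage_id=$(az storage account show -g "$RG" -n "$STORAGE" --query id -o tsv)
  fi
  run az network private-endpoint create \
    --resource-group "$RG" --name "$PE_NAME" \
    --vnet-name "$VNET" --subnet "$SUBNET" \
    --private-connection-resource-id "$storage_id" \
    --group-id "$SUBRESOURCE" \
    --connection-name "${PE_NAME}-conn"
}

# Top Tip: once the private endpoint is in place, shut the public endpoint
# and make the network rule default Deny.
disable_public_access() {
  run az storage account update -g "$RG" -n "$STORAGE" \
    --public-network-access Disabled --default-action Deny
}
```

Run create_private_endpoint first and verify access over the VNet before calling disable_public_access, since the second function cuts off any client still using the public endpoint.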

You have now successfully deployed a private endpoint. That brings us to the end of this section. We encourage you to play with this more in the next chapter, where you can follow along with a lab deployment. We will now discuss network routing on a storage account.

Top Tip

Take note that a private endpoint can also be provisioned at the time a storage account is created.
