Can anyone help me with how to configure the data disk configuration in a VM template with networking connections, like disabling public access and enabling private access and private endpoints?

2024-03-19T15:52:11.5833333+00:00

I have a template configuration with an OS Disk and Data Disk configuration, but my requirement is that I want to update the network parameters of the Data Disk and assign an existing Disk Access to the Data Disks.

But I couldn't find any configuration for updating the template.

Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
Azure Disk Storage
A high-performance, durable block storage designed to be used with Azure Virtual Machines and Azure VMware Solution.

Accepted answer
    Nehruji R 2,126 Reputation points Microsoft Vendor
    2024-03-20T11:03:09.35+00:00

    Hello Mukthiyar Hussain Y S,

    Greetings! Welcome to Microsoft Q&A Platform.

    To update the network parameters of data disks and assign an existing disk access in an Azure Resource Manager (ARM) template:

    In your ARM template, you can define the data disks using the Microsoft.Compute/disks resource type. Specify the diskSizeGB, lun (logical unit number), and the vhd URI for each data disk.

    Here’s an example snippet for a managed data disk:

        "dataDisks": [
            {
                "name": "datadisk1",
                "diskSizeGB": 1023,
                "lun": 0,
                "vhd": {
                    "uri": "[concat(reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))).primaryEndpoints.blob, 'vhds/datadisk1.vhd')]"
                },
                "createOption": "Empty"
            }
        ]

    To update network parameters, ensure that your virtual machine (VM) template includes the necessary network configuration, and within the networkProfile section of your VM template, specify the network interfaces (NICs) and their dependencies.

    Enabling Private Endpoint with Private Access Link for Azure VM disks will provide more security and control over accessing the disk, but it does not prevent access from other Azure resources or within the Azure Virtual Network.

    Disabling public access on the Azure VM disk will restrict access from the public internet but does not provide the same level of isolation and control as using a Private Endpoint and Private Access Link.

    The recommendation to use a Private Endpoint with Private Access Link for Azure VM disks with public access aims to provide a highly secure solution that aligns with best practices for network security.

    Here is the updated script to disable public access on all VM disks that have public access enabled.

        # Look up the existing Disk Access resource that the private endpoint is attached to.
        # The resource group and name below are placeholders; replace them with your own.
        $diskAccess = Get-AzDiskAccess -ResourceGroupName "myResourceGroup" -Name "myDiskAccess"

        # Get all attached VM disks that still have public network access enabled
        # (the PSDisk property is PublicNetworkAccess, not PublicAccess)
        $disks = Get-AzDisk | Where-Object { $_.DiskState -eq 'Attached' -and $_.DiskSizeGB -gt 0 -and $_.PublicNetworkAccess -eq 'Enabled' }

        # Disable public access for each disk and bind it to the Disk Access resource
        foreach ($disk in $disks) {
            Write-Host "Disabling public access for disk $($disk.Name)..."

            # Build the update configuration; the AllowPrivate policy requires a DiskAccessId
            $update = New-AzDiskUpdateConfig -PublicNetworkAccess "Disabled" -NetworkAccessPolicy "AllowPrivate" -DiskAccessId $diskAccess.Id

            # New-AzDiskUpdateConfig only creates the config object; Update-AzDisk applies it to the disk
            Update-AzDisk -ResourceGroupName $disk.ResourceGroupName -DiskName $disk.Name -DiskUpdate $update
            Write-Host "Public access disabled for disk $($disk.Name)."
        }
    

    To assign an existing disk access, ensure that the existing disks are already attached to the VM. You can reference the existing disks' URIs in the vhd property of the data disks.

    For example, if you have an existing OS disk, you can use its URI like this:

        "osDisk": {
            "name": "osdisk",
            "vhd": {
                "uri": "[concat(reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))).primaryEndpoints.blob, 'vhds/osdisk.vhd')]"
            },
            "caching": "ReadWrite",
            "createOption": "FromImage"
        }

    Refer to:
    - https://learn.microsoft.com/en-us/azure/virtual-machines/using-managed-disks-template-deployments
    - https://learn.microsoft.com/en-us/azure/templates/microsoft.compute/disks?pivots=deployment-language-arm-template
    - https://learn.microsoft.com/en-us/azure/private-link/create-private-endpoint-template
    - https://learn.microsoft.com/en-us/azure/virtual-machines/disks-restrict-import-export-overview

    Similar thread for reference - https://stackoverflow.com/questions/68385774/how-to-set-os-disks-networking-to-allowprivate-private-endpoint-through-disk

    Hope this answer helps! Please let us know if you have any further queries. I’m happy to assist you further.

    Please "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    1 person found this answer helpful.
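The answer above shows unmanaged-disk (vhd URI) syntax, which has no network settings at all. The network parameters the question asks about (networkAccessPolicy, diskAccessId, publicNetworkAccess) live on the managed disk resource (Microsoft.Compute/disks), not on the VM's dataDisks entry. The template below is an added example, not part of the original answer or of any Microsoft sample: it declares a managed data disk with public access disabled and an existing Disk Access assigned, then attaches that disk to the VM by resource ID. The VM size, the Ubuntu image reference, the NIC resource ID and the Disk Access resource ID passed as parameters, and the API versions are assumptions; substitute your own values.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "location": { "type": "string", "defaultValue": "[resourceGroup().location]" },
    "vmName": { "type": "string", "defaultValue": "myVm" },
    "existingDiskAccessId": {
      "type": "string",
      "metadata": { "description": "Assumed to exist already: resource ID of a Microsoft.Compute/diskAccesses resource that your private endpoint targets" }
    },
    "existingNicId": {
      "type": "string",
      "metadata": { "description": "Assumed to exist already: resource ID of the VM's network interface" }
    },
    "adminUsername": { "type": "string", "defaultValue": "azureuser" },
    "adminPassword": { "type": "securestring" }
  },
  "variables": {
    "dataDiskName": "[concat(parameters('vmName'), '-datadisk1')]"
  },
  "resources": [
    {
      "comments": "Network settings are properties of the managed disk resource itself. AllowPrivate requires diskAccessId; publicNetworkAccess Disabled blocks SAS export/import over the public endpoint.",
      "type": "Microsoft.Compute/disks",
      "apiVersion": "2022-07-02",
      "name": "[variables('dataDiskName')]",
      "location": "[parameters('location')]",
      "sku": { "name": "Premium_LRS" },
      "properties": {
        "creationData": { "createOption": "Empty" },
        "diskSizeGB": 1023,
        "networkAccessPolicy": "AllowPrivate",
        "diskAccessId": "[parameters('existingDiskAccessId')]",
        "publicNetworkAccess": "Disabled"
      }
    },
    {
      "comments": "The VM attaches the pre-created disk by ID. The dataDisks schema has no network properties, so createOption Attach is what lets the disk carry the settings above.",
      "type": "Microsoft.Compute/virtualMachines",
      "apiVersion": "2022-11-01",
      "name": "[parameters('vmName')]",
      "location": "[parameters('location')]",
      "dependsOn": [
        "[resourceId('Microsoft.Compute/disks', variables('dataDiskName'))]"
      ],
      "properties": {
        "hardwareProfile": { "vmSize": "Standard_D2s_v3" },
        "osProfile": {
          "computerName": "[parameters('vmName')]",
          "adminUsername": "[parameters('adminUsername')]",
          "adminPassword": "[parameters('adminPassword')]"
        },
        "storageProfile": {
          "imageReference": {
            "publisher": "Canonical",
            "offer": "0001-com-ubuntu-server-jammy",
            "sku": "22_04-lts-gen2",
            "version": "latest"
          },
          "osDisk": {
            "name": "[concat(parameters('vmName'), '-osdisk')]",
            "createOption": "FromImage",
            "caching": "ReadWrite",
            "managedDisk": { "storageAccountType": "Premium_LRS" }
          },
          "dataDisks": [
            {
              "lun": 0,
              "name": "[variables('dataDiskName')]",
              "createOption": "Attach",
              "caching": "ReadOnly",
              "managedDisk": {
                "id": "[resourceId('Microsoft.Compute/disks', variables('dataDiskName'))]"
              }
            }
          ]
        },
        "networkProfile": {
          "networkInterfaces": [ { "id": "[parameters('existingNicId')]" } ]
        }
      }
    }
  ]
}
```

Two things to check after deployment: `Get-AzDisk -ResourceGroupName <rg> -DiskName <vmName>-datadisk1` should report NetworkAccessPolicy AllowPrivate, PublicNetworkAccess Disabled and the DiskAccessId you passed in. The OS disk created by FromImage in the VM's storageProfile cannot be given these properties inline, because the VM schema does not expose them; it has to be updated as a disk resource afterwards, for example with the New-AzDiskUpdateConfig / Update-AzDisk pair in the answer above.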

0 additional answers
