Connect privately to a storage account using Azure Private Endpoint

Azure Private Endpoint is the fundamental building block for Private Link in Azure. It enables Azure resources, like virtual machines (VMs), to communicate privately with Private Link resources.

In this Quickstart, you will learn how to use the Azure portal to create a VM on an Azure virtual network and a storage account with a Private Endpoint. Then, you can securely access the storage account from the VM.

Sign in to Azure

Sign in to the Azure portal at https://portal.azure.com.

Create a VM

In this section, you will create a virtual network and a subnet to host the VM that is used to access your Private Link resource (a storage account in this example).

Virtual network and parameters

In the steps that follow, replace the following parameters with the values below:

Parameter                Value
<resource-group-name>    myResourceGroup
<virtual-network-name>   myVirtualNetwork
<region-name>            West Central US
<IPv4-address-space>     10.1.0.0/16
<subnet-name>            mySubnet
<subnet-address-range>   10.1.0.0/24

Create the virtual network

In this section, you'll create a virtual network and subnet.

  1. On the upper-left side of the screen, select Create a resource > Networking > Virtual network or search for Virtual network in the search box.

  2. In Create virtual network, enter or select this information in the Basics tab:

    Setting Value
    Project Details
    Subscription Select your Azure subscription
    Resource Group Select Create new, enter <resource-group-name>, then select OK; or select an existing resource group and use its name as <resource-group-name>.
    Instance details
    Name Enter <virtual-network-name>
    Region Select <region-name>
  3. Select the IP Addresses tab or select the Next: IP Addresses button at the bottom of the page.

  4. In the IP Addresses tab, enter this information:

    Setting Value
    IPv4 address space Enter <IPv4-address-space>
  5. Under Subnet name, select the word default.

  6. In Edit subnet, enter this information:

    Setting Value
    Subnet name Enter <subnet-name>
    Subnet address range Enter <subnet-address-range>
  7. Select Save.

  8. Select the Review + create tab or select the Review + create button.

  9. Select Create.

Create virtual machine

  1. On the upper-left side of the screen in the Azure portal, select Create a resource > Compute > Virtual machine.

  2. In Create a virtual machine - Basics, enter or select this information:

    Setting Value
    PROJECT DETAILS
    Subscription Select your subscription.
    Resource group Select myResourceGroup. You created this in the previous section.
    INSTANCE DETAILS
    Virtual machine name Enter myVm.
    Region Select West Central US.
    Availability options Leave the default No infrastructure redundancy required.
    Image Select Windows Server 2019 Datacenter.
    Size Leave the default Standard DS1 v2.
    ADMINISTRATOR ACCOUNT
    Username Enter a username of your choosing.
    Password Enter a password of your choosing. The password must be at least 12 characters long and meet the defined complexity requirements.
    Confirm Password Reenter password.
    INBOUND PORT RULES
    Public inbound ports Leave the default None.
    SAVE MONEY
    Already have a Windows license? Leave the default No.
  3. Select Next: Disks.

  4. In Create a virtual machine - Disks, leave the defaults and select Next: Networking.

  5. In Create a virtual machine - Networking, select this information:

    Setting Value
    Virtual network Leave the default myVirtualNetwork.
    Address space Leave the default 10.1.0.0/24.
    Subnet Leave the default mySubnet (10.1.0.0/24).
    Public IP Leave the default (new) myVm-ip.
    Public inbound ports Select Allow selected ports.
    Select inbound ports Select HTTP and RDP.
  6. Select Review + create. You're taken to the Review + create page where Azure validates your configuration.

  7. When you see the Validation passed message, select Create.

Create your Private Endpoint

In this section, you will create a storage account and a Private Endpoint to it.

  1. On the upper-left side of the screen in the Azure portal, select Create a resource > Storage > Storage account.

  2. In Create storage account - Basics, enter or select this information:

    Setting Value
    PROJECT DETAILS
    Subscription Select your subscription.
    Resource group Select myResourceGroup. You created this in the previous section.
    INSTANCE DETAILS
    Storage account name Enter mystorageaccount. If this name is taken, create a unique name.
    Region Select West Central US.
    Performance Leave the default Standard.
    Account kind Leave the default Storage (general purpose v2).
    Replication Select Read-access geo-redundant storage (RA-GRS).
  3. Select Next: Networking.

  4. In Create a storage account - Networking, under Connectivity method, select Private Endpoint.

  5. In Create a storage account - Networking, select Add Private Endpoint.

  6. In Create Private Endpoint, enter or select this information:

    Setting Value
    PROJECT DETAILS
    Subscription Select your subscription.
    Resource group Select myResourceGroup. You created this in the previous section.
    Location Select West Central US.
    Name Enter myPrivateEndpoint.
    Storage sub-resource Leave the default Blob.
    NETWORKING
    Virtual network Select myVirtualNetwork from resource group myResourceGroup.
    Subnet Select mySubnet.
    PRIVATE DNS INTEGRATION
    Integrate with private DNS zone Leave the default Yes.
    Private DNS zone Leave the default (New) privatelink.blob.core.windows.net.
  7. Select OK.

  8. Select Review + create. You're taken to the Review + create page where Azure validates your configuration.

  9. When you see the Validation passed message, select Create.

  10. Browse to the storage account resource that you just created.

  11. Select Access Keys from the left content menu.

  12. Select Copy on the connection string for key1.

Connect to a VM from the internet

Connect to the VM myVm from the internet as follows:

  1. In the portal's search bar, enter myVm.

  2. Select Connect. Connect to virtual machine opens.

  3. Select Download RDP File. Azure creates a Remote Desktop Protocol (.rdp) file and downloads it to your computer.

  4. Open the downloaded .rdp file.

    1. If prompted, select Connect.

    2. Enter the username and password you specified when creating the VM.

      Note

      You may need to select More choices > Use a different account, to specify the credentials you entered when you created the VM.

  5. Select OK.

  6. You may receive a certificate warning during the sign-in process. If you receive a certificate warning, select Yes or Continue.

  7. Once the VM desktop appears, minimize it to go back to your local desktop.

Access storage account privately from the VM

In this section, you will connect privately to the storage account using the Private Endpoint.

  1. In the Remote Desktop of myVm, open PowerShell.
  2. Enter nslookup mystorageaccount.blob.core.windows.net. You'll receive a message similar to this:
    Server:  UnKnown
    Address:  168.63.129.16
    Non-authoritative answer:
    Name:    mystorageaccount123123.privatelink.blob.core.windows.net
    Address:  10.0.0.5
    Aliases:  mystorageaccount.blob.core.windows.net

  3. Install Microsoft Azure Storage Explorer.
  4. Select Storage accounts with the right-click.
  5. Select Connect to Azure storage.
  6. Select Use a connection string.
  7. Select Next.
  8. Enter the connection string by pasting the information previously copied.
  9. Select Next.
  10. Select Connect.
  11. Browse the Blob containers from mystorageaccount.
  12. (Optionally) Create folders and/or upload files to mystorageaccount.
  13. Close the remote desktop connection to myVm.
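The nslookup check in step 2 is read by eye; the following PowerShell script automates it from the same RDP session on myVm. It is an added example and not part of the original quickstart: it assumes the names used above (mystorageaccount, the 10.1.0.0/16 address space of myVirtualNetwork) and the Resolve-DnsName and Test-NetConnection cmdlets that ship with Windows Server 2019. It confirms that the FQDN resolves through the privatelink CNAME to an address inside the VNet rather than a public storage IP, and that TCP 443 is reachable on that address.

```powershell
# Added example, not part of the original quickstart. Run inside the RDP session on myVm.
# Assumes the names used in this quickstart and the built-in Resolve-DnsName and
# Test-NetConnection cmdlets available on Windows Server 2019.
$StorageFqdn = 'mystorageaccount.blob.core.windows.net'
$VnetCidr    = '10.1.0.0/16'   # IPv4 address space of myVirtualNetwork

function ConvertTo-IpInt {
    # IPv4 dotted-quad to a 32-bit integer (held in Int64 to avoid sign issues).
    param([string]$Address)
    $b = ([System.Net.IPAddress]$Address).GetAddressBytes()
    [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
}

function Test-IpInCidr {
    # True when $Address falls inside $Cidr (for example 10.1.0.5 in 10.1.0.0/16).
    param([string]$Address, [string]$Cidr)
    $network, $prefixLength = $Cidr.Split('/')
    $mask = [int64]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$prefixLength))
    ((ConvertTo-IpInt $Address) -band $mask) -eq ((ConvertTo-IpInt $network) -band $mask)
}

function Test-PrivateEndpointPath {
    # Resolves the storage FQDN the way step 2 does with nslookup, then checks that
    # the answer goes through the privatelink CNAME, that the A record is a VNet
    # address (not a public storage IP), and that TCP 443 is reachable on it.
    param([string]$Fqdn, [string]$Cidr)
    $records = Resolve-DnsName -Name $Fqdn -Type A -ErrorAction Stop
    $cname   = $records | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    $aRecord = $records | Where-Object { $_.Type -eq 'A' }     | Select-Object -First 1
    if (-not $aRecord) { throw "No A record returned for $Fqdn" }

    $viaPrivatelink = $cname -and $cname.NameHost -like '*.privatelink.blob.core.windows.net'
    $addressInVnet  = Test-IpInCidr -Address $aRecord.IPAddress -Cidr $Cidr
    $tcp443         = (Test-NetConnection -ComputerName $aRecord.IPAddress -Port 443 `
                        -WarningAction SilentlyContinue).TcpTestSucceeded

    [pscustomobject]@{
        Fqdn            = $Fqdn
        ResolvedAddress = $aRecord.IPAddress
        ViaPrivatelink  = [bool]$viaPrivatelink
        AddressInVnet   = $addressInVnet
        Tcp443Reachable = $tcp443
        Pass            = [bool]$viaPrivatelink -and $addressInVnet -and $tcp443
    }
}

Test-PrivateEndpointPath -Fqdn $StorageFqdn -Cidr $VnetCidr | Format-List
```

A private address here confirms the VM's own path to the account; it does not show whether the account's public endpoint is still reachable from elsewhere, which is governed by the storage account's firewall settings rather than by the Private Endpoint.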

Additional options to access the storage account:

  • Microsoft Azure Storage Explorer is a free standalone app from Microsoft that enables you to work visually with Azure storage data on Windows, macOS, and Linux. You can install the application to browse the storage account content privately.

  • The AzCopy utility is another option for high-performance scriptable data transfer for Azure storage. Use AzCopy to transfer data to and from Blob, File, and Table storage.

Clean up resources

When you're done using the Private Endpoint, the storage account, and the VM, delete the resource group and all of the resources it contains:

  1. Enter myResourceGroup in the Search box at the top of the portal and select myResourceGroup from the search results.
  2. Select Delete resource group.
  3. Enter myResourceGroup for TYPE THE RESOURCE GROUP NAME and select Delete.

Next steps

In this Quickstart, you created a VM on a virtual network, a storage account, and a Private Endpoint. You connected to the VM from the internet and securely communicated with the storage account using Private Link. To learn more about Private Endpoint, see What is Azure Private Endpoint?.