Use the Azure portal to restrict import/export access for managed disks with Private Links

Private Links support for managed disks allows you to restrict the export and import of managed disks so that it only occurs within your Azure virtual network. You can generate a time-bound Shared Access Signature (SAS) URI for unattached managed disks and snapshots to export the data to another region for regional expansion or disaster recovery, or to read the data for forensic analysis. You can also use the SAS URI to upload a VHD from on-premises directly to an empty disk. Network traffic between clients in your virtual network and managed disks traverses only the virtual network and a private link on the Microsoft backbone network, eliminating exposure to the public internet.

You can create a disk access resource and link it to your virtual network in the same subscription by creating a private endpoint. To export or import data via Private Links, you must associate the disk or snapshot with a disk access resource and set its NetworkAccessPolicy property to AllowPrivate.

You can set the NetworkAccessPolicy property to DenyAll to prevent anyone from generating a SAS URI for a disk or snapshot. The default value of NetworkAccessPolicy is AllowAll, which leaves import and export reachable from any network, so a disk or snapshot that should only be exported over your virtual network must be explicitly set to AllowPrivate (or to DenyAll if it should never be exported at all).

Limitations

  • Only one virtual network can be linked to a disk access object.
  • Your virtual network must be in the same subscription as your disk access object to link them.
  • Up to 10 disks or snapshots can be imported or exported at the same time with the same disk access object.
  • You cannot request manual approval to link a virtual network to a disk access object.
  • Incremental snapshots cannot be exported when they are associated with a disk access object.

Create a disk access resource

  1. Sign in to the Azure portal and navigate to Disk Access with this link.

    Important

    You must use the provided link to navigate to the Disk Access blade. It is not currently visible in the public portal without using the link.

  2. Select + Add to create a new disk access resource.

  3. On the create blade, select your subscription, a resource group, enter a name, and select a region.

  4. Select Review + create.

    Screenshot of disk access creation blade. Fill in the desired name, select a region, select a resource group, and proceed

When your resource has been created, navigate directly to it.

Screenshot of the Go to resource button in the portal

Create a private endpoint

Now that you have a disk access resource, you can use it to control access to your disk's exports and imports. This is done through private endpoints, so you need to create a private endpoint and configure it for disk access.

  1. From your disk access resource, select Private endpoint connections.

  2. Select + Private endpoint.

    Screenshot of the overview blade for your disk access resource. Private endpoint connections is highlighted.

  3. Select a resource group

  4. Fill in the name and select the same region your disk access resource was created in.

  5. Select Next: Resource >

    Screenshot of the private endpoint creation workflow, first blade. If you do not select the appropriate region then you may encounter issues later on.

  6. On the Resource blade, select Connect to an Azure resource in my directory.

  7. For Resource type select Microsoft.Compute/diskAccesses

  8. For Resource select the disk access resource you created earlier

  9. Leave the Target sub-resource as disks

  10. Select Next : Configuration >.

    Screenshot of the private endpoint creation workflow, second blade. With all the values highlighted (Resource type, Resource, Target sub-resource)

  11. Select the virtual network that you want to limit disk export to. Other virtual networks will not be able to export your disk.

    Note

    If you have a network security group (NSG) enabled for the selected subnet, it will be disabled for private endpoints on this subnet only. Other resources on this subnet will still have NSG enforcement.

  12. Select the appropriate subnet

  13. Select Review + create.

    Screenshot of the private endpoint creation workflow, third blade. Virtual network and subnet emphasized.

Enable private endpoint on your disk

  1. Navigate to the disk you'd like to configure

  2. Select Networking

  3. Select Private endpoint (through disk access) and select the disk access you created earlier.

  4. Select Save.

    Screenshot of the managed disk networking blade. Highlighting the private endpoint selection as well as the selected disk access. Saving this configures your disk for this access.

You've now completed configuring Private Links that you can use when importing/exporting your managed disk.
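The same configuration as an Azure CLI script, added here as an example (it is not code from the original page): it creates the disk access resource, links one virtual network to it through a private endpoint with the disks sub-resource, switches the disk from the default AllowAll to AllowPrivate with the disk access attached, and finally requests a one-hour read-only SAS URI for the export. All resource names, the region and the zeroed subscription ID used in the dry-run placeholder are assumptions. The script prints the commands by default (DRY_RUN=1); set DRY_RUN=0 to execute them against a logged-in Azure CLI.

```shell
#!/bin/sh
# Added example: Azure CLI equivalent of the portal procedure above.
# Not code from the original page. Every name below (resource group, region,
# disk access, VNet, subnet, disk) is an assumed placeholder; replace as needed.
set -eu

RG="${RG:-rg-disk-export}"                 # assumed resource group
LOCATION="${LOCATION:-westus2}"            # assumed region; disk access, endpoint and VNet share it
DISK_ACCESS="${DISK_ACCESS:-da-export}"    # assumed disk access resource name
VNET="${VNET:-vnet-forensics}"             # assumed VNet, same subscription as the disk access
SUBNET="${SUBNET:-snet-private-endpoints}" # assumed subnet for the private endpoint
DISK="${DISK:-osdisk-unattached-01}"       # assumed unattached managed disk to lock down

# Safety default: print each az command instead of running it.
# Set DRY_RUN=0 against a logged-in Azure CLI to apply the changes.
DRY_RUN="${DRY_RUN:-1}"
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: the disk access resource (portal: Disk Access > + Add).
create_disk_access() {
  run az disk-access create -g "$RG" -n "$DISK_ACCESS" -l "$LOCATION"
}

# Resource ID of the disk access; both the private endpoint and the disk reference it.
disk_access_id() {
  if [ "$DRY_RUN" = "1" ]; then
    # assumed placeholder subscription ID, only used in dry-run mode
    printf '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/%s/providers/Microsoft.Compute/diskAccesses/%s\n' "$RG" "$DISK_ACCESS"
  else
    az disk-access show -g "$RG" -n "$DISK_ACCESS" --query id -o tsv
  fi
}

# Step 2: the private endpoint in the one VNet allowed to export/import
# (portal: Private endpoint connections > + Private endpoint; target sub-resource "disks").
create_private_endpoint() {
  run az network private-endpoint create -g "$RG" -n "pe-$DISK_ACCESS" -l "$LOCATION" \
    --vnet-name "$VNET" --subnet "$SUBNET" \
    --private-connection-resource-id "$1" --group-id disks \
    --connection-name "pe-$DISK_ACCESS-conn"
}

# Step 3: attach the disk access and move the disk from the default AllowAll to
# AllowPrivate (portal: disk > Networking > Private endpoint (through disk access)).
# `az snapshot update` takes the same two options for a snapshot.
lock_down_disk() {
  run az disk update -g "$RG" -n "$DISK" \
    --network-access-policy AllowPrivate --disk-access "$1"
}

# For disks that must never be exported: DenyAll blocks SAS generation entirely.
deny_export() {
  run az disk update -g "$RG" -n "$DISK" --network-access-policy DenyAll
}

# Check: a disk still reporting AllowAll, or AllowPrivate without a diskAccessId,
# is not protected by the private link.
show_policy() {
  az disk show -g "$RG" -n "$DISK" \
    --query '{policy:networkAccessPolicy, diskAccess:diskAccessId}' -o json
}

# Step 4: time-bound (1 hour) read-only SAS URI for the export; after
# lock_down_disk it is usable only from the linked VNet. `az disk revoke-access`
# ends it early.
export_sas() {
  run az disk grant-access -g "$RG" -n "$DISK" \
    --access-level Read --duration-in-seconds 3600 --query accessSas -o tsv
}

main() {
  create_disk_access
  id=$(disk_access_id)
  create_private_endpoint "$id"
  lock_down_disk "$id"
  [ "$DRY_RUN" = "1" ] || show_policy
  export_sas
}

main
```

Keeping the disk access, private endpoint and virtual network in one region is deliberate: the private endpoint workflow above warns that a mismatched region causes problems later. After applying with DRY_RUN=0, show_policy should report AllowPrivate with a populated diskAccess; anything else means SAS URIs for that disk are still usable outside the virtual network.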

Next steps