Use the Azure portal to restrict import/export access for managed disks with Private Links
Private Links support for managed disks allows you to restrict the export and import of managed disks so that it only occurs within your Azure virtual network. You can generate a time-bound Shared Access Signature (SAS) URI for unattached managed disks and snapshots to export the data to another region for regional expansion or disaster recovery, or to read the data for forensic analysis. You can also use the SAS URI to upload a VHD directly from your on-premises environment to an empty disk. Network traffic between clients on your virtual network and managed disks traverses only the virtual network and a private link on the Microsoft backbone network, eliminating exposure to the public internet.
You can create a disk access resource and link it to your virtual network in the same subscription by creating a private endpoint. You must associate a disk or a snapshot with a disk access for exporting and importing the data via Private Links. Also, you must set the NetworkAccessPolicy property of the disk or the snapshot to
You can set the NetworkAccessPolicy property to DenyAll to prevent anybody from generating the SAS URI for a disk or a snapshot. The default value for the NetworkAccessPolicy property is
- Only one virtual network can be linked to a disk access object.
- Your virtual network must be in the same subscription as your disk access object to link them.
- Up to 10 disks or snapshots can be imported or exported at the same time with the same disk access object.
- You cannot request manual approval to link a virtual network to a disk access object.
- Incremental snapshots cannot be exported when they are associated with a disk access object.
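The policy model above (NetworkAccessPolicy plus a linked disk access resource) is easy to audit from the JSON that `az disk list -o json` and `az snapshot list -o json` return. The script below is an added example, not part of the Azure documentation or of any Microsoft tooling. It assumes the camelCase field names the CLI emits (`name`, `networkAccessPolicy`, `diskAccessId`, `incremental`); the three policy values AllowAll, AllowPrivate and DenyAll are the real enum values of the Compute resource provider, and a missing property is treated as the provider default AllowAll. The sample records, resource names and subscription id are constructed for the example.

```python
"""Audit managed disks and snapshots for export paths that bypass Private Links.

Added example (not Azure's code). Input shape: the JSON arrays returned by
`az disk list -o json` and `az snapshot list -o json`; only the fields read
below are needed. Field names are assumed from the CLI's camelCase output.
"""
import json
from typing import Dict, List

# Real NetworkAccessPolicy values of the Compute resource provider.
ALLOW_ALL = "AllowAll"          # export/import SAS usable from anywhere (provider default)
ALLOW_PRIVATE = "AllowPrivate"  # export/import only via the linked disk access / private endpoint
DENY_ALL = "DenyAll"            # nobody can generate an export/import SAS

# Constructed disk access id (subscription id and names are placeholders).
DA_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-disks"
         "/providers/Microsoft.Compute/diskAccesses/da-prod")

# Constructed sample records in the `az disk list -o json` shape.
SAMPLE_DISKS = json.loads(json.dumps([
    {"name": "data-public", "networkAccessPolicy": ALLOW_ALL, "diskAccessId": None,
     "diskState": "Unattached"},
    {"name": "data-private", "networkAccessPolicy": ALLOW_PRIVATE, "diskAccessId": DA_ID,
     "diskState": "Unattached"},
    {"name": "data-nolink", "networkAccessPolicy": ALLOW_PRIVATE, "diskAccessId": None,
     "diskState": "Unattached"},
    {"name": "os-locked", "networkAccessPolicy": DENY_ALL, "diskAccessId": None,
     "diskState": "Attached"},
    {"name": "legacy", "diskState": "Unattached"},  # property never set: provider default applies
]))

# Constructed sample records in the `az snapshot list -o json` shape.
SAMPLE_SNAPSHOTS = json.loads(json.dumps([
    {"name": "snap-full", "networkAccessPolicy": ALLOW_PRIVATE, "incremental": False,
     "diskAccessId": DA_ID},
    {"name": "snap-incr", "networkAccessPolicy": ALLOW_PRIVATE, "incremental": True,
     "diskAccessId": DA_ID},
]))


def audit_resource(res: dict, kind: str) -> List[str]:
    """Return the findings for one disk or snapshot record (empty list == nothing to report)."""
    findings = []
    policy = res.get("networkAccessPolicy") or ALLOW_ALL  # absent property == provider default
    disk_access = res.get("diskAccessId")
    if policy == ALLOW_ALL:
        findings.append("export/import SAS can be used from the public internet "
                        "(NetworkAccessPolicy=AllowAll)")
    elif policy == ALLOW_PRIVATE and not disk_access:
        findings.append("AllowPrivate but no disk access resource is linked; "
                        "export/import through Private Links cannot work")
    elif policy not in (ALLOW_ALL, ALLOW_PRIVATE, DENY_ALL):
        findings.append(f"unexpected NetworkAccessPolicy value {policy!r}")
    # Limitation from the text: incremental snapshots linked to a disk access cannot be exported.
    if kind == "snapshot" and res.get("incremental") and disk_access:
        findings.append("incremental snapshot associated with a disk access cannot be exported")
    return findings


def audit(disks: List[dict], snapshots: List[dict]) -> Dict[str, List[str]]:
    """Map 'disk/<name>' or 'snapshot/<name>' to its findings, omitting clean resources."""
    report: Dict[str, List[str]] = {}
    for d in disks:
        if found := audit_resource(d, "disk"):
            report[f"disk/{d['name']}"] = found
    for s in snapshots:
        if found := audit_resource(s, "snapshot"):
            report[f"snapshot/{s['name']}"] = found
    return report


def disk_access_usage(disks: List[dict], snapshots: List[dict]) -> Dict[str, int]:
    """Count resources per disk access; only 10 can be imported/exported at once through one."""
    counts: Dict[str, int] = {}
    for r in list(disks) + list(snapshots):
        if da := r.get("diskAccessId"):
            counts[da] = counts.get(da, 0) + 1
    return counts


if __name__ == "__main__":
    for resource, findings in audit(SAMPLE_DISKS, SAMPLE_SNAPSHOTS).items():
        for f in findings:
            print(f"{resource}: {f}")
    for da, n in disk_access_usage(SAMPLE_DISKS, SAMPLE_SNAPSHOTS).items():
        print(f"{da.rsplit('/', 1)[-1]}: {n} resources linked (10 concurrent export/import limit)")
```

Run it against real output by replacing the two sample arrays with `json.load(open("disks.json"))` and `json.load(open("snapshots.json"))`; the `legacy` record shows why a missing property must be treated as AllowAll rather than skipped.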
Create a disk access resource
1. Sign in to the Azure portal and navigate to Disk Access with this link.
   You must use the provided link to navigate to the Disk Access blade. It is not currently visible in the public portal without using the link.
2. Select + Add to create a new disk access resource.
3. On the create blade, select your subscription, a resource group, enter a name, and select a region.
4. Select Review + create.
5. When your resource has been created, navigate directly to it.
Create a private endpoint
Now that you have a disk access resource, you can use it to control access to your disk's exports and imports. This is done through private endpoints, so you'll need to create a private endpoint and configure it for disk access.
1. From your disk access resource, select Private endpoint connections.
2. Select + Private endpoint.
3. Select a resource group.
4. Fill in the name and select the same region your disk access resource was created in.
5. Select Next: Resource >.
6. On the Resource blade, select Connect to an Azure resource in my directory.
7. For Resource type, select Microsoft.Compute/diskAccesses.
8. For Resource, select the disk access resource you created earlier.
9. Leave the Target sub-resource as disks.
10. Select Next : Configuration >.
11. Select the virtual network that you want to limit disk export to; other virtual networks will not be able to export your disk.
    If you have a network security group (NSG) enabled for the selected subnet, it will be disabled for private endpoints on this subnet only. Other resources on this subnet will still have NSG enforcement.
12. Select the appropriate subnet.
13. Select Review + create.
Enable private endpoint on your disk
1. Navigate to the disk you'd like to configure.
2. Select Private endpoint (through disk access) and select the disk access you created earlier.
You've now completed configuring Private Links that you can use when importing/exporting your managed disk.