Azure Private Link for Azure PaaS – Azure Storage

In this blog post, we will see how Azure Storage can be mapped to a Virtual Network using Azure Private Link to provide secure connectivity from an Azure VM to the Azure Storage PaaS service.

Private link to PaaS services

How to configure Azure Private Link for Azure Storage: in this demo, I have created two storage accounts in paired Azure regions:

  • Australia East
  • Australia SouthEast

Create a new storage account 

Configure this new storage account to use Azure private link 

I repeated the same steps to create another storage account named techtalkprivatestorage1 in Australia East.

Once both storage accounts are created, each storage account gets a private endpoint in the VNET, and each private endpoint uses a private IP address for its private link service.

Note: if you use private link for multiple PaaS services, make sure your VNET has sufficient private IP addresses.

Private IP for each private endpoint

Since we had also selected the integration with Azure DNS, a new Private Zone will be created and records for storage accounts will be mapped in Azure DNS Private Zone. 

Once integrated with private DNS zones, both storage accounts can also be connected to using their private IP addresses.

Azure Private DNS Zone records

Once a storage account is configured with a private link, it will only be accessible from a VNET which is configured for the private link. If somebody tries to access the storage from outside the VNET, they will receive an Authorization failure error.

Authorization failure if a PaaS service is accessed outside the VNET

Since this storage account is only accessible from its associated VNET, I can now connect to the VM deployed in the same VNET and use a storage explorer to connect to the storage account. 

This confirms that I can now only access this storage account from a VNET.
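The DNS mapping and the private IP planning described above can also be checked with a script. This is an added example, not code from the original post: run from the VM, it reports whether each storage account's blob FQDN resolves only to addresses in the private endpoint subnet and how many addresses remain for further endpoints. The subnet `10.0.1.0/28`, the IP addresses, the account name `examplestorage2` and all function names are assumptions, and the sample DNS answers are constructed.

```python
import ipaddress
import socket

AZURE_RESERVED_PER_SUBNET = 5  # Azure keeps 5 addresses of every subnet for itself

# Constructed sample DNS answers; subnet and addresses are assumptions.
SAMPLE_SUBNET = "10.0.1.0/28"
SAMPLE_DNS = {
    "techtalkprivatestorage1.blob.core.windows.net": ["10.0.1.4"],
    "examplestorage2.blob.core.windows.net": ["203.0.113.10"],  # hypothetical account
}


def system_resolver(hostname):
    """Resolve with the OS resolver; run from a VM inside the VNET."""
    infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_private_resolution(accounts, subnet_cidr, resolver=system_resolver):
    """Map each account to 'private', 'public' or 'unresolved'."""
    subnet = ipaddress.ip_network(subnet_cidr)
    report = {}
    for account in accounts:
        fqdn = f"{account}.blob.core.windows.net"
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(fqdn)]
        except (OSError, KeyError, ValueError):
            addrs = []  # NXDOMAIN, resolver failure, or malformed answer
        if not addrs:
            report[account] = "unresolved"
        elif all(a in subnet for a in addrs):
            report[account] = "private"   # only private endpoint IPs returned
        else:
            report[account] = "public"    # traffic would leave the VNET
    return report


def free_endpoint_ips(subnet_cidr, endpoints_in_use):
    """Addresses still available in the subnet for more private endpoints."""
    usable = ipaddress.ip_network(subnet_cidr).num_addresses - AZURE_RESERVED_PER_SUBNET
    return max(usable - endpoints_in_use, 0)


if __name__ == "__main__":
    names = ["techtalkprivatestorage1", "examplestorage2", "missingaccount"]
    print(check_private_resolution(names, SAMPLE_SUBNET, SAMPLE_DNS.__getitem__))
    print(free_endpoint_ips(SAMPLE_SUBNET, 2))
```

Calling `check_private_resolution` without the third argument uses the VM's own resolver, so a `public` result there means the private DNS zone is not linked to the VNET or its record is missing.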