In this blog post, we will see how Azure Storage can be mapped into a virtual network using Azure Private Link, so that an Azure VM reaches the Azure Storage PaaS service over a private connection instead of the public endpoint.
How to configure Azure Private Link for Azure Storage. For this demo, I have created two storage accounts in paired Azure regions:
- Australia East
- Australia SouthEast
Create a new storage account.
Configure this new storage account to use Azure Private Link.
Repeat the same steps to create another storage account named techtalkprivatestorage1 in Australia East.
Once both storage accounts are created, each one gets a private endpoint in the VNET, and each private endpoint consumes one private IP address from the subnet for its private link service.
Note: if you use multiple PaaS services over Private Link, make sure the VNET (and the subnet hosting the private endpoints) has enough free private IP addresses, since every private endpoint takes one.
Since we also selected integration with Azure DNS, a new private DNS zone is created and records for the storage accounts are added to that Azure DNS Private Zone.
Once integrated with the private DNS zone, both storage accounts can also be reached using their private IP addresses.
Once a storage account is configured with Private Link, it is only accessible from the VNET configured for that private link. If someone tries to access the storage account from outside the VNET, they receive an authorization failure error.
Since this storage account is only accessible from its associated VNET, I can now connect to the VM deployed in the same VNET and use Storage Explorer to connect to the storage account.
This confirms that I can now access this storage account only from the VNET.
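Two things from the walkthrough above are worth checking before you rely on them: that the subnet hosting the private endpoints has enough free addresses (the note on private IP consumption), and that the storage hostname resolves to the private endpoint from inside the VNET but to a public address from outside it (the DNS Private Zone integration and the authorization failure seen from outside). The following Python is an added example, not code from the original post or from Microsoft. It models the DNS view with constructed records: the zone name privatelink.blob.core.windows.net and the CNAME chain from the public blob hostname to it are how Azure documents the integration, but the storage account name techtalkprivatestorage (the post names only techtalkprivatestorage1), the 10.0.1.0/28 subnet and every IP address are assumed sample values. The public view is simplified to a single A record; the real public chain has extra CNAME hops.

```python
import ipaddress

# Azure reserves the first four and the last address of every subnet,
# so a /28 (16 addresses) offers only 11 usable private IPs.
AZURE_RESERVED_PER_SUBNET = 5

# Storage sub-resources that each need their own private endpoint (and
# therefore their own private IP) if you expose all of them over Private Link.
STORAGE_SUBRESOURCES = ("blob", "file", "queue", "table", "web", "dfs")

# Assumed subnet for the private endpoints (constructed, not from the post).
PRIVATE_ENDPOINT_SUBNET = ipaddress.ip_network("10.0.1.0/28")

# Constructed DNS data. PRIVATE_ZONE is what Azure DNS Private Zone
# integration registers; PUBLIC_ZONE stands in for Azure's public resolvers.
PRIVATE_ZONE = {
    "techtalkprivatestorage.privatelink.blob.core.windows.net": ("A", "10.0.1.4"),
    "techtalkprivatestorage1.privatelink.blob.core.windows.net": ("A", "10.0.1.5"),
}
PUBLIC_ZONE = {
    "techtalkprivatestorage.blob.core.windows.net":
        ("CNAME", "techtalkprivatestorage.privatelink.blob.core.windows.net"),
    "techtalkprivatestorage1.blob.core.windows.net":
        ("CNAME", "techtalkprivatestorage1.privatelink.blob.core.windows.net"),
    # Simplified: the real public chain has more CNAME hops before the A record.
    "techtalkprivatestorage.privatelink.blob.core.windows.net": ("A", "203.0.113.10"),
    "techtalkprivatestorage1.privatelink.blob.core.windows.net": ("A", "203.0.113.11"),
}
# Inside the VNET the linked private zone is consulted first; outside, only public DNS exists.
INSIDE_VNET = (PRIVATE_ZONE, PUBLIC_ZONE)
OUTSIDE_VNET = (PUBLIC_ZONE,)


def resolve(name, zones, max_hops=8):
    """Follow CNAMEs across the given zones (first zone holding the name wins)
    and return the final A record's address as a string."""
    for _ in range(max_hops):
        record = next((zone[name] for zone in zones if name in zone), None)
        if record is None:
            raise LookupError(f"no record for {name}")
        rtype, value = record
        if rtype == "A":
            return value
        name = value  # CNAME: keep following the chain
    raise LookupError("CNAME chain too long")


def resolves_to_private_endpoint(name, zones, subnet=PRIVATE_ENDPOINT_SUBNET):
    """True when the hostname ends up at an address inside the private endpoint subnet."""
    return ipaddress.ip_address(resolve(name, zones)) in subnet


def usable_private_ips(subnet):
    """Addresses left for private endpoints after Azure's reserved ones."""
    return subnet.num_addresses - AZURE_RESERVED_PER_SUBNET


def endpoints_fit(subnet, storage_accounts, subresources=("blob",)):
    """Does one private endpoint per (account, sub-resource) pair fit in the subnet?"""
    needed = storage_accounts * len(subresources)
    return needed <= usable_private_ips(subnet)


if __name__ == "__main__":
    host = "techtalkprivatestorage1.blob.core.windows.net"
    print("inside VNET :", resolve(host, INSIDE_VNET),
          "private" if resolves_to_private_endpoint(host, INSIDE_VNET) else "public")
    print("outside VNET:", resolve(host, OUTSIDE_VNET),
          "private" if resolves_to_private_endpoint(host, OUTSIDE_VNET) else "public")
    print("usable IPs in", PRIVATE_ENDPOINT_SUBNET, "=", usable_private_ips(PRIVATE_ENDPOINT_SUBNET))
    print("2 accounts, blob only     :", endpoints_fit(PRIVATE_ENDPOINT_SUBNET, 2))
    print("2 accounts, all 6 services:", endpoints_fit(PRIVATE_ENDPOINT_SUBNET, 2, STORAGE_SUBRESOURCES))
```

The capacity check is the part most people skip: two accounts with only the blob endpoint fit comfortably in a /28, but exposing all six storage sub-resources for the same two accounts needs 12 private IPs and the /28 has only 11. The resolution check is what you would run from the VM (with nslookup or Resolve-DnsName) to confirm the private zone is actually linked to the VNET; if the hostname still resolves to a public address from inside, traffic is not using the private endpoint even though it was created.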