To access an Azure Storage Account using private IPs from within another Virtual Network (VNet) in your company, you can configure Private Endpoint access. Here’s how you can set this up:
1. Configure a Private Endpoint for the Storage Account
A Private Endpoint places a network interface in a subnet you choose and gives it a private IP address that represents the storage account, so clients reach the account over the VNet and Microsoft's backbone instead of its public endpoint.
Steps:
- Navigate to the Storage Account:
- Go to the Azure Portal and select your Storage Account.
- Create a Private Endpoint:
- Go to Networking > Private endpoint connections > + Add Private Endpoint.
- Specify the:
- Name: A descriptive name for the endpoint.
- Resource: The storage account.
- Resource type: Microsoft.Storage/storageAccounts.
- Target sub-resource: select blob, file, queue, or table based on the service you need. Each sub-resource needs its own private endpoint and its own privatelink DNS zone.
- Choose the Virtual Network:
- Select the VNet and subnet where the private endpoint will be created.
- Network security groups and user-defined routes on that subnet only apply to private endpoint traffic if private endpoint network policies are enabled on the subnet; if they are, make sure nothing there blocks the clients' traffic to the endpoint's IP.
- Configure DNS Integration (recommended; in practice not optional):
- Integrate the endpoint with a private DNS zone named privatelink.blob.core.windows.net (or the equivalent zone for file, queue, or table).
- Azure then maintains an A record for <accountname>.privatelink.blob.core.windows.net pointing at the private IP. The storage account's public FQDN (<accountname>.blob.core.windows.net) is a CNAME to that privatelink name, so any client that can see the zone resolves the public name to the private IP. Without this, the name keeps resolving to the public IP and traffic never reaches the endpoint.
- Review and Create:
- Review your settings and create the private endpoint.
2. Enable VNet Peering
If the storage account’s private endpoint is in a different VNet than the one from which you’re accessing it, you need VNet peering to establish connectivity between the two VNets.
Steps:
- Go to the Virtual Network Settings:
- Navigate to the source VNet from where you want to access the storage account.
- Create a Peering Connection:
- Go to Peerings > + Add.
- Configure the peering with the following:
- Peering link name: A name for the peering.
- Remote VNet: Select the VNet containing the storage account’s private endpoint.
- Enable Allow virtual network access in both directions.
- Complete the Peering Setup:
- The portal's Add peering form configures both sides of the peering in one step. If you create peerings with the CLI or templates instead, create one from each VNet; the peering only reaches the Connected state once both sides exist.
3. Update DNS Configuration
For machines in the other VNet to resolve the storage account’s private IP:
- Use Azure DNS Private Zones (Recommended):
- If you enabled DNS integration when creating the private endpoint, Azure will automatically update DNS records in the linked private DNS zone.
- Ensure your VNet has access to the private DNS zone.
- Go to the DNS zone and select Virtual network links > + Add.
- Link the DNS zone to your VNet.
- Custom DNS Servers:
- If your VNets use custom DNS servers, they must return the private endpoint IP for the privatelink name. The cleanest way is a conditional forwarder for privatelink.blob.core.windows.net to a resolver inside Azure (a DNS forwarder VM or Azure DNS Private Resolver) that queries Azure-provided DNS at 168.63.129.16, which answers from the linked private DNS zone.
- If you maintain records by hand instead, add the A record for the privatelink name; the public name is already a CNAME to it, so you should not need to override it:
<storage_account_name>.privatelink.blob.core.windows.net -> <private_endpoint_ip>
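The portal steps in sections 1 to 3 can also be scripted. The following Azure CLI script is an added example, not code from the original page; the resource group, VNet, subnet and storage account names (rg-hub, rg-spoke, vnet-hub, vnet-spoke, snet-privateendpoints, stcorpdata) are placeholders you need to replace. It creates the private endpoint for the blob sub-resource, the privatelink zone and its zone group (so the A record follows the endpoint's IP), links the zone to both the hub and the peered spoke VNet, creates the peering from both sides, and finally disables public network access on the account. Set DRY_RUN=1 to print the commands instead of running them.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): provision the pieces from steps
# 1-3 with the Azure CLI. Resource group, VNet, subnet and account names are
# placeholders; adjust them before running. DRY_RUN=1 prints the commands.
set -eu

# Execute a command, or print it when DRY_RUN is set.
run() {
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Resolve a resource ID via `az ... show`; returns a placeholder in DRY_RUN.
lookup_id() {
  if [ -n "${DRY_RUN:-}" ]; then printf '<id of %s>\n' "$*"; else az "$@" --query id -o tsv; fi
}

# Private DNS zone that matches a storage sub-resource (group id).
privatelink_zone_for() {
  case "$1" in
    blob|file|queue|table) printf 'privatelink.%s.core.windows.net\n' "$1" ;;
    *) echo "unsupported sub-resource: $1" >&2; return 1 ;;
  esac
}

# Step 3: a VNet only sees the zone's records once it is linked to the zone.
# Pass the VNet by ID when it lives in another resource group.
link_zone_to_vnet() { # <zone_rg> <zone> <link_name> <vnet name or ID>
  run az network private-dns link vnet create -g "$1" -z "$2" -n "$3" -v "$4" -e false
}

# Step 1 plus DNS integration: the endpoint, the privatelink zone, its link to
# the endpoint's VNet, and the zone group that keeps the A record in sync.
create_private_endpoint() { # <rg> <storage_account> <vnet> <subnet> <sub-resource>
  local rg=$1 sa=$2 vnet=$3 subnet=$4 sub=$5 pe zone sa_id
  pe="pe-${sa}-${sub}"
  zone=$(privatelink_zone_for "$sub")
  sa_id=$(lookup_id storage account show -g "$rg" -n "$sa")
  run az network private-endpoint create -g "$rg" -n "$pe" \
    --vnet-name "$vnet" --subnet "$subnet" \
    --private-connection-resource-id "$sa_id" --group-id "$sub" \
    --connection-name "${pe}-conn"
  run az network private-dns zone create -g "$rg" -n "$zone"
  link_zone_to_vnet "$rg" "$zone" "link-${vnet}" "$vnet"
  run az network private-endpoint dns-zone-group create -g "$rg" \
    --endpoint-name "$pe" -n default --private-dns-zone "$zone" --zone-name "$sub"
}

# Step 2: with the CLI a peering must be created from both sides to connect.
peer_vnets() { # <rg_a> <vnet_a> <rg_b> <vnet_b>
  local rg_a=$1 va=$2 rg_b=$3 vb=$4 id_a id_b
  id_a=$(lookup_id network vnet show -g "$rg_a" -n "$va")
  id_b=$(lookup_id network vnet show -g "$rg_b" -n "$vb")
  run az network vnet peering create -g "$rg_a" --vnet-name "$va" -n "${va}-to-${vb}" \
    --remote-vnet "$id_b" --allow-vnet-access
  run az network vnet peering create -g "$rg_b" --vnet-name "$vb" -n "${vb}-to-${va}" \
    --remote-vnet "$id_a" --allow-vnet-access
}

# Once every client path uses the private endpoint, close the public endpoint.
disable_public_access() { # <rg> <storage_account>
  run az storage account update -g "$1" -n "$2" --public-network-access Disabled
}

case "${1:-}" in
  apply)
    create_private_endpoint rg-hub stcorpdata vnet-hub snet-privateendpoints blob
    link_zone_to_vnet rg-hub privatelink.blob.core.windows.net link-vnet-spoke \
      "$(lookup_id network vnet show -g rg-spoke -n vnet-spoke)"
    peer_vnets rg-hub vnet-hub rg-spoke vnet-spoke
    disable_public_access rg-hub stcorpdata
    ;;
esac
```

Run `DRY_RUN=1 bash pe-setup.sh apply` first to review the exact commands, then `bash pe-setup.sh apply` with an `az login` session that has Network Contributor on both VNets and Contributor on the storage account. The last step, disabling public network access, should only be applied once every client (including any proxy that used the whitelisted public IPs) goes through the private endpoint.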
4. Check the Storage Account Firewall Rules
You may have whitelisted proxy IPs in the storage account's firewall. Those rules govern only the public endpoint: traffic arriving through a private endpoint is not subject to the IP or virtual-network rules, so nothing has to be added for it to work. Adding the VNet under Virtual networks is not required either; that creates a service endpoint rule, a different mechanism that still talks to the public endpoint.
- Go to Networking > Firewalls and virtual networks in the storage account.
- Once every client path uses a private endpoint, set Public network access to Disabled so the account is unreachable from the internet. If some clients still need the public endpoint, keep Enabled from selected virtual networks and IP addresses and remove any IP rules you no longer need.
- Save the changes.
5. Test the Access
- From a VM or service within the second VNet, try accessing the storage account using its FQDN. Example (list blobs via CLI):
az storage blob list --container-name <container-name> --account-name <storage-account-name> --auth-mode key
- Prefer --auth-mode login with an Entra ID identity that holds Storage Blob Data Reader on the container; the account key grants full access and has to be rotated if it leaks.
- Use nslookup or dig to confirm the storage account's FQDN resolves to the private IP address. Do not rely on ping: private endpoints do not answer ICMP, so test reachability on the service port instead (TCP 443 for blob, queue and table, TCP 445 for file shares), for example with Test-NetConnection on Windows or nc on Linux.
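The resolution and reachability checks above can be wrapped in one script to run from a VM in the spoke VNet. This is an added example, not from the original page; stcorpdata is a placeholder account name, and the sample dig answers in the comments are constructed. It walks the answer chain returned by dig, classifies where the client will actually connect (private endpoint, public endpoint, or nowhere), warns when a private answer did not come through the privatelink CNAME (a sign of a hand-maintained override), and tests the service port over TCP because ICMP is not answered.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): run on a VM in the spoke VNet to
# check that the account's FQDN resolves through privatelink to a private IP
# and that the service port is open. Needs dig (dnsutils/bind-utils) and nc.
# "stcorpdata" is a placeholder account name.
set -eu

# 0 when the IPv4 address is in an RFC 1918 range (what a private endpoint gets).
is_private_ipv4() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Classify the answer chain from `dig +short <fqdn>` (CNAME targets followed by
# the final A record, one per line). Constructed example of a correct chain:
#   stcorpdata.privatelink.blob.core.windows.net.
#   10.20.1.4
# Results:
#   private - final address is private: clients hit the private endpoint
#   public  - final address is public: the privatelink zone is not linked to
#             or forwarded from this VNet, so traffic bypasses the endpoint
#   none    - no A record at all
assess_chain() {
  local chain=$1 last
  last=$(printf '%s\n' "$chain" | sed '/^[[:space:]]*$/d' | tail -n 1)
  case "$last" in
    ''|*[!0-9.]*) echo none; return 0 ;;
  esac
  if is_private_ipv4 "$last"; then echo private; else echo public; fi
}

# 0 when the chain passes through the privatelink name Azure publishes; a
# private answer without it means the public name was overridden by hand.
via_privatelink() {
  case "$1" in
    *.privatelink.*.core.windows.net*) return 0 ;;
    *) return 1 ;;
  esac
}

# End-to-end check for one account and service (blob, file, queue, table).
# Returns 0 only when the name resolves to a private address.
check_storage_endpoint() { # <account> [service]
  local svc=${2:-blob} fqdn chain verdict port
  fqdn="$1.${svc}.core.windows.net"
  case "$svc" in file) port=445 ;; *) port=443 ;; esac
  chain=$(dig +short "$fqdn")
  verdict=$(assess_chain "$chain")
  printf '%s -> %s (%s)\n' "$fqdn" "$(printf '%s\n' "$chain" | tail -n 1)" "$verdict"
  via_privatelink "$chain" || echo "warning: answer did not come through the privatelink CNAME"
  # Private endpoints do not answer ICMP, so probe the service port, not ping.
  if nc -z -w 3 "$fqdn" "$port"; then echo "tcp/$port reachable"; else echo "tcp/$port blocked"; fi
  [ "$verdict" = private ]
}

case "${1:-}" in
  check) check_storage_endpoint "${2:-stcorpdata}" "${3:-blob}" ;;
esac
```

Usage: `bash pe-check.sh check stcorpdata blob` (or `file`, `queue`, `table`). A "public" verdict with a reachable port means the request is leaving the VNet and hitting the public endpoint, which is exactly the case the DNS steps above are meant to prevent; a "private" verdict with the port blocked points at an NSG, route table, or firewall between the client subnet and the endpoint.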
Key Considerations
- Ensure NSG rules allow traffic from the client subnet to the private endpoint IP on the ports you use (TCP 443 for HTTPS, TCP 445 for SMB file shares); on the endpoint's own subnet, NSGs only apply when private endpoint network policies are enabled.
- If you have firewalls or route tables in place, ensure they don't block or divert private endpoint traffic.
- Verify from the client that the storage account's public FQDN resolves to the private endpoint IP; if it resolves to a public IP, the private DNS zone is not linked to (or forwarded from) that VNet.