Connect to a Storage Account Using an Azure Private Endpoint
Create a virtual network and bastion host
- On the upper-left side of the screen, select Create a resource > Networking > Virtual network or search for Virtual network in the search box.
- In Create virtual network, enter or select this information in the Basics tab:
    Project details
      Subscription: Select your Azure subscription.
      Resource group: Select Create new, enter myResourceGroup in Name, and select OK.
    Instance details
      Name: Enter myVNet.
      Region: Select East US.
- Select the IP Addresses tab or select the Next: IP Addresses button at the bottom of the page.
- In the IP Addresses tab, enter this information:
      IPv4 address space: Enter 10.1.0.0/16.
- Under Subnet name, select the word default.
- In Edit subnet, enter this information:
      Subnet name: Enter mySubnet.
      Subnet address range: Enter 10.1.0.0/24.
- Select Save.
- Select the Security tab.
- Under BastionHost, select Enable. Enter this information:
      Bastion name: Enter myBastionHost.
      AzureBastionSubnet address space: Enter 10.1.1.0/24.
      Public IP address: Select Create new. For Name, enter myBastionIP, then select OK.
- Select the Review + create tab or select the Review + create button.
- Select Create.
Create a virtual machine
- On the upper-left side of the portal, select Create a resource > Compute > Virtual machine or search for Virtual machine in the search box.
- In Create a virtual machine, type or select the values in the Basics tab:
    Project details
      Subscription: Select your Azure subscription.
      Resource group: Select myResourceGroup.
    Instance details
      Virtual machine name: Enter myVM.
      Region: Select (US) East US.
      Availability options: Select No infrastructure redundancy required.
      Security type: Select Standard.
      Image: Select Windows Server 2019 Datacenter - Gen2.
      Azure Spot instance: Select No.
      Size: Choose a VM size or take the default setting.
    Administrator account
      Username: Enter a username.
      Password: Enter a password.
      Confirm password: Reenter the password.
- Select the Networking tab, or select Next: Disks, then Next: Networking.
- In the Networking tab, select or enter:
    Network interface
      Virtual network: Select myVNet.
      Subnet: Select mySubnet.
      Public IP: Select None.
      NIC network security group: Select Basic.
      Public inbound ports: Select None.
  With no public IP and no public inbound ports, the VM is reachable only from inside the virtual network, which is why Bastion is used to connect to it later.
- Select Review + create.
- Review the settings, and then select Create.
Create storage account with a private endpoint
- In the left-hand menu, select Create a resource > Storage > Storage account, or search for Storage account in the search box.
- In the Basics tab of Create storage account, enter or select the following information:
    Project details
      Subscription: Select your Azure subscription.
      Resource group: Select myResourceGroup.
    Instance details
      Storage account name: Enter mystorageaccount. If the name is unavailable, enter a unique name.
      Location: Select (US) East US.
      Performance: Leave the default Standard.
      Redundancy: Select Locally-redundant storage (LRS).
- Select the Networking tab or select the Next: Networking button.
- In the Networking tab, under Network connectivity, select Disable public access and use private access. This sets the account's public network access to Disabled: requests that arrive at the public endpoint are rejected, and only traffic that enters through a private endpoint is accepted.
- In Private endpoint, select + Add private endpoint.
- In Create private endpoint, enter or select the following information:
      Subscription: Select your Azure subscription.
      Resource group: Select myResourceGroup.
      Location: Select East US.
      Name: Enter myPrivateEndpoint.
      Storage sub-resource: Leave the default blob.
    Networking
      Virtual network: Select myVNet.
      Subnet: Select mySubnet.
    Private DNS integration
      Integrate with private DNS zone: Leave the default Yes.
      Private DNS zone: Leave the default (New) privatelink.blob.core.windows.net.
  The endpoint covers the blob sub-resource only; the file, queue and table services each need their own private endpoint and their own privatelink DNS zone. Accepting the DNS integration creates the privatelink.blob.core.windows.net zone, links it to myVNet, and adds an A record that maps the storage account's privatelink name to the endpoint's private IP address.
- Select OK.
- Select Review + create.
- Select Create.
- Select Resource groups in the left-hand navigation pane.
- Select myResourceGroup.
- Select the storage account you created in the previous steps.
- In the Security + networking section of the storage account, select Access keys.
- Select Show keys, then select Copy next to the Connection string for key1. The connection string embeds the account key, which grants full access to every service in the account, so treat it as a secret: paste it only where it is needed for the test below, and rotate the key from this page when you are done.
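The same resources can be created from Az PowerShell, which makes the security-relevant settings explicit and lets you verify them. The block below is an added example, not code from the original tutorial or from Microsoft: it reproduces the VNet/subnet, the storage account with public network access disabled, the blob private endpoint and the privatelink DNS zone, then reads the settings back. The Bastion host and the VM are left out. The connection name myPrivateEndpointConnection, the VNet link name myVNetLink, the zone config name and the use of Standard_LRS/StorageV2 are assumptions; everything else follows the portal values above.

```powershell
# Added example (Az PowerShell), not from the original tutorial. Requires the Az module and Connect-AzAccount.
$rg       = 'myResourceGroup'
$location = 'eastus'
$account  = 'mystorageaccount'     # must be globally unique; change it if the name is taken

New-AzResourceGroup -Name $rg -Location $location | Out-Null

# Virtual network with the workload subnet (Bastion subnet and VM omitted here)
$subnet = New-AzVirtualNetworkSubnetConfig -Name 'mySubnet' -AddressPrefix '10.1.0.0/24'
$vnet   = New-AzVirtualNetwork -Name 'myVNet' -ResourceGroupName $rg -Location $location `
            -AddressPrefix '10.1.0.0/16' -Subnet $subnet

# Storage account: public network access disabled, no anonymous blob access, TLS 1.2 minimum
$sa = New-AzStorageAccount -ResourceGroupName $rg -Name $account -Location $location `
        -SkuName 'Standard_LRS' -Kind 'StorageV2' `
        -PublicNetworkAccess 'Disabled' -AllowBlobPublicAccess $false -MinimumTlsVersion 'TLS1_2'

# Private endpoint for the blob sub-resource, placed in mySubnet
# (connection name is an assumption; the tutorial does not name it)
$conn = New-AzPrivateLinkServiceConnection -Name 'myPrivateEndpointConnection' `
          -PrivateLinkServiceId $sa.Id -GroupId 'blob'
$pe = New-AzPrivateEndpoint -Name 'myPrivateEndpoint' -ResourceGroupName $rg -Location $location `
        -Subnet $vnet.Subnets[0] -PrivateLinkServiceConnection $conn

# Private DNS zone + VNet link + zone group: this is what makes
# <account>.blob.core.windows.net resolve to the endpoint's private IP inside myVNet
$zone = New-AzPrivateDnsZone -ResourceGroupName $rg -Name 'privatelink.blob.core.windows.net'
New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zone.Name `
    -Name 'myVNetLink' -VirtualNetworkId $vnet.Id | Out-Null   # link name is an assumption
$zoneConfig = New-AzPrivateDnsZoneConfig -Name 'privatelink-blob-core-windows-net' `
                -PrivateDnsZoneId $zone.ResourceId
New-AzPrivateDnsZoneGroup -ResourceGroupName $rg -PrivateEndpointName $pe.Name `
    -Name 'default' -PrivateDnsZoneConfig $zoneConfig | Out-Null

# Read the settings back before trusting the setup
$sa = Get-AzStorageAccount -ResourceGroupName $rg -Name $account
"PublicNetworkAccess  : $($sa.PublicNetworkAccess)"        # expect Disabled
"AllowBlobPublicAccess: $($sa.AllowBlobPublicAccess)"      # expect False
$pe  = Get-AzPrivateEndpoint -ResourceGroupName $rg -Name 'myPrivateEndpoint'
"Endpoint connection  : $($pe.PrivateLinkServiceConnections[0].PrivateLinkServiceConnectionState.Status)"   # expect Approved
$nic = Get-AzNetworkInterface -ResourceId $pe.NetworkInterfaces[0].Id
"Endpoint private IP  : $($nic.IpConfigurations[0].PrivateIpAddress)"   # an address in 10.1.0.0/24
# The A record in the privatelink zone must point at that same private IP
Get-AzPrivateDnsRecordSet -ResourceGroupName $rg -ZoneName $zone.Name -RecordType A |
    Select-Object Name, @{ n = 'IPv4'; e = { $_.Records.Ipv4Address } }
```

If PublicNetworkAccess reads Enabled, or the A record is missing from the zone, clients inside the VNet will still reach the account through its public endpoint and the private endpoint is doing nothing; the two checks at the end are the ones worth automating.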
Add a container
- Select Go to resource, or in the left-hand menu of the Azure portal, select All Resources > mystorageaccount.
- Under the Data storage section, select Containers.
- Select + Container to create a new container.
- Enter mycontainer in Name and select Private (no anonymous access) under Public access level.
- Select Create.
Test connectivity to private endpoint
- Select Resource groups in the left-hand navigation pane.
- Select myResourceGroup.
- Select myVM.
- On the overview page for myVM, select Connect then Bastion.
- Enter the username and password that you entered during the virtual machine creation.
- Select Connect button.
- Open Windows PowerShell on the server after you connect.
- Enter nslookup <storage-account-name>.blob.core.windows.net, replacing <storage-account-name> with the name of the storage account you created in the previous steps.
- A private IP address from mySubnet, such as 10.1.0.5, is returned for the storage account name. The exact address depends on the order in which addresses were handed out in the subnet; what matters is that the answer is a private address in 10.1.0.0/24 (the private endpoint's network interface in mySubnet of myVNet) rather than a public IP. The answer comes from the privatelink.blob.core.windows.net zone that was linked to myVNet when the endpoint was created, so the same name resolves to a public address from anywhere outside the virtual network.
- Install Microsoft Azure Storage Explorer on the virtual machine.
- Select Finish after the Microsoft Azure Storage Explorer is installed. Leave the box checked to open the application.
- In the Select Resource screen, select Storage account or service to add a connection in Microsoft Azure Storage Explorer to your storage account that you created in the previous steps.
- In the Select Connection Method screen, select Connection string, and then Next.
- In the box under Connection String, paste the connection string from the storage account you copied in the previous steps. The storage account name will automatically populate in the box under Display name.
- Select Next.
- Verify the settings are correct in Summary.
- Select Connect, then select mystorageaccount from the Storage Accounts left-hand menu.
- Under Blob Containers, you see mycontainer that you created in the previous steps.
- Close the connection to myVM.
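The nslookup step above confirms only that some private address comes back. The following added example, not part of the original tutorial, is a PowerShell script to run on myVM (through the Bastion session) that checks the whole resolution chain: the public name must CNAME into the privatelink zone, the final A record must lie inside mySubnet (10.1.0.0/24), and TCP 443 must be reachable at that private address. The optional last step queries a public resolver (1.1.1.1 is an assumption) to show that the private answer exists only inside the VNet; it needs outbound Internet access from the VM and is skipped if that fails.

```powershell
# Added example, not from the original tutorial: run in PowerShell on myVM after connecting via Bastion.
$account      = 'mystorageaccount'     # replace with the storage account name you created
$fqdn         = "$account.blob.core.windows.net"
$subnetPrefix = '10.1.0.0/24'          # mySubnet, where the private endpoint was placed

function ConvertTo-UInt32([string]$ip) {
    # Dotted-quad IPv4 string -> unsigned integer (kept in uint64 to avoid sign issues)
    $b = ([System.Net.IPAddress]$ip).GetAddressBytes()
    return ([uint64]$b[0] -shl 24) -bor ([uint64]$b[1] -shl 16) -bor ([uint64]$b[2] -shl 8) -bor [uint64]$b[3]
}

function Test-InSubnet([string]$ip, [string]$cidr) {
    # True when $ip falls inside the IPv4 CIDR block $cidr (e.g. 10.1.0.5 in 10.1.0.0/24)
    $net, $bits = $cidr.Split('/')
    $mask = ([uint64]1 -shl 32) - ([uint64]1 -shl (32 - [int]$bits))
    return (((ConvertTo-UInt32 $ip) -band $mask) -eq ((ConvertTo-UInt32 $net) -band $mask))
}

# 1. Resolve and show the full chain: <account>.blob.core.windows.net -> CNAME privatelink name -> A record
$records = Resolve-DnsName -Name $fqdn -Type A
$records | Format-Table Name, Type, NameHost, IPAddress -AutoSize

$viaPrivateLink = [bool]($records | Where-Object {
    $_.Type -eq 'CNAME' -and $_.NameHost -like '*.privatelink.blob.core.windows.net' })
$answer = ($records | Where-Object { $_.Type -eq 'A' } | Select-Object -First 1).IPAddress

# 2. The answer must come through the privatelink zone and sit inside mySubnet
if (-not $viaPrivateLink) {
    Write-Warning "No privatelink CNAME in the chain: the private DNS zone is not linked to this VNet"
}
if (-not (Test-InSubnet $answer $subnetPrefix)) {
    Write-Warning "$fqdn resolved to $answer, outside $subnetPrefix: traffic would use the public endpoint"
} else {
    "OK: $fqdn -> $answer (private endpoint in $subnetPrefix)"
}

# 3. Reachability: the private endpoint NIC must accept the TLS connection on 443
$tcp = Test-NetConnection -ComputerName $fqdn -Port 443 -WarningAction SilentlyContinue
"TCP 443 to $($tcp.RemoteAddress): $($tcp.TcpTestSucceeded)"

# 4. Optional: the same name from a public resolver returns a public IP, proving the
#    private answer is VNet-scoped (needs outbound Internet from the VM; skipped otherwise)
$public = Resolve-DnsName -Name $fqdn -Type A -Server 1.1.1.1 -ErrorAction SilentlyContinue |
          Where-Object { $_.Type -eq 'A' } | Select-Object -First 1 -ExpandProperty IPAddress
if ($public) {
    "Public resolver answer: $public (inside $subnetPrefix: $(Test-InSubnet $public $subnetPrefix))"
}
```

A public address in step 2 is the failure mode to watch for after the endpoint is created: it usually means the VM's DNS is not using Azure-provided resolution (168.63.129.16) or the privatelink zone is not linked to myVNet, and with public network access disabled on the account every request from the VM will then be refused.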
Tag:Azure