Forum Discussion
Access Blob via S2S VPN
- Jul 31, 2021
You can use a private endpoint for the blob so it is no longer accessible from the internet.
Benefits:
- Secure your storage account by configuring the storage firewall to block all connections on the public endpoint for the storage service.
- Increase security for the virtual network (VNet) by enabling you to block exfiltration of data from the VNet.
- Securely connect to storage accounts from on-premises networks that connect to the VNet using VPN or ExpressRoute with private peering.
But you need to configure DNS resolution to be able to reach it through the VPN.
It means you should ensure that:
- You have a dedicated subnet for the private endpoint
- This subnet resides in a VNet accessible through the VPN
- This VNet has a custom DNS (DNS forwarder)
- pazdedav, Aug 02, 2021, Iron Contributor
Just to add on top of what Ibrahima said: for VPN access to Azure, using Private Endpoint is the only way to connect over that tunnel.
You could theoretically continue using the public endpoint of your Blob account and limit access from your office network (in the storage account firewall), but the traffic wouldn't go over that VPN tunnel (which you have as a requirement). The last theoretical option is using Service Endpoint, but that one doesn't work from outside of Azure.
I wrote a blog post some time ago that explains data transfers from on-prem using this pattern. It's written for Express Route, but it's very similar for VPN as well: https://dev.to/pazdedav/using-azure-express-route-for-online-data-transfers-4i9e