Forum Discussion
Azure Storage - Private Link
Hi miksingh,
The reason your final test "passed" even though you expected it to "fail" is that the 'Firewalls and virtual networks' configuration is only used for configuring either the public endpoint or a service endpoint, not the private endpoint. So this is correct behavior.
That is why you have two "tabs" in the "Networking" blade. Private Endpoints are seen as a superior option over Service Endpoints because you are targeting a specific Storage Account instance, rather than the Storage Service in each region.
What most of my customers do, when they want to allow only private connectivity to storage accounts, is to:
- enable Private Endpoint from a VNet/subnet that hosts workloads that need to access blobs or files
- use 'Firewalls and Virtual Networks' configuration to block any other access (either using the public endpoint/IP or service endpoints). They don't add any VNets in this configuration!
Please note that Private Endpoints are designed to work also from peered VNets or on-prem networks connected via VPN or ExpressRoute (as long as you configure those networks to resolve your storage account FQDN using the private DNS zone, which is a more complex topic for cross-premises configuration).
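As an added example (not code from the post or from Azure's own samples), here is a Bicep template that implements the two-step setup described above: the storage firewall set to deny with no VNet rules listed, plus a private endpoint and the private DNS zone that makes the account FQDN resolve to the private IP inside the VNet. The parameter names, the subnet/VNet resource IDs and the resource names are assumptions.

```bicep
param location string = resourceGroup().location
param storageAccountName string   // assumed: globally unique account name
param subnetId string             // assumed: resource ID of the workload subnet
param vnetId string               // assumed: resource ID of the VNet that owns that subnet

// Storage account with the firewall set to deny everything: no VNet or IP rules
// are listed, so neither the public endpoint nor service endpoints can reach it.
resource sa 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    networkAcls: { defaultAction: 'Deny', bypass: 'AzureServices', virtualNetworkRules: [], ipRules: [] }
  }
}
// Private endpoint in the workload subnet, bound to the blob sub-resource only.
resource pe 'Microsoft.Network/privateEndpoints@2023-04-01' = {
  name: '${storageAccountName}-blob-pe'
  location: location
  properties: {
    subnet: { id: subnetId }
    privateLinkServiceConnections: [ {
      name: 'blob'
      properties: { privateLinkServiceId: sa.id, groupIds: [ 'blob' ] }
    } ]
  }
}
// Private DNS zone so <account>.blob.core.windows.net resolves to the private IP
// from inside the linked VNet (peered VNets and on-prem need their own link or forwarding).
resource zone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.blob.${environment().suffixes.storage}'
  location: 'global'
}
resource link 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: zone
  name: 'workload-vnet'
  location: 'global'
  properties: { virtualNetwork: { id: vnetId }, registrationEnabled: false }
}
// Lets Azure manage the A record for the endpoint's private IP inside the zone.
resource dnsGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-04-01' = {
  parent: pe
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [ { name: 'blob', properties: { privateDnsZoneId: zone.id } } ]
  }
}
```

After deployment, a `nslookup <account>.blob.core.windows.net` from a VM in the linked VNet should return the private endpoint's address, while the same lookup from outside returns the public IP that the firewall now rejects.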