
I have recently come across the Private Endpoint feature in Azure Storage and am trying to implement it for secure access from a VNet. However, I am getting access issues when using Firewall, Virtual Network Service Endpoint and Private Endpoint all together.

I have two VNets (VNet1 & VNet2) in my subscription and an on-premises machine with Public IP to connect to Azure Storage. Following is my setup.

  1. VNet1 with a subnet that has the Service Endpoint feature enabled is whitelisted in the storage account firewall.
  2. Next, I have created a Private Endpoint to this storage account (for the blob service) from VNet2, which is also hosted inside the same VNet.
  3. Finally, I have whitelisted the public IP of my on-premises VM to connect to the storage account under the Firewall section.

Given the above setup, when I try to access this storage account's blob containers from a VM placed in VNet2, I get authorization issues.

May I please check whether this setup is valid? Do the Private Endpoint and Service Endpoint features work in parallel?


1 Answer


Yes, private endpoints can be created in subnets that use service endpoints. Clients in a subnet can thus connect to one storage account using a private endpoint while using service endpoints to access others.

There are multiple ways to connect to a storage account:

  1. Using a private endpoint (Private Link) to connect to the storage account: please find the referenced document here.
  2. Using a Service Endpoint and a Private Endpoint together: please find the referenced document here.

You can find more details in this public document.
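The following is an added example, not code from the question or the answer above. It models how the three mechanisms in the question interact when the storage account firewall has `defaultAction` set to `Deny`: a request arriving through a private endpoint is not evaluated against the account's network rules at all, a request from a service-endpoint subnet is matched against the `virtualNetworkRules`, and a request from a public address is matched against the `ipRules`. It also includes the check a practitioner would run first from the VNet2 VM: whether the account's blob FQDN resolves through the `privatelink` zone to a private IP, because if it does not, the VM's traffic goes to the public endpoint with a source address the firewall does not know. The `networkRuleSet` shape mirrors the JSON returned by `az storage account show`; the account name, subnet ID, IP addresses and DNS chains are constructed.

```python
"""Model Azure Storage firewall, service endpoint and private endpoint evaluation.

Added example. The evaluation order encodes Azure's documented behaviour as the
author of this example understands it; all sample values are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of `az storage account show --query networkRuleSet` for the
# setup in the question: VNet1 subnet allowed via service endpoint, one on-prem
# public IP allowed, everything else denied.
SAMPLE_RULESET = {
    "defaultAction": "Deny",
    "bypass": "AzureServices",
    "ipRules": [{"value": "203.0.113.10", "action": "Allow"}],
    "virtualNetworkRules": [
        {
            "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg"
                  "/providers/Microsoft.Network/virtualNetworks/VNet1/subnets/app",
            "action": "Allow",
        }
    ],
}
VNET1_SUBNET_ID = SAMPLE_RULESET["virtualNetworkRules"][0]["id"]
ACCOUNT = "examplestorage"  # constructed account name
PRIVATELINK_SUFFIX = ".privatelink.blob.core.windows.net"


@dataclass
class Client:
    """A request as the storage service sees it."""
    source_ip: str                         # address seen by the service
    subnet_id: Optional[str] = None        # set when the subnet has a service endpoint
    via_private_endpoint: bool = False     # True when DNS sent the client to the PE


def evaluate(ruleset: dict, client: Client) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request against the account's network rules."""
    # 1. Private endpoint traffic bypasses the account firewall entirely.
    if client.via_private_endpoint:
        return True, "private endpoint: firewall rules not evaluated"
    # 2. Service endpoint traffic carries the source subnet identity.
    if client.subnet_id:
        for rule in ruleset.get("virtualNetworkRules", []):
            if rule["id"].lower() == client.subnet_id.lower() and rule.get("action") == "Allow":
                return True, "virtual network rule matched subnet"
    # 3. Public source addresses are matched against the IP rules.
    ip = ipaddress.ip_address(client.source_ip)
    for rule in ruleset.get("ipRules", []):
        if ip in ipaddress.ip_network(rule["value"], strict=False) and rule.get("action") == "Allow":
            return True, f"ip rule {rule['value']} matched"
    # 4. Nothing matched: fall back to the default action.
    if ruleset.get("defaultAction", "Allow") == "Allow":
        return True, "defaultAction Allow"
    return False, "no rule matched; defaultAction Deny"


def resolves_via_private_endpoint(account: str, cname_chain: List[str], resolved_ip: str) -> bool:
    """True if <account>.blob.core.windows.net resolved through the privatelink zone to a private IP.

    cname_chain is the sequence of names an nslookup/dig of the blob FQDN walked through;
    resolved_ip is the final A record. Both come from the client's own resolver.
    """
    expected = f"{account}{PRIVATELINK_SUFFIX}"
    in_privatelink_zone = any(name.rstrip(".").lower() == expected for name in cname_chain)
    return in_privatelink_zone and ipaddress.ip_address(resolved_ip).is_private


def vnet2_vm_access(cname_chain: List[str], resolved_ip: str) -> Tuple[bool, str]:
    """The question's VNet2 VM: its subnet has no service endpoint rule, so only the PE path works.

    When DNS does not point at the PE, the VM reaches the public endpoint and the
    service sees the VM's egress public IP (constructed 198.51.100.7), which is
    not in the IP rules.
    """
    via_pe = resolves_via_private_endpoint(ACCOUNT, cname_chain, resolved_ip)
    client = Client(source_ip=resolved_ip if via_pe else "198.51.100.7",
                    via_private_endpoint=via_pe)
    return evaluate(SAMPLE_RULESET, client)


if __name__ == "__main__":
    print("on-prem VM      :", evaluate(SAMPLE_RULESET, Client("203.0.113.10")))
    print("VNet1 SE subnet :", evaluate(SAMPLE_RULESET, Client("10.1.0.4", subnet_id=VNET1_SUBNET_ID)))
    public_chain = [f"{ACCOUNT}.blob.core.windows.net"]
    pe_chain = [f"{ACCOUNT}.blob.core.windows.net", f"{ACCOUNT}{PRIVATELINK_SUFFIX}"]
    print("VNet2 VM, public DNS :", vnet2_vm_access(public_chain, "20.60.0.1"))
    print("VNet2 VM, PE DNS     :", vnet2_vm_access(pe_chain, "10.2.0.5"))
```

The two VNet2 cases are the useful ones: with the same firewall configuration, the VM is allowed only when its resolver returns the `privatelink` CNAME and a private address, so that is the first thing to compare (`nslookup <account>.blob.core.windows.net` from the VM) before changing any firewall rule.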