Securing an Azure Storage Account with Private Endpoint
Prior to stumbling on this post, you most likely connect to or mount your Azure Storage account file share with the public share URL and access keys. But did you know there is a more secure way? That is what I will be demonstrating in this article.
To achieve this, we will use a private endpoint, which is part of the Azure Private Link service. You might wonder what a private endpoint is. It is basically a network interface that uses a private IP address from your virtual network, allowing a private, secure connection that does not traverse the internet.
Now that you have an idea of the solution, let’s get right into it.
Navigate to your storage account in the Azure portal, expand the “Security + Networking” blade and click “Networking”
Select the “Private endpoints” tab and click Create private endpoint
Specify the resource group, name, NIC name and region for your private endpoint. For this demo, I’m naming my endpoint labstorage-pe
NB: The chosen region must be the same region where the storage account to be used with the private endpoint resides.
Click the “Resource” tab or Next and specify the target sub-resource that will use this endpoint; choose file since we want to connect to an Azure File share
Click on “Virtual Network” tab or Next, select the virtual network and subnet where the private endpoint should be deployed. Leave everything else as default.
NB: The selected subnet should be the one from which your VMs take their private IPs
Click the “DNS” tab or Next and select “Yes” to integrate with a private DNS zone; this creates a Private DNS Zone so that the storage account’s FQDN resolves to the private endpoint IP from inside the virtual network
Click “Review + Create” to verify all configurations then “Create”
Once the deployment completes, type private in the search bar and click Private endpoints in the results
As you can see, our labstorage-pe private endpoint is ready to be used and we can also see the connected resources as well as the private IP that is assigned amongst other properties.
Click on the private endpoint to view more in-depth details. Another way to get the private IP assigned is by checking the DNS Configuration
Under “Customer Visible FQDNs”, we can see the private IP and the target it maps to, which is the Azure File share entity of our storage account (labstorage25.file.core.windows.net)
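Before mounting, it is worth confirming from a VM in lab-snet that the share FQDN really resolves to the private endpoint IP and not to a public address. The check below is an added example, not part of the original post; it uses the FQDN and subnet the post shows and assumes the VM runs Windows PowerShell with the DnsClient and NetTCPIP modules available.

```powershell
# Added check (not from the post), run from a VM in lab-snet: confirm that the
# share FQDN resolves to an address inside the subnet (i.e. the private
# endpoint IP) rather than a public IP, and that SMB (TCP 445) is reachable.
$fqdn       = "labstorage25.file.core.windows.net"
$subnetCidr = "172.16.0.0/24"   # lab-snet, from the post

function Test-InSubnet([string]$Address, [string]$Cidr) {
    $net, $bits = $Cidr.Split("/")
    $toUInt = {
        param($s)
        $b = [System.Net.IPAddress]::Parse($s).GetAddressBytes()
        [Array]::Reverse($b)                 # network order -> little-endian
        [BitConverter]::ToUInt32($b, 0)
    }
    # 0xFFFFFFFF is Int64 in PowerShell, so the shift does not overflow
    $mask = [uint32]((0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF)
    return (((& $toUInt $Address) -band $mask) -eq ((& $toUInt $net) -band $mask))
}

$records = Resolve-DnsName -Name $fqdn -ErrorAction Stop
$cnames  = ($records | Where-Object Type -eq "CNAME").NameHost
$ip      = ($records | Where-Object Type -eq "A" | Select-Object -First 1).IPAddress

"CNAME chain : $($cnames -join ' -> ')"
"A record    : $ip"
if (-not (Test-InSubnet $ip $subnetCidr)) {
    Write-Warning "$fqdn resolves to $ip, outside $subnetCidr. Private DNS is not in effect; traffic would go to the public endpoint."
} else {
    "OK: $fqdn resolves to the private endpoint IP"
}

# SMB reachability to the private IP (the port the UNC path \\$ip\labshare uses)
Test-NetConnection -ComputerName $ip -Port 445 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

If the A record is outside the subnet, the VM is not using the private DNS zone (for example a custom DNS server that does not forward to Azure DNS), and the UNC path by FQDN would silently reach the public endpoint.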
Now that private access is in place, let’s connect to the file share from a machine in the same subnet using the private endpoint IP, like so: \\[Private Endpoint IP]\fileshare, i.e. \\172.16.0.5\labshare. I have deployed a labserver VM residing in the same lab-snet subnet (172.16.0.0/24) for this purpose
Next, you’ll be prompted for a username and password; these are the storage account name and an access key respectively
You can get the storage account key by navigating to your storage account > Access keys then copy one of key1 or key2
Once authentication is successful, we’ll be able to access the file share
To confirm we have full CRUD access, I’ll create a text file and name it file1
Then we’ll verify from the Azure Portal if the file appears on the labshare fileshare
As we can see, the file1 is present.
But we are yet to fully secure access to our Azure Storage file share, because the network setting still allows public access; that is what we will get rid of next.
Go to the storage account, then click on “Networking” from the “Security + Networking” blade
Public network access is currently set to “Enabled from all networks”. To change that, click “Manage”
To completely restrict access to the storage account from the internet, choose Disable. In this demo, however, we still want public access to the storage account from selected IPs, so I’ll choose “Enable from selected networks”
This will open another dialog where we’ll add Virtual Networks and IPv4 Addresses
- Virtual Networks allows us to add a new or existing vnet so that resources in that vnet can securely connect to the storage account
- IPv4 Addresses allows us to add the IPs of on-prem or local machines that are not in the cloud so they can access the storage account
For this demo, I only want access from VMs in the lab-snet subnet of my Lab-vnet, so I’ll add an existing virtual network
In order to successfully add the vnet, a service endpoint needs to be enabled. This secures access to the storage account from connected resources over the Azure backbone network and keeps traffic off the public internet
Click “Enable”
Wait for a couple of minutes for the service endpoint to provision then click “Add” to finalize
Now our virtual network has been added, click “Save” to complete the process
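The two portal procedures above (creating the private endpoint with DNS integration, then restricting public network access to the lab subnet) can be reproduced with the Az PowerShell module. This is an added example, not the post’s own steps; it reuses the names the post shows (labstorage25, Lab-vnet, lab-snet, labstorage-pe, 172.16.0.0/24), while the resource group name and region are assumptions.

```powershell
# Added example (not from the post): the same two procedures with the Az module.
# Assumptions: everything lives in one resource group; the region must equal the
# storage account's region (the post's first NB).
$rg         = "lab-rg"     # assumption
$location   = "eastus"     # assumption
$saName     = "labstorage25"
$vnetName   = "Lab-vnet"
$subnetName = "lab-snet"
$peName     = "labstorage-pe"

$sa     = Get-AzStorageAccount -ResourceGroupName $rg -Name $saName
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet

# 1. Private endpoint for the "file" sub-resource, placed in lab-snet
$conn = New-AzPrivateLinkServiceConnection -Name "$peName-conn" `
            -PrivateLinkServiceId $sa.Id -GroupId "file"
New-AzPrivateEndpoint -ResourceGroupName $rg -Name $peName -Location $location `
    -Subnet $subnet -PrivateLinkServiceConnection $conn | Out-Null

# 2. Private DNS zone for Azure Files, linked to the vnet and attached to the
#    endpoint, so labstorage25.file.core.windows.net resolves to the private IP
$zoneName = "privatelink.file.core.windows.net"
$zone = New-AzPrivateDnsZone -ResourceGroupName $rg -Name $zoneName
New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zoneName `
    -Name "$vnetName-link" -VirtualNetworkId $vnet.Id | Out-Null
$zoneCfg = New-AzPrivateDnsZoneConfig -Name "file" -PrivateDnsZoneId $zone.ResourceId
New-AzPrivateDnsZoneGroup -ResourceGroupName $rg -PrivateEndpointName $peName `
    -Name "default" -PrivateDnsZoneConfig $zoneCfg | Out-Null

# 3. Service endpoint on lab-snet (the "Enable" step), then public access
#    restricted to that subnet only ("Enable from selected networks").
#    Choosing "Disable" in the portal instead corresponds to
#    Set-AzStorageAccount -PublicNetworkAccess Disabled.
Set-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet `
    -AddressPrefix "172.16.0.0/24" -ServiceEndpoint "Microsoft.Storage" | Out-Null
$vnet   = $vnet | Set-AzVirtualNetwork
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $saName `
    -DefaultAction Deny -Bypass AzureServices | Out-Null
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $saName `
    -VirtualNetworkResourceId $subnet.Id | Out-Null

# Show the resulting rule set: DefaultAction should be Deny with one vnet rule
Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $saName
```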
To put the implemented security to the test, I will access the file share from my local machine like I did earlier, but this time it should be denied because my IP is not in the IPv4 Addresses list.
As you can see, it denied me access.
Next, I will do the same from the labserver VM used to connect via the private endpoint IP earlier, which should give me access because it resides in the Lab-vnet network
Voila, I have access and can see the file1 created earlier.
Access to our Azure Storage account and Azure File share has now been fully secured!