Private Endpoint in Use

01 Sign in to the Azure Management Console.

02 Navigate to Azure Storage blade at https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Storage%2FStorageAccounts.

03 On the Storage accounts page, select the subscription that you want to examine from the Subscription filter box and choose Apply.

04 Click on the name (link) of the Azure Storage account that you want to examine.

05 In the blade navigation panel, under Security + networking, choose Networking to access the networking settings available for the selected storage account.

06 Choose the Private endpoint connections tab and check for a approved private endpoint connection configured for each Virtual Network (VNet) associated with the selected storage account. An approved private endpoint connection is a private endpoint with the Connection State set to Approved. If there are no approved private endpoint connections available for the storage account, the selected Microsoft Azure Storage account is not using private endpoints for secure access.

07 Repeat steps no. 4 – 6 for each storage account available within the selected subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

01 Run storage account list command (Windows/macOS/Linux) with custom query filters to describe the identifier of each storage account available in the selected Azure subscription:

az storage account list 
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
  --query '[*].name'

02 The command output should return the requested resource identifiers (names):

[
	"mediastorageaccount",
	"prodstorageaccount",
	"project5storageaccount"
]

03 Run storage account show command (Windows/macOS/Linux) using the name of the Azure Storage account that you want to examine as the identifier parameter and custom query filters to describe the approved private endpoint connections created for the selected storage account:

az storage account show
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
  --name mediastorageaccount
  --query 'privateEndpointConnections'

04 The command output should return the configuration information available for each approved private endpoint connection:

[]

05 Repeat steps no. 3 and 4 for each storage account provisioned in the current Azure subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.

01 Sign in to the Azure Management Console.

02 Navigate to Azure Storage blade at https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Storage%2FStorageAccounts.

03 On the Storage accounts page, select the subscription that you want to access from the Subscription filter box and choose Apply.

04 Click on the name (link) of the Azure Storage account that you want to configure.

05 In the blade navigation panel, under Security + networking, choose Networking to access the networking settings available for the selected storage account.

06 Select the Private endpoint connections tab and choose Private endpoint to create a new private endpoint connection.

07 On the Create a private endpoint setup page, perform the following operations:

1. For Basics, select the target Azure subscription, resource group, and region, and type a name for the new private endpoint connection in the Name box. The Network Interface Name will be automatically completed. The private endpoint must be in the same region as your virtual network (VNet). Choose Next : Resource > to continue the setup process.
2. For Resource, select the target sub-resource that your private endpoint will be able to access, such as a table, blob, queue, file, etc. Choose Next : Virtual Network > to continue.
3. For Virtual Network, select the Virtual Network (VNet) and VNet subnet that your storage account will be connecting to via private endpoint connection, choose whether to dynamically or statically allocate the required IP address, and configure the application security group. Choose Next : DNS > to continue the setup.
4. For DNS, choose whether to use a private DNS integration. To connect privately with your private endpoint, you must add a DNS record. If you choose to integrate with a private DNS zone, the Azure console will create the required DNS record. Choose Next : Tags > to continue.
5. For Tags, configure any required tags sets and choose Next : Review + create > to continue.
6. For Review + create, review the resource configuration details and choose Create to deploy the new, auto-approved, private endpoint for your Azure Storage account.

08 Repeat steps no. 4 – 7 for each storage account that you want to configure, available in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription available within your Microsoft Azure cloud account.

01 Run network private-endpoint create command (Windows/macOS/Linux) to create a new, auto-approved, private endpoint with dynamic IP for the selected Microsoft Azure Storage account:

az network private-endpoint create
  --name cc-media-storage-private-endpoint 
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd 
  --resource-group cloud-shell-storage-westeurope 
  --location westeurope 
  --vnet-name cc-azure-vnet 
  --subnet default 
  --private-connection-resource-id /subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Storage/storageAccounts/mediastorageaccount 
  --connection-name cc-media-storage-private-connection 
  --group-id blob

02 The command output should return the configuration information available for the new private endpoint:

{
	"customDnsConfigs": [
		{
			"fqdn": "mediastorageaccount.blob.core.windows.net",
			"ipAddresses": [
				"10.0.0.15"
			]
		}
	],
	"customNetworkInterfaceName": "",
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/privateEndpoints/cc-media-storage-private-endpoint",
	"ipConfigurations": [],
	"location": "westeurope",
	"manualPrivateLinkServiceConnections": [],
	"name": "cc-media-storage-private-endpoint",
	"networkInterfaces": [
		{
			"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/networkInterfaces/cc-media-storage-private-endpoint.nic.abcdabcd-1234-abcd-1234-abcdabcdabcd",
			"resourceGroup": "cloud-shell-storage-westeurope"
		}
	],
	"privateLinkServiceConnections": [
		{
			"groupIds": [
				"blob"
			],
			"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/privateEndpoints/cc-media-storage-private-endpoint/privateLinkServiceConnections/cc-media-storage-private-connection",
			"name": "cc-media-storage-private-connection",
			"privateLinkServiceConnectionState": {
				"actionsRequired": "None",
				"description": "Auto-Approved",
				"status": "Approved"
			},
			"privateLinkServiceId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Storage/storageAccounts/mediastorageaccount",
			"provisioningState": "Succeeded",
			"resourceGroup": "cloud-shell-storage-westeurope",
			"type": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections"
		}
	],
	"provisioningState": "Succeeded",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"subnet": {
		"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-azure-vnet/subnets/default",
		"resourceGroup": "cloud-shell-storage-westeurope"
	},
	"type": "Microsoft.Network/privateEndpoints"
}

03 Repeat steps no. 1 and 2 for each storage account that you want to configure, available in the selected Azure subscription.

04 Repeat steps no. 1 – 3 for each subscription available within your Microsoft Azure cloud account.