Private Endpoints for Azure Storage

Azure Private Endpoints, also broadly known as Private links for Azure resources, provides a way to directly connect to resources within your tenancy without traversing over the internet, improving throughput and latency. 
A great use for Private Endpoints is with Storage accounts, which connects them to a Virtual Network, or VNet, much like an Azure VM NIC.

There are costs associated with Private Endpoints that include per-hour hosting, ingress and egress of data. You should also be aware of the following when creating a Private Endpoint for a Storage account:

  • Private Endpoint's creates a NIC that connects to a desired VNet and subnet  
  • You will need to create a Private Endpoint per Storage account
  • Private Endpoint's can be rejected or removed under the 'Private endpoint connections' blade of the Storage account, and also can be viewed or deleted under 'Private Link Center' within the Azure Portal

To start, first we need to allow our VNet and associated subnet(s) access to the Storage account:

  1. Navigate to your Storage account
  2. Select the 'Firewalls and virtual networks' blade under [Settings]
  3. Select 'Selected networks'
  4. Specify the VNet and subnet(s) to permit and select [Save]

To create the Private Endpoint:

  1. Select 'Private endpoint connections' blade under [Settings]
  2. Select [+ Private endpoint]
  3. Specify the Resource Group, name, region
  4. Subscription, Resource type (storageAccounts), Resource (Storage Account object) and Target sub-resource (blob)
  5. Select the Virtual network (VNet) and enable private DNS
  6. Confirm the settings and proceed and allow for the deployment to complete

Assuming you are using Azure-provided name resolution, connect to a VM on the subnet and do an nslookup and tracert to confirm the Storage account is now accessible on the same subnet:

tracert -d