| 1 | +--- |
| 2 | +title: Connect to a storage account using an Azure private endpoint |
| 3 | +description: This article explains how to connect Cloud Shell to a storage account using a private endpoint. |
| 4 | +ms.topic: how-to |
| 5 | +ms.date: 11/25/2024 |
| 6 | +--- |
| 7 | + |
| 8 | +# Connect to a storage account using an Azure private endpoint |
| 9 | + |
| 10 | +Azure private endpoint is the fundamental building block for Private Link in Azure. It enables Azure |
| 11 | +resources to privately and securely communicate with Private Link resources such as Azure Storage. |
| 12 | + |
| 13 | +After deploying Cloud Shell in a private virtual network, you may want to remove the public endpoint |
| 14 | +from the storage account and use a private endpoint. When you use a private endpoint, the storage |
| 15 | +account is accessible only from the virtual network where the private endpoint is created. You must |
| 16 | +also add a DNS record for the private endpoint. Without the DNS record, Cloud Shell can't connect to |
| 17 | +the storage account. Under this condition, when you start a Cloud Shell session, you see a message |
| 18 | +that you're using ephemeral storage. |
| 19 | + |
| 20 | +This article shows you how to create a private endpoint for a storage account and create the |
| 21 | +necessary DNS record. |
| 22 | + |
| 23 | +## Disable public access to storage account |
| 24 | + |
| 25 | +Before you create the private endpoint, you should disable public access to the storage account. Use |
| 26 | +the following steps to disable public access to the storage account. |
| 27 | + |
| 28 | +1. In the search box at the top of the portal, enter **Storage account**. Select **Storage |
| 29 | + accounts** in the search results. |
| 30 | +1. Select **storage1** or the name of your existing storage account. |
| 31 | +1. In **Security + networking**, select **Networking**. |
| 32 | +1. In the **Firewalls and virtual networks** tab in **Public network access**, select **Disabled**. |
| 33 | +1. Select **Save**. |
| 34 | + |
| 35 | +## Create private endpoint |
| 36 | + |
| 37 | +1. In the search box at the top of the portal, enter **Private endpoint**. Select **Private |
| 38 | + endpoints**. |
| 39 | +1. Select **+ Create** in **Private endpoints**. |
| 40 | +1. In the **Basics** tab of **Create a private endpoint**, create the following configuration: |
| 41 | + |
| 42 | + | Setting | Value | |
| 43 | + | ---------------------- | ---------------------------------------------- | |
| 44 | + | **Project details** | | |
| 45 | + | Subscription | Select your subscription. | |
| 46 | + | Resource group | Select **rg-cloudshell-eastus** | |
| 47 | + | **Instance details** | | |
| 48 | + | Name | Enter **private-endpoint**. | |
| 49 | + | Network Interface Name | Leave the default of **private-endpoint-nic**. | |
| 50 | + | Region | Select **East US 2**. | |
| 51 | + |
| 52 | +1. Select **Next: Resource**. |
| 53 | +1. In the **Resource** pane, enter or select the following information. |
| 54 | + |
| 55 | + | Setting | Value | |
| 56 | + | ------------------ | ---------------------------------------------------------------------- | |
| 57 | + | Connection method | Leave the default of **Connect to an Azure resource in my directory.** | |
| 58 | + | Subscription | Select your subscription. | |
| 59 | + | Resource type | Select **Microsoft.Storage/storageAccounts**. | |
| 60 | + | Resource | Select **myvnetstorage1138** or your storage account. | |
| 61 | + | Target subresource | Select **file**. | |
| 62 | + |
| 63 | +1. Select **Next: Virtual Network**. |
| 64 | + |
| 65 | +1. In **Virtual Network**, enter or select the following information. |
| 66 | + |
| 67 | + | Setting | Value | |
| 68 | + | ------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | |
| 69 | + | **Networking** | | |
| 70 | + | Virtual network | Select **vnet-cloudshell-eastus (rg-cloudshell-eastus)**. | |
| 71 | + | Subnet | Select **storagesubnet**. | |
| 72 | + | Network policy for private endpoints | Select **edit** to apply Network policy for private endpoints. </br> In **Edit subnet network policy**, select the checkbox next to **Network security groups** and **Route Tables** in the **Network policies setting for all private endpoints in this subnet** pull-down. </br> Select **Save**. </br></br>For more information, see [Manage network policies for private endpoints][01] | |
| 73 | + | **Private IP configuration** | Select **Dynamically allocate IP address**. | |
| 74 | + |
| 75 | + :::image type="content" source="./media/how-to-use-private-endpoint-storage/dynamic-ip-address.png" alt-text="Screenshot of dynamic IP address selection." border="true"::: |
| 76 | + |
| 77 | +1. Select **Next: DNS**. |
| 78 | +1. On the **DNS** tab, ensure that **Integrate with private DNS zone** is set to **Yes**. Keep the |
| 79 | + default values for the remaining fields. |
| 80 | +1. Select **Next: Tags**, then **Next: Review + create**. |
| 81 | +1. Select **Create**. |
| 82 | + |
| 83 | +<!-- link references --> |
| 84 | +[01]: /azure/private-link/disable-private-endpoint-network-policy |
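Review bot: The intro paragraph promises that the article creates the DNS record the private endpoint needs ("Without the DNS record, Cloud Shell can't connect"), but the only DNS-related step is keeping **Integrate with private DNS zone** set to **Yes** on the **DNS** tab; say at that step that this setting is what creates the required record, and end with a verification step (start a Cloud Shell session and confirm the ephemeral-storage message from the intro no longer appears), otherwise a reader has no way to tell whether the procedure worked. Two sample values are also inconsistent: the disable-public-access step says "Select **storage1**" while the **Resource** pane says "Select **myvnetstorage1138**", and the **Region** is **East US 2** while the resource group and virtual network are named `rg-cloudshell-eastus` and `vnet-cloudshell-eastus`; a private endpoint must be in the same region as its virtual network, so use one storage account name and one region throughout. Ordering is worth a sentence too: disabling public access before the endpoint and DNS zone exist leaves Cloud Shell on ephemeral storage until the remaining steps finish, so either note that window or move the disable step after endpoint creation. Minor: the `</br>` tags in the **Network policy for private endpoints** cell should be `<br>`.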