articles/storage/common/storage-network-security.md
1 addition & 1 deletion
@@ -379,7 +379,7 @@ When you enable the **Allow trusted Microsoft services...** setting, resources o
| Azure Networking | Microsoft.Network | Store and analyze network traffic logs. [Learn more](/azure/network-watcher/network-watcher-packet-capture-overview). |
| Azure Site Recovery | Microsoft.SiteRecovery | Enable replication for disaster-recovery of Azure IaaS virtual machines when using firewall-enabled cache, source, or target storage accounts. [Learn more](https://docs.microsoft.com/azure/site-recovery/azure-to-azure-tutorial-enable-replication). |
-
The **Allow trusted Microsoft services...** setting also allows a particular instance of the below services to access the storage account, if you explicitly [assign an RBAC role](storage-auth-aad.md#assign-rbac-roles-for-access-rights) to the [system-assigned managed identity](../../active-directory/managed-identities-azure-resources/overview.md) for that resource instance.
+
The **Allow trusted Microsoft services...** setting also allows a particular instance of the below services to access the storage account, if you explicitly [assign an RBAC role](storage-auth-aad.md#assign-rbac-roles-for-access-rights) to the [system-assigned managed identity](../../active-directory/managed-identities-azure-resources/overview.md) for that resource instance. In this case, the scope of access for the instance corresponds to the RBAC role assigned to the managed identity.
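Review bot: The added sentence is the right clarification, but "In this case" reads as if the role-scoped access applies only in some sub-case; the point is that the trusted-services exception only opens the network path, and the instance's permissions are exactly those granted by the RBAC role assigned to its managed identity, nothing more. Suggest: "The trusted-services exception only lets the instance through the network rules; what it can do is limited to the permissions of the RBAC role assigned to the managed identity." Also "the below services" should be "the following services".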
articles/storage/common/storage-private-endpoints.md
8 additions & 8 deletions
@@ -18,7 +18,7 @@ You can use [Private Endpoints](../../private-link/private-endpoint-overview.md)
Using private endpoints for your storage account enables you to:
- Secure your storage account by configuring the storage firewall to block all connections on the public endpoint for the storage service.
-
-Increases security for the virtual network (VNet), by enabling you to block exfiltration of data from the VNet.
+
-Increase security for the virtual network (VNet), by enabling you to block exfiltration of data from the VNet.
- Securely connect to storage accounts from on-premises networks that connect to the VNet using [VPN](../../vpn-gateway/vpn-gateway-about-vpngateways.md) or [ExpressRoutes](../../expressroute/expressroute-locations.md) with private-peering.
## Conceptual Overview
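Review bot: The grammar fix on "Increase" leaves the real rendering defect in place: both the old and new versions of the line start with "-Increase" with no space after the hyphen, unlike the sibling items "- Secure your storage account..." and "- Securely connect...", so this line still won't render as a list item. While touching the line, change it to "- Increase security for the virtual network (VNet), by enabling you to block exfiltration of data from the VNet."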
@@ -30,12 +30,12 @@ Applications in the VNet can connect to the storage service over the private end
When you create a private endpoint for a storage service in your VNet, a consent request is sent for approval to the storage account owner. If the user requesting the creation of the private endpoint is also an owner of the storage account, this consent request is automatically approved.
-
Storage account owners can manage consent requests and the private endpoints, through the 'Private Endpoints' tab for the storage account in the [Azure portal](https://portal.azure.com).
+
Storage account owners can manage consent requests and the private endpoints, through the '*Private Endpoints*' tab for the storage account in the [Azure portal](https://portal.azure.com).
> [!TIP]
> If you want to restrict access to your storage account through the private endpoint only, configure the storage firewall to deny all access through the public endpoint.
-
You can secure your storage account to only accept connections from your VNet, by [configuring the storage firewall](storage-network-security.md#change-the-default-network-access-rule) to deny access through its public endpoint by default. You don't need a firewall rule to allow traffic from a VNet that has a private endpoint, since the storage firewall only controls access through the public endpoint. Private endpoints instead rely on the consent flow for granting subnets access to the storage service.
+
You can secure your storage account to only accept connections from your VNet, by [configuring the storage firewall](storage-network-security.md#change-the-default-network-access-rule) to deny access through its public endpoint by default. You don't need a firewall rule to allow traffic from a VNet that has a private endpoint, since the storage firewall only controls access through the public endpoint. Private endpoints instead rely on the consent flow for granting subnets access to the storage service.
### Private Endpoints for Storage Service
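Review bot: The removed and added versions of the "You can secure your storage account to only accept connections from your VNet..." paragraph are identical in the rendered diff, so this looks like a whitespace-only change; either drop it so the hunk is just the '*Private Endpoints*' italics fix, or say in the commit message that it is a whitespace fix. That paragraph also restates the TIP directly above it ("configure the storage firewall to deny all access through the public endpoint"); consider keeping only one of the two.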
@@ -57,7 +57,7 @@ For more detailed information on creating a private endpoint for your storage ac
### DNS changes for Private Endpoints
-
Clients on a VNet can use the same connection string for the storage account even when using a private endpoint.
+
Clients on a VNet should use the same connection string for the storage account even when using a private endpoint.
When you create a private endpoint, we update the DNS CNAME resource record for that storage endpoint to an alias in a subdomain with the prefix '*privatelink*'. By default, we also create a [private DNS zone](../../dns/private-dns-overview.md) attached to the VNet. This private DNS zone corresponds to the subdomain with the prefix '*privatelink*', and contains the DNS A resource records for the private endpoints.
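Review bot: Changing "can use" to "should use" turns this into a recommendation without giving the reason, while the paragraph right after it explains it (the storage endpoint's CNAME is updated to the '*privatelink*' subdomain, whose A records live in the private DNS zone). Suggest tying the two together, e.g. "Clients on a VNet should keep using the same connection string for the storage account even when using a private endpoint; DNS resolution, not the connection string, is what routes the request over the private endpoint." That also matches the later note telling readers not to connect via the '*privatelink*' URL.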
@@ -86,7 +86,7 @@ This approach enables access to the storage account **using the same connection
> Use the same connection string to connect to the storage account over private endpoints, as you'd use otherwise. Please don't connect to the storage account using its '*privatelink*' subdomain URL.
> [!TIP]
-
> If you're using a custom or on-premises DNS server, you should use the 'privatelink' subdomain of the storage service to configure DNS resource records for the private endpoints.
+
> When using a custom or on-premises DNS server, you should configure DNS resource records for private endpoints in a DNS zone corresponding to the 'privatelink' subdomain of the storage service.
The recommended DNS zone names for private endpoints for storage services are:
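Review bot: The rewritten TIP says where to put the records but not what they must be or what goes wrong otherwise. For a custom or on-premises DNS server, the records in the 'privatelink' zone need to be A records for the private endpoint IP addresses, and the storage account's public FQDN must still resolve through the CNAME to that 'privatelink' name, as the earlier DNS paragraph describes for the Azure-managed zone; if the resolver returns the public IP instead, clients go to the public endpoint, where the firewall blocks them or, if it is open, they bypass the private endpoint without noticing. Suggest adding one sentence to that effect, since the list of recommended zone names follows right after.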
@@ -105,12 +105,12 @@ For pricing details, see [Azure Private Link pricing](https://azure.microsoft.co
## Known Issues
-
### Copy Blob failures
+
### Copy Blob support
-
Currently, [Copy Blob](https://docs.microsoft.com/rest/api/storageservices/Copy-Blob) commands issued to storage accounts accessed through private endpoints fail when the source storage account is protected by a firewall.
+
During the preview, we don't support [Copy Blob](https://docs.microsoft.com/rest/api/storageservices/Copy-Blob) commands issued to storage accounts accessed through private endpoints when the source storage account is protected by a firewall.
### Subnets with Service Endpoints
-
During the preview, you can't create a private endpoint in a subnet that has service endpoints. You can create separate subnets in the same VNet for service endpoints and private endpoints.
+
Currently, you can't create a private endpoint in a subnet that has service endpoints. As a workaround, you can create separate subnets in the same VNet for service endpoints and private endpoints.
### Storage access constraints for clients in VNets with Private Endpoints
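Review bot: The two edits in this hunk move in opposite directions: the Copy Blob item goes from "Currently" to "During the preview", while the service-endpoints item goes from "During the preview" to "Currently". Pick one phrase and use it for both known issues. Renaming the heading from "Copy Blob failures" to "Copy Blob support" and rewording the body to "we don't support" also hides the symptom a reader will be searching for, which is that the copy fails; keep the failure in the body, e.g. "During the preview, Copy Blob commands issued to storage accounts accessed through private endpoints fail when the source storage account is protected by a firewall."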