
Commit 38a94b6

Merge pull request #245407 from asudbring/pl-diagram-storage
Change values to match new diagram for private endpoint azure storage tutorial
2 parents 060eec0 + 8fca9f9 commit 38a94b6

3 files changed

+134
-175
lines changed

articles/private-link/tutorial-private-endpoint-storage-portal.md

Lines changed: 98 additions & 175 deletions
@@ -14,271 +14,194 @@ ms.custom: template-tutorial, ignite-2022
1414

1515
Azure Private endpoint is the fundamental building block for Private Link in Azure. It enables Azure resources, like virtual machines (VMs), to privately and securely communicate with Private Link resources such as Azure Storage.
1616

17-
In this tutorial, you'll learn how to:
17+
:::image type="content" source="./media/tutorial-private-endpoint-storage/storage-tutorial-resources.png" alt-text="Diagram of resources created in tutorial.":::
18+
19+
In this tutorial, you learn how to:
1820

1921
> [!div class="checklist"]
2022
> * Create a virtual network and bastion host.
23+
> * Create a storage account and disable public access.
24+
> * Create a private endpoint for the storage account.
2125
> * Create a virtual machine.
22-
> * Create a storage account with a private endpoint.
2326
> * Test connectivity to the storage account private endpoint.
2427
2528
## Prerequisites
2629

2730
* An Azure subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
2831

29-
## Sign in to Azure
32+
## <a name="create-storage-account-with-a-private-endpoint"></a> Sign in to Azure
3033

3134
Sign in to the [Azure portal](https://portal.azure.com).
3235

33-
## Create a virtual network and bastion host
34-
35-
Create a virtual network, subnet, and bastion host. The virtual network and subnet will contain the private endpoint that connects to the Azure Storage Account.
36-
37-
The bastion host will be used to connect securely to the virtual machine for testing the private endpoint.
36+
[!INCLUDE [virtual-network-create-with-bastion.md](../../includes/virtual-network-create-with-bastion.md)]
3837

39-
1. In the search box at the top of the portal, enter **Virtual network**. Select **Virtual network** in the search results.
38+
[!INCLUDE [create-storage-account.md](../../includes/create-storage-account.md)]
4039

41-
2. Select **+ Create**.
40+
## Disable public access to storage account
4241

43-
3. In **Create virtual network**, enter or select this information in the **Basics** tab:
42+
Before you create the private endpoint, it's recommended to disable public access to the storage account. Use the following steps to disable public access to the storage account.
4443

45-
| Setting | Value |
46-
|------------------|------------------------------------|
47-
| **Project Details** | |
48-
| Subscription | Select your Azure subscription. |
49-
| Resource Group | Select **Create new**. </br> Enter **TutorPEstorage-rg** in **Name**. </br> Select **OK**. |
50-
| **Instance details** | |
51-
| Name | Enter **myVNet**. |
52-
| Region | Select **East US**. |
44+
1. In the search box at the top of the portal, enter **Storage account**. Select **Storage accounts** in the search results.
5345

54-
4. Select the **IP Addresses** tab or select **Next: IP Addresses**.
46+
1. Select **storage1** or the name of your existing storage account.
5547

56-
5. In the **IP Addresses** tab, enter this information:
48+
1. In **Security + networking**, select **Networking**.
5749

58-
| Setting | Value |
59-
|--------------------|----------------------------|
60-
| IPv4 address space | Enter **10.1.0.0/16**. |
50+
1. In the **Firewalls and virtual networks** tab in **Public network access**, select **Disabled**.
6151

62-
6. Under **Subnet name**, select the word **default**. If a subnet isn't listed, select **+ Add subnet**.
52+
1. Select **Save**.
6353

64-
7. In **Edit subnet**, enter this information:
54+
## Create private endpoint
6555

66-
| Setting | Value |
67-
|--------------------|----------------------------|
68-
| Subnet name | Enter **mySubnet**. |
69-
| Subnet address range | Enter **10.1.0.0/24**. |
56+
1. In the search box at the top of the portal, enter **Private endpoint**. Select **Private endpoints**.
7057

71-
8. Select **Save**.
58+
1. Select **+ Create** in **Private endpoints**.
7259

73-
9. Select the **Security** tab.
60+
1. In the **Basics** tab of **Create a private endpoint**, enter or select the following information.
7461

75-
10. Under **BastionHost**, select **Enable**. Enter this information:
62+
| Setting | Value |
63+
| ------- | ----- |
64+
| **Project details** | |
65+
| Subscription | Select your subscription. |
66+
| Resource group | Select **test-rg** |
67+
| **Instance details** | |
68+
| Name | Enter **private-endpoint**. |
69+
| Network Interface Name | Leave the default of **private-endpoint-nic**. |
70+
| Region | Select **East US 2**. |
71+
72+
1. Select **Next: Resource**.
73+
74+
1. In the **Resource** pane, enter or select the following information.
7675

77-
| Setting | Value |
78-
|--------------------|----------------------------|
79-
| Bastion name | Enter **myBastionHost**. |
80-
| AzureBastionSubnet address space | Enter **10.1.1.0/26**. |
81-
| Public IP Address | Select **Create new**. </br> For **Name**, enter **myBastionIP**. </br> Select **OK**. |
76+
| Setting | Value |
77+
| ------- | ----- |
78+
| Connection method | Leave the default of **Connect to an Azure resource in my directory.** |
79+
| Subscription | Select your subscription. |
80+
| Resource type | Select **Microsoft.Storage/storageAccounts**. |
81+
| Resource | Select **storage-1** or your storage account. |
82+
| Target subresource | Select **blob**. |
8283

84+
1. Select **Next: Virtual Network**.
8385

84-
11. Select the **Review + create** tab or select the **Review + create** button.
86+
1. In **Virtual Network**, enter or select the following information.
8587

86-
12. Select **Create**.
88+
| Setting | Value |
89+
| ------- | ----- |
90+
| **Networking** | |
91+
| Virtual network | Select **vnet-1 (test-rg)**. |
92+
| Subnet | Select **subnet-1**. |
93+
| Network policy for private endpoints | Select **edit** to apply Network policy for private endpoints. </br> In **Edit subnet network policy**, select the checkbox next to **Network security groups** and **Route Tables** in the **Network policies setting for all private endpoints in this subnet** pull-down. </br> Select **Save**. </br></br>For more information, see [Manage network policies for private endpoints](disable-private-endpoint-network-policy.md) |
8794

88-
It will take a few minutes for the virtual network and Azure Bastion host to deploy. Proceed to the next steps when the virtual network is created.
95+
# [**Dynamic IP**](#tab/dynamic-ip)
8996

90-
## Create a virtual machine
97+
| Setting | Value |
98+
| ------- | ----- |
99+
| **Private IP configuration** | Select **Dynamically allocate IP address**. |
91100

92-
In this section, you'll create a virtual machine that will be used to test the private endpoint.
101+
:::image type="content" source="./media/create-private-endpoint-portal/dynamic-ip-address.png" alt-text="Screenshot of dynamic IP address selection." border="true":::
93102

94-
1. In the search box at the top of the portal, enter **Virtual machine**. Select **Virtual machines** in the search results.
95-
96-
2. Select **+ Create** > **Azure virtual machine**.
97-
98-
3. In **Create a virtual machine**, enter or select the following in the **Basics** tab:
99-
100-
| Setting | Value |
101-
|-----------------------|----------------------------------|
102-
| **Project Details** | |
103-
| Subscription | Select your Azure subscription. |
104-
| Resource Group | Select **TutorPEstorage-rg**. |
105-
| **Instance details** | |
106-
| Virtual machine name | Enter **myVM**. |
107-
| Region | Select **(US) East US**. |
108-
| Availability Options | Select **No infrastructure redundancy required**. |
109-
| Security type | Select **Standard**. |
110-
| Image | Select **Windows Server 2022 Datacenter: Azure Edition - Gen2**. |
111-
| Size | Choose a size or leave the default setting. |
112-
| **Administrator account** | |
113-
| Username | Enter a username. |
114-
| Password | Enter a password. |
115-
| Confirm password | Reenter password. |
116-
| **Inbound port rules** | |
117-
| Public inbound ports | Select **None**. |
118-
119-
4. Select the **Networking** tab, or select **Next: Disks**, then **Next: Networking**.
120-
121-
5. In the Networking tab, enter or select the following information:
103+
# [**Static IP**](#tab/static-ip)
122104

123105
| Setting | Value |
124-
|-|-|
125-
| **Network interface**. | |
126-
| Virtual network | **myVNet**. |
127-
| Subnet | **mySubnet**. |
128-
| Public IP | Select **None**. |
129-
| NIC network security group | **Basic**. |
130-
| Public inbound ports | Select **None**. |
131-
132-
6. Select **Review + create**.
133-
134-
7. Review the settings, and then select **Create**.
106+
| ------- | ----- |
107+
| **Private IP configuration** | Select **Statically allocate IP address**. |
108+
| Name | Enter **ipconfig-1**. |
109+
| Private IP | Enter **10.0.0.10**. |
135110

136-
[!INCLUDE [ephemeral-ip-note.md](../../includes/ephemeral-ip-note.md)]
111+
:::image type="content" source="./media/create-private-endpoint-portal/static-ip-address.png" alt-text="Screenshot of static IP address selection." border="true":::
137112

138-
## Create storage account with a private endpoint
113+
---
139114

140-
Create a storage account and configure the private endpoint. The private endpoint uses a network interface assigned an IP address in the virtual network you created previously.
115+
1. Select **Next: DNS**.
141116

142-
1. In the search box at the top of the portal, enter **Storage account**. Select **Storage accounts** in the search results.
143-
144-
2. Select **+ Create**.
145-
146-
3. In the **Basics** tab of **Create a storage account** enter or select the following information:
147-
148-
| Setting | Value |
149-
|-----------------------|----------------------------------|
150-
| **Project Details** | |
151-
| Subscription | Select your Azure subscription. |
152-
| Resource Group | Select **TutorPEstorage-rg**. |
153-
| **Instance details** | |
154-
| Storage account name | Enter **mystorageaccount**. If the name is unavailable, enter a unique name. |
155-
| Location | Select **(US) East US**. |
156-
| Performance | Leave the default **Standard**. |
157-
| Redundancy | Select **Locally-redundant storage (LRS)**. |
158-
159-
4. Select the **Networking** tab or select **Next: Advanced** then **Next: Networking**.
160-
161-
5. In the **Networking** tab, under **Network connectivity** select **Disable public access and use private access**.
162-
163-
6. In **Private endpoint**, select **+ Add private endpoint**.
164-
165-
7. In **Create private endpoint** enter or select the following information:
166-
167-
| Setting | Value |
168-
|-----------------------|----------------------------------|
169-
| Subscription | Select your Azure subscription. |
170-
| Resource Group | Select **TutorPEstorage-rg**. |
171-
| Location | Select **East US**. |
172-
| Name | Enter **myPrivateEndpoint**. |
173-
| Storage subresource | Leave the default **blob**. |
174-
| **Networking** | |
175-
| Virtual network | Select **myVNet**. |
176-
| Subnet | Select **myVNet/mySubnet(10.1.0.0/24)**. |
177-
| **Private DNS integration**. |
178-
| Integrate with private DNS zone | Leave the default **Yes**. |
179-
| Private DNS Zone | Leave the default **(New) privatelink.blob.core.windows.net**. |
180-
181-
8. Select **OK**.
117+
1. Leave the defaults in **DNS**. Select **Next: Tags**, then **Next: Review + create**.
182118

183-
9. Select **Review**.
119+
1. Select **Create**.
184120

185-
10. Select **Create**.
121+
[!INCLUDE [create-test-virtual-machine.md](../../includes/create-test-virtual-machine.md)]
186122

187-
### Storage access key
123+
## Storage access key
188124

189-
The storage access key is required for the later steps. You'll go to the storage account you created previously and copy the connection string with the access key for the storage account.
125+
The storage access key is required for the later steps. Go to the storage account you created previously and copy the connection string with the access key for the storage account.
190126

191127
1. In the search box at the top of the portal, enter **Storage account**. Select **Storage accounts** in the search results.
192128

193-
2. Select the storage account you created in the previous steps.
129+
1. Select the storage account you created in the previous steps or your existing storage account.
194130

195-
3. In the **Security + networking** section of the storage account, select **Access keys**.
131+
1. In the **Security + networking** section of the storage account, select **Access keys**.
196132

197-
4. Select **Show**, then select copy on the **Connection string** for **key1**.
133+
1. Select **Show**, then select copy on the **Connection string** for **key1**.
198134

199-
### Add a blob container
135+
## Add a blob container
200136

201137
1. In the search box at the top of the portal, enter **Storage account**. Select **Storage accounts** in the search results.
202138

203-
2. Select the storage account you created in the previous steps.
139+
1. Select the storage account you created in the previous steps.
204140

205-
3. In the **Data storage** section, select **Containers**.
141+
1. In the **Data storage** section, select **Containers**.
206142

207-
4. Select **+ Container** to create a new container.
143+
1. Select **+ Container** to create a new container.
208144

209-
5. Enter **mycontainer** in **Name** and select **Private (no anonymous access)** under **Public access level**.
145+
1. Enter **container** in **Name** and select **Private (no anonymous access)** under **Public access level**.
210146

211-
6. Select **Create**.
147+
1. Select **Create**.
212148

213149
## Test connectivity to private endpoint
214150

215-
In this section, you'll use the virtual machine you created in the previous steps to connect to the storage account across the private endpoint using **Microsoft Azure Storage Explorer**.
151+
In this section, you use the virtual machine you created in the previous steps to connect to the storage account across the private endpoint using **Microsoft Azure Storage Explorer**.
216152

217153
1. In the search box at the top of the portal, enter **Virtual machine**. Select **Virtual machines** in the search results.
218154

219-
2. Select **myVM**.
155+
1. Select **vm-1**.
220156

221-
3. On the overview page for **myVM**, select **Connect** then **Bastion**.
157+
1. In **Operations**, select **Bastion**.
222158

223-
4. Enter the username and password that you entered during the virtual machine creation.
159+
1. Enter the username and password that you entered during the virtual machine creation.
224160

225-
5. Select **Connect**.
161+
1. Select **Connect**.
226162

227-
6. Open Windows PowerShell on the server after you connect.
228-
229-
7. Enter `nslookup <storage-account-name>.blob.core.windows.net`. Replace **\<storage-account-name>** with the name of the storage account you created in the previous steps. You'll receive a message similar to what is displayed below:
163+
1. Open Windows PowerShell on the server after you connect.
164+
1. Enter `nslookup <storage-account-name>.blob.core.windows.net`. Replace **\<storage-account-name>** with the name of the storage account you created in the previous steps. The following example shows the output of the command.
230165

231166
```powershell
232167
Server: UnKnown
233168
Address: 168.63.129.16
234169
235170
Non-authoritative answer:
236-
Name: mystorageaccount.privatelink.blob.core.windows.net
237-
Address: 10.1.0.5
171+
Name: storage1.privatelink.blob.core.windows.net
172+
Address: 10.0.0.10
238173
Aliases: mystorageaccount.blob.core.windows.net
239174
```
240175
241-
A private IP address of **10.1.0.5** is returned for the storage account name. This address is in **mySubnet** subnet of **myVNet** virtual network you created previously.
242-
243-
8. Install [Microsoft Azure Storage Explorer](../vs-azure-tools-storage-manage-with-storage-explorer.md?tabs=windows&toc=%2fazure%2fstorage%2fblobs%2ftoc.json) on the virtual machine.
244-
245-
9. Select **Finish** after the **Microsoft Azure Storage Explorer** is installed. Leave the box checked to open the application.
246-
247-
10. Select the **Power plug** symbol to open the **Select Resource** dialog box.
248-
249-
11. In **Select Resource** , select **Storage account or service** to add a connection in **Microsoft Azure Storage Explorer** to your storage account that you created in the previous steps.
250-
251-
12. In the **Select Connection Method** screen, select **Connection string**, and then **Next**.
252-
253-
13. In the box under **Connection String**, paste the connection string from the storage account you copied in the previous steps. The storage account name will automatically populate in the box under **Display name**.
176+
A private IP address of **10.0.0.10** is returned for the storage account name. This address is in **subnet-1** subnet of **vnet-1** virtual network you created previously.
254177
255-
14. Select **Next**.
178+
1. Install [Microsoft Azure Storage Explorer](../vs-azure-tools-storage-manage-with-storage-explorer.md?tabs=windows&toc=%2fazure%2fstorage%2fblobs%2ftoc.json) on the virtual machine.
256179
257-
15. Verify the settings are correct in **Summary**.
180+
1. Select **Finish** after the **Microsoft Azure Storage Explorer** is installed. Leave the box checked to open the application.
258181
259-
16. Select **Connect**
182+
1. Select the **Power plug** symbol to open the **Select Resource** dialog box in the left-hand toolbar.
260183
261-
17. Select your storage account from the **Storage Accounts** in the explorer menu.
184+
1. In **Select Resource** , select **Storage account or service** to add a connection in **Microsoft Azure Storage Explorer** to your storage account that you created in the previous steps.
262185
263-
18. Expand the storage account and then **Blob Containers**.
186+
1. In the **Select Connection Method** screen, select **Connection string**, and then **Next**.
264187
265-
19. The **mycontainer** you created previously is displayed.
188+
1. In the box under **Connection String**, paste the connection string from the storage account you copied in the previous steps. The storage account name automatically populates in the box under **Display name**.
266189
267-
20. Close the connection to **myVM**.
190+
1. Select **Next**.
268191
269-
## Clean up resources
192+
1. Verify the settings are correct in **Summary**.
270193
271-
If you're not going to continue to use this application, delete the virtual network, virtual machine, and storage account with the following steps:
194+
1. Select **Connect**
272195
273-
1. From the left-hand menu, select **Resource groups**.
196+
1. Select your storage account from the **Storage Accounts** in the explorer menu.
274197
275-
2. Select **TutorPEstorage-rg**.
198+
1. Expand the storage account and then **Blob Containers**.
276199
277-
3. Select **Delete resource group**.
200+
1. The **container** you created previously is displayed.
278201
279-
4. Enter **TutorPEstorage-rg** in **TYPE THE RESOURCE GROUP NAME**.
202+
1. Close the connection to **vm-1**.
280203
281-
5. Select **Delete**.
204+
[!INCLUDE [portal-clean-up.md](../../includes/portal-clean-up.md)]
282205
283206
## Next steps
284207
