Creating an Azure Private Endpoint Connection with Azure Storage Accounts

Captions
Welcome to Harvesting Clouds, where we take a practical approach to learning and leveraging clouds. In this video we will see how to create an Azure private endpoint for an Azure storage account. Before watching this video I highly recommend that you take a look at the previous video, where we explored the concepts of Azure private endpoint in detail; you can do so by clicking on the top right corner or in the description below.

Before jumping into the Azure portal, let's take a quick look at the scenario that we are going to accomplish today. So in here we have a virtual network within Azure and a storage account within Azure. Within the virtual network we also have a virtual machine. So if we need to connect to the Azure storage account, this virtual machine needs to be able to connect to the storage account through the Internet. Same goes for us: if we are here at the office or at our home and we want to connect to the storage account, we need to connect to it through the Internet. Now once we deploy the Azure private endpoint, what happens is the storage account is extended into the virtual network and essentially it gets a private IP address from the virtual network, from one of the subnets within the virtual network. Now this virtual machine, since it also belongs to this virtual network, will be able to connect to the storage account over the private network without going to the Internet, whereas we, when sitting at home or in the office without connectivity to this virtual network, will still need to go through the Internet. If we had any ExpressRoute or site-to-site VPN, then we would also be able to connect to this storage account using its private IP address.

So let's jump into the Azure portal and start creating the private endpoint. Here I'm already logged into the Azure portal. To begin, I will navigate to the Azure storage account, which is this one, st harvesting finance 101. To keep things simple we will be using the Azure storage account name and the access keys; as a best practice I should be using a shared access signature, but to keep things simple I will be leveraging access keys. From where will I be connecting to this storage account? I have a virtual machine named VM accounts 101 in the virtual network infra 101 v-net and the default subnet within that. This VM is already connected, as you can see, to this particular virtual network and the default subnet within that virtual network, and this is where I'll also be connecting my storage account through the private endpoint. So right now if I have to connect, what I'll need to do is go into this VM. I'm already inside this VM, as you can see from the name in the top left corner, and to connect I'll need to right click, click on Connect to Azure Storage, and then I'll use the storage account name and key and hit Next. The display name could be anything; I'll provide the name of the storage account and the access keys. By the way, we did explore Azure Storage Explorer in detail in one of the previous videos, so if you haven't checked that before you can do so by clicking on the link in the description below. So I'll hit Next; it will show me all the details, it will show me the endpoint suffix, and I'll click on Connect to connect to this particular storage account. In here I can see the different blob containers inside it and I can see the files inside it as well. I can open up a command prompt from this VM and I can try to ping this particular storage account; I'll append .blob.core.windows.net to it. I'll not be able to ping that since ICMP is not the protocol enabled on Azure Storage Explorer, but the thing that I want you to notice is this IP address: that is a public IP address. This is the IP address which was resolved for my storage account. So right now it is a public IP address. This is the scenario, this is the situation before we have implemented the private endpoint.

Now let's go back to the Azure portal and start implementing the private endpoint. To do that we have a couple of ways. There is something called Private Link, and I can navigate to that and from there create a private endpoint with my storage account, or in here on the left hand side under Settings I have this option for Private endpoint connections. So from here, to create a new connection, all I need to do is click on this plus Private endpoint and it will initiate the wizard where I can create the private endpoint. I'll select a subscription and a resource group, I'll provide instance details, and I will provide a region. The private endpoint can be in a different region but it has to be in the same region as the network. And then I'll select the resource. I'll say connect to an Azure resource in my directory, or I can connect to an Azure resource by resource ID or alias. Since I'm already connected to my subscription, I'll select the resource from the list, and the resource I am looking for is Microsoft.Storage/storageAccounts. So in here it will list all the storage accounts in my subscription. I'll find the storage account for which I want to create the private endpoint and select that, and then under that the sub-resource is going to be blob. I'll click on Next to configure more configurations, and the configurations are networking and DNS. At the top I will select which virtual network, and within that virtual network which subnet, I'm going to connect this particular storage account to through the private endpoint. And down below, do I want a private DNS integration? That means, do I want to create a DNS name for this particular storage account, and this DNS name will map to its private IP address. So it will get a private IP address from this subnet, so it will be something like 10.0.3.something, and that IP address will have a DNS name which will look something like privatelink.blob.core.windows.net. In here optionally you can provide some tags, and then finally review and create. As a best practice, in a production scenario you should always provide tags to categorize your resources, and later on that will also help you to filter out your resources through any automation or when you are pulling up your billing reports. So for now I'll hit Create. It will initialize the deployment; I'll pause the video here, and once I come back the deployment will be complete.

After a few minutes the deployment is now complete and successful, as you can see from the screen. Now we can navigate to the private endpoint by clicking on this Go to resource button, or what we can do is go back to the storage account and then in here under Settings navigate to Private endpoint connections. As you can see, now there is a new connection that has been created for us. To navigate to this particular connection I can click on this particular link under Private endpoint, and this is the private endpoint that has been created for us. Essentially what it includes is a new network interface, and this is that particular NIC card or network interface, and this is connected to the default subnet under infra 101 v-net that we selected during the creation wizard. And the private link resource: it also shows here that this is the storage account. Down below it shows that this is the private IP address that has been assigned to this particular network interface card. Another interesting thing is that the FQDN, the fully qualified domain name, for this particular storage account will be this; this matches the one that is available publicly, but automatically now this will be converted to this particular private IP address. So when you try to connect to the storage account, from an end user perspective the experience will not be different from what we did before; the experience will be exactly the same. You will be leveraging the storage account name and its access key to connect to the storage account, but when we check what IP address that particular storage account name resolves to, it will automatically resolve to this particular private IP address.

Let's jump into the VM again and look at the experience in action. So I'm back in the VM here. Again, this VM is in the same network, so I'll perform the ping action to that particular URL again, but notice right now this particular domain name, that is your storage account name .blob.core.windows.net, is being resolved to a private IP address; this is no longer a public IP address as it was before. Also you can observe here that this is being resolved to a private link related URL now, so the unique name for this internally is being resolved to privatelink.blob.core.windows.net. From a connectivity perspective, let me detach this and create the connection again. I'll mention to use the storage account name and the key, hit Next, I will provide a display name here, let's call it test connection one or two, I'll switch back to the Azure portal, I will copy the storage account name from here and then the access key, I'll hit Next and then Connect, and I'm again able to connect to this particular storage account. But as we discussed earlier, behind the scenes now it is connecting through the private IP address instead of using the public IP address. So now my connection is much more secure, now my connection is much more private than before: it is never leaving the Microsoft backbone, and additionally it is never leaving my virtual network. The communication between the storage account and my virtual machine is always on the same virtual network; that reduces the latency and also gives me performance gains as well as the security aspect. The whole communication is always within that particular virtual network.

So here in this particular video we saw how to create a private endpoint, then how to connect to that particular private endpoint, and what happens behind the scenes with the IP address switching from public to private through the virtual network interface being attached to that particular storage account. A similar service is also available for various other Azure resources like Azure SQL databases, Azure web apps, etc. The experience is exactly the same from the interface perspective, from the wizard perspective, but we will take a look at different other resources in upcoming videos. If you like the content, hit that like button, hit subscribe and the bell icon to get notified of the latest content. Thanks for watching, see you in the next one.
Info
Channel: HarvestingClouds
Views: 20,034
Keywords: Microsoft, Azure, Microsoft Azure, MicrosoftAzure, Automation, Tutorial, Tutorials, How To, How-To, HowTo, harvesting, cloud, clouds, harvesting cloud, harvesting clouds, harvestingclouds, harvestingcloud, guide, ultimate, ultimate guide, private, endpoint, private endpoint, link, private link, resource, private link resource, service, private link service, virtual network, subnet, network, express route, vpn, connection, private endpoint connections, connections, storage, storage account, account, accounts
Id: lwLOGsZOV1w
Length: 13min 31sec (811 seconds)
Published: Sat Apr 18 2020