Understanding Private Endpoints in Azure | VM, VNet, Service Endpoint, and Storage Account Demo

Captions
Hello everyone, today we're going to go check out Azure Private Link. This is an important concept from Azure security and Azure networking, but what we can actually do is use Private Link in conjunction with something called a service endpoint to make sure that our services in Azure are only accessible from our equipment inside Azure itself, rather than having to access it directly over the internet. So let's go and check this out with a whiteboard demo. First we're going to draw out something, and then what I've drawn out I'm actually going to go off and build to show you how this actually all functions. So let's get straight into it.

Right, so why do we want to add a private link? Well, let's imagine we've got something inside our environment here. Let's imagine we have a storage account, okay, a standard storage account inside Azure, and inside this storage account we're going to have some data; say, for example, in this case it's going to be a JPEG image. And we want to go and access this JPEG image, or PNG or SVG, whatever your preferred imaging format is, from a different service. Maybe we have over here a virtual machine, and this virtual machine, because it's Azure, has a vNIC, and this vNIC is going to be attached to a vNet in our environment. And maybe I've got an application that's actually running inside this virtual machine, and maybe this application, or web browser if you want to be really simple with this, wants to go and access that JPEG that's sitting inside an Azure storage account. Now this all kind of lives inside our, well, big Azure cloud bubble here, and you would kind of think that since both of these things are inside Azure, this application would jump straight to that store. But that's not entirely true. What kind of happens with this is this application, because the connection to the JPEG itself is actually via HTTPS, because everything's a REST API nowadays, is actually not going inside Azure; this is kind of bouncing out like that. It's acting essentially as an external connection. That's perfectly fine, because we might have other services that might need this; say we want to go out to some other cloudy type service over here, maybe some big box Amazon stuff, and maybe there's an application in AWS that actually wants to access that JPEG as well. Having the ability to do that over HTTPS is great, but what about if that's not what we want? We only actually want access from this internal service.

Now what we could do with this is we could use a couple of technologies. The first thing we can actually go off and use is something called a service endpoint. What we do with the service endpoint is we configure that directly here on this vNet. It's a little magical link. We've got service endpoints for a multitude of different services in Azure, like Cognitive Services and SQL services, and in this case storage as well. If I enable this magical service endpoint inside this Azure vNet, and it's called, I think it's called Microsoft.Storage, or service.storage, you'll see it in the demo in a second, anyway, what this will do is it means it will take any traffic from my current virtual network that's looking for the Azure storage structure and pipe it internally through Azure. Now that's nice, and it still uses what looks like the existing HTTPS connections, but we can go a little bit further with this as well. Maybe, for example, we wanted to treat this storage account kind of like just another file server, and to do that we need to give it an IP address. So what we can do is we can take Azure Private Link. Now Azure Private Link we're actually going to go and configure on the storage account itself over here; we're going to move this magical icon down here. What Azure Private Link will do is it will essentially give this storage account a NIC, okay, we'll give it a nice little vNIC thanks to Private Link, and we can then connect it to our vNet. Because of that, this vNIC will get an IP address in the same range this virtual machine is getting an IP address from, because it's connected to the same vNet, or more specifically the same subnet that the actual VM is connected to as well. So what that's going to mean is if we now sit inside here, inside this virtual machine, and we go and access that JPEG file, it's going to go across this IP address and we will see an internal IP for access. If, on the other hand, we're out here on the internet, we could still actually go and access that storage account to retrieve that JPEG, but what we would end up seeing is an external IP address of Azure that's coming out of Azure's gateway services. What we can also do on here though, to secure this a little bit further, we can kind of stop this external connection, and to stop this external connection we can go into the storage account again and we can go to the firewall of the storage account. It's not really a firewall, it's just kind of a restriction, and we could basically say, look, I'm going to stop all traffic coming from anywhere else, so anything externally here, and I'm only going to allow traffic from this specific vNet inside the environment. By doing that combination of Private Link and that combination of an Azure firewall setting to say that this specific vNet is okay, we've essentially restricted our storage account to only being accessible from internal applications running on internal VMs, or they could be existing PaaS applications that are connected through this specific vNet.

So let's go check out how this works in the demo. I'm just going to go and create a new resource group here called storage test, and we're going to dump this into US. Okay, so once we've done that, we're going to actually go and build out a virtual network to connect some stuff to, to get to kind of the same similar thing that I drew in the diagram here. So we're going to pop into virtual networks, we're going to go and create a new vNet inside here, and we're just going to call this virtual network storage VM test, which is fine. Going to go next on that one, and we're going to enable the Bastion server because we're going to need it to just very quickly connect to a VM in a moment. Okay, so the Bastion servers, as you saw in previous demos, do actually take a while to deploy, but they've got faster over recent years; originally Bastion servers took about 40 minutes to deploy, it was crazy. So while that's doing its thing, let's go and build out a virtual machine as well. So we're going to build out a virtual machine here, and this virtual machine is going to access the storage account; it's going to access stuff inside the storage account itself. So again, build out a very basic one. We're going to use that existing resource group, storage test, and we're going to use the name of storage VM for this virtual machine. We can leave it in East US, that's fine. We don't need any infrastructure redundancy for this one at all, but what we do want is we want this to run Windows Server 2022 Datacenter edition. You can use hot patch or non-hot patch. If you haven't experienced hot patch yet, it's a pretty new thing; it means it's a specialized version of Windows that, if it receives Windows updates, doesn't need to reboot for the most part. It reduces the amount of reboots that you need; there are still some that you do actually need to reboot with. So we're going to leave the default sizes down here on this, and we're going to use some very basic admin usernames and passwords for this. Let's use that same password as we go, and yes, we do have an existing Windows licence, sure we do, okay, that's cool, this is all in test anyway. So underneath networking, what we're going to do is make sure this is connected to that storage vNet, the one that I just deployed, which is great; it's connected to that default subnet, which is cool. And we're just going to pop into monitoring and just turn off boot diagnostics, and then we're going to go off and review and create that.

Now we're going to create the storage account component for this too, so let's get this going. Give it a moment, create, there it goes, come on, submitting deployment, there we go. Okay, so we'll leave that rocking, it's doing the deployment in progress. We're going to go off and look for the storage accounts now, and we're going to go create a storage account for this too. So let's go and build one of these, and we will call this storage account, we'll call it storage test, but I need to add something unique on the end of this, so call this storage test banana. Come on, there we go. This needs to be unique in the entirety of Azure, not just in my tenants, because this is going to form part of the URL that's used to access the storage account here on Azure. We're going to make sure that's in the right resource group, inside the storage test resource group, and we're just going to swap this redundancy around to locally redundant storage, just because we don't need any of the extras on that. We'll leave it on standard, that's perfectly fine, and we're just going to go off and review and create that. Everything else should be okay inside here. Come on, validation in progress, very good.

Okay, so now those are still building, we're going to need some data to go and put into this storage account to demo accessing this data in a couple of different ways. So let's go do something very quick and easy: let's go to images.bing.com, and inside here let's go and search for banana, and let's go and take a picture of a banana. There we go, that's a good one, that'll do fine. So we're going to save this image of this banana as banana.PNG, and we'll just chuck that directly onto the desktop at the moment. Okay, so that's all good. I promise you this is going somewhere; bear with me with pictures of bananas, and bear with me with what we're actually doing. So we need to go back over to our storage account now, and we need to do a couple of little tweaks. Now what Microsoft did from a security perspective recently, I'd say recently as of the point I'm recording this, or as I'm saying this, they changed the security settings around to lock these things down a little bit more, so I can't do anonymous access until I turn on anonymous access now. So here, underneath configuration, what we need to go and do is change the allow blob anonymous access, this one here. Okay, so I'm going to save that. Sometimes this doesn't take; if it doesn't for you, you've just got to give it a minute and it will get there. So let's go into containers and let's go add a container down here. There we go, we can do anonymous access down here; we're going to do this to container level, and we're going to call this container fruit. At the moment I'm doing it for anonymous access because I don't want to overcomplicate the demo with extra things like SAS keys inside here and extra security; we're literally just showing off the storage endpoints, or the private endpoints here, to show how that works.

So we're going to pop into fruit now and we're just going to upload our fruit. Now this could be any data of course; you're not just going to store pictures of fruit inside your storage account here, this is going to be things like customer data, JSON files, whatever it might be for your organisation. It's just very easy to access this to show you it works. So if you look at this banana.jpeg, for example, you'll notice it actually has a URL hooked up to it, and if we just pop up Notepad to have a look at that URL: there is my storage test banana, the name that I had before, blob.windows.net, fruit, the name of the container, and /banana.PNG. So if you take that and throw that into a web browser, you'll be able to access the picture of the banana retrieved off that storage account. Very good. The storage account is currently publicly accessible to the internet, which is why I was able to do that through the web browser. So what I want to do is I want to tweak this a little bit further. Let's go back to the virtual networks down here, and inside this virtual network for storage vNet, what I want to do is go to this service endpoint section and add the Microsoft storage to this. So let's go into service endpoints over here, we're going to click add, and we're going to go and add the service for Microsoft.Storage. Notice there's a whole bunch of other services down here like Active Directory, Cosmos DB, Cognitive, which is all the Azure AI stuff down there as well, but we're just choosing storage at the moment. So this is going to be linking through to my default subnet here on this virtual network, so it's going to be mapping that through. Whoops, I accidentally clicked on the learn thing there, I didn't want to do that. We're going to go and add that in.

I need to go back now to my storage account and into the private endpoint from the storage account. So let's go back into storage test banana, sorry, and let's go back into, somewhere down here, should be able to find security, networking, that's good. We can go into networking here and we can go into private endpoint connections. There we go, so let's go and add in a private endpoint, and we should be able to see our resource group of storage test, which is great. We're going to name the instance the storage private endpoint, and this is going to create a NIC for it; this is going to create that IP address, well, the IP address needs to get welded to a NIC. So let's go next to the resources, and the target sub-resource is actually going to be blob storage for us, what we've just checked out. So let's go back into virtual networks, and this is going to attach that default subnet inside my environment. We're going to receive an IP address automatically from this, which is fine. We're going to make sure it's, yeah, it's definitely connected to that. Let's drop into DNS; we're going to leave private DNS registration turned on. We don't need any tags inside here at the moment, so let's go review and create that. So now what we've done is we've created a private endpoint and we've created that private link, and there's also a NIC that's been attached to our storage account to kind of isolate it from the outside world. Let's go and create this. If I drop back over here, though, just to prove the point, if I go into the storage test resource group here, you'll actually see there is the storage private endpoint and there's also a private link private DNS zone that's been created for this as well, on top of here, to control all the DNS structures for it. So now we can see there's also a NIC created for this, storage private endpoint NIC, and that's been essentially welded to this storage test banana inside here.

So what I want to do now is go and connect to my storage virtual machine and see if we can access some resources in here. So let's jump into the VM itself; hopefully at this point the Bastion server has also deployed, so we should be able to connect via Bastion. Give it a moment, give it a moment, come on, come on Bastion, you've deployed. All right, cool, so let's go and log in with those details that I used before. I need to allow popups as well, and let's allow all of that through. So if I have a look back at my storage test banana, remember we had this URL, so we're going to copy that URL, I'm going to paste that URL inside there, we can still see our fruit banana here; this is still accessible externally. But if I go here into my storage VM, let's just go and see if my storage virtual machine can actually access this as well. So let's go and start with your data, that's cool, confirm and continue, continue, that is data, yes, yes, just give me a web browser please. So let's go and throw that inside here. So inside the virtual machine that's running on the same network as the storage account I've got access to banana, but let's go check something else out. Let's just do a quick command prompt inside here, which is inside the virtual machine, and what I'm going to do is an nslookup for that. So, whoops, let's take the full URL off the end of it. Notice I'm getting 10.0.0.5 because it's going over the local connection, whereas over here, which is accessing this banana.jpeg over the internet to that storage account, if I do an nslookup here, what do I get? Whoops, got to take off the details, just skim back over here, take that off a bit, and let's look at that. Notice this is going over the internet. So at the moment the storage account is accessible both internally and externally, but let's shut off the external.

So let's go and secure this. Let's drop back over to the storage virtual machine here, not storage virtual machine, sorry, the storage test banana storage account, and in here what we're going to do is go down into networking and change the public network access to say not enabled from all networks but enabled from selected virtual networks and IP addresses. This is putting on a firewall, as they put it; I mean, I don't really think it's too much of a firewall, but still. There is a private endpoint connection here, that's the one that we're connecting through, which is irrelevant from this location. Here we can go and add an existing virtual network to this, and we can say that anything from this virtual network can actually still use this, and anything from this subnet can actually still use this. So if I look inside the virtual machine that's attached to that vNet, refresh, I've got access to my banana, but if I'm outside of that virtual machine accessing externally, I've got an authorization failure. And you know the routine: hit like and subscribe, and I hope you enjoyed this video, and join me next time. Goodbye.
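The two checks the video does by hand at the end (an nslookup from inside and outside the VNet, then flipping the storage firewall to "selected virtual networks") can be scripted. The example below is added here and is not code from the video or from Microsoft; it only assumes the ARM property names `publicNetworkAccess`, `allowBlobPublicAccess` and `networkAcls.defaultAction` / `networkAcls.virtualNetworkRules` of a `Microsoft.Storage/storageAccounts` resource. The account name, subnet, resource ID and the DNS answers in `sample_resolver` are constructed so the script runs offline; pass no resolver to use real DNS from a VM, as the nslookup in the demo does.

```python
"""Check an Azure Storage account's network posture the way the video does by hand:
does the blob hostname resolve to the private endpoint from inside the VNet, and do
the account's network rules shut the public path off?"""
import ipaddress
import socket
from typing import Callable

BLOB_SUFFIX = "blob.core.windows.net"

# Constructed sample values; they stand in for the demo's real names and addresses.
ACCOUNT = "storagetestbanana"
SUBNET_CIDR = "10.0.0.0/24"
SUBNET_ID = ("/subscriptions/<subscription-id>/resourceGroups/storage-test"
             "/providers/Microsoft.Network/virtualNetworks/storage-vnet/subnets/default")


def blob_fqdn(account: str) -> str:
    """Public blob hostname. With a private endpoint plus the privatelink private
    DNS zone linked to the VNet, this same name resolves to the endpoint NIC's IP."""
    return f"{account}.{BLOB_SUFFIX}"


def resolve_path(account: str, subnet_cidr: str,
                 resolver: Callable[[str], str] = socket.gethostbyname) -> dict:
    """Resolve the blob hostname (default: real DNS, like the video's nslookup) and
    report whether the answer lies in the VNet subnet, i.e. is the private endpoint."""
    host = blob_fqdn(account)
    ip = ipaddress.ip_address(resolver(host))
    via_pe = ip in ipaddress.ip_network(subnet_cidr)
    return {"host": host, "ip": str(ip), "via_private_endpoint": via_pe}


def audit_network_rules(props: dict, allowed_subnet_id: str) -> list:
    """Findings against the ARM properties of a Microsoft.Storage/storageAccounts
    resource (publicNetworkAccess, allowBlobPublicAccess, networkAcls)."""
    findings = []
    acls = props.get("networkAcls", {})
    public_access = props.get("publicNetworkAccess", "Enabled")
    default_action = acls.get("defaultAction", "Allow")
    if public_access == "Enabled" and default_action != "Deny":
        findings.append("open to all networks: publicNetworkAccess=Enabled with defaultAction=Allow")
    if public_access == "Enabled" and default_action == "Deny":
        allowed = {r.get("id", "").lower() for r in acls.get("virtualNetworkRules", [])}
        if allowed_subnet_id.lower() not in allowed:
            findings.append("defaultAction=Deny but the VNet subnet is not in virtualNetworkRules: "
                            "service-endpoint traffic from it is refused (private-endpoint traffic "
                            "is not subject to these rules)")
    if props.get("allowBlobPublicAccess", False):
        findings.append("allowBlobPublicAccess=true: containers can be made anonymous, so anything "
                        "that reaches the endpoint reads blobs without credentials")
    return findings


# Constructed account states: before and after the hardening shown in the video
# (the demo left anonymous blob access on; the locked state here turns it off).
OPEN_ACCOUNT = {
    "publicNetworkAccess": "Enabled",
    "allowBlobPublicAccess": True,
    "networkAcls": {"defaultAction": "Allow", "virtualNetworkRules": [], "ipRules": []},
}
LOCKED_ACCOUNT = {
    "publicNetworkAccess": "Enabled",
    "allowBlobPublicAccess": False,
    "networkAcls": {"defaultAction": "Deny",
                    "virtualNetworkRules": [{"id": SUBNET_ID, "action": "Allow"}],
                    "ipRules": []},
}


def sample_resolver(inside_vnet: bool) -> Callable[[str], str]:
    """Stand-in DNS for offline runs: the privatelink zone answers with the endpoint
    NIC address inside the VNet; outside, a made-up public front-end address."""
    answers = {blob_fqdn(ACCOUNT): "10.0.0.5" if inside_vnet else "203.0.113.10"}
    return lambda host: answers[host]


if __name__ == "__main__":
    for where, inside in (("inside VNet", True), ("internet", False)):
        print(where, resolve_path(ACCOUNT, SUBNET_CIDR, sample_resolver(inside)))
    for name, state in (("open", OPEN_ACCOUNT), ("locked", LOCKED_ACCOUNT)):
        print(name, audit_network_rules(state, SUBNET_ID) or ["no findings"])
```

The audit deliberately reports the "Deny with no VNet rule" case separately: with a private endpoint in place the VM still gets through (private-endpoint traffic bypasses the account's network rules), so a missing VNet rule only bites clients that rely on the service endpoint, which is easy to miss in a test that only runs from the VM.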
Info
Channel: Mike in the Cloud
Views: 537
Id: HaqiPmTi7J8
Length: 20min 18sec (1218 seconds)
Published: Sat Jun 22 2024