I see that I can do this with Azure Front Door Premium (CDN).
Azure Front Door can securely access the Storage Account via the private link while not exposing the Storage Account to the public internet, works great and very secure.
The issue is the price of Azure Front Door Premium, $330 per month minimum.
Other flavors of Azure Front Door can't use the private link.
Is there a more affordable way to securely connect via Private Link and serve images to public from Blob Storage? Or is Azure Front Door premium the only option?
• You surely can serve public images from Blob Storage via the private link through the private endpoint created, but when accessed from the public internet, i.e., from outside the virtual network, the storage account’s private endpoint is not assigned a private IP address from the virtual network in which the private link is created. Kindly refer to the point below for more details:
When you resolve the storage endpoint URL from outside the VNet with the private endpoint, it resolves to the public endpoint of the storage service. When resolved from the VNet hosting the private endpoint, the storage endpoint URL resolves to the private endpoint's IP address.
Please find the below steps for demonstrating the above stated point wherein you can serve public images from an Azure blob storage through a private endpoint: -
• For accessing a storage account through the private endpoint configured, kindly ensure that the DNS records for the storage account are configured as below, wherein the custom domain name through which the storage account’s public endpoint is accessible should be configured as below:
Once, the custom domain name is configured, its related DNS records should be created as below for ensuring that the accessibility from inside the virtual network to the storage account through the private link created is possible. Also, create DNS records as below for that purpose: -
Thus, in this way, configuring the correct DNS records and allowing specific services access over Microsoft’s trusted network to the private endpoint created for the storage account can be very helpful in configuring the public access to the blob storage for accessing the images stored on it.
Please find the links below for more relevant information on this:
https://learn.microsoft.com/en-us/azure/storage/common/storage-private-endpoints
https://learn.microsoft.com/en-us/azure/storage/files/storage-files-networking-endpoints?tabs=azure-portal
I am not able to understand the difference between service endpoints and private endpoints clearly.
Need help preferably with an example.
You might have seen this in the Private Link FAQ:
Private Endpoints grant network access to specific resources behind a given service providing granular segmentation. Traffic can reach the service resource from on premises without using public endpoints.
A Service Endpoint remains a publicly routable IP address. A Private Endpoint is a private IP in the address space of the virtual network where the private endpoint is configured.
For simplicity, let's take the view of a VM in a VNET connecting to a storage account in the same subscription and same Azure region. There are three ways to connect.
Default
By default all traffic goes against the public endpoint of the storage account. Source IP of the traffic is the Public IP of the VM.
Service Endpoints
Traffic is still directed against the public endpoint of the storage account but the source IP has changed to the private IP of the VM. In fact, the traffic is also using the VNET and Subnet as source in the network dataframe.
Private Endpoints
The PaaS service now gets a virtual network interface inside the subnet and traffic from the VM to the storage account is now directed against the private IP address.
By far the best collection of useful information around Private Link that I have seen on the web is in this repository: https://github.com/dmauser/PrivateLink
You can also find some examples here: https://jeffbrown.tech/azure-private-service-endpoint/
Right now I'm creating some private endpoints for a number of Azure Storage services. There are two storage accounts, for the first I create a blob endpoint and a queue endpoint. For the second account I create a blob endpoint and a dfs endpoint.
When I try connecting to the endpoints from a machine outside of the VNET using the regular connection strings (that now point to the privatelink resources), I seem not to be able to reach the resource as expected. Trying to connect to it from a VM and an AKS cluster within the same VNET as the private endpoints, I am able to connect.
If these are basically my only use cases, and I'm ok using the default names to connect to the private endpoint resources, is it OK to not create a private DNS zone?
It is a bit unclear to me from the documentation whether this is a necessity.
By using private link you create an endpoint into your vnet/subnet. The private DNS is linked to your vnet and allows you to direct the traffic to that private endpoint (e.g. 10.1.0.4) by using the storage domain.
It's not necessary to have that private DNS. But that means you'll need to connect directly to the private IP address of that endpoint. While that is technically possible, you'll likely run into some issues, such as the server not knowing which domain is requested without a Host header, and issues with the SSL certificate.
I would therefore recommend always using the private DNS.
I have recently come across the Private Endpoint feature in Azure Storage and am trying to implement it for secure access from a VNet. However, I am getting access issues while using Firewall, Virtual Network Service Endpoint and Private Endpoint all together.
I have two VNets (VNet1 & VNet2) in my subscription and an on-premises machine with Public IP to connect to Azure Storage. Following is my setup.
VNet1 with a Subnet enabled with Service Endpoint feature is whitelisted in Storage account firewall.
Next, I have created a Private Endpoint to this storage account (for blob service) from VNet2 which is also hosted inside the same Vnet.
Finally, I have whitelisted the Public IP of my on-premises VM to connect to the storage account under Firewall section.
Given the above setup, when I am trying to access this storage account blob containers inside a VM placed under VNet2, I am getting authorization issues.
May I please check if this setup is valid? Do the Private Endpoint and Service Endpoint features work in parallel?
Yes, private endpoints can be created in subnets that use Service Endpoints. Clients in a subnet can thus connect to one storage account using private endpoint, while using service endpoints to access others.
There are multiple ways to connect to storage account:
Using a private endpoint (private link) to connect to storage account: Please find the referred document here.
Using Service Endpoint and Private endpoint: Please find the referred document here.
You can find more details in this public document.
The Azure Security Centre is great at highlighting security issues, but not so great at helping you remediate them. For example, it tells me that I should connect a Storage Account to a Private Link, but the manual remediation points me to creating the link when creating the Storage Account, so, useless for existing ones. Can it be done, and if so how?
As per Sujit Singh's comment, to connect a Storage Account to a Private Link, you need to create private endpoints for your Azure Storage accounts in your Azure virtual network (VNet). This allows clients on a VNet to securely access data over a Private Link.
The private endpoint uses an IP address from the VNet address space for your storage account service. Network traffic between the clients on the VNet and the storage account traverses over the VNet and a private link on the Microsoft backbone network, eliminating exposure from the public internet.
For an existing storage account, you can add a private endpoint from storage account ---> networking ---> private endpoint connections ---> private endpoint.
For more detailed information on creating a private endpoint for your storage account, refer to the following articles:
Connect privately to a storage account from the Storage Account experience in the Azure portal
Create a private endpoint using the Private Link Center in the Azure portal
Create a private endpoint using Azure CLI
Create a private endpoint using Azure PowerShell
I followed instructions as per https://learn.microsoft.com/en-us/azure/private-link/create-private-endpoint-storage-portal
Weirdly the blob GET requests only seem to work when using FQDN and not the direct private IP.
The private IP assigned to mystorageaccount.blob.core.windows.net is 10.0.0.5
GET requests to https://mystorageaccount.blob.core.windows.net/samplecontainer/1.png and https://mystorageaccount.privatelink.blob.core.windows.net/samplecontainer/1.png both work without issues and both get mapped to remote address 10.0.0.5:443
However, GET request to https://10.0.0.5/samplecontainer/1.png gives a 400 - Bad Request - Invalid Hostname error.
As far as I know, even if you access the Storage account without a private endpoint to download the blob, you also cannot use the IP address. Azure needs to resolve the blob endpoint via the domain name.
For the private endpoint for the storage account, the private link is also set up by Azure, and the private IP address just provides a tunnel to connect to the storage from the VNet. So you can access the storage blob via the domain name of the storage blob or the private link, but not via the private IP address.
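The following Python script is an added example, not code from any of the posts above. It covers two points raised on this page: the private-DNS-zone answer (the storage FQDN must resolve to the private endpoint's IP from inside the VNet, and to a public IP from outside it) and this "Invalid Hostname" answer (the hostname, not the bare IP, must reach the service). `check_private_resolution` classifies what a client's resolver returns for the FQDN against the VNet address space, and `curl_resolve_command` builds a curl invocation that pins the connection to the private IP while keeping the Host header and TLS SNI set to the FQDN. The storage account name, the 10.0.0.5 address and the sample resolutions are constructed for illustration.

```python
import ipaddress
import socket

# Constructed sample DNS answers (not real lookups): the first is what a client
# inside the VNet with the private DNS zone linked should see, the second is a
# made-up public address standing in for an account that resolves publicly.
SAMPLE_RESOLUTIONS = {
    "mystorageaccount.blob.core.windows.net": ["10.0.0.5"],
    "otherstorage.blob.core.windows.net": ["20.60.1.10"],
}


def sample_resolver(fqdn):
    """Offline stand-in for the OS resolver; returns the address list for fqdn."""
    return SAMPLE_RESOLUTIONS.get(fqdn, [])


def live_resolver(fqdn):
    """Real resolution through the OS resolver (picks up a linked private DNS zone)."""
    return socket.gethostbyname_ex(fqdn)[2]


def check_private_resolution(fqdn, vnet_cidr, resolver=live_resolver):
    """Return (verdict, addresses) for how fqdn resolves relative to vnet_cidr.

    'private'    every answer is inside the VNet range (private endpoint in use)
    'public'     no answer is inside it (outside the VNet, or zone missing/unlinked)
    'mixed'      some answers inside, some outside (inconsistent DNS)
    'unresolved' the resolver returned nothing
    """
    net = ipaddress.ip_network(vnet_cidr)
    addresses = resolver(fqdn)
    if not addresses:
        return "unresolved", addresses
    inside = [a for a in addresses if ipaddress.ip_address(a) in net]
    if len(inside) == len(addresses):
        return "private", addresses
    if not inside:
        return "public", addresses
    return "mixed", addresses


def curl_resolve_command(fqdn, private_ip, path):
    """Build a curl command that connects to private_ip but sends Host/SNI as fqdn.

    This is the way to test the private endpoint by IP: a URL with the bare IP
    gives 400 Invalid Hostname because the service routes on the hostname.
    """
    return f"curl --resolve {fqdn}:443:{private_ip} https://{fqdn}{path}"


if __name__ == "__main__":
    for name in SAMPLE_RESOLUTIONS:
        print(name, check_private_resolution(name, "10.0.0.0/16", sample_resolver))
    print(curl_resolve_command("mystorageaccount.blob.core.windows.net",
                               "10.0.0.5", "/samplecontainer/1.png"))
```

Run it with `live_resolver` (the default) from inside and outside the VNet to confirm the two different answers described in the threads above.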