Access storage account using private IP when using private endpoint - azure

I followed instructions as per https://learn.microsoft.com/en-us/azure/private-link/create-private-endpoint-storage-portal
Weirdly the blob GET requests only seem to work when using FQDN and not the direct private IP.
The private IP assigned to mystorageaccount.blob.core.windows.net is 10.0.0.5
GET requests to https://mystorageaccount.blob.core.windows.net/samplecontainer/1.png and https://mystorageaccount.privatelink.blob.core.windows.net/samplecontainer/1.png both work without issues and both get mapped to remote address 10.0.0.5:443
However, a GET request to https://10.0.0.5/samplecontainer/1.png gives a 400 - Bad Request - Invalid Hostname error.

As far as I know, even if you access the Storage account without a private endpoint to download the blob, you also cannot use the IP address. Azure needs to resolve the blob endpoint via the domain name.
For the private endpoint for the storage account, the private link is also set up by Azure, and the private IP address just provides a tunnel to connect to the storage from the VNet. So you can access the storage blob via the domain name of the storage blob or of the private link, but not via the private IP address.
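A small diagnostic for the situation in this thread, added here as an example (it is not code from the original post or from Azure). It walks the resolver answers for the account FQDN, reports whether the name ends at a private endpoint address inside the VNet or at the public endpoint, and flags request URLs that address the account by IP literal, which is what produces the 400 Invalid Hostname response. The VNet range 10.0.0.0/16, the resolver tables and the placeholder public address are assumptions constructed to mirror the thread.

```python
"""Diagnose how a storage account FQDN resolves relative to a private endpoint.

Added example, not code from the original thread or from Azure. Assumptions:
the VNet address space (10.0.0.0/16 here) and the resolver answers are supplied
by the caller; the sample tables below are constructed to mirror the thread.
"""
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed: answers a resolver inside the VNet gives (CNAME chain ending in
# the private endpoint NIC address quoted in the thread).
SAMPLE_INSIDE_VNET = {
    "mystorageaccount.blob.core.windows.net":
        "mystorageaccount.privatelink.blob.core.windows.net",
    "mystorageaccount.privatelink.blob.core.windows.net": "10.0.0.5",
}
# Constructed: answers a public resolver gives (no private DNS zone applies).
# The cluster name and address are placeholders, not real Azure values.
SAMPLE_OUTSIDE_VNET = {
    "mystorageaccount.blob.core.windows.net": "blob.placeholder.store.core.windows.net",
    "blob.placeholder.store.core.windows.net": "203.0.113.10",
}


def follow_chain(name, answers, max_hops=8):
    """Walk CNAME answers until an address is reached. Returns (names, ip|None)."""
    chain = [name]
    for _ in range(max_hops):
        target = answers.get(chain[-1])
        if target is None:
            return chain, None
        try:
            return chain, ipaddress.ip_address(target)
        except ValueError:  # not an address: another CNAME hop
            chain.append(target)
    return chain, None


def classify_resolution(fqdn, answers, vnet_cidr):
    """Say which endpoint the FQDN points at from this resolver's point of view."""
    chain, ip = follow_chain(fqdn, answers)
    if ip is None:
        return {"fqdn": fqdn, "path": "unresolved", "ip": None, "chain": chain}
    in_vnet = ip in ipaddress.ip_network(vnet_cidr)
    via_privatelink = any(".privatelink." in n for n in chain)
    if in_vnet and via_privatelink:
        path = "private-endpoint"
    elif in_vnet:
        path = "private-ip-without-privatelink-cname"  # unusual; check the DNS zone
    else:
        path = "public-endpoint"
    return {"fqdn": fqdn, "path": path, "ip": str(ip), "chain": chain}


def check_request_url(url):
    """Flag URLs that address the account by IP; the service needs the FQDN.

    Returns (ok, message). An IP literal in the host part is what produced the
    '400 Invalid Hostname' in the thread: the Host header then names no account.
    """
    host = urlparse(url).hostname or ""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return True, f"host '{host}' is a name; the account can be identified"
    return False, f"host '{host}' is an IP literal; use the account FQDN instead"


def live_answers(fqdn):
    """Resolve with the OS resolver (A/AAAA only; the CNAME chain is not exposed)."""
    infos = socket.getaddrinfo(fqdn, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    for label, table in (("inside VNet", SAMPLE_INSIDE_VNET),
                         ("outside VNet", SAMPLE_OUTSIDE_VNET)):
        print(label, classify_resolution(
            "mystorageaccount.blob.core.windows.net", table, "10.0.0.0/16"))
    for url in ("https://mystorageaccount.blob.core.windows.net/samplecontainer/1.png",
                "https://10.0.0.5/samplecontainer/1.png"):
        print(check_request_url(url))
    try:
        print(live_answers("mystorageaccount.blob.core.windows.net"))
    except socket.gaierror as exc:
        print("live lookup failed (expected offline):", exc)
```

Run it from a VM inside the VNet and from a machine outside it: the first classification should come back as private-endpoint, the second as public-endpoint, and either way the URL check tells you to keep the account FQDN in the request rather than the 10.0.0.5 address.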

Serve public images from Blob Storage via Private Link

I see that I can do this with Azure Front Door Premium (CDN).
Azure Front Door can securely access the Storage Account via the private link while not exposing the Storage Account to the public internet; it works great and is very secure.
The issue is the price of Azure Front Door Premium: $330 per month minimum.
Other flavors of Azure Front Door can't use the private link.
Is there a more affordable way to securely connect via Private Link and serve images to public from Blob Storage? Or is Azure Front Door premium the only option?
• You surely can serve public images from Blob Storage via the private link through the private endpoint created, but not when they are accessed from the public internet, i.e., from outside the virtual network in which the private link is created and the storage account's private endpoint is assigned a private IP address. Kindly refer to the point below for more details:
When you resolve the storage endpoint URL from outside the VNet with the private endpoint, it resolves to the public endpoint of the storage service. When resolved from the VNet hosting the private endpoint, the storage endpoint URL resolves to the private endpoint's IP address.
Please find below the steps demonstrating the above point, wherein you can serve public images from Azure Blob Storage through a private endpoint:
• For accessing a storage account through the configured private endpoint, kindly ensure that the DNS records for the storage account are configured as below, wherein the custom domain name through which the storage account's public endpoint is accessible is configured as below:
Once the custom domain name is configured, its related DNS records should be created as below to ensure that access from inside the virtual network to the storage account through the created private link is possible. Also, create DNS records as below for that purpose:
Thus, configuring the correct DNS records and allowing specific services access over Microsoft's trusted network to the private endpoint created for the storage account can be very helpful in configuring public access to the blob storage for the images stored on it.
Please find below links with more relevant information on this:
https://learn.microsoft.com/en-us/azure/storage/common/storage-private-endpoints
https://learn.microsoft.com/en-us/azure/storage/files/storage-files-networking-endpoints?tabs=azure-portal

Azure - difference between service endpoint and private endpoint in simple terms

I am not able to understand the difference between service endpoints and private endpoints clearly.
Need help preferably with an example.
You might have seen this in the Private Link FAQ:
Private Endpoints grant network access to specific resources behind a given service providing granular segmentation. Traffic can reach the service resource from on premises without using public endpoints.
A Service Endpoint remains a publicly routable IP address. A Private Endpoint is a private IP in the address space of the virtual network where the private endpoint is configured.
For simplicity, let's take the view of a VM in a VNET connecting to a storage account in the same subscription and same Azure region. There are three ways to connect.
Default
By default all traffic goes against the public endpoint of the storage account. Source IP of the traffic is the Public IP of the VM.
Service Endpoints
Traffic is still directed against the public endpoint of the storage account but the source IP has changed to the private IP of the VM. In fact, the traffic is also using the VNET and Subnet as source in the network dataframe.
Private Endpoints
The PaaS service now gets a virtual network interface inside the subnet and traffic from the VM to the storage account is now directed against the private IP address.
By far the best collection of useful information around Private Link that I have seen on the web is in this repository: https://github.com/dmauser/PrivateLink
You can also find some examples here: https://jeffbrown.tech/azure-private-service-endpoint/

Is it necessary to create a private DNS zone for private endpoints to PaaS services in Azure?

Right now I'm creating some private endpoints for a number of Azure Storage services. There are two storage accounts, for the first I create a blob endpoint and a queue endpoint. For the second account I create a blob endpoint and a dfs endpoint.
When I try connecting to the endpoints from a machine outside of the VNET using the regular connection strings (that now point to the privatelink resources), I seem to not be able to reach the resource as expected. Trying to connect to it from a VM and an AKS cluster within the same VNET as the private endpoints, I am able to connect.
If these are basically my only use cases, and I'm ok using the default names to connect to the private endpoint resources, is it OK to not create a private DNS zone?
It is a bit unclear to me from the documentation whether this is a necessity.
By using private link you create an endpoint into your vnet/subnet. The private DNS is linked to your vnet and allows you to direct the traffic to that private endpoint (e.g. 10.1.0.4) by using the storage domain.
It's not necessary to have that private DNS. But that means you'll need to connect directly to the private IP address of that endpoint. While that is technically possible, you'll likely run into some issues, such as the server not knowing which domain is requested without a host header, and issues with the SSL certificate.
I would therefore recommend always using the private DNS.
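The SSL certificate issue the answer mentions can be made concrete. The example below is added here and is not code from the original thread or from Azure: it implements the hostname-matching rule TLS clients apply to a certificate's DNS subject alternative names (a wildcard covers exactly one leftmost label) and shows that an IP literal such as 10.0.0.5 can never satisfy a DNS SAN, whereas both the account FQDN and the privatelink name can. The SAN list is a constructed stand-in; the fetch_dns_sans() helper retrieves the real one from a live endpoint when you are online.

```python
"""Why connecting by private IP trips TLS hostname verification.

Added example, not code from the original thread or from Azure. The SAN list
below is a constructed stand-in for what a storage endpoint certificate might
carry; fetch the real one with fetch_dns_sans() when online.
"""
import ipaddress
import socket
import ssl

# Constructed sample SANs (shape only; not copied from a real certificate).
SAMPLE_SANS = [
    "*.blob.core.windows.net",
    "*.privatelink.blob.core.windows.net",
]


def hostname_matches(pattern, hostname):
    """Match a DNS-ID pattern from a certificate against a hostname.

    A wildcard is honoured only as the whole leftmost label and only spans a
    single label, the rule browsers and Python's ssl module apply.
    """
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # e.g. ".blob.core.windows.net"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def validate_target(target, dns_sans):
    """Decide whether `target` (the name or IP typed into the URL) would pass
    certificate hostname verification against DNS SANs. Returns (ok, reason)."""
    try:
        ipaddress.ip_address(target)
    except ValueError:
        pass
    else:
        # DNS SANs never match an IP literal; an iPAddress SAN would be needed.
        return False, f"{target} is an IP literal; no DNS SAN can match it"
    for san in dns_sans:
        if hostname_matches(san, target):
            return True, f"{target} matches SAN {san}"
    return False, f"{target} matches none of {dns_sans}"


def fetch_dns_sans(host, port=443, timeout=5.0):
    """Pull the DNS SANs of the certificate the endpoint actually serves."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    for target in ("mystorageaccount.blob.core.windows.net",
                   "mystorageaccount.privatelink.blob.core.windows.net",
                   "10.0.0.5"):
        print(validate_target(target, SAMPLE_SANS))
    try:
        print(fetch_dns_sans("mystorageaccount.blob.core.windows.net"))
    except OSError as exc:
        print("live fetch skipped:", exc)
```

The practical consequence is the one the answer draws: with a private DNS zone in place the client keeps using the account FQDN, the Host header identifies the account and the certificate check passes; without it, going straight to the private IP fails verification unless the client is told to ignore the certificate, which is not something to build on.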

How do I set a public static IP address to a storage account?

I have an Azure storage account with a blob endpoint of: 'blobstorageaccountname.blob.core.windows.net'. I want to choose a static IP Address, because some of my more zealous customers want to only allocate a known set of IP addresses through their firewall. I have already provided them with the list of Azure IP ranges for my Azure region, but they don't want to allocate such broad ranges.
Also: 1
In Azure portal | Storage | Networking | Custom domain: it says "Configure a custom domain for accessing blob data in your Azure storage account, like www.contoso.com".
If that is possible could I allocate the custom domain a static IP address?
Is it really only blob specific, what about queue endpoints? I could configure my DNS with each endpoint having a new CNAME entry.
Also: 2
Azure portal | Add new resource "Public IP Address" allows me to add a public static IP address for a virtual network gateway (VNG?). I know it's possible to apply a static IP to a VM. How does one create or configure a VNG, or an Azure VNet, to apply a static IP to a Storage endpoint?
I read these, but they were not helpful:
https://social.msdn.microsoft.com/forums/en-US/b7dbea96-5349-45c6-8774-f8c766d08e31/help-assign-static-ip-to-a-blob-storage-account?forum=windowsazuredata
Virtual Public IP address
Also posted on the Azure Docs Questions forum
As of 2022, Azure Storage service does not support public IPs, but Azure API management does.
Configure the APIM service with a public static IP, then create a 'pass-through' endpoint for each storage type.
Each client's app.config needs "AzureWebJobsStorage" updated to send requests through an API Management route for each endpoint type. I am currently using a generic connection not specifying the endpoints, so each client will need updating to use the 'explicit storage endpoint' connection string.
Alternative to APIm: investigate dotnet YARP as a reverse proxy hosted on an Azure WebApp and manage re-routing that way.

Azure Storage - Firewall and Endpoints usage

I have recently come across the Private Endpoint feature in Azure Storage and am trying to implement it for secure access from a VNet. However, I am getting access issues while using Firewall, Virtual Network Service Endpoint and Private Endpoint all together.
I have two VNets (VNet1 & VNet2) in my subscription and an on-premises machine with Public IP to connect to Azure Storage. Following is my setup.
VNet1 with a Subnet enabled with Service Endpoint feature is whitelisted in Storage account firewall.
Next, I have created a Private Endpoint to this storage account (for blob service) from VNet2 which is also hosted inside the same Vnet.
Finally, I have whitelisted the Public IP of my on-premises VM to connect to the storage account under Firewall section.
Given the above setup, when I try to access the blob containers of this storage account from a VM placed in VNet2, I get authorization issues.
May I please check if this setup is valid? Do the Private Endpoint and Service Endpoint features work in parallel?
Yes, private endpoints can be created in subnets that use Service Endpoints. Clients in a subnet can thus connect to one storage account using private endpoint, while using service endpoints to access others.
There are multiple ways to connect to a storage account:
Using a private endpoint (private link) to connect to the storage account: please find the referenced document here.
Using a Service Endpoint and a Private Endpoint together: please find the referenced document here.
You can find more details in this public document.