Stephen Palmstrom

Reputation: 119

How can I connect an existing Azure storage account to a private link?

The Azure Security Centre is great at highlighting security issues, but not so great at helping you remediate them. For example, it tells me that I should connect a Storage Account to a Private Link, but the manual remediation points me to creating the link when creating the Storage Account, so, useless for existing ones. Can it be done, and if so how?

Upvotes: 1

Views: 7034

Answers (1)

Nancy Xiong

Reputation: 28204

As @Sujit Singh commented, to connect a Storage Account to a Private Link, you need to create private endpoints for your Azure Storage accounts in your Azure virtual network (VNet). This allows clients on a VNet to securely access data over a Private Link.

The private endpoint uses an IP address from the VNet address space for your storage account service. Network traffic between the clients on the VNet and the storage account traverses over the VNet and a private link on the Microsoft backbone network, eliminating exposure from the public internet.

For an existing storage account, you can add a private endpoint from storage account ---> networking ---> private endpoint connections ---> private endpoint.

For more detailed information on creating a private endpoint for your storage account, refer to the following articles:

Upvotes: 1
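
The portal path in the answer above can also be scripted with the Azure CLI. The following is an added example, not part of the original answer: the function name, the `pe-<account>-blob` naming, the choice of the `blob` sub-resource, and the VNet living in the same resource group are assumptions. It also includes an optional last step, because the account's public endpoint stays reachable until public network access is disabled.

```shell
#!/usr/bin/env bash
# Added example: attach a private endpoint (blob sub-resource) to an EXISTING
# storage account with Azure CLI. All resource names are caller-supplied.
# DRY_RUN=1 (default) only prints the az commands; DRY_RUN=0 executes them.

run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# usage: connect_storage_private_endpoint <subscription-id> <rg> <account> <vnet> <subnet>
connect_storage_private_endpoint() {
  local sub="$1" rg="$2" account="$3" vnet="$4" subnet="$5"
  local zone="privatelink.blob.core.windows.net"  # private DNS zone for blob
  local pe="pe-${account}-blob"                   # assumed naming convention
  local id="/subscriptions/${sub}/resourceGroups/${rg}/providers/Microsoft.Storage/storageAccounts/${account}"

  # 1. Private endpoint: gives the account a private IP from the subnet.
  run az network private-endpoint create --resource-group "$rg" --name "$pe" \
      --vnet-name "$vnet" --subnet "$subnet" \
      --private-connection-resource-id "$id" --group-id blob \
      --connection-name "${pe}-conn" || return 1

  # 2. Private DNS: without it, clients in the VNet keep resolving the
  #    account hostname to its public IP and bypass the endpoint.
  run az network private-dns zone create --resource-group "$rg" --name "$zone" || return 1
  run az network private-dns link vnet create --resource-group "$rg" \
      --zone-name "$zone" --name "${vnet}-link" --virtual-network "$vnet" \
      --registration-enabled false || return 1
  run az network private-endpoint dns-zone-group create --resource-group "$rg" \
      --endpoint-name "$pe" --name default --private-dns-zone "$zone" \
      --zone-name blob || return 1

  # 3. Optional: close the public endpoint once private access is verified.
  if [ "${DISABLE_PUBLIC:-0}" = "1" ]; then
    run az storage account update --resource-group "$rg" --name "$account" \
        --public-network-access Disabled || return 1
  fi
}

# Run directly only when all five arguments are given on the command line.
if [ "$#" -eq 5 ]; then connect_storage_private_endpoint "$@"; fi
```

Other sub-resources (file, queue, table, dfs) need their own endpoint and their own `privatelink.<service>.core.windows.net` zone.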