Setting up Private Access to PaaS Resources in Azure

Securing access to PaaS resources such as Storage Accounts in Azure is a valid concern for IT professionals as more and more services are moved to the Azure public cloud. Here I will walk you through how to set up private access to a storage account by creating a private endpoint and using a Private DNS Zone in Azure. This setup ensures that traffic to your PaaS resources in Azure does not go over the public internet and stays on Microsoft's Azure network.

What is a Private Endpoint?

A Private Endpoint is a NIC that gets attached to a Virtual Network in Azure. You can then associate this NIC with a service such as a Storage Account, Azure Key Vault, etc. This gives your Azure PaaS resource a private IP address and lets you access the resource through that private IP address instead of its public one.

Here is what a storage account in Azure resolves to normally, with no private endpoint set up. As you can see, it resolves to a public IP address, meaning you go through the internet to access your storage account. If you are concerned about security, you can use private endpoints so that access no longer has to go this way; you will need to set up Private Endpoints for that.

Here is what the DNS query resolves to after we are all set up. As you can see, it resolves to a private IP, enabling you to access the storage account without traversing the internet.

To get this set up, here is what we will configure:

  • PaaS Resource such as Storage Accounts, Key Vaults, etc
  • Virtual Networks
  • Private Endpoint
  • Private DNS Zone

Here is what the topology will look like.

The vnet called vnet-sharedservices-dev-westus2-001 will be our hub in this topology. The vnet vnet-ad-dev-westus2-001 will act as a spoke vnet. In vnet-sharedservices-dev-westus2-001 we will have our storage account and our private endpoint. We will also have our custom DNS server there. The reason we need a DNS server here (or Azure Private DNS Resolver) is that by default every Azure Virtual Network uses the default Azure DNS server, 168.63.129.16. However, that address is unique to each virtual network in Azure: it only resolves private endpoints, VMs, etc. for the Virtual Network the query comes from. So if a VM in another virtual network uses that same IP as its DNS server, the private endpoint's name will not resolve; the client must be on the same virtual network for private DNS resolution to work. Therefore, we must have some sort of DNS VM in our shared services virtual network. Also, for this topology to work, both VNets must be peered. Let's get started.

Steps to Set Up Private Access

1. Navigate to your Azure Storage Account, and select the Networking section. Click the Add Private Endpoint button.

2. Name your private endpoint and select a resource group to place it in.

3. Select the type of storage account you have.

4. Choose which virtual network to attach this private endpoint to. Here you can also choose to statically or dynamically assign the IP Address to it.

5. Choose which virtual network to associate a Private DNS Zone to. I have already created this beforehand, therefore that is the reason for the warning in this screenshot.

6. Finish creating the resource.

7. Next, you must set up your DNS server to conditionally forward DNS queries for the privatelink.blob.core.windows.net DNS zone to Azure's DNS, 168.63.129.16. I did this using a bind9 Ubuntu Linux virtual machine, but you can use whatever you'd like, such as Cisco Umbrella VAs, a domain controller, etc. Here is my configuration for my bind9 server.

This is the named.conf.local file in /etc/bind

And this is the named.conf.options file in /etc/bind
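The following is an added example of what the two bind9 files described in step 7 can look like; it is not the author's configuration. It assumes the address ranges 10.0.0.0/8 (your hub and spoke VNets) and the upstream resolver 10.0.0.4 (an existing corporate DNS server) as placeholders; only the privatelink.blob.core.windows.net zone is conditionally forwarded to Azure DNS at 168.63.129.16.

```conf
// /etc/bind/named.conf.local  (added example, not the author's file)
// Conditional forwarder: every name under privatelink.blob.core.windows.net
// is sent to Azure's resolver. Because this bind9 VM sits in the hub VNet
// that the Private DNS Zone is linked to, 168.63.129.16 answers with the
// private endpoint's private IP instead of the storage account's public IP.
zone "privatelink.blob.core.windows.net" {
    type forward;
    forward only;
    forwarders { 168.63.129.16; };
};

// /etc/bind/named.conf.options  (added example, not the author's file)
options {
    directory "/var/cache/bind";

    // Only answer recursive queries from the hub/spoke address space.
    // 10.0.0.0/8 is an assumed placeholder for your VNet ranges.
    recursion yes;
    allow-query     { 10.0.0.0/8; localhost; };
    allow-recursion { 10.0.0.0/8; localhost; };

    // Names not matched by a forward zone above go to the upstream resolver.
    // 10.0.0.4 is an assumed placeholder for an existing corporate DNS server;
    // if this server only serves Azure clients, 168.63.129.16 works here too.
    forwarders { 10.0.0.4; };
    forward only;

    // Listen on the VM's private IP so spoke VNets can reach it over peering.
    listen-on { any; };
};
```

After editing, run named-checkconf and reload bind9; a query for the storage account's FQDN from the bind9 VM should then return the private endpoint's IP.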

8. Now, we have to make sure any client that wants to access the storage account through the private endpoint uses this bind9 Linux DNS server, or that the DNS server the client is using knows to forward queries for the privatelink.blob.core.windows.net zone to this bind9 server. Here, we will simply change the DNS server for vnet-ad-dev-westus2-001 to the IP address of the bind9 Ubuntu server (vm-ubuntu-dev-westus2-002).

To do this, navigate to the Azure Virtual network that will be accessing the storage account through its private endpoint and go to its DNS Server configuration. Select the Custom option and type in the IP address of the DNS server.

9. Now I will log into a Windows virtual machine that is in vnet-ad-dev-westus2-001 to test some DNS queries and verify that the name resolves to the private IP address. First, I will verify it is using the correct DNS server.

10. Now I will test the DNS query. Here you can see it works.

Setting up private access to PaaS resources in Azure significantly enhances your security posture by limiting exposure to the public Internet. Note that this is not the only way to use Private Endpoints in Azure: you can also manually configure A records for your PaaS resources in your existing DNS servers.
