I’ve previously detailed how to create an Azure SMB File Share:
Creating an Azure SMB file share
as a way to create a ‘cloud USB’ drive that you can map to just about any desktop quickly and easily. All of this is accomplished securely but many remain hesitant to do this across the Internet directly. Luckily, there is now an option to map this SMB share to an IP address inside an Azure VNet to restrict access if desired.
Before you set this up you will need to have an existing Azure Vnet created as well as a paid Azure subscription. You can add a Private Endpoint to an existing Azure storage account or create one at the same time you create a new Azure Storage account. In this case, I’m going to an existing account.
In the Azure portal search for “private link”, which should then take you to the Private Link Center as shown above. Select the Add button on the right.
You’ll need to select a Resource Group as well as a Name as shown above.
You’ll then to select the Azure Storage account and the file option to connect to an existing SMB file share as shown above.
Next, you’ll need to connect to an existing Vnet and if you want to access the resource privately by a name, then you’ll need to integrate it with a private DNS zone, which will also be set up for you as part of this process.
You can then add tags. Note – when I created mine, if I assigned tags here I couldn’t create the Private Endpoint, which appears to be a bug. So, if for some reason you find the same issue, create the Private Endpoint without tags and then add them later.
With all that done, select the Create button to finish the configuration on the Review + Create page.
When the set up process is complete you’ll now see your endpoint as shown above with an allocated IP address on the Vnet you selected.
If you then look at your Vnet, as shown above, you will see that the Storage Account is seen as a connected device.
If you now visit the Storage Account and select Firewalls and virtual networks as shown above, you can configure what networks can access this new Private Endpoint.
Leaving the option set to All networks means that you can still map to that SMB share directly across the Internet, which you may want.
However, in the above case, I have selected to restrict the access to the Vnet only.
Doing so means that the ONLY way I can now access that SMB Share is via the selected Vnet. I can’t get to it using the Azure portal on my remote desktop machine as shown above.
If I wanted to access this from a remote location, outside the Vnet across the Internet, I could add those details below. However, I have chosen not to do this.
My Azure SMB File share now has a dedicated IP address that is restricted to access via an Azure Vnet, how do I work with this share directly on premises? Easy. I set up an Azure Site to Site VPN to that same Vnet and now I can access that Azure SMB File share from my local machines by mapping to something like the IP address.
Thus, the only way that Azure SMB file share can be access is across a Site to Site VPN, making even more secure.
Private Endpoints support connection to a number of PaaS Azure services as shown above. This is handy as it allows you to connected you Azure IaaS services (like VMs) directly to Azure PaaS (like storage) quickly and easily as shown. What’s the benefit? Remember, IaaS is typically billed on time used, while PaaS is billed on resource consumption. Thus, why should I pay for a VM to store my data and pay the time it runs (typically 24/7), plus disk storage where I could use Azure Storage and most be billed just for the data capacity?
PaaS is the future and has many benefits over IaaS. You should be looking to shift as much of you infrastructure to PaaS to take advantage of things like reduce maintenance, cost savings, etc. Private Endpoints is an easy way to start doing just that. For more information on Azure Private Endpoint visit: