Azure Private Endpoint Across AAD Tenant

Cloud Journey
3 min read · Mar 12, 2021

Overview

An Azure private endpoint secures your data and mitigates data exfiltration risk. In this article, we focus on privately accessing a storage account that lives in another AAD tenant.

The goal is to block network-level access to the storage account from outsiders or external clients, so that even a client holding valid credentials cannot reach it over the public endpoint.

Lab

Create blob storage account private endpoint from tenant A

When creating a private endpoint for a storage account in tenant B, select the “Connect to an Azure resource by resource ID” method, since tenant A has no visibility into tenant B's resources.

The remaining settings are the same as for a private endpoint to a resource in the same tenant.

Approve Private Endpoint Connection

Because the request comes from another tenant, the connection requires explicit manual approval from tenant B: go to the storage account's Networking blade in tenant B, open the Private endpoint connections tab and approve the pending connection.

Configure DNS Record for Private Endpoint

From tenant A, complete the private endpoint configuration by adding the DNS configuration, so that the blob FQDN resolves to the private endpoint's IP instead of the public endpoint.

```powershell
Set-AzContext xyz

## Create DNS configuration ##
$parameters3 = @{
    Name             = 'privatelink.blob.core.windows.net'
    PrivateDnsZoneId = "/subscriptions/<subid>/resourceGroups/<rg>/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net"
}
$config = New-AzPrivateDnsZoneConfig @parameters3

## Create DNS zone group. ##
$parameters4 = @{
    ResourceGroupName    = 'myrg'
    PrivateEndpointName  = 'mype'
    Name                 = 'default'
    PrivateDnsZoneConfig = $config
}
New-AzPrivateDnsZoneGroup @parameters4
```

Block Access Through Storage Account Public Endpoint

Validate Access from Public Network

Now, even with valid authentication in place (SAS, access key or RBAC), a client outside the private network cannot access the storage account data. Access is only possible from inside the private network, and only with proper authentication.

When opening a blob URL from outside the private network, the request fails:

<Error><Code>AuthorizationFailure</Code><Message>This request is not authorized to perform this operation. .....</Message></Error>

When opening the same blob URL from within the private network, it works.
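The whole lab above as one Az PowerShell walkthrough, added here as an example and not taken from the original article. The tenant IDs, subscription IDs, resource groups, VNet/subnet names and the storage account name `tenantbsa` are constructed placeholders; the DNS zone group step is the article's own code above and is not repeated.

```powershell
## Added example, not from the original article: cross-tenant private endpoint
## end to end, with constructed placeholder names and <...> values to fill in.

## --- Tenant A: request a private endpoint to tenant B's storage account ---
Set-AzContext -Tenant '<tenantA-id>' -Subscription '<tenantA-subid>'

# Resource ID of the storage account in tenant B. Tenant A has no RBAC on it,
# so the connection is created -ByManualRequest and waits for tenant B's approval.
$targetId = '/subscriptions/<tenantB-subid>/resourceGroups/<tenantB-rg>/providers/Microsoft.Storage/storageAccounts/tenantbsa'

$vnet   = Get-AzVirtualNetwork -ResourceGroupName 'myrg' -Name 'peA-vnet'
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'peA-subnet'

$conn = New-AzPrivateLinkServiceConnection -Name 'mype-conn' `
    -PrivateLinkServiceId $targetId -GroupId 'blob' `
    -RequestMessage 'Private access from tenant A (lab)'

New-AzPrivateEndpoint -Name 'mype' -ResourceGroupName 'myrg' -Location 'eastus' `
    -Subnet $subnet -PrivateLinkServiceConnection $conn -ByManualRequest

## --- Tenant B: review and approve the pending connection ---
Set-AzContext -Tenant '<tenantB-id>' -Subscription '<tenantB-subid>'

$pending = Get-AzPrivateEndpointConnection -PrivateLinkResourceId $targetId |
    Where-Object { $_.PrivateLinkServiceConnectionState.Status -eq 'Pending' }

# Approve only the request you expect: the requesting private endpoint's
# resource ID and the request message identify who is asking.
foreach ($c in $pending) {
    '{0} -> {1}' -f $c.PrivateEndpoint.Id, $c.PrivateLinkServiceConnectionState.Description
    Approve-AzPrivateEndpointConnection -ResourceId $c.Id -Description 'Approved for tenant A lab'
}

## --- Tenant B: close the public endpoint (storage firewall default = Deny) ---
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName '<tenantB-rg>' -Name 'tenantbsa' `
    -DefaultAction Deny -Bypass None

## --- Validation, run from a VM inside tenant A's VNet ---
# The FQDN must resolve to the private endpoint's private IP. If it still
# resolves to a public IP, the DNS zone group is missing and requests go to
# the public endpoint, where the firewall answers AuthorizationFailure.
Resolve-DnsName 'tenantbsa.blob.core.windows.net' | Select-Object Name, IPAddress
Invoke-WebRequest -Uri 'https://tenantbsa.blob.core.windows.net/<container>/<blob>?<sas>' -UseBasicParsing
```

Run the same `Invoke-WebRequest` from outside the VNet to confirm it is denied, which is the check the article performs in the browser.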

Conclusion

Azure PaaS private endpoints support Azure resources in the same AAD tenant or in a different tenant. With the PaaS service's networking firewall settings, all access through the public endpoint can be blocked.

If you need to open your Azure storage account to a third party's subscription, secure it with a private endpoint and proper authentication.

For further hardening, consider protecting the private endpoint itself through network isolation, adopting AAD-integrated authentication, and having logging, monitoring and alerting in place.

Multiple private endpoints can be created to support private access from multiple AAD tenants.



All blogs are strictly personal and do not reflect the views of my employer. https://github.com/Ronnie-personal