Azure Private Endpoint Across AAD Tenant
Overview
Azure private endpoints secure your data and mitigate data exfiltration risk. In this article, we focus on accessing a storage account from another AAD tenant privately.
The goal is to block access to the storage account from outsiders or external clients at the network level.
Lab
Create blob storage account private endpoint from tenant A
When you create a private endpoint for a storage account in tenant B, select the “Connect to an Azure resource by resource ID” method.
The rest of the settings are the same as for a private endpoint to a resource in the same tenant.
Approve Private Endpoint Connection
It requires explicit manual approval from tenant B: go to the tenant B storage account's Networking blade and open the Private endpoint connections tab.
Configure DNS Record for Private Endpoint
From tenant A, complete the private endpoint configuration by adding the DNS configuration.

# Switch to the tenant A subscription that owns the private endpoint ('xyz' is a placeholder)
Set-AzContext xyz

## Create DNS configuration ##
$parameters3 = @{
    Name             = 'privatelink.blob.core.windows.net'
    PrivateDnsZoneId = "/subscriptions/<subid>/resourceGroups/<rg>/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net"
}
$config = New-AzPrivateDnsZoneConfig @parameters3

## Create DNS zone group. ##
$parameters4 = @{
    ResourceGroupName    = 'myrg'
    PrivateEndpointName  = 'mype'
    Name                 = 'default'
    PrivateDnsZoneConfig = $config
}
New-AzPrivateDnsZoneGroup @parameters4
Block Access Through Storage Account Public Endpoint
Validate Access from Public Network
Now, even with authentication in place (SAS, access key or RBAC), a client outside the private network cannot access the storage account data. Access is only possible from inside the private network and with proper authentication.
Opening a blob file URL from outside the private network fails:
<Error><Code>AuthorizationFailure</Code><Message>This request is not authorized to perform this operation. .....</Message></Error>
Opening the same blob file URL from within the private network works.
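The tenant B side of the procedure above (approve the pending connection, close the public endpoint, then verify), as an added PowerShell example that is not part of the original article. It assumes a storage account named 'stgtenantb' in resource group 'rg-tenantb' and a placeholder SAS token; both are assumptions.

```powershell
# Added example (not from the original article). Assumed names: storage account
# 'stgtenantb' in resource group 'rg-tenantb'; the tenant A private endpoint is pending.
Set-AzContext -Subscription '<tenant-B-subscription-id>'

$sa = Get-AzStorageAccount -ResourceGroupName 'rg-tenantb' -Name 'stgtenantb'

## Approve the pending cross-tenant private endpoint connection ##
# Review the requesting private endpoint ID before approving; approve only the one you expect.
$pending = Get-AzPrivateEndpointConnection -PrivateLinkResourceId $sa.Id |
    Where-Object { $_.PrivateLinkServiceConnectionState.Status -eq 'Pending' }
foreach ($conn in $pending) {
    Write-Host "Pending request from private endpoint: $($conn.PrivateEndpoint.Id)"
    Approve-AzPrivateEndpointConnection -ResourceId $conn.Id -Description 'Approved for tenant A'
}

## Close the public endpoint: default Deny with no bypass exceptions ##
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName 'rg-tenantb' -Name 'stgtenantb' `
    -DefaultAction Deny -Bypass None

## Validate: DNS answer and data-plane reachability from the current network ##
$fqdn = 'stgtenantb.blob.core.windows.net'
$ip = (Resolve-DnsName $fqdn -Type A | Where-Object Type -eq 'A').IPAddress
# Inside the tenant A VNet this should be the private endpoint's private address;
# from the internet it is the service's public address.
Write-Host "$fqdn resolves to $ip"

try {
    Invoke-WebRequest -Uri "https://$fqdn/container/file.txt?<sas-token>" -UseBasicParsing | Out-Null
    Write-Host 'Data plane reachable from this network'
} catch {
    # Expected outside the private network: HTTP 403 with <Code>AuthorizationFailure</Code>
    $status = $_.Exception.Response.StatusCode.value__
    Write-Host "Blocked: HTTP $status"
}
```

Run the validation part once from a VM in the tenant A VNet and once from a public network; only the first should report the data plane as reachable.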
Conclusion
Azure PaaS private endpoints support resources in the same AAD tenant or in a different tenant. With the PaaS service's networking firewall settings, we can block all access through the public endpoint.
If you need to open your Azure storage account to a third party's subscription, secure it with a private endpoint and proper authentication.
For further hardening, consider protecting the private endpoint itself through network isolation, adopting AAD-integrated authentication, and having logging, monitoring and alerting in place.
Multiple private endpoints can be created to support private access from multiple AAD tenants.