Skip to main content

Remediation

From Azure Portal

  1. Open the Storage Accounts blade.
  2. For each listed Storage Account, perform the following:
  3. Under the Security + networking heading, click on Networking.
  4. Click on the Private Endpoint Connections tab at the top of the networking window.
  5. Click the + Private endpoint button.
  6. In the 1 - Basics tab/step:
    • Enter a name that will be easily recognizable as associated with the Storage Account (Note: The "Network Interface Name" will be automatically completed, but you can customize it if needed.).
    • Ensure that the Region matches the region of the Storage Account.
    • Click Next.
  7. In the 2 - Resource tab/step:
    • Select the target sub-resource based on what type of storage resource is being made available.
    • Click Next.
  8. In the 3 - Virtual Network tab/step:
    • Select the Virtual network that your Storage Account will be connecting to.
    • Select the Subnet that your Storage Account will be connecting to.
    • (Optional) Select other network settings as appropriate for your environment.
    • Click Next.
  9. In the 4 - DNS tab/step:
    • (Optional) Select other DNS settings as appropriate for your environment.
    • Click Next.
  10. In the 5 - Tags tab/step:
    • (Optional) Set any tags that are relevant to your organization.
    • Click Next.
  11. In the 6 - Review + create tab/step:
    • A validation attempt will be made and after a few moments it should indicate Validation Passed - if it does not pass, double-check your settings before beginning more in depth troubleshooting.
    • If validation has passed, click Create then wait for a few minutes for the scripted deployment to complete.

Repeat the above procedure for each Private Endpoint required within every Storage Account.

From PowerShell

$storageAccount = Get-AzStorageAccount `
    -ResourceGroupName "{{resource-group-name}}" `
    -Name "{{storage-account-name}}"

$privateEndpointConnection = @{
    Name = "{{connection-name}}"
    PrivateLinkServiceId = $storageAccount.Id
    GroupID = "blob|blob_secondary|file|file_secondary|table|table_secondary|queue|queue_secondary|web|web_secondary|dfs|dfs_secondary"
}

$privateLinkServiceConnection = New-AzPrivateLinkServiceConnection @privateEndpointConnection
$virtualNetDetails = Get-AzVirtualNetwork `
    -ResourceGroupName "{{vnet-resource-group-name}}" `
    -Name "{{vnet-name}}"

$privateEndpoint = @{
    ResourceGroupName = "{{resource-group-name}}"
    Name = "{{private-endpoint-name}}"
    Location = "{{location}}"
    Subnet = $virtualNetDetails.Subnets[0]
    PrivateLinkServiceConnection = $privateLinkServiceConnection
}

New-AzPrivateEndpoint @privateEndpoint

From Azure CLI

az network private-endpoint create \
    --resource-group {{resource-group-name}} \
    --location {{location}} \
    --name {{private-endpoint-name}} \
    --vnet-name {{vnet-name}} \
    --subnet {{subnet-name}} \
    --private-connection-resource-id {{storage-account-id}} \
    --connection-name {{private-link-service-connection-name}} \
    --group-id {{blob|blob_secondary|file|file_secondary|table|table_secondary|queue|queue_secondary|web|web_secondary|dfs|dfs_secondary}}