Using Private Endpoint in Azure Storage Account with Terraform

Guillermo Musumeci
6 min readAug 31, 2022


In this story, we will learn how to enable Private Endpoint in Azure Storage Accounts with Terraform.

A private endpoint is a special network interface for an Azure service in our VNet (Virtual Network).

Creating a private endpoint for our Azure Storage Account provides secure connectivity between clients on our VNet and our storage.

The Private Endpoint uses a separate private IP address from the VNet address space for each storage account.

The network traffic between the clients on the VNet and the storage account traverses over the VNet and a private link on the Microsoft backbone network, eliminating exposure from the public internet.


1. Creation of an Azure Storage Account with a Private Endpoint

The process to create the Azure Storage Account with Private Endpoint requires several steps in this specific order:

  1. Resource Group Creation
  2. VNET Creation
  3. Subnet Creation
  4. Associate existing Private DNS zone or create a Private DNS zone
  5. Associate existing Virtual Network Links or create Virtual Network Links
  6. Creation of a Storage Account
  7. Creation of Storage Account Private Endpoint
  8. Creation of DNS A Record

Note: If you have a hub-spoke design, you must have two set of credentials, one for your core subscription and one for your customer subscription as tasks 4, 5 and 8 requires creating resources on your core subscription.

2. Prerequisites

Before writing our code, we will need an Azure SPN (Service Principal) to execute our Terraform code (check step 1 of this story if you need help creating an SPN).

3. Defining the Azure Provider

First, we will define Azure authentication variables.



Guillermo Musumeci

Certified AWS, Azure & GCP Architect | HashiCorp Ambassador | Terraform SME | KopiCloud Founder | ex-AWS | Entrepreneur | Book Author | Husband & Dad of ✌