In this story, we will learn how to enable Private Endpoint in Azure Storage Accounts with Terraform.
A private endpoint is a special network interface for an Azure service in our VNet (Virtual Network).
Creating a private endpoint for our Azure Storage Account provides secure connectivity between clients on our VNet and our storage.
The Private Endpoint uses a separate private IP address from the VNet address space for each storage account.
The network traffic between the clients on the VNet and the storage account traverses over the VNet and a private link on the Microsoft backbone network, eliminating exposure from the public internet.
1. Creation of an Azure Storage Account with a Private Endpoint
The process to create the Azure Storage Account with Private Endpoint requires several steps in this specific order:
- Resource Group Creation
- VNET Creation
- Subnet Creation
- Associate existing Private DNS zone or create a Private DNS zone
- Associate existing Virtual Network Links or create Virtual Network Links
- Creation of a Storage Account
- Creation of Storage Account Private Endpoint
- Creation of DNS A Record
Note: If you have a hub-spoke design, you must have two set of credentials, one for your core subscription and one for your customer subscription as tasks 4, 5 and 8 requires creating resources on your core subscription.
Before writing our code, we will need an Azure SPN (Service Principal) to execute our Terraform code (check step 1 of this story if you need help creating an SPN).
3. Defining the Azure Provider
First, we will define Azure authentication variables.