
Secure Data Access with Private Link

In this lab, you will configure Azure Bastion for secure VM access (no public IPs) and a Private Endpoint for an Azure Storage Account. You will validate secure management and data paths, ensuring all traffic remains on Azure’s backbone network.


Pre-Provisioned Resources

The following resources are already deployed for you:

[Figure: pre-provisioned lab resources]

  • Virtual Network: LabVNet (10.10.0.0/16) with:
    • VMSubnet (10.10.1.0/24) – for VMs
  • Virtual Machines:
    • WinVM (Windows Server 2022, no public IP, in VMSubnet)
    • LinVM (Ubuntu 22.04, no public IP, in VMSubnet)
  • NSGs: Default rules attached to subnets
  • Storage Account: labstorage<unique> (no Private Endpoint, no public network access)

Your Tasks


Task 1: Create the Azure Bastion Subnet

  1. In the Azure Portal, navigate to LabVNet.
  2. Add a new subnet:
    • Name: AzureBastionSubnet (must be exactly this name)
    • Address range: 10.10.2.0/24

[Figure: lab topology with the Bastion subnet]


Task 2: Deploy Azure Bastion

  1. In the Azure Portal, create an Azure Bastion Host:
    • Resource Group: LabRG
    • Name: LabBastion
    • Region: Same as LabVNet
    • Virtual Network: LabVNet
    • Subnet: AzureBastionSubnet
  2. Wait for deployment to complete.

[Figure: lab topology with Azure Bastion]


Task 3: Validate Bastion Access to VMs

  1. In the portal, go to WinVM > Connect > Bastion.
  2. Enter the provided credentials and connect via RDP.
  3. Repeat for LinVM (SSH).
  4. Confirm you can access both VMs only via Bastion (no public IPs).

Task 4: Create a Private Endpoint for the Storage Account

  1. In the portal, go to the labstorage<unique> Storage Account.
  2. Under Networking, confirm Public network access is disabled.
  3. Go to Private endpoint connections > + Private endpoint.
    • Name: LabStorage-PE
    • Region: Same as Storage Account
    • Resource: This storage account
    • Target sub-resource: blob
    • Virtual Network: LabVNet
    • Subnet: VMSubnet
  4. Complete the wizard to create the Private Endpoint.

[Figure: lab topology with the Private Endpoint]


Task 5: Configure Private DNS for the Private Endpoint

  1. In the portal, search for Private DNS zones > + Create.
    • Name: privatelink.blob.core.windows.net
    • Resource Group: LabRG
  2. Open the DNS zone and go to Virtual network links > + Add.
    • Link to LabVNet
    • Enable auto-registration: No
  3. In the DNS zone, verify that an A record for the Storage Account was created (if not, add it manually):
    • Name: <storageaccount>
    • IP: Private IP of the Private Endpoint (see Private Endpoint overview)

[Figure: private DNS zone configuration]
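The same configuration can be scripted. The script below is an added example (not part of the lab, which uses the portal) and reproduces Tasks 1, 2, 4 and 5 with the Azure CLI; it also adds a DNS zone group so the A record from Task 5 is created and kept in sync automatically instead of being added by hand. The resource names are the lab's own (LabRG, LabVNet, LabBastion, LabStorage-PE, VMSubnet); the public IP name, VNet link name, connection name and the LOCATION and STORAGE values are assumptions you must set to match your lab. With DRY_RUN=1 it prints each command instead of running it, which lets you review the plan before touching the subscription.

```shell
#!/bin/sh
# Added example: Azure CLI equivalent of the portal steps in Tasks 1, 2, 4 and 5.
# LOCATION, STORAGE, the public IP name, link name and connection name are assumptions.
set -u

RG=${RG:-LabRG}
VNET=${VNET:-LabVNet}
LOCATION=${LOCATION:-eastus}            # assumption: must match LabVNet's region
STORAGE=${STORAGE:-labstorageunique}    # replace with the real labstorage<unique> name
ZONE=privatelink.blob.core.windows.net

run() {
  # Execute the command, or just print it when DRY_RUN=1.
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Task 1: the subnet must be named exactly AzureBastionSubnet (/26 or larger).
create_bastion_subnet() {
  run az network vnet subnet create --resource-group "$RG" --vnet-name "$VNET" \
      --name AzureBastionSubnet --address-prefixes 10.10.2.0/24
}

# Task 2: Bastion needs its own Standard SKU public IP; the VMs keep none.
create_bastion() {
  run az network public-ip create --resource-group "$RG" --name LabBastion-pip \
      --sku Standard --location "$LOCATION"
  run az network bastion create --resource-group "$RG" --name LabBastion \
      --vnet-name "$VNET" --public-ip-address LabBastion-pip --location "$LOCATION"
}

# Task 4: Private Endpoint for the blob sub-resource, placed in VMSubnet.
create_private_endpoint() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    sa_id="<storage-account-resource-id>"    # placeholder in dry-run mode
  else
    sa_id=$(az storage account show --resource-group "$RG" --name "$STORAGE" --query id -o tsv)
  fi
  run az network private-endpoint create --resource-group "$RG" --name LabStorage-PE \
      --vnet-name "$VNET" --subnet VMSubnet --private-connection-resource-id "$sa_id" \
      --group-id blob --connection-name LabStorage-PE-conn
}

# Task 5: private DNS zone, VNet link without auto-registration, and a zone group
# that writes the endpoint's A record into the zone for you.
create_private_dns() {
  run az network private-dns zone create --resource-group "$RG" --name "$ZONE"
  run az network private-dns link vnet create --resource-group "$RG" --zone-name "$ZONE" \
      --name LabVNet-link --virtual-network "$VNET" --registration-enabled false
  run az network private-endpoint dns-zone-group create --resource-group "$RG" \
      --endpoint-name LabStorage-PE --name default --private-dns-zone "$ZONE" --zone-name blob
}

# Run every step in order when invoked as: sh provision.sh apply
if [ "${1:-}" = apply ]; then
  create_bastion_subnet
  create_bastion
  create_private_endpoint
  create_private_dns
fi
```

Run `DRY_RUN=1 sh provision.sh apply` first to see the exact commands, then without DRY_RUN to apply them. Keeping public network access disabled on the storage account (Task 4, step 2) is what makes the Private Endpoint the only data path; the script does not change that setting.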


Task 6: Validate Private Connectivity from VMs

  1. Connect to LinVM using Bastion (SSH).
  2. Run:
       nslookup <storageaccount>.blob.core.windows.net
     • Confirm it resolves to the Private Endpoint IP.
  3. Use Azure CLI or Storage Explorer to upload/download a blob, for example:
       az storage blob list --account-name <storageaccount> --container-name <container> --auth-mode login
     • Confirm access is successful.
  4. Repeat the DNS and blob access tests from WinVM (using PowerShell or Storage Explorer).
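The check in steps 2 and 3 can be automated so it fails loudly when DNS still hands out a public address. The script below is an added example (not part of the lab): it takes the last "Address:" line from nslookup output, confirms the answer falls inside VMSubnet (10.10.1.0/24, where the Private Endpoint's NIC sits) rather than in a public Azure range, and only then lists the container. The sample nslookup output is constructed; the storage account and container names are placeholders.

```shell
#!/bin/sh
# Added example: verify from LinVM that the storage FQDN resolves to the Private Endpoint.
# VMSubnet prefix is the lab's 10.10.1.0/24; the nslookup sample below is constructed.

ip_to_int() {
  # dotted-quad IPv4 -> 32-bit integer, using only POSIX sh arithmetic
  oldifs=$IFS; IFS=.
  set -- $1
  IFS=$oldifs
  echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

ip_in_cidr() {
  # ip_in_cidr 10.10.1.5 10.10.1.0/24 -> exit 0 when the address is inside the prefix
  ip=$(ip_to_int "$1")
  net=$(ip_to_int "${2%/*}")
  bits=${2#*/}
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

resolved_ip() {
  # The answer is the last "Address:" line; the first one names the resolver itself.
  printf '%s\n' "$1" | awk '/^Address:/ { ip = $2 } END { print ip }'
}

# Constructed sample of what nslookup prints once the private DNS zone is linked:
# the public name is a CNAME to the privatelink name, which carries the private A record.
SAMPLE_NSLOOKUP='Server:		127.0.0.53
Address:	127.0.0.53#53

Non-authoritative answer:
labstorageunique.blob.core.windows.net	canonical name = labstorageunique.privatelink.blob.core.windows.net.
Name:	labstorageunique.privatelink.blob.core.windows.net
Address: 10.10.1.5'

check_private_resolution() {
  # Resolve <storageaccount>.blob.core.windows.net and confirm it lands in VMSubnet.
  fqdn="$1.blob.core.windows.net"
  ip=$(resolved_ip "$(nslookup "$fqdn" 2>/dev/null)")
  if [ -n "$ip" ] && ip_in_cidr "$ip" 10.10.1.0/24; then
    echo "OK: $fqdn -> $ip (Private Endpoint)"
  else
    echo "FAIL: $fqdn -> ${ip:-no answer}; check the private DNS zone and its VNet link" >&2
    return 1
  fi
}

# Usage on LinVM: sh check.sh <storageaccount> <container>
if [ "$#" -ge 2 ]; then
  check_private_resolution "$1" &&
  az storage blob list --account-name "$1" --container-name "$2" --auth-mode login -o table
fi
```

A public answer here (anything outside 10.10.1.0/24) means the VM is not using the private zone, typically because the zone is not linked to LabVNet or the A record is missing, and with public network access disabled on the account the blob listing would then fail with an authorization or network error rather than silently going over the internet.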

Success Criteria

  • Both VMs are accessible only via Azure Bastion (no public IPs).
  • Storage Account is accessible only via Private Endpoint from within the VNet.
  • DNS for the Storage Account resolves to the Private Endpoint IP from both VMs.
  • Blob operations succeed from both VMs.

Optional Challenge

  • Add a second Private Endpoint for the file service.
  • Test Storage Account access from a VM in a different subnet (should fail).