Approve Private Link connections across subscriptions
Azure Private Link enables you to connect privately to Azure resources. Private Link connections are scoped to a specific subscription. This article shows you how to approve a private endpoint connection across subscriptions.
Prerequisites
Two active Azure subscriptions:
- One subscription hosts the Azure resource and the other subscription contains the consumer private endpoint and virtual network.
An administrator account for each subscription or an account with permissions in each subscription to create and manage resources.
Resources used in this article:
Resource | Subscription | Resource group | Location |
---|---|---|---|
storage1 (This name is unique. Replace with the name you create.) | subscription-1 | test-rg | (Asia Pacific) China East 2 |
vnet-1 | subscription-2 | test-rg | (Asia Pacific) China East 2 |
private-endpoint | subscription-2 | test-rg | (Asia Pacific) China East 2 |
Sign in to subscription-1
Sign in to subscription-1 in the Azure portal.
Register the resource providers for subscription-1
For the private endpoint connection to complete successfully, the Microsoft.Storage
and Microsoft.Network
resource providers must be registered in subscription-1. Use the following steps to register the resource providers. If the Microsoft.Storage
and Microsoft.Network
resource providers are already registered, skip this step.
Important
If you're using a different resource type, you must register the resource provider for that resource type if it's not already registered.
In the search box at the top of the portal, enter Subscription. Select Subscriptions in the search results.
Select subscription-1.
In Settings, select Resource providers.
In the Resource providers filter box, enter Microsoft.Storage. Select Microsoft.Storage.
Select Register.
Repeat the previous steps to register the
Microsoft.Network
resource provider.
Create a resource group
In the search box at the top of the portal, enter Resource group. Select Resource groups in the search results.
Select + Create.
On the Basics tab of Create a resource group, enter or select the following information:
Setting Value Project details Subscription Select subscription-1. Resource group Enter test-rg. Region Select (Asia Pacific) China East 2. Select Review + Create.
Select Create.
Create a storage account
Create an Azure Storage account for the steps in this article. If you already have a storage account, you can use it instead.
In the search box at the top of the portal, enter Storage account. Select Storage accounts in the search results.
Select + Create.
On the Basics tab of Create a storage account, enter or select the following information:
Setting Value Project Details Subscription Select your Azure subscription. Resource Group Select test-rg. Instance details Storage account name Enter storage1. If the name is unavailable, enter a unique name. Location Select (Asia Pacific) China North 3. Performance Leave the default Standard. Redundancy Select Locally-redundant storage (LRS). Select Review.
Select Create.
Obtain the storage account resource ID
You need the storage account resource ID to create the private endpoint connection in subscription-2. Use the following steps to obtain the storage account resource ID.
In the search box at the top of the portal, enter Storage account. Select Storage accounts in the search results.
Select storage1 or the name of your existing storage account.
In Settings, select Endpoints.
Copy the entry in Storage account resource ID.
Sign in to subscription-2
Sign in to subscription-2 in the Azure portal.
Register the resource providers for subscription-2
For the private endpoint connection to complete successfully, the Microsoft.Storage
and Microsoft.Network
resource providers must be registered in subscription-2. Use the following steps to register the resource providers. If the Microsoft.Storage
and Microsoft.Network
resource providers are already registered, skip this step.
Important
If you're using a different resource type, you must register the resource provider for that resource type if it's not already registered.
In the search box at the top of the portal, enter Subscription. Select Subscriptions in the search results.
Select subscription-2.
In Settings, select Resource providers.
In the Resource providers filter box, enter Microsoft.Storage. Select Microsoft.Storage.
Select Register.
Repeat the previous steps to register the
Microsoft.Network
resource provider.Create a virtual network
The following procedure creates a virtual network with a resource subnet.
In the portal, search for and select Virtual networks.
On the Virtual networks page, select + Create.
On the Basics tab of Create virtual network, enter or select the following information:
Setting Value Project details Subscription Select your subscription. Resource group Select Create new.
Enter test-rg in Name.
Select OK.Instance details Name Enter vnet-1. Region Select (Asia Pacific) China East 2. Select Next: IP Addresses to proceed to the IP Addresses tab.
In the address space box in Subnets, select the default subnet.
In Edit subnet, enter or select the following information:
Setting Value Subnet name Enter subnet-1. Subnet address range Enter 10.0.0.0/24. Select Save.
Select Review + create at the bottom of the screen, and when validation passes, select Create.
Create private endpoint
In the search box at the top of the portal, enter Private endpoint. Select Private endpoints.
Select + Create in Private endpoints.
On the Basics tab of Create a private endpoint, enter or select the following information:
Setting Value Project details Subscription Select subscription-2. Resource group Select test-rg. Instance details Name Enter private-endpoint. Network Interface Name Leave the default of private-endpoint-nic. Region Select (Asia Pacific) China East 2. Select Next: Resource.
Select Connect to an Azure resource by resource ID or alias.
In Resource ID or alias, paste the storage account resource ID that you copied earlier.
In Target sub-resource, enter blob.
Select Next: Virtual Network.
In Virtual Network, enter or select the following information:
Setting Value Networking Virtual network Select vnet-1 (test-rg). Subnet Select subnet-1. Select Next: DNS.
Select Next: Tags.
Select Review + Create.
Select Create.
Approve private endpoint connection
The private endpoint connection is in a Pending state until approved. Use the following steps to approve the private endpoint connection in subscription-1.
In the search box at the top of the portal, enter Private endpoint. Select Private endpoints.
Select Pending connections.
Select the box next to your storage account in subscription-1.
Select Approve.
Select Yes in Approve connection.
Next steps
In this article, you learned how to approve a private endpoint connection across subscriptions. To learn more about Azure Private Link, continue to the following articles: