Configure network endpoints for accessing Azure file shares

Azure Files provides two main types of endpoints for accessing Azure file shares:

  • Public endpoints, which have a public IP address and can be accessed from anywhere in the world.
  • Private endpoints, which exist within a virtual network and have a private IP address from within the address space of that virtual network.

Public and private endpoints exist on the Azure storage account. A storage account is a management construct that represents a shared pool of storage in which you can deploy multiple file shares, as well as other storage resources, such as blob containers or queues.

This article focuses on how to configure a storage account's endpoints for accessing the Azure file share directly. Much of this article also applies to how Azure File Sync interoperates with public and private endpoints for the storage account. For more information about networking considerations for Azure File Sync, see configuring Azure File Sync proxy and firewall settings.

We recommend reading Azure Files networking considerations before reading this guide.

Applies to

File share type SMB NFS
Standard file shares (GPv2), LRS/ZRS Yes No
Standard file shares (GPv2), GRS/GZRS Yes No
Premium file shares (FileStorage), LRS/ZRS Yes Yes

Prerequisites

  • This article assumes that you already created an Azure subscription. If you don't already have a subscription, then create a trial account before you begin.
  • This article assumes that you already created an Azure file share in a storage account that you want to connect to from on-premises. To learn how to create an Azure file share, see Create an Azure file share.
  • If you intend to use Azure PowerShell, install the latest version.
  • If you intend to use the Azure CLI, install the latest version.

Endpoint configurations

You can configure your endpoints to restrict network access to your storage account. There are two approaches to restricting access to a storage account to a virtual network:

Create a private endpoint

When you create a private endpoint for your storage account, the following Azure resources are deployed:

  • A private endpoint: An Azure resource representing the storage account's private endpoint. You can think of this as a resource that connects a storage account and a network interface.
  • A network interface (NIC): The network interface that maintains a private IP address within the specified virtual network/subnet. This is the exact same resource that gets deployed when you deploy a virtual machine (VM), however instead of being assigned to a VM, it's owned by the private endpoint.
  • A private Domain Name System (DNS) zone: If you haven't deployed a private endpoint for this virtual network before, a new private DNS zone will be deployed for your virtual network. A DNS A record will also be created for the storage account in this DNS zone. If you've already deployed a private endpoint in this virtual network, a new A record for the storage account will be added to the existing DNS zone. Deploying a DNS zone is optional. However, it's highly recommended, and required if you're mounting your Azure file shares with an AD service principal or using the FileREST API.

Navigate to the storage account for which you would like to create a private endpoint. In the table of contents for the storage account, select Networking, Private endpoint connections, and then + Private endpoint to create a new private endpoint.

Screenshot of the private endpoint connections item in the storage account table of contents.

The resulting wizard has multiple pages to complete.

In the Basics blade, select the desired subscription, resource group, name, and region for your private endpoint. These can be whatever you want, they don't have to match the storage account in any way, although you must create the private endpoint in the same region as the virtual network you wish to create the private endpoint in. Then select Next: Resource.

Screenshot showing how to provide the project and instance details for a new private endpoint.

In the Resource blade, select file for the target sub-resource. Then select Next: Virtual Network.

Screenshot showing how to select which resource you would like to connect to using the new private endpoint.

The Virtual Network blade allows you to select the specific virtual network and subnet you would like to add your private endpoint to. Select dynamic or static IP address allocation for the new private endpoint. If you select static, you'll also need to provide a name and a private IP address. The DNS section contains the information for integrating your private endpoint with a private DNS zone. Make sure the subscription and resource group are correct, then select Next: Tags.

Screenshot showing how to provide virtual network, subnet, and IP address details for the new private endpoint.

You can optionally apply tags to categorize your resources, such as applying the name Environment and the value Test to all testing resources. Enter name/value pairs if desired, and then select Next: Review + create.

Screenshot showing how to optionally tag your private endpoint with name/value pairs for easy categorization.

Click Review + create to create the private endpoint.

Verify connectivity

If you have a VM inside of your virtual network, or you've configured DNS forwarding as described in Configuring DNS forwarding for Azure Files, you can test that your private endpoint is set up correctly. Run the following commands from PowerShell, the command line, or the terminal (works for Windows, Linux, or macOS). You must replace <storage-account-name> with the appropriate storage account name:

nslookup <storage-account-name>.file.core.chinacloudapi.cn

If successful, you should see the following output, where 192.168.0.5 is the private IP address of the private endpoint in your virtual network (output shown for Windows):

Server:  UnKnown
Address:  10.2.4.4

Non-authoritative answer:
Name:    storageaccount.privatelink.file.core.chinacloudapi.cn
Address:  192.168.0.5
Aliases:  storageaccount.file.core.chinacloudapi.cn

Restrict public endpoint access

Limiting public endpoint access first requires you to disable general access to the public endpoint. Disabling access to the public endpoint does not impact private endpoints. After the public endpoint is disabled, you can select specific networks or IP addresses that may continue to access it. In general, most firewall policies for a storage account restrict networking access to one or more virtual networks.

Disable access to the public endpoint

When access to the public endpoint is disabled, the storage account can still be accessed through its private endpoints. Otherwise valid requests to the storage account's public endpoint will be rejected, unless they are from a specifically allowed source.

Navigate to the storage account for which you would like to restrict all access to the public endpoint. In the table of contents for the storage account, select Networking.

At the top of the page, select the Enabled from selected virtual networks and IP addresses radio button. This will un-hide a number of settings for controlling the restriction of the public endpoint. Select Allow Azure services on the trusted services list to access this storage account to allow trusted first party Microsoft services such as Azure File Sync to access the storage account.

Screenshot of the Networking blade with the required settings to disable access to the storage account public endpoint.

Restrict access to the public endpoint to specific virtual networks

When you restrict the storage account to specific virtual networks, you're allowing requests to the public endpoint from within the specified virtual networks. This works by using a capability of the virtual network called service endpoints. This can be used with or without private endpoints.

Navigate to the storage account for which you would like to restrict the public endpoint to specific virtual networks. In the table of contents for the storage account, select Networking.

At the top of the page, select the Enabled from selected virtual networks and IP addresses radio button. This will un-hide a number of settings for controlling the restriction of the public endpoint. Select +Add existing virtual network to select the specific virtual network that should be allowed to access the storage account via the public endpoint. Select a virtual network and a subnet for that virtual network, and then select Enable.

Select Allow Azure services on the trusted services list to access this storage account to allow trusted first party Microsoft services such as Azure File Sync to access the storage account.

Screenshot of the Networking blade with a specific virtual network allowed to access the storage account via the public endpoint.

See also