Guide to Setting up Azure File Share and Connecting via Private Endpoint

Azure File Share is a managed file storage service in the cloud that provides the ability to mount file shares across your network or connect to them securely via private endpoints. Connecting through a private endpoint ensures that your data remains within your Virtual Network (VNet) without exposing it to the public internet.

This guide will walk you through the process of setting up Azure File Share and configuring a Private Endpoint connection.

Prerequisites

• Azure Subscription: You need an active Azure subscription.
• Azure Storage Account: You need a storage account to create an Azure file share.
• Virtual Network: A VNet where the Private Endpoint will be connected.
• Private DNS Zone: (Optional but recommended) for DNS resolution of the storage account via the private endpoint.

Step 1: Create an Azure Storage Account

1. Navigate to Azure Portal.
2. Search for Storage Accounts and click + Create.
3. Fill in the following details:
   • Subscription: Select the appropriate subscription.
   • Resource Group: Either select an existing resource group or create a new one.
   • Storage Account Name: Provide a unique name for the storage account.
   • Region: Select the region closest to your resources.
   • Performance: Select Standard or Premium based on your requirements.
   • Replication: Choose replication options (e.g., Locally-redundant storage (LRS)).

1. Click Review + Create, then Create.

Step 2: Create Azure File Share

1. After the storage account is created, go to Storage Accounts and select your newly created storage account.
2. In the storage account, under Data Storage, click File shares.

1. Click + File Share.

1. Enter the Name of the file share and specify Quota (optional).

1. Click Create.
2. Once Successfully created you can resize the File share by Clicking on “Edit Quota”.

Specify the new quote > then Ok.

Step 3: Create a Private Endpoint for the File Share

1. Navigate to your storage account.
2. On the left-hand panel, under Security + Networking, click on Networking.

1. Under the Private endpoint connections tab, click + Private endpoint.

1. Fill in the following details:
   • Subscription: Choose the subscription where your storage account resides.
   • Resource Group: Select the appropriate resource group.
   • Name: Give a name to your private endpoint.
   • Region: Select the same region as your storage account.

1. Under Resource, select Microsoft.Storage as the resource type, then choose File as the sub-resource.

1. Under Networking, choose the Virtual Network where the private endpoint will reside and select the appropriate Subnet.

1. Enable Private DNS Integration if you want Azure to handle the DNS resolution for your private endpoint. If not, you will have to manually configure DNS.

1. Click Review + Create, then Create.

Step 4: Configure Private DNS Zone (Optional)

If you chose not to enable automatic DNS integration, you can manually configure the DNS.

1. In the Azure Portal, search for Private DNS Zones and click + Create.
2. Create a DNS Zone with the name: privatelink.file.core.windows.net.
3. Link the DNS zone to your Virtual Network:
   • Navigate to your DNS zone.
   • Click Virtual Network Links and select + Add.
   • Select the appropriate VNet.
4. Create an A Record:
   • Add a new DNS record pointing to the private IP address of the Private Endpoint.
   • Name: <storage-account-name>.file.core.windows.net
   • Type: A
   • Value: The IP address from the private endpoint.

Step 5: Connect to Azure File Share via Private Endpoint

From Windows:

1. Install Azure File Sync Agent:
   • Ensure the Azure File Sync agent is installed on the client machine. Download from the following Link “https://www.microsoft.com/en-us/download/details.aspx?id=57159”
2. Map Azure File Share:
   • Open File Explorer on your Windows machine.
   • Right-click This PC and choose Map network drive.
   • In the Folder field, enter the following path:

\\<storage-account-name>.file.core.windows.net\<file-share-name>

• • Click Connect using different credentials and enter the storage account key when prompted.

1. Test the Connection:
   • After mapping the file share, verify that you can access it by browsing the network location. All traffic should route through the Private Endpoint.

Step 6: Monitoring and Verifying the Private Endpoint Connection

1. In the Storage Account, go to Private endpoint connections and ensure the connection status is Approved.
2. You can verify network traffic by checking the Network Security Group (NSG) logs, or by monitoring the traffic using Azure Monitor or Network Watcher.

Additional Considerations

• Network Security Groups: Ensure that your VNet’s NSG allows traffic to/from the private endpoint IP address.
• Data Encryption: Azure File Shares are encrypted at rest by default. Ensure that your traffic to the private endpoint is encrypted using SMB encryption.
• Private DNS Management: If you’re using your custom DNS server, ensure that the appropriate DNS zones are configured to resolve the private endpoint IP.

Conclusion

Setting up an Azure File Share with a Private Endpoint ensures secure and private access to your storage without exposing it to the public internet. By following this guide, you have created an Azure File Share, connected it via a Private Endpoint, and configured private DNS for secure communication within your Virtual Network.

Sharing is caring!