Edit

Configure network endpoints for accessing Azure file shares

✔️ Applies to: Classic file shares created with the Microsoft.Storage resource provider

✔️ Applies to: File shares created with the Microsoft.FileShares resource provider

Azure Files provides two main types of endpoints for accessing Azure file shares:

  • Public endpoints, which have a public IP address and you can access from anywhere in the world.
  • Private endpoints, which exist within a virtual network and have a private IP address from within the address space of that virtual network.

For classic file shares (created with the Microsoft.Storage resource provider), the Azure storage account has public and private endpoints. For file shares created with the Microsoft.FileShares resource provider, you create public and private endpoints at the file share level rather than the storage account level.

This article focuses on how to configure a private endpoint for accessing the Azure file share directly. Much of this article also applies to how Azure File Sync interoperates with public and private endpoints for the storage account. For more information about networking considerations for Azure File Sync, see configure Azure File Sync proxy and firewall settings.

Before reading this guide, review Azure Files networking considerations.

Prerequisites

Create and configure endpoints

You can configure your endpoints to restrict network access to your storage account and file shares. To restrict access to a virtual network, use one of the following approaches:

  • Create one or more private endpoints and restrict all access to the public endpoint (recommended). This approach ensures that only traffic originating from within the desired virtual networks can access the Azure file shares. See Private Link cost.
  • Restrict the public endpoint to one or more virtual networks. This approach uses a capability of the virtual network called service endpoints. When you restrict the traffic to a storage account through a service endpoint, you're accessing the storage account or file share through the public IP address, but access is only possible from the locations you specify in your configuration.

Create a private endpoint

When you create a private endpoint for your file shares, you deploy the following Azure resources:

  • A private endpoint: An Azure resource that represents the private endpoint. You can think of this resource as a connector between a target resource and a network interface.
  • A network interface (NIC): The network interface that maintains a private IP address within the specified virtual network and subnet. This resource is the same as the one you deploy when you deploy a virtual machine (VM). However, instead of assigning it to a VM, the private endpoint owns it.
  • A private Domain Name System (DNS) zone: If you didn't previously deploy a private endpoint for this virtual network, a new private DNS zone is deployed for your virtual network. A DNS record is also created in this DNS zone. If you already deployed a private endpoint in this virtual network, a new record is added to the existing DNS zone. Deploying a DNS zone is optional. However, it's highly recommended, and required if you're mounting your Azure file shares with an AD service principal or using the FileREST API.

Note

This article uses the DNS suffix for the Azure public regions, core.windows.net. This commentary also applies to Azure Sovereign clouds such as the Azure US Government cloud and the Azure operated by 21Vianet cloud. Just substitute the appropriate suffixes for your environment.

Classic vs. new file share experience

The private endpoint creation process differs slightly depending on whether you're using classic file shares or the new file share model. For classic file shares, you create a private endpoint for the storage account that contains the file shares. For file shares created with Microsoft.FileShares, you create a private endpoint for the file share itself.

Many of the steps are identical for both experiences. Only the resource reference, group ID, and DNS record name differ, as shown in the following table.

Classic file shares (Microsoft.Storage) New file shares (Microsoft.FileShares)
Private endpoint target Storage account File share
Resource cmdlet Get-AzStorageAccount Get-AzFileShare
Group ID (sub-resource) file FileShare
DNS A record name Storage account name Host name prefix (for example, fs-xxxxxxxxxxxxxxxxx)

Go to the resource group where you want to create a private endpoint. Select + Create and search for Private Endpoint. Select the private endpoint resource, and then select Create.

The wizard has multiple pages to complete.

In the Basics page, select the subscription, resource group, name, network interface name, and region for your private endpoint. You must create the private endpoint in the same region as the virtual network you want to create the private endpoint in. Then select Next: Resource.

Screenshot showing how to provide the project and instance details for a new private endpoint.

If you're using classic file shares in a storage account:

On the Resource page, select Microsoft.Storage/storageAccounts from the drop-down menu for Resource type. For Resource, select the specific storage account you want to connect to. For Target sub-resource, select file. Then select Next: Virtual Network.

Screenshot showing how to select the resource type, resource, and target sub-resource for the new private endpoint.

If you're using file shares created with the Microsoft.FileShares resource provider:

On the Resource page, select Microsoft.FileShares/fileShares from the drop-down menu for Resource type. For Resource, select the specific file share you want to connect to. The target sub-resource auto-populates with FileShare. Then select Next: Virtual Network.

The Virtual Network page allows you to select the specific virtual network and subnet you want to add your private endpoint to. Select dynamic or static IP address allocation for the new private endpoint. If you select static, you also need to provide a name and a private IP address. You can also optionally specify an application security group. When you're finished, select Next: DNS.

Screenshot showing how to provide virtual network, subnet, and IP address details for the new private endpoint.

The DNS page contains the information for integrating your private endpoint with a private DNS zone. Make sure the subscription and resource group are correct, and then select Next: Tags.

Screenshot showing how to integrate your private endpoint with a private DNS zone.

You can optionally apply tags to categorize your resources, such as applying the name Environment and the value Test to all testing resources. Enter name/value pairs if desired, and then select Next: Review + create.

Screenshot showing how to optionally tag your private endpoint with name/value pairs for easy categorization.

Select Create to create the private endpoint.

Verify connectivity

If you have a VM inside your virtual network, or you configured DNS forwarding as described in Configuring DNS forwarding for Azure Files, you can test that your private endpoint is set up correctly. Run the following commands from PowerShell, the command line, or the terminal (works for Windows, Linux, or macOS).

For classic file shares, replace <storage-account-name> with the appropriate storage account name:

nslookup <storage-account-name>.file.core.windows.net

For file shares created with the Microsoft.FileShares resource provider, use the file share's host name. In the overview tab of the file share, select JSON view from the upper right. In the JSON view, under properties, copy the value for hostName. The format looks like fs-xxxxxxxxxxxxxxxxx.xx.file.storage.azure.net.

nslookup <file-share-host-name>

If successful, you see output similar to the following, where 192.168.0.5 is the private IP address of the private endpoint in your virtual network (output shown for Windows).

For classic file shares:

Server:  UnKnown
Address:  10.2.4.4

Non-authoritative answer:
Name:    storageaccount.privatelink.file.core.windows.net
Address:  192.168.0.5
Aliases:  storageaccount.file.core.windows.net

For file shares created with the Microsoft.FileShares resource provider:

Server:  UnKnown
Address:  10.2.4.4

Non-authoritative answer:
Name:    <hostNamePrefix>.privatelink.file.core.windows.net
Address:  192.168.0.5
Aliases:  <hostNamePrefix>.<zone>.file.storage.azure.net

Restrict public endpoint access

To limit public endpoint access, first disable general access to the public endpoint. Disabling access to the public endpoint doesn't affect private endpoints. After you disable the public endpoint, select specific networks or IP addresses that can continue to access it. In general, most firewall policies for a storage account restrict networking access to one or more virtual networks.

You can also use a network security perimeter to centrally manage inbound and outbound access rules.

Disable access to the public endpoint

When you disable public network access, you restrict inbound access while allowing outbound access. You can still access the storage account through its private endpoints. Otherwise, requests to the storage account's public endpoint are rejected, unless they're from a specifically allowed source.

To disable public network access for classic file shares, follow these steps:

  1. Go to the storage account where you want to restrict all inbound access to the public endpoint.
  2. From the service menu, under Security + networking, select Networking.
  3. Under Public network access, select Manage.
  4. Select Disable, and then select Proceed.
  5. Select Save.

Screenshot showing how to disable public network access for a storage account.

For file shares created with the Microsoft.FileShares resource provider:

Go to the file share where you want to disable public access. In the service menu, under Settings, select Configuration. Set Public network access to Disabled, and then select Save.

Restrict access to the public endpoint to specific networks

When you restrict access to the public endpoint to specific networks, you allow requests to the public endpoint from within specified virtual networks or IP addresses. This restriction works by using a capability called service endpoints. You can use service endpoints with or without private endpoints.

For classic file shares, follow these steps to restrict the public endpoint to specific networks.

  1. Go to the storage account where you want to restrict the public endpoint to specific networks.
  2. From the service menu, under Security + networking, select Networking.
  3. Under Public network access scope, select Enable from selected networks. This selection reveals a number of settings for controlling the restriction of the public endpoint.
  4. Under Virtual networks, select Add a virtual network > Add existing virtual network to select the virtual network that should be allowed to access the storage account through the public endpoint. Select a virtual network and a subnet for that virtual network, and then select Enable. If you want to create a new virtual network for this purpose, select Add a virtual network > Add new virtual network, provide the details, and then select Create.
  5. Under IPv4 Addresses, specify any public internet IP addresses that you want to be able to access the storage account.
  6. Select the Allow trusted Microsoft services to access this resource checkbox to allow trusted first-party Microsoft services such as Azure File Sync to access the storage account.
  7. Select Save.

Screenshot showing how to restrict the public endpoint to specific networks.

For file shares created with the Microsoft.FileShares resource provider:

Go to the file share where you want to restrict public access. From the service menu, under Settings, select Configuration. Under Public network access, select Enabled from selected virtual networks, add the virtual networks and subnets allowed to access the share, and select Save.

See also