How do I set up Azure Blob storage with no public access and a private endpoint for a WebApp VNet?
In this guide, we will set up an Azure Blob Storage account with no public access and configure a private endpoint within a WebApp VNet using Pulumi. This setup ensures that the storage account is only accessible within the specified VNet, enhancing security by preventing public access.
Key Points:
- Azure Storage Account: A secure blob storage account with private access.
- Virtual Network (VNet): A network for isolating resources.
- Subnet: A segment within the VNet for the private endpoint.
- Private Endpoint: A private link to the storage account within the VNet.
- WebApp: An example web application within the VNet.
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure-native";

// Create a resource group
const resourceGroup = new azure.resources.ResourceGroup("resourceGroup", {
    location: "WestUS",
});

// Create a virtual network
const vnet = new azure.network.VirtualNetwork("vnet", {
    resourceGroupName: resourceGroup.name,
    location: resourceGroup.location,
    addressSpace: { addressPrefixes: ["10.0.0.0/16"] },
});

// Subnet that hosts the private endpoint; private endpoint network policies are
// disabled so the endpoint's NIC can be placed in it
const subnet = new azure.network.Subnet("subnet", {
    resourceGroupName: resourceGroup.name,
    virtualNetworkName: vnet.name,
    addressPrefix: "10.0.1.0/24",
    privateEndpointNetworkPolicies: "Disabled",
});

// Separate subnet for the web app's regional VNet integration: it must be delegated
// to Microsoft.Web/serverFarms and cannot also hold the private endpoint.
// dependsOn serialises the two subnet operations on the same VNet.
const integrationSubnet = new azure.network.Subnet("integrationSubnet", {
    resourceGroupName: resourceGroup.name,
    virtualNetworkName: vnet.name,
    addressPrefix: "10.0.2.0/24",
    delegations: [{
        name: "webAppDelegation",
        serviceName: "Microsoft.Web/serverFarms",
    }],
}, { dependsOn: [subnet] });

// Storage account with no public access: public endpoint disabled, firewall default
// Deny, anonymous blob access off, HTTPS with TLS 1.2 required
const storageAccount = new azure.storage.StorageAccount("storageAccount", {
    resourceGroupName: resourceGroup.name,
    location: resourceGroup.location,
    sku: { name: "Standard_LRS" },
    kind: "StorageV2",
    publicNetworkAccess: "Disabled",
    allowBlobPublicAccess: false,
    enableHttpsTrafficOnly: true,
    minimumTlsVersion: "TLS1_2",
    networkRuleSet: {
        defaultAction: "Deny",
        bypass: "AzureServices",
    },
});

// Private endpoint that gives the blob service a NIC inside the VNet
const privateEndpoint = new azure.network.PrivateEndpoint("privateEndpoint", {
    resourceGroupName: resourceGroup.name,
    location: resourceGroup.location,
    subnet: { id: subnet.id },
    privateLinkServiceConnections: [{
        name: "storageConnection",
        privateLinkServiceId: storageAccount.id,
        groupIds: ["blob"],
    }],
});

// Private DNS zone linked to the VNet, so <account>.blob.core.windows.net resolves to
// the private endpoint IP from inside the VNet; without it clients resolve the public
// IP, which the account now rejects
const dnsZone = new azure.privatedns.PrivateZone("blobPrivateDnsZone", {
    resourceGroupName: resourceGroup.name,
    privateZoneName: "privatelink.blob.core.windows.net",
    location: "global",
});

const dnsLink = new azure.privatedns.VirtualNetworkLink("blobDnsLink", {
    resourceGroupName: resourceGroup.name,
    privateZoneName: dnsZone.name,
    location: "global",
    virtualNetwork: { id: vnet.id },
    registrationEnabled: false,
});

// Registers the endpoint's A record in the zone automatically
const dnsZoneGroup = new azure.network.PrivateDnsZoneGroup("blobDnsZoneGroup", {
    resourceGroupName: resourceGroup.name,
    privateEndpointName: privateEndpoint.name,
    privateDnsZoneConfigs: [{
        name: "blob",
        privateDnsZoneId: dnsZone.id,
    }],
});

// App Service plan; regional VNet integration needs Basic or higher
const appServicePlan = new azure.web.AppServicePlan("appServicePlan", {
    resourceGroupName: resourceGroup.name,
    location: resourceGroup.location,
    sku: { name: "B1", tier: "Basic" },
});

// Web app integrated into the VNet through the delegated subnet. With vnetRouteAllEnabled
// all outbound traffic is routed into the VNet, so blob requests reach the private
// endpoint. The inbound restriction admits only the private endpoint subnet; all other
// inbound traffic is rejected by the implicit deny rule.
const webApp = new azure.web.WebApp("webApp", {
    resourceGroupName: resourceGroup.name,
    location: resourceGroup.location,
    serverFarmId: appServicePlan.id,
    httpsOnly: true,
    virtualNetworkSubnetId: integrationSubnet.id,
    siteConfig: {
        vnetRouteAllEnabled: true,
        ipSecurityRestrictions: [{
            ipAddress: "10.0.1.0/24",
            action: "Allow",
            priority: 100,
            name: "AllowSubnet",
        }],
    },
});

// Export the resource group and storage account names
export const resourceGroupName = resourceGroup.name;
export const storageAccountName = storageAccount.name;
Summary:
We have successfully set up an Azure Blob Storage account with no public access and a private endpoint within a WebApp VNet using Pulumi. This configuration enhances the security of the storage account by limiting access to the specified VNet.
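As an added example (not part of the original guide or of Pulumi's code), the following standalone TypeScript audit function reports why a storage account is still reachable from outside its VNet, using the field names of the `properties` object returned by `az storage account show`. The two sample accounts, the placeholder resource id and the 203.0.113.0/24 range are constructed for the example.

```typescript
// Added example, not part of the original guide: a standalone audit function that
// reports why a storage account is still reachable from outside its VNet. The input
// mirrors the "properties" object of `az storage account show`; samples are constructed.

interface StorageAccountProps {
  publicNetworkAccess?: "Enabled" | "Disabled";
  allowBlobPublicAccess?: boolean;
  networkAcls?: { defaultAction: "Allow" | "Deny"; ipRules?: { value: string }[] };
  privateEndpointConnections?: { id: string }[];
}

function exposureFindings(p: StorageAccountProps): string[] {
  const findings: string[] = [];
  // Only an explicit "Disabled" closes the public endpoint; otherwise the
  // account firewall (networkAcls) decides who gets in from the internet.
  if (p.publicNetworkAccess !== "Disabled") {
    const acls = p.networkAcls;
    if (!acls || acls.defaultAction !== "Deny") {
      findings.push("public endpoint open: networkAcls.defaultAction is not Deny");
    } else if ((acls.ipRules?.length ?? 0) > 0) {
      findings.push(`public endpoint reachable from ${acls.ipRules!.length} allow-listed IP range(s)`);
    }
  }
  // Anonymous container/blob access is a separate switch from the firewall.
  if (p.allowBlobPublicAccess !== false) {
    findings.push("anonymous blob access not disabled at account level");
  }
  // With the public endpoint closed, a private endpoint is the only data path.
  if ((p.privateEndpointConnections?.length ?? 0) === 0) {
    findings.push("no private endpoint connection: VNet clients have no private path");
  }
  return findings;
}

// Constructed sample: public endpoint disabled, one private endpoint attached.
const lockedDown: StorageAccountProps = {
  publicNetworkAccess: "Disabled",
  allowBlobPublicAccess: false,
  networkAcls: { defaultAction: "Deny" },
  privateEndpointConnections: [{ id: "/subscriptions/<sub-id>/.../pe-blob" }],
};

// Constructed sample: firewall Deny with one office range allow-listed, no private endpoint.
const firewallOnly: StorageAccountProps = {
  publicNetworkAccess: "Enabled",
  allowBlobPublicAccess: false,
  networkAcls: { defaultAction: "Deny", ipRules: [{ value: "203.0.113.0/24" }] },
};

console.log(exposureFindings(lockedDown), exposureFindings(firewallOnly));
```

Run it over the JSON of `az storage account show` for each account in a subscription to spot the common half-locked state where the firewall is set to Deny but the public endpoint is still enabled.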