Creating a Private Endpoint
Overview
If SFTP Gateway runs in a private network with no outbound internet access, you need a private endpoint to your storage account before you can create a valid Azure Cloud Connection in SFTP Gateway.
This article goes over the procedure for creating a private endpoint to your storage account in the Azure portal.
Creating the Endpoint
In the Azure portal, search for and click into the Private endpoints resource. You should now be in the Private Link Center.
Click the +Create button to create a new private endpoint.
You will now be under the Basics tab.
Select the resource group in which you want your endpoint located; it can be the same resource group as your storage account.
You also need to give your endpoint a name; to keep things simple I chose dyspro-endpoint, since my storage account's name is dyspro.
Under the Resource tab, you will configure what resource you're connecting to. In this case that would be your storage account.
You can leave the connection method as is.
Under the drop-down for the Resource type, search for and select Microsoft.Storage/storageAccounts.
Next, select the storage account you're using for the Resource value.
Finally, under the Target sub-resource, select the blob value.
Next, you will need to configure the Virtual Network tab.
Choose the Virtual network and the Subnet that your virtual machine is deployed into. You may have to go back and change the region so that your vnet will show up under the dropdown menu.
You can leave the Private IP configuration as Dynamically allocate IP address.
Under the DNS tab, select No for Integrate with private DNS zone, unless you're using your own DNS server instead of Microsoft's. Then, if you like, add a tag for your private endpoint. Finally, under the Review + Create tab, create your private endpoint.
Note: When you create the private endpoint, the CNAME entry for your storage account in Microsoft's Dynamic DNS will change, pointing to the NIC's private IP instead of the Blob Storage service's public endpoint. So it could look like this, for example:
blob.mnz22prdstr02b.store.core.windows.net (52.239.221.4) ---> dyspro.privatelink.blob.core.windows.net (10.1.0.7)
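The same procedure as an added example, not part of the original article and not SFTP Gateway's own tooling: the portal tabs above driven from the Azure CLI in one `az network private-endpoint create` call, followed by a check you can run on the SFTP Gateway VM to confirm the blob hostname now resolves to the private endpoint's NIC address as the note describes. The storage account and endpoint names (dyspro, dyspro-endpoint) are the ones used in the article; the resource group, region, vnet and subnet names are assumed placeholders, and the `dig` output fed to the check is only constructed in the test.

```shell
#!/bin/sh
# Added example (not from the article). Resource names below are assumptions
# except dyspro / dyspro-endpoint, which the article uses. Requires `az login`.
set -eu

RESOURCE_GROUP="${RESOURCE_GROUP:-sftpgw-rg}"        # assumed
LOCATION="${LOCATION:-eastus}"                       # assumed; must match the vnet's region
STORAGE_ACCOUNT="${STORAGE_ACCOUNT:-dyspro}"         # storage account name from the article
ENDPOINT_NAME="${ENDPOINT_NAME:-dyspro-endpoint}"    # endpoint name from the article
VNET_NAME="${VNET_NAME:-sftpgw-vnet}"                # assumed: the vnet the VM is deployed into
SUBNET_NAME="${SUBNET_NAME:-default}"                # assumed: the VM's subnet

# Basics, Resource and Virtual Network tabs in one call. The "blob" target
# sub-resource is --group-id. No private DNS zone group is created, which
# matches choosing "No" under the DNS tab.
create_private_endpoint() {
    storage_id=$(az storage account show \
        --name "$STORAGE_ACCOUNT" --resource-group "$RESOURCE_GROUP" \
        --query id --output tsv)
    az network private-endpoint create \
        --name "$ENDPOINT_NAME" \
        --resource-group "$RESOURCE_GROUP" \
        --location "$LOCATION" \
        --vnet-name "$VNET_NAME" \
        --subnet "$SUBNET_NAME" \
        --private-connection-resource-id "$storage_id" \
        --group-id blob \
        --connection-name "${ENDPOINT_NAME}-conn"
}

# Returns 0 if the IPv4 address is in an RFC 1918 range (10/8, 172.16/12, 192.168/16).
is_private_ipv4() {
    case "$1" in
        10.*) return 0 ;;
        192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads the lines printed by `dig +short <host>` on stdin (CNAME chain first,
# final address last) and prints "private", "public" or "unresolved".
classify_resolution() {
    last=""
    while IFS= read -r line; do
        [ -n "$line" ] && last="$line"
    done
    if [ -z "$last" ]; then
        echo unresolved
        return 0
    fi
    if is_private_ipv4 "$last"; then echo private; else echo public; fi
}

# Run on the VM after creating the endpoint: "private" means blob traffic
# from this network will go to the endpoint NIC, not the public service IP.
check_blob_endpoint() {
    host="${STORAGE_ACCOUNT}.blob.core.windows.net"
    dig +short "$host" | classify_resolution
}
```

Source the file, run `create_private_endpoint` once, then run `check_blob_endpoint` from the SFTP Gateway VM; if it prints "public", the VM is not resolving through a DNS path that knows about the endpoint (for example, a wrong vnet or region on the Virtual Network tab), and the Azure Cloud Connection would still try to reach the public endpoint.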