This sample demonstrates how to create a Linux Virtual Machine in a virtual network that privately accesses Azure File Share and an ADLS Gen 2 blob storage account using two Azure Private Endpoints. Azure Private Endpoint is a network interface that connects you privately and securely to a service powered by Azure Private Link. Private Endpoint uses a private IP address from your virtual network, effectively bringing the service into your virtual network. The service could be an Azure service such as Azure Storage, Azure Cosmos DB, SQL, etc. or your own Private Link Service. For more information, see What is Azure Private Link?. For more information on the DNS configuration of a private endpoint, see Azure Private Endpoint DNS configuration.
The following picture shows the architecture and network topology of the sample.
The ARM template deploys the following resources:
The PrivateDnsZoneGroup resource type establishes a relationship between the Private Endpoint and the privatelink.* Private DNS Zone used to resolve the fully qualified name of the resource referenced by the Private Endpoint.
The two storage accounts are accessed via different endpoints, so their private endpoints need different Private DNS Zones:
| Storage Service | Zone Name |
|---|---|
| Blob service | privatelink.blob.core.windows.net |
| File service | privatelink.file.core.windows.net |
For more information, see Use private endpoints for Azure Storage.
The ARM template uses the Azure Custom Script Extension to download and run the following Bash script on the virtual machine. The script performs the following steps:
```bash
#!/bin/bash
# Variables
fileServicePrimaryEndpoint=$1
blobServicePrimaryEndpoint=$2

# Parameters validation
if [[ -z $fileServicePrimaryEndpoint ]]; then
    echo "fileServicePrimaryEndpoint parameter cannot be null or empty"
    exit 1
fi

if [[ -z $blobServicePrimaryEndpoint ]]; then
    echo "blobServicePrimaryEndpoint parameter cannot be null or empty"
    exit 1
fi

# Eliminate debconf warnings
echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections

# Update the system
sudo apt-get update -y

# Upgrade packages
sudo apt-get upgrade -y

# Run nslookup to verify that the public hostname of the file service endpoint
# is properly mapped to the private address of the private endpoint
nslookup "$fileServicePrimaryEndpoint"

# Run nslookup to verify that the public hostname of the blob service endpoint
# is properly mapped to the private address of the private endpoint
nslookup "$blobServicePrimaryEndpoint"
```
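The script above only prints the nslookup result; whether the lookup actually went through the private endpoint still has to be read off the screen. The following script is an added example, not part of this sample's repository, that turns that manual inspection into a pass/fail check: it requires the CNAME chain to pass through the `privatelink.<service>.core.windows.net` zone from the table above and the final answer to be a private (RFC 1918) address. The storage account name `mystorage`, the addresses and the two embedded nslookup outputs are constructed placeholders; `168.63.129.16` is the Azure-provided recursive resolver a VNet VM normally uses.

```shell
#!/bin/bash
# Added example (not the sample's own script): verify that a storage account
# hostname resolves through the privatelink.* zone to a private address.
# Hostnames, addresses and sample outputs below are constructed placeholders.

# is_private_ipv4 <ip>: succeeds if ip is a well-formed RFC 1918 address
# (10/8, 172.16/12 or 192.168/16), the ranges a VNet private endpoint lives in.
is_private_ipv4() {
  local IFS=.
  set -- $1
  [ $# -eq 4 ] || return 1
  local o
  for o in "$@"; do
    case $o in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  if [ "$1" -eq 10 ]; then return 0; fi
  if [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then return 0; fi
  if [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then return 0; fi
  return 1
}

# check_private_resolution <hostname> <blob|file> <nslookup output>
# Succeeds only if (a) a "canonical name" line passes through
# privatelink.<service>.core.windows.net and (b) the final address is private.
check_private_resolution() {
  local host=$1 service=$2 output=$3
  local zone="privatelink.${service}.core.windows.net"
  local addr
  if ! printf '%s\n' "$output" | grep 'canonical name' | grep -qF "$zone"; then
    echo "FAIL: $host does not CNAME through $zone (Private DNS Zone not linked?)"
    return 1
  fi
  # Last "Address:" line that is not the resolver header (which carries "#53").
  addr=$(printf '%s\n' "$output" | awk '/^Address:/ && $2 !~ /#/ {a=$2} END {print a}')
  if [ -z "$addr" ]; then
    echo "FAIL: no address in the answer for $host"
    return 1
  fi
  if ! is_private_ipv4 "$addr"; then
    echo "FAIL: $host resolves to the public address $addr"
    return 1
  fi
  echo "OK: $host -> $zone -> $addr"
  return 0
}

# verify_endpoint <hostname> <blob|file>: runs nslookup on the VM and checks it.
verify_endpoint() {
  local out
  out=$(nslookup "$1" 2>&1) || { echo "FAIL: nslookup $1 failed"; return 1; }
  check_private_resolution "$1" "$2" "$out"
}

# Constructed sample of what nslookup prints inside the VNet when the
# privatelink.file.core.windows.net zone is linked to the virtual network.
SAMPLE_FILE_OUTPUT='Server:         168.63.129.16
Address:        168.63.129.16#53

Non-authoritative answer:
mystorage.file.core.windows.net canonical name = mystorage.privatelink.file.core.windows.net.
Name:   mystorage.privatelink.file.core.windows.net
Address: 10.0.1.4'

# Constructed sample of a misconfiguration: no Private DNS Zone link, so the
# name follows the public CNAME chain (EXAMPLE label is made up) to a public IP.
SAMPLE_PUBLIC_OUTPUT='Server:         168.63.129.16
Address:        168.63.129.16#53

Non-authoritative answer:
mystorage.blob.core.windows.net canonical name = blob.EXAMPLE.store.core.windows.net.
Name:   blob.EXAMPLE.store.core.windows.net
Address: 203.0.113.10'

# Usage on the VM: ./check-pe-dns.sh mystorage.file.core.windows.net file
if [ $# -ge 2 ]; then
  verify_endpoint "$1" "$2"
fi
```

Running the check for both endpoints from the Custom Script Extension, and failing the deployment when either returns non-zero, catches the most common mistake with this topology: the private endpoint exists, but the Private DNS Zone is not linked to the virtual network, so traffic silently leaves over the public endpoint.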
You can use the template.json ARM template and parameters.json file included in this repository to deploy the sample. Make sure to edit the parameters.json file to customize the installation. You can also use the deploy.sh Bash script under the scripts folder to deploy the ARM template. The following figure shows the resources deployed by the ARM template in the target resource group.
If you open an SSH session to the Linux virtual machine and manually run the nslookup command, you should see an output like the following: