See also - A Reusable Hub Spoke design on Azure. A Reusable Hub Spoke design on GCP.

Step 1 - Set up a private endpoint for the Azure Storage blob service

  1. Navigate to Private Link Center and select "Create private endpoint."
  2. Enter the subscription, resource group, and a name and region for the private endpoint.
  3. Select "Connect to an Azure resource in my directory," then select the subscription and "Microsoft.Storage/storageAccounts" as the resource type.
  4. Select the name of the target resource, and then specify the target sub-resource. For storage, this can be blob, blob_secondary, table, table_secondary, dfs, or dfs_secondary.
  5. Select the VNet and subnet the endpoint should be deployed to.

Step 2 - Block all traffic to the storage account's public endpoint

The private endpoint alone does not remove the public endpoint; the storage account is still reachable from the internet. On the storage account, select "Firewalls and virtual networks" in the sidebar. Under "Allow access from," select "Selected networks," then save your changes. Since no networks are whitelisted, no network is allowed to reach the storage account via the public endpoint.
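The same two steps scripted with the Azure CLI, as an added example that is not part of the original post. It goes one step further than the portal walkthrough: it also creates the privatelink.blob.core.windows.net private DNS zone and links it to the VNet, because without that the account name keeps resolving to the public address and clients never use the endpoint. It also adds a verification function that reads the live network rule set and confirms the public endpoint is closed. The subscription id, resource group, VNet, subnet and storage account names are placeholders; the DRY_RUN default of 1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: Azure CLI version of the two portal steps above, plus a check
# that the lock-down took effect. Not from the original post. Every name below
# (subscription id, resource group, VNet, subnet, storage account) is a placeholder.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
RG="${RG:-rg-hub}"
LOCATION="${LOCATION:-eastus}"
VNET="${VNET:-vnet-hub}"
SUBNET="${SUBNET:-snet-private-endpoints}"
STORAGE="${STORAGE:-stexample123}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the az commands instead of running them

# Print (dry run) or execute an az command.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'DRY-RUN: %s\n' "$*"
  else
    "$@"
  fi
}

# ARM resource id of the storage account (the private endpoint's target).
storage_resource_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s' \
    "$SUBSCRIPTION_ID" "$RG" "$STORAGE"
}

# Step 1: private endpoint for the "blob" sub-resource (use blob_secondary,
# table, table_secondary, dfs or dfs_secondary for the others) in the chosen
# VNet/subnet. The private DNS zone and zone group make
# <account>.blob.core.windows.net resolve to the endpoint's private IP from
# inside the VNet; without them clients keep using the public address.
create_private_endpoint() {
  run az network private-endpoint create -g "$RG" -n "pe-$STORAGE-blob" -l "$LOCATION" \
    --vnet-name "$VNET" --subnet "$SUBNET" \
    --private-connection-resource-id "$(storage_resource_id)" \
    --group-id blob --connection-name "plsc-$STORAGE-blob"
  run az network private-dns zone create -g "$RG" -n privatelink.blob.core.windows.net
  run az network private-dns link vnet create -g "$RG" -n "link-$VNET" \
    -z privatelink.blob.core.windows.net -v "$VNET" --registration-enabled false
  run az network private-endpoint dns-zone-group create -g "$RG" \
    --endpoint-name "pe-$STORAGE-blob" -n default \
    --private-dns-zone privatelink.blob.core.windows.net --zone-name blob
}

# Step 2: "Selected networks" with no rules is the same as default action Deny
# on the public endpoint. Disabling public network access entirely is stricter
# still: a later IP or VNet rule can no longer reopen the public endpoint.
lock_down_public_endpoint() {
  run az storage account update -g "$RG" -n "$STORAGE" --default-action Deny
  run az storage account update -g "$RG" -n "$STORAGE" --public-network-access Disabled
}

# Decide from one TSV line "<defaultAction> <ipRuleCount> <vnetRuleCount>"
# whether the public endpoint is fully closed: Deny and zero allow rules.
is_locked_down() {
  set -- $1
  [ $# -eq 3 ] || return 1
  [ "$1" = "Deny" ] && [ "$2" = "0" ] && [ "$3" = "0" ]
}

# Query the live account and feed the result to is_locked_down.
verify_lockdown() {
  state=$(az storage account show -g "$RG" -n "$STORAGE" -o tsv --query \
    "[networkRuleSet.defaultAction, length(networkRuleSet.ipRules), length(networkRuleSet.virtualNetworkRules)]")
  if is_locked_down "$state"; then
    echo "OK: public endpoint of $STORAGE is closed ($state)"
  else
    echo "WARNING: public endpoint of $STORAGE is still reachable ($state)" >&2
    return 1
  fi
}

case "${1:-}" in
  apply)  create_private_endpoint; lock_down_public_endpoint ;;
  verify) verify_lockdown ;;
esac
```

Run it as `DRY_RUN=0 sh lockdown.sh apply` after `az login`, then `DRY_RUN=0 sh lockdown.sh verify`. A second, independent check is DNS: from a VM inside the VNet, `nslookup <account>.blob.core.windows.net` should now return the endpoint's private address; from outside it still resolves to the public IP, but requests there are rejected because the default action is Deny.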

Summary

Blocking public access to a storage account is a two-step process: create the private endpoint, then deny all access to the public endpoint. The result is a smaller attack surface and simplified routing.

Need an experienced Cloud Security Expert?
Anuj has successfully delivered over a dozen deployments on each of the public clouds (AWS/GCP/Azure) including several DevSecOps engagements. Set up a time with Anuj Varma.