Azure CLI - Restrict import/export access for managed disks with Private Links
Applies to: ✔️ Linux VMs ✔️ Flexible scale sets
You can use private endpoints to restrict the export and import of managed disks and securely access data over a Private Link from clients on your Azure virtual network. The private endpoint uses an IP address from the virtual network address space for your managed disks service. Network traffic between clients on their virtual network and managed disks only traverses over the virtual network and a private link on the Microsoft backbone network, eliminating exposure from the public internet.
To use Private Links to export/import managed disks, first you create a disk access resource and link it to a virtual network in the same subscription by creating a private endpoint. Then, associate a disk or a snapshot with an instance of disk access. Finally, set the NetworkAccessPolicy property of the disk or the snapshot to AllowPrivate
. This will limit access to your virtual network.
You can set the NetworkAccessPolicy property to DenyAll
to prevent anybody from exporting data of a disk or a snapshot. The default value for the NetworkAccessPolicy property is AllowAll
.
Limitations
- You can't import or export more than five disks or snapshots at the same time with the same disk access object.
- You can't upload to a disk with both a disk access object and a disk encryption set.
Log in into your subscription and set your variables
subscriptionId=yourSubscriptionId
resourceGroupName=yourResourceGroupName
region=northcentralus
diskAccessName=yourDiskAccessForPrivateLinks
vnetName=yourVNETForPrivateLinks
subnetName=yourSubnetForPrivateLinks
privateEndPointName=yourPrivateLinkForSecureMDExportImport
privateEndPointConnectionName=yourPrivateLinkConnection
#The name of an existing disk which is the source of the snapshot
sourceDiskName=yourSourceDiskForSnapshot
#The name of the new snapshot which will be secured via Private Links
snapshotNameSecuredWithPL=yourSnapshotNameSecuredWithPL
az login
az account set --subscription $subscriptionId
Create a disk access using Azure CLI
az disk-access create -n $diskAccessName -g $resourceGroupName -l $region
diskAccessId=$(az disk-access show -n $diskAccessName -g $resourceGroupName --query [id] -o tsv)
Create a Virtual Network
Network policies like network security groups (NSG) are not supported for private endpoints. In order to deploy a Private Endpoint on a given subnet, an explicit disable setting is required on that subnet.
az network vnet create --resource-group $resourceGroupName \
--name $vnetName \
--subnet-name $subnetName
Disable subnet private endpoint policies
Azure deploys resources to a subnet within a virtual network, so you need to update the subnet to disable private endpoint network policies.
az network vnet subnet update --resource-group $resourceGroupName \
--name $subnetName \
--vnet-name $vnetName \
--disable-private-endpoint-network-policies true
Create a private endpoint for the disk access object
az network private-endpoint create --resource-group $resourceGroupName \
--name $privateEndPointName \
--vnet-name $vnetName \
--subnet $subnetName \
--private-connection-resource-id $diskAccessId \
--group-ids disks \
--connection-name $privateEndPointConnectionName
Configure the Private DNS Zone
Create a Private DNS Zone for Storage blob domain, create an association link with the Virtual Network and create a DNS Zone Group to associate the private endpoint with the Private DNS Zone.
az network private-dns zone create --resource-group $resourceGroupName \
--name "privatelink.blob.core.windows.net"
az network private-dns link vnet create --resource-group $resourceGroupName \
--zone-name "privatelink.blob.core.windows.net" \
--name yourDNSLink \
--virtual-network $vnetName \
--registration-enabled false
az network private-endpoint dns-zone-group create \
--resource-group $resourceGroupName \
--endpoint-name $privateEndPointName \
--name yourZoneGroup \
--private-dns-zone "privatelink.blob.core.windows.net" \
--zone-name disks
Create a disk protected with Private Links
resourceGroupName=yourResourceGroupName
region=northcentralus
diskAccessName=yourDiskAccessName
diskName=yourDiskName
diskSkuName=Standard_LRS
diskSizeGB=128
diskAccessId=$(az resource show -n $diskAccessName -g $resourceGroupName --namespace Microsoft.Compute --resource-type diskAccesses --query [id] -o tsv)
az disk create -n $diskName \
-g $resourceGroupName \
-l $region \
--size-gb $diskSizeGB \
--sku $diskSkuName \
--network-access-policy AllowPrivate \
--disk-access $diskAccessId
Create a snapshot of a disk protected with Private Links
resourceGroupName=yourResourceGroupName
region=northcentralus
diskAccessName=yourDiskAccessName
sourceDiskName=yourSourceDiskForSnapshot
snapshotNameSecuredWithPL=yourSnapshotName
diskId=$(az disk show -n $sourceDiskName -g $resourceGroupName --query [id] -o tsv)
diskAccessId=$(az resource show -n $diskAccessName -g $resourceGroupName --namespace Microsoft.Compute --resource-type diskAccesses --query [id] -o tsv)
az snapshot create -n $snapshotNameSecuredWithPL \
-g $resourceGroupName \
-l $region \
--source $diskId \
--network-access-policy AllowPrivate \
--disk-access $diskAccessId
Next steps
- Upload a VHD to Azure or copy a managed disk to another region - Azure CLI or Azure PowerShell module
- Download a VHD - Windows or Linux
- FAQ on Private Links
- Export/Copy managed snapshots as VHD to a storage account in different region with CLI
Feedback
https://aka.ms/ContentUserFeedback.
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see:Submit and view feedback for