Microsoft AzureOverview
Use private endpoints for your Azure Storage accounts to allow clients and services to securely access data located over a network via an encrypted Private Link. The private endpoint uses an IP address from the VNet for each service to do this. Network traffic between disparate services securely traverses and is encrypted over the VNet. This VNet can also link addressing space, extend your network, and access resources. Similarly, it can be a tunnel through public networks to connect remote infrastructures. This creates further security by segmenting network traffic and preventing outside sources from accessing it.
Rationale
Securing traffic between services through encryption protects the data from easy interception and reading.
Impact
A Private Endpoint costs approximately US$7.30 per month. If an Azure Virtual Network is not implemented correctly, critical network traffic may be lost.
Default Value
By default, Private Endpoints are not created for Storage Accounts.
Remediation guidance
From Azure Console
- Open the
Storage Accountsblade. - For each list Storage Account, perform the following:
- Under the
Security + networkingheading, clickNetworking. - Click on the
Private Endpoint Connectionstab at the top of the networking window. - Click the
+Private endpointbutton. - In the
1 - Basicstab/step:Enter a namethat will be easily recognizable as associated with the Storage Account (Note: The "Network Interface Name" will be automatically completed, but you can customize it if needed.)- Ensure that the
Regionmatches the region of the Storage Account. - Click
Next.
- In the
2 - Resourcetab/step:- Select the
target sub-resourcebased on what type of storage resource is being made available. - Click
Next.
- Select the
- In the
3 - Virtual Networktab/step:- Select the
Virtual networkto which your Storage Account will be connected. - Select the
Subnetto which your Storage Account will be connected. - (Optional) Select other network settings that are appropriate for your environment.
- Click
Next.
- Select the
- In the
4 - DNStab/step:- (Optional) Select other DNS settings as appropriate for your environment
- Click
Next.
- In the
5 - Tagstab/step:- (Optional) Set any tags that are relevant to your organization.
- Click
Next.
- In the
6 - Review + createtab/step: A validation attempt will be made, and after a few moments, it should indicateValidation Passed. If it does not pass, double-check your settings before beginning more in-depth troubleshooting.- If validation has passed, click
Create, then wait for a few minutes for the scripted deployment to complete.
- If validation has passed, click
Repeat the above procedure for each Private Endpoint required within every Storage Account.
From PowerShell
$storageAccount = Get-AzStorageAccount -ResourceGroupName '
' -Name '<storageaccountname>'
$privateEndpointConnection = @{
Name = 'connectionName'
PrivateLinkServiceId = $storageAccount.Id
GroupID = "blob|blob_secondary|file|file_secondary|table|table_secondary|queue|queue_se condary|web|web_secondary|dfs|dfs_secondary"
}
$privateLinkServiceConnection = New-AzPrivateLinkServiceConnection @privateEndpointConnection
$virtualNetDetails = Get-AzVirtualNetwork -ResourceGroupName '
' -Name '<name>'
$privateEndpoint = @{
ResourceGroupName = ''
Name = ''
Location = '<location>'
Subnet = $virtualNetDetails.Subnets[0]
PrivateLinkServiceConnection = $privateLinkServiceConnection
}
New-AzPrivateEndpoint @privateEndpoint
From Azure CLI
az network private-endpoint create --resource-group <resource_group_name> --location <location> --name <private_endpoint_name> --vnet-name --subnet <subnet_name> --private-connection-resource-id <storage_account_id> --connection-name <connection_name> --group-id <blob|blob_secondary|file|file_secondary|table|table_secondary|queue|queue_secondary|web|web_secondary|dfs|dfs_secondary>
Multiple Remediation Paths
Azure
SERVICE-WIDE (RECOMMENDED when many resources are affected): Assign Azure Policy initiatives at management group/subscription scope and trigger remediation tasks.
az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>
ASSET-LEVEL: Apply the resource-specific remediation steps above to the listed non-compliant resources.
PREVENTIVE: Embed Azure Policy checks into landing zones and IaC workflows to block or auto-remediate drift.
References for Service-Wide Patterns
- Azure Policy overview: https://learn.microsoft.com/en-us/azure/governance/policy/overview
- Azure Policy remediation: https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources
- Azure Policy initiative structure: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/initiative-definition-structure
Operational Rollout Workflow
Use this sequence to reduce risk and avoid repeated drift.
1. Contain at Service-Wide Scope First (Recommended)
- Azure: assign policy initiatives at management group/subscription scope and run remediation tasks.
az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>
2. Remediate Existing Affected Assets
- Execute the control-specific Console/CLI steps documented above for each flagged resource.
- Prioritize internet-exposed and production assets first.
3. Validate and Prevent Recurrence
- Re-scan after each remediation batch.
- Track exceptions with owner and expiry date.
- Add preventive checks in IaC/CI pipelines.
Query logic
These are the stored checks tied to this control.
Azure Storage Accounts Without Private Endpoints
Connectors
Covered asset types
Expected check: eq []
{
storageAccounts(
where: {
privateEndpoints_NONE: {
type: "Microsoft.Storage/storageAccounts/privateEndpointConnections"
}
}
) {
...AssetFragment
}
}
