Private Endpoint NSG rule between independent virtual networks.

Question

Hello

I have 2 independent virtual networks in my environment,

with NSGs to control traffic flow.

NET A:

1. Workload Subnet(houses the Management and other VMs)
2. Private endpoint subnet (connects above vms to storage account)
3. Bastion subnet

NET B has all of the above also.

Data in NET A will be downloaded to the Management vm and copied to storage account in NET B.

In order to copy data from NET A to the storage account in NET B, I intend to

create a private endpoint between storage account in NET B and management VM in NET A.

Question:

1. How should I setup NSG to allow connection between both networks. If you can point me to a document that descirbes the above it would be helpful.

Answer 1

Hello , Welcome to MS Q&A

To enable network policies like User-Defined Routes (UDR) and Network Security Groups (NSG) for private endpoints, you need to enable network policy support for the subnet. This setting will apply to all private endpoints within the subnet. Here are the steps

1. Create or Select an NSG: If you don't have an NSG, create one in the Azure portal.
2. Define Inbound Security Rules: Add inbound rules to allow traffic from the source IP ranges of the virtual networks or specific subnets that need to connect to the private endpoint. You can specify the protocol (TCP/UDP), port range, and priority for these rules.
3. Define Outbound Security Rules: Similarly, create outbound rules if necessary, to allow traffic from the private endpoint to the destination networks.
4. Associate NSG with Subnets or Network Interfaces: Associate the NSG with the subnet where the private endpoint resides or directly with the network interface of the resource that needs access.

By following these steps, you can ensure that network policies are applied to private endpoints within the subnet, allowing you to control traffic using NSG rules.

For more detailed information, you can refer to the following documentation:

References:

• Use private endpoints for Azure Storage
• Connect to a storage account using an Azure private endpoint
• Conceptual overview of private endpoints for Azure Storage

Please let us know if any questions

Kindly accept answer if it helps

Thanks

Deepanshu

Answer 2

@Jessie ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I am afraid I did not understand your requirement here.

Wrt,

In order to copy data from NET A to the "storage account in NET B"

• Can you elaborate what do you mean by "storage account in NET B"
• Do you mean to say there is a Storage account and it has a private endpoint in NET B?

In this case,

• Make sure NET A and NET B are peered
  • See : Azure Virtual network peering
• Once NET A and NET B are peered, the default NSG should allow communications between VMs in NETA and VMs in NETB
  • So you can directly copy contents from VMs in NETA and VMs in NETB
• In NETB, please create a private endpoint for the target storage account
  • Again, once this is done - the default NSG would allow communication to this private endpoint without any additional configurations.
  • So you can copy contents from VMs in NETB to the private endPoint

If the storage account does not have a private endpoint in NET B,

• Then you can directly create a private endpoint for the storage account in NETA
• And directly copy data from NET A to the storage account (using Private Endpoint in NETA itself)
• This indicates that NETB was never needed.

Please let me know if my understanding is incorrect.

Cheers,

Kapil