Edit

Share via

Approve Private Link connections across subscriptions

  • Article

Azure Private Link enables you to connect privately to Azure resources. Private Link connections are scoped to a specific subscription. This article shows you how to approve a private endpoint connection across subscriptions.

Prerequisites

  • Two active Azure subscriptions:

    • One subscription hosts the Azure resource and the other subscription contains the consumer private endpoint and virtual network.

  • An administrator account for each subscription or an account with permissions in each subscription to create and manage resources.

Resources used in this article:

Resource Subscription Resource group Location
storage1 (This name is unique. Replace with the name you create.) subscription-1 test-rg East US 2
vnet-1 subscription-2 test-rg East US 2
private-endpoint subscription-2 test-rg East US 2

Sign in to subscription-1

Sign in to subscription-1 in the Azure portal.

Register the resource providers for subscription-1

For the private endpoint connection to complete successfully, the Microsoft.Storage and Microsoft.Network resource providers must be registered in subscription-1. Use the following steps to register the resource providers. If the Microsoft.Storage and Microsoft.Network resource providers are already registered, skip this step.

Important

If you're using a different resource type, you must register the resource provider for that resource type if it's not already registered.

  1. In the search box at the top of the portal, enter Subscription. Select Subscriptions in the search results.

  2. Select subscription-1.

  3. In Settings, select Resource providers.

  4. In the Resource providers filter box, enter Microsoft.Storage. Select Microsoft.Storage.

  5. Select Register.

  6. Repeat the previous steps to register the Microsoft.Network resource provider.

Create a resource group

  1. In the search box at the top of the portal, enter Resource group. Select Resource groups in the search results.

  2. Select + Create.

  3. On the Basics tab of Create a resource group, enter or select the following information:

    Setting Value
    Project details
    Subscription Select subscription-1.
    Resource group Enter test-rg.
    Region Select East US 2.

  4. Select Review + Create.

  5. Select Create.

Create a storage account

Create an Azure Storage account for the steps in this article. If you already have a storage account, you can use it instead.

  1. In the search box at the top of the portal, enter Storage account. Select Storage accounts in the search results.

  2. Select + Create.

  3. On the Basics tab of Create a storage account, enter or select the following information:

    Setting Value
    Project Details
    Subscription Select your Azure subscription.
    Resource Group Select test-rg.
    Instance details
    Storage account name Enter storage1. If the name is unavailable, enter a unique name.
    Location Select (US) East US 2.
    Performance Leave the default Standard.
    Redundancy Select Locally-redundant storage (LRS).

  4. Select Review.

  5. Select Create.

Obtain the storage account resource ID

You need the storage account resource ID to create the private endpoint connection in subscription-2. Use the following steps to obtain the storage account resource ID.

  1. In the search box at the top of the portal, enter Storage account. Select Storage accounts in the search results.

  2. Select storage1 or the name of your existing storage account.

  3. In Settings, select Endpoints.

  4. Copy the entry in Storage account resource ID.

Sign in to subscription-2

Sign in to subscription-2 in the Azure portal.

Register the resource providers for subscription-2

For the private endpoint connection to complete successfully, the Microsoft.Storage and Microsoft.Network resource providers must be registered in subscription-2. Use the following steps to register the resource providers. If the Microsoft.Storage and Microsoft.Network resource providers are already registered, skip this step.

Important

If you're using a different resource type, you must register the resource provider for that resource type if it's not already registered.

  1. In the search box at the top of the portal, enter Subscription. Select Subscriptions in the search results.

  2. Select subscription-2.

  3. In Settings, select Resource providers.

  4. In the Resource providers filter box, enter Microsoft.Storage. Select Microsoft.Storage.

  5. Select Register.

  6. Repeat the previous steps to register the Microsoft.Network resource provider.

The following procedure creates a virtual network with a resource subnet.

  1. In the portal, search for and select Virtual networks.

  2. On the Virtual networks page, select + Create.

  3. On the Basics tab of Create virtual network, enter or select the following information:

    Setting Value
    Project details
    Subscription Select your subscription.
    Resource group Select Create new.
    Enter test-rg in Name.
    Select OK.
    Instance details
    Name Enter vnet-1.
    Region Select East US 2.

    Screenshot that shows the Basics tab of Create virtual network in the Azure portal.

  4. Select Next to proceed to the Security tab.

  5. Select Next to proceed to the IP addresses tab.

  6. In the address space box under Subnets, select the default subnet.

  7. On the Edit subnet pane, enter or select the following information:

    Setting Value
    Subnet details
    Subnet template Leave the default as Default.
    Name Enter subnet-1.
    Starting address Leave the default of 10.0.0.0.
    Subnet size Leave the default of /24(256 addresses).

    Screenshot that shows the default subnet rename and configuration.

  8. Select Save.

  9. Select Review + create at the bottom of the screen. After validation passes, select Create.

Create private endpoint

  1. In the search box at the top of the portal, enter Private endpoint. Select Private endpoints.

  2. Select + Create in Private endpoints.

  3. On the Basics tab of Create a private endpoint, enter or select the following information:

    Setting Value
    Project details
    Subscription Select subscription-2.
    Resource group Select test-rg.
    Instance details
    Name Enter private-endpoint.
    Network Interface Name Leave the default of private-endpoint-nic.
    Region Select East US 2.

  4. Select Next: Resource.

  5. Select Connect to an Azure resource by resource ID or alias.

  6. In Resource ID or alias, paste the storage account resource ID that you copied earlier.

  7. In Target sub-resource, enter blob.

  8. Select Next: Virtual Network.

  9. In Virtual Network, enter or select the following information:

    Setting Value
    Networking
    Virtual network Select vnet-1 (test-rg).
    Subnet Select subnet-1.

  10. Select Next: DNS.

  11. Select Next: Tags.

  12. Select Review + Create.

  13. Select Create.

Approve private endpoint connection

The private endpoint connection is in a Pending state until approved. Use the following steps to approve the private endpoint connection in subscription-1.

  1. In the search box at the top of the portal, enter Private endpoint. Select Private endpoints.

  2. Select Pending connections.

  3. Select the box next to your storage account in subscription-1.

  4. Select Approve.

  5. Select Yes in Approve connection.

Next steps

In this article, you learned how to approve a private endpoint connection across subscriptions. To learn more about Azure Private Link, continue to the following articles: