Restrict import/export access for managed disks using Azure Private Link

Applies to: ✔️ Linux VMs ✔️ Windows VMs ✔️ Flexible scale sets ✔️ Uniform scale sets

In this article, you create a disk access resource and use private endpoints to restrict the export and import of managed disks over a private link to clients on your Azure virtual network. With this configuration, import and export operations on those disks take place only within your Azure virtual network.

Following the steps in this article affects only the import and export of your disks; it doesn't affect the ability of your VMs to access disks that are directly attached to them.

Prerequisites

None

Limitations

  • You can't import or export more than five disks or snapshots at the same time with the same disk access object.
  • You can't upload to a disk with both a disk access object and a disk encryption set.

Create a disk access resource

To use Private Link to export and import managed disks, create a disk access resource and link it to a virtual network in the same subscription by creating a private endpoint. Then, associate a disk or a snapshot with a disk access instance.

  1. Sign in to the Azure portal and navigate to Disk Accesses.

  2. Select + Create to create a new disk access resource.

  3. On the Create a disk accesses pane, select your subscription and a resource group. Under Instance details, enter a name and select a region.

    Screenshot of disk access creation pane. Fill in the desired name, select a region, select a resource group, and proceed.

  4. Select Review + create.

  5. When your resource has been created, navigate directly to it.

    Screenshot of the Go to resource button in the portal.

Create a private endpoint

Next, you'll need to create a private endpoint and configure it for disk access.

  1. From your disk access resource, under Settings, select Private endpoint connections.

  2. Select + Private endpoint.

    Screenshot of the overview pane for your disk access resource. Private endpoint connections is highlighted.

  3. In the Create a private endpoint pane, select a resource group.

  4. Provide a name and select the same region in which your disk access resource was created.

    Screenshot of the private endpoint creation workflow, first pane. If you don't select the appropriate region, you may encounter issues later.

  5. Select Next: Resource.

  6. On the Resource pane, select Connect to an Azure resource in my directory.

  7. For Resource type, select Microsoft.Compute/diskAccesses.

  8. For Resource, select the disk access resource you created earlier.

  9. Leave the Target sub-resource as disks.

    Screenshot of the private endpoint creation workflow, second pane, with Resource type, Resource, and Target sub-resource highlighted.

  10. Select Next: Configuration.

  11. Select the virtual network to which you want to limit disk import and export. This prevents your disk from being imported or exported from any other virtual network.

    Note

    If you have a network security group enabled for the selected subnet, it will be disabled for private endpoints on this subnet only. Other resources on this subnet will retain network security group enforcement.

  12. Select the appropriate subnet.

    Screenshot of the private endpoint creation workflow, third pane. Virtual network and subnet emphasized.

  13. Select Review + create.

Enable private endpoint on your disk

Follow these steps:

  1. Navigate to the disk you'd like to configure.

  2. Under Settings, select Networking.

  3. Select Private endpoint (through disk access) and select the disk access you created earlier.

    Screenshot of the managed disk networking pane, highlighting the private endpoint selection and the selected disk access. Saving this configures your disk for this access.

  4. Select Save.

You've now configured a private link that you can use to import and export your managed disk. You can import using the Azure CLI or the Azure PowerShell module. You can export either Windows or Linux VHDs.
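The same three steps (create the disk access, create the private endpoint with target sub-resource `disks`, bind the disk with network access policy `AllowPrivate`) as an added Azure CLI script; this is example code, not part of the original article. Resource names, the region and the subscription ID are constructed placeholders, and with `DRY_RUN=1` (the default) it prints each `az` command instead of executing it.

```bash
#!/usr/bin/env bash
# Added example: the portal procedure above expressed as Azure CLI calls.
# All names below are constructed placeholders; set DRY_RUN=0 to execute.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
RG="${RG:-rg-disk-privatelink}"
LOCATION="${LOCATION:-eastus}"
VNET="${VNET:-vnet-prod}"
SUBNET="${SUBNET:-snet-disks}"
DISK_ACCESS="${DISK_ACCESS:-da-restricted}"
PE="${PE:-pe-da-restricted}"
DISK="${DISK:-osdisk-web01}"
DRY_RUN="${DRY_RUN:-1}"

# ARM id of the disk access resource; both the private endpoint and the disk reference it.
DISK_ACCESS_ID="/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RG/providers/Microsoft.Compute/diskAccesses/$DISK_ACCESS"

# Print the command in dry-run mode, otherwise execute it.
run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Step 1: the disk access resource, in the same region as the VNet and endpoint.
create_disk_access() {
  run az disk-access create --name "$DISK_ACCESS" --resource-group "$RG" --location "$LOCATION"
}

# Step 2: a private endpoint in the chosen subnet, pointing at the disk access
# resource with target sub-resource "disks" (the portal default).
create_private_endpoint() {
  run az network private-endpoint create --name "$PE" --resource-group "$RG" \
    --location "$LOCATION" --vnet-name "$VNET" --subnet "$SUBNET" \
    --private-connection-resource-id "$DISK_ACCESS_ID" --group-id disks \
    --connection-name "${PE}-conn"
}

# Step 3: bind the disk to the disk access; AllowPrivate denies import/export
# from anywhere except the private endpoint.
restrict_disk() {
  run az disk update --name "$DISK" --resource-group "$RG" \
    --network-access-policy AllowPrivate --disk-access "$DISK_ACCESS_ID"
}

# Check: the disk should now report AllowPrivate and the disk access id.
show_disk_policy() {
  run az disk show --name "$DISK" --resource-group "$RG" \
    --query '{policy:networkAccessPolicy,diskAccess:diskAccessId}' -o tsv
}

create_disk_access
create_private_endpoint
restrict_disk
show_disk_policy
```

An export SAS obtained afterwards with `az disk grant-access --access-level Read` is usable only from the virtual network that holds the private endpoint.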