This Terraform code configures VNet peering between subscriptions to allow private access to files in a storage account over a private connection.
Think of an organization with a head office and a branch office that wants a secure way for all branches to access archived data over a private connection.
The main office in East US has the storage account deployed in its subscription, while the branch office in West US has a VM deployed to securely access the data over a private endpoint.
Public access is disabled on the storage account, so communication is only possible through the private endpoint.
Note that for container creation to be possible in the storage account, the variable `public_network_access_enabled` must be set to true. It can be set back to false after container creation.
To test connectivity, log in to the dev virtual machine with the randomly generated password stored in the terraform.tfstate file and do the following:
- `nslookup .privatelink.blob.core.windows.net` (this should show the private IP address of the storage account)
- `az storage blob list --container-name --connection-string` (lists the blobs created in the container; requires the Azure CLI to be installed)
- `curl -L https://aka.ms/downloadazcopy-v10-linux -o azcopy.tar.gz`
- `tar -xf azcopy.tar.gz --strip-components=1`
- `sudo mv azcopy /usr/local/bin/`
- `azcopy list <"https://.blob.core.windows.net/***>` (SAS URL)
## Requirements

| Name | Version |
|---|---|
| azurerm | 3.50.0 |
| random | 3.5.1 |

## Providers

| Name | Version |
|---|---|
| azurerm | 3.50.0 |
| azurerm.branch | 3.50.0 |
| random | 3.5.1 |

## Modules

No modules.

## Resources

| Name | Type |
|---|---|
| azurerm_linux_virtual_machine.branch | resource |
| azurerm_network_interface.server | resource |
| azurerm_network_security_group.branch | resource |
| azurerm_network_security_group.main | resource |
| azurerm_private_dns_a_record.archive | resource |
| azurerm_private_dns_zone.blob | resource |
| azurerm_private_dns_zone_virtual_network_link.main | resource |
| azurerm_private_endpoint.blob | resource |
| azurerm_public_ip.server | resource |
| azurerm_resource_group.branch | resource |
| azurerm_resource_group.main | resource |
| azurerm_storage_account.main | resource |
| azurerm_subnet.branch | resource |
| azurerm_subnet.main | resource |
| azurerm_subnet_network_security_group_association.branch | resource |
| azurerm_subnet_network_security_group_association.main | resource |
| azurerm_virtual_network.branch | resource |
| azurerm_virtual_network.main | resource |
| azurerm_virtual_network_peering.branch | resource |
| azurerm_virtual_network_peering.main | resource |
| random_password.password | resource |
| random_string.random | resource |
## Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| branch_client_id | n/a | `any` | n/a | yes |
| branch_client_secret | n/a | `any` | n/a | yes |
| branch_subscription_id | n/a | `any` | n/a | yes |
| branch_tenant_id | n/a | `any` | n/a | yes |
| branch_location | (Required) Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created. | `string` | `"westus2"` | no |
| environment | (Required) The environment in which the resources are being created. | `string` | `"dev"` | no |
| main_location | (Required) Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created. | `string` | `"eastus2"` | no |
| workload | (Required) The workload of the resource created. | `string` | `"demo"` | no |

## Outputs

No outputs.