Home > Back-end >  How to create Private Endpoints for 2 storage accounts in Terraform
How to create Private Endpoints for 2 storage accounts in Terraform

Time:04-25

I'm trying to create Private endpoints for 2 storage accounts in different resource groups - linking to a vNet in 3rd resource group.

I believe you can only have one dns_zone and one dns_zone link to link it to vNet? I'm not sure where the EndPoints and the dns zone should be created.. whether in the resource group where the Vnet is or in the resource groups of relevant storage accounts?

The code i have so far:

# Creating a Private DNS Zone for the Private Endpoints
resource "azurerm_private_dns_zone" "pv-dns-zone" {
  name                = "privatelink.blob.core.windows.net"
  resource_group_name = var.resource_group.name
  #
}

# Linking DNS Zone to the configured VNET
resource "azurerm_private_dns_zone_virtual_network_link" "dns_zone_network_link" {
  name                  = "vnet_link"
  resource_group_name   = var.resource_group.name
  private_dns_zone_name = azurerm_private_dns_zone.pv-dns-zone.name
  virtual_network_id    = azurerm_virtual_network.abcd-vnt.id
}


# Creating Azure Private Endpoint for 1st Blob Storage
resource "azurerm_private_endpoint" "abcd-endpt" {
  name                = "abcdendpoint"
  location            = var.resource_group.location
  resource_group_name = var.resource_group.name
  subnet_id           = azurerm_subnet.storage_subnet.id

  private_dns_zone_group {
    name                 = "private-dns-zone-group"
    private_dns_zone_ids = [azurerm_private_dns_zone.pv-dns-zone.id]
  }

  private_service_connection {
    name                           = "abcd-psc"
    is_manual_connection           = false
    private_connection_resource_id = "/subscriptions/(subscription-id)/resourceGroups/(Resourcegroupname)/providers/Microsoft.Storage/storageAccounts/(storageaccountname)"
    subresource_names              = ["blob"]
  }    
}


# Creating Azure Private Endpoint for 2nd Blob Storage  
resource "azurerm_private_endpoint" "xyz-endpt" {
  name                = "xyz-pe"
  location            = var.resource_group.location
  resource_group_name = var.resource_group.name
  subnet_id           = azurerm_subnet.storage_subnet.id

  private_dns_zone_group {
    name                 = "private-dns-zone-group"
    private_dns_zone_ids = [azurerm_private_dns_zone.pv-dns-zone.id]
  }


  private_service_connection {
    name                           = "xyz-pscs"
    is_manual_connection           = false
    private_connection_resource_id = "/subscriptions/(subscriptionid)/resourceGroups/(resourcegroupname)/providers/Microsoft.Storage/storageAccounts/(storageaccountname)"
    subresource_names              = ["blob"]
  }
}

CodePudding user response:

As you mentioned, only one Private DNS Zone type (E.g. privatelink.blob.core.windows.net) can be tied to a VNET. This is so that the VNET knows where to route traffic to.

Resource Groups are generally just logical containers used for access control. Resources you put in each Resource Group generally depends on your organization requirements or location requirements. In line with that, it would only make sense that your Private DNS Zone is in the same Resource Group as your VNET as it's tied to the VNET.

In the future, you could have additional Storage Accounts, in different Resource Groups, for other projects, which will all use the same Private DNS Zone. Hence, it would not make sense to tie a 'shared' resource to a particular project/Resource Group.

On the other hand, Private Endpoints are linked to a specific resource. This means their lifecycle will also be tied to that resource. Hence, it makes more sense for them to be in the same Resource Group as the resource the refer to.

Although it should not really matter which Resource Group you deploy them in the above is really more of a convention to make managing resources more streamlined.

  • Related