Create Azure Private Endpoints for Secure Storage Account Connectivity
After you onboard Illumio Segmentation for Cloud, Illumio services reach out to your storage account to read the traffic flows stored in Blob storage. However, most enterprise storage accounts are protected by the Azure Storage firewall, and when the firewall is enabled its default network rule is Deny: all public network access is blocked, and Illumio cannot read your flow data.
Connectivity Options
You can use two approaches to establish connectivity between the Illumio data plane and your firewall-protected storage account:
| Option | Approach |
|---|---|
| IP Allowlisting | Add the Illumio data plane's public IP addresses to your storage account's firewall allowed list |
| Private Endpoint | Create a private network connection from the Illumio data plane directly to your storage account |
About IP Allowlisting
When the Illumio service (the data plane) and your storage account are in the same Azure region, allowlisting the Illumio public IP addresses does not work. Because of Microsoft's backbone routing behavior, this traffic stays on Microsoft's internal network and does not transit the Internet. From your storage account's point of view, the request arrives from an internal, non-public IP source and does not match any allowlisted public IP ranges you have applied. Microsoft documents this limitation: IP network rules have no effect on requests that originate from the same Azure region as the storage account.
About Azure Private Endpoints
An Azure Private Endpoint is a network interface that connects you privately and securely to a service powered by Azure Private Link. The private endpoint uses a private IP address from your VNet and brings the service into your virtual network.
When you use an Azure Private Endpoint for Illumio access:
- Your storage account is reachable at a private IP address inside the Illumio data plane virtual network (the address is assigned to the private endpoint's network interface, not to the storage account itself).
- Traffic flows entirely over Microsoft's backbone network and never crosses the public internet.
- Inside the Illumio data plane virtual network, DNS automatically maps your storage account's FQDN to that private IP; from anywhere else, the FQDN still resolves to a public IP.
Use a Private Endpoint if:
- Your storage account's region matches the region of the Illumio data plane (where IP allowlisting cannot work).
- Your storage account's Public network access setting is Disabled, so no IP rule can be evaluated.
If Illumio flow reader services report connectivity errors to your storage account, you might need to create a private endpoint.
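The following is an added example (not Illumio's code) that applies the decision rules above to the network settings of a storage account. The JSON is constructed to match the shape of `az storage account show -n <acct> -g <rg> -o json`, trimmed to the fields the check reads; the account name `contosoflows`, the data plane region `eastus` and the egress addresses in `198.51.100.0/24` are placeholders and assumptions for the example, not Illumio's real region or IPs.

```python
import ipaddress
import json

# Constructed sample shaped like `az storage account show -n <acct> -g <rg> -o json`,
# trimmed to the fields this check reads. The account name and addresses are placeholders.
SAMPLE_ACCOUNT = json.loads("""
{
  "name": "contosoflows",
  "location": "eastus",
  "publicNetworkAccess": "Enabled",
  "networkRuleSet": {
    "defaultAction": "Deny",
    "ipRules": [{"action": "Allow", "ipAddressOrRange": "203.0.113.0/24"}]
  }
}
""")

# Assumptions for the example: the Illumio data plane's region and egress addresses.
# These are documentation-range placeholders, not Illumio's real region or IPs.
ILLUMIO_DATA_PLANE_REGION = "eastus"
ILLUMIO_EGRESS_IPS = ["198.51.100.10", "198.51.100.11"]


def _covered(ip: str, allowed_ranges: set[str]) -> bool:
    """True if `ip` falls inside any allowlisted address or CIDR range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in allowed_ranges)


def recommend(account: dict, data_plane_region: str, illumio_ips: list[str]) -> dict:
    """Apply the decision rules to one storage account's network settings."""
    public_access = account.get("publicNetworkAccess") or "Enabled"   # null means Enabled
    rules = account.get("networkRuleSet") or {}
    default_action = rules.get("defaultAction", "Allow")
    allowed = {r["ipAddressOrRange"] for r in rules.get("ipRules", [])
               if r.get("action", "Allow") == "Allow"}

    if public_access == "Disabled":
        return {"option": "private-endpoint",
                "reason": "Public network access is Disabled, so IP rules are never evaluated."}
    if default_action == "Allow":
        return {"option": "none",
                "reason": "No storage firewall in effect; the account is already reachable."}
    # defaultAction is Deny: the storage firewall is on and only matching rules get through.
    if account["location"].lower() == data_plane_region.lower():
        return {"option": "private-endpoint",
                "reason": "Same region as the Illumio data plane: requests arrive from a "
                          "non-public source address and never match IP rules."}
    missing = [ip for ip in illumio_ips if not _covered(ip, allowed)]
    if missing:
        return {"option": "ip-allowlist",
                "reason": "Add to the firewall allowed list: " + ", ".join(missing)}
    return {"option": "ip-allowlist",
            "reason": "All Illumio egress addresses are already allowlisted."}


if __name__ == "__main__":
    for region in ("eastus", "westus2"):
        print(region, recommend(SAMPLE_ACCOUNT, region, ILLUMIO_EGRESS_IPS))
```

With the sample account in `eastus` and the data plane also in `eastus`, the check recommends a private endpoint even though the firewall has an IP rule, because a same-region rule can never match. Moving the data plane to another region turns the answer into "allowlist these addresses". Run it against real CLI output to decide which of the two options applies before contacting Illumio.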
The process is as follows:
1. A private endpoint is created in the Illumio data plane's virtual network.
2. Azure assigns a private IP address from that network's subnet (such as 10.0.1.5) to the endpoint.
3. A private link connection request is sent to your storage account.
4. You approve the pending connection request in your Azure Portal's Private Link Center (the request also appears under your storage account's Networking settings, on the Private endpoint connections tab).
5. DNS in the Illumio data plane virtual network is configured so that `<yourstorageaccount>.blob.core.windows.net` resolves to the private IP.
6. Illumio's flow reader service connects to your storage account using the private IP over Azure's backbone network.
After you configure the private endpoint, connectivity errors should be resolved.
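The DNS step is where this setup most often goes wrong, so here is an added example (not Illumio's code) of the check a practitioner would run once the endpoint is approved. It follows the CNAME chain for `<account>.blob.core.windows.net` and confirms two things: that the chain passes through `<account>.privatelink.blob.core.windows.net` (Microsoft's standard Private Link zone for Blob storage) and that the final A record lands inside the data plane subnet. The resolver answers, the account name `contosoflows`, the subnet `10.0.1.0/24`, the cluster name and the public address `203.0.113.10` are all constructed for the example.

```python
import ipaddress

# Constructed resolver answers standing in for DNS lookups from two vantage points.
# The account name, cluster name and addresses are placeholders, not real records.
INSIDE_DATA_PLANE_VNET = {
    "contosoflows.blob.core.windows.net":
        ("CNAME", "contosoflows.privatelink.blob.core.windows.net"),
    "contosoflows.privatelink.blob.core.windows.net":
        ("A", "10.0.1.5"),            # the private endpoint's IP from the VNet subnet
}
OUTSIDE_DATA_PLANE_VNET = {
    "contosoflows.blob.core.windows.net":
        ("CNAME", "contosoflows.privatelink.blob.core.windows.net"),
    "contosoflows.privatelink.blob.core.windows.net":
        ("CNAME", "blob.example-cluster.store.core.windows.net"),   # constructed name
    "blob.example-cluster.store.core.windows.net":
        ("A", "203.0.113.10"),        # constructed public address
}


def resolve_chain(name: str, answers: dict, max_hops: int = 5):
    """Follow CNAMEs until an A record; return (names visited, IP address)."""
    chain = [name]
    for _ in range(max_hops):
        rtype, target = answers.get(name, (None, None))
        if rtype == "A":
            return chain, ipaddress.ip_address(target)
        if rtype != "CNAME":
            raise LookupError(f"no A or CNAME record for {name}")
        name = target
        chain.append(name)
    raise LookupError("CNAME chain too long")


def check_private_resolution(account: str, answers: dict, data_plane_subnet: str) -> dict:
    """Report whether <account>.blob.core.windows.net resolves through the Private Link
    zone to an address inside the data plane subnet (the state the process above ends in)."""
    fqdn = f"{account}.blob.core.windows.net"
    privatelink_name = f"{account}.privatelink.blob.core.windows.net"
    chain, ip = resolve_chain(fqdn, answers)
    in_subnet = ip in ipaddress.ip_network(data_plane_subnet)
    return {
        "fqdn": fqdn,
        "resolved_ip": str(ip),
        "via_privatelink_zone": privatelink_name in chain,
        "in_data_plane_subnet": in_subnet,
        "ok": privatelink_name in chain and in_subnet,
    }


if __name__ == "__main__":
    for label, answers in (("inside VNet", INSIDE_DATA_PLANE_VNET),
                           ("outside VNet", OUTSIDE_DATA_PLANE_VNET)):
        print(label, check_private_resolution("contosoflows", answers, "10.0.1.0/24"))
```

The "outside VNet" table is what your laptop sees and is expected to fail the check: the public CNAME chain is normal there. The same public chain observed from a host inside the data plane VNet means the private DNS zone is not linked to that VNet, which is exactly the resource the table below lists as the DNS Zone Virtual Network Link. To use this against a live environment, replace the constructed tables with the answers from `nslookup` or `dig` run from a VM in the data plane VNet.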
The following table describes the Azure resources created within Illumio when you establish a private endpoint:
| Resource | Description | Purpose |
|---|---|---|
| Private Endpoint | Network interface with the private IP | Serves as the entry point for private connectivity to the user's storage account |
| Network Interface | Associated with the private endpoint | Holds the private IP address allocated from the VNet's subnet |
| Private DNS Zone | Private DNS zone for the Blob storage Private Link domain | Enables automatic DNS resolution of the user's storage account FQDN to the private IP |
| DNS Zone Virtual Network Link | Links the DNS zone to the VNet | Ensures the VNet uses the private DNS zone for resolution |
| DNS A Record | Maps the customer's storage account FQDN to a private IP | `customer_storageaccount` → `10.x.x.x` |
The following resources are created in your subscription:
| Resource | Description | Action Required |
|---|---|---|
| Private Endpoint Connection | Appears under the user's storage account's networking settings | Users must approve this connection from their Azure Private Link Center |
If you want to set up Private Endpoint connectivity from Illumio to your Azure Storage Account, contact your Illumio representative.