22_1 ‐ Single Private VNet with no internet, having all other services connected like blob storage - SanjeevOCI/Study GitHub Wiki

Azure: VNet with No Internet Connectivity + Connected Block Storage

1. Create a Resource Group

Create a Resource Group to logically organize and isolate all related Azure resources.


2. Create a Virtual Network (VNet)

  • Define a VNet with a non-overlapping CIDR to avoid IP conflicts with existing networks.
    Example: 10.10.0.0/16

3. Create a Private Subnet

  • Assign a smaller CIDR range for workloads.
    Example: 10.10.1.0/24
  • No Public IP assigned to VMs.
  • No internet gateway to detach: Azure has no Internet Gateway resource. Instead, every subnet receives a default system route (0.0.0.0/0 → Internet) that allows outbound internet access unless it is explicitly overridden.

If you want a private subnet with no internet, you override this default internet route by replacing it in a custom Route Table.

  • Create a Route Table: Azure Portal → Route tables → Create. Place it in the same region as your VNet.
  • Add a “blackhole” default route:
    Address prefix: 0.0.0.0/0
    Next hop type: None
    This drops all internet-bound traffic instead of sending it to Azure’s internet gateway.


4. Gateway Setup

Private Endpoint

  • For accessing Azure services privately (e.g., Blob Storage, Azure Files, Key Vault) without internet.
  • Uses Azure Private Link to keep traffic on Microsoft’s backbone.

Azure Storage Private Endpoint

  • Create a Private Endpoint for Azure Storage in the subnet.
  • This maps the storage account to a private IP from your subnet.

NAT Gateway (Optional)

  • Only if outbound internet access is required for:
    • OS updates
    • External package repositories
  • If not required, skip to ensure no internet connectivity.

5. Route Table Configuration

  • Service/Private Endpoint Route:
    Handled by DNS rather than by a custom route: with a Private DNS zone (privatelink.blob.core.windows.net) linked to the VNet, the storage account’s FQDN resolves to the Private Endpoint’s private IP, which is inside the VNet and is reached over the VNet’s own system route.
  • No default internet route (0.0.0.0/0 to the Internet) unless a NAT Gateway is configured.
  • Associate the custom Route Table (with the blackhole default route) with the subnet so it replaces the system internet route.
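One way to build steps 2 through 5 as infrastructure-as-code, as an added Bicep example that is not part of the wiki page; resource names are placeholders and the storage account is assumed to exist already in the resource group:

```bicep
// Added example, not code from the wiki page. Names are placeholders; the storage account is
// assumed to exist already in this resource group with public network access disabled (step 9).
param location string = resourceGroup().location
param storageAccountName string

// Step 3: replace the default system route with a blackhole (0.0.0.0/0 -> next hop None)
resource rt 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-private-blackhole'
  location: location
  properties: { routes: [ { name: 'blackhole-internet', properties: { addressPrefix: '0.0.0.0/0', nextHopType: 'None' } } ] }
}

// Steps 2, 3 and 5: VNet and private subnet; associating the route table overrides the Internet route,
// while the more specific 10.10.0.0/16 system route still carries traffic to the Private Endpoint
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-private'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [ { name: 'snet-private', properties: { addressPrefix: '10.10.1.0/24', routeTable: { id: rt.id } } } ]
  }
}
resource st 'Microsoft.Storage/storageAccounts@2023-01-01' existing = { name: storageAccountName }

// Step 4: Private Endpoint for the blob sub-resource, given a private IP from the subnet
resource pe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-blob'
  location: location
  properties: {
    subnet: { id: vnet.properties.subnets[0].id }
    privateLinkServiceConnections: [ { name: 'blob', properties: { privateLinkServiceId: st.id, groupIds: [ 'blob' ] } } ]
  }
}
// Step 5: Private DNS zone linked to the VNet so <account>.blob.core.windows.net resolves to the
// endpoint's private IP; the zone group keeps the endpoint's A record registered in that zone
resource dnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.blob.${environment().suffixes.storage}'
  location: 'global'
}
resource dnsLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: dnsZone
  name: 'link-vnet-private'
  location: 'global'
  properties: { virtualNetwork: { id: vnet.id }, registrationEnabled: false }
}
resource zoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: pe
  name: 'default'
  properties: { privateDnsZoneConfigs: [ { name: 'blob', properties: { privateDnsZoneId: dnsZone.id } } ] }
}
```

Deploy it into the resource group from step 1 with `az deployment group create --resource-group <rg> --template-file main.bicep --parameters storageAccountName=<account>`; the NSG from step 7 is attached to the subnet separately.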

6. Create a VM in the Private Subnet

  • No Public IP
  • Can access:
    • Azure Managed Disks (block storage equivalent)
    • Azure Blob Storage / Azure Files via Private Endpoint
    • External repos (only if NAT Gateway is configured)

7. Configure Network Security Groups (NSGs)

Egress Rules

  • Allow to the Storage Private Endpoint (its private IP or subnet inside the VNet; the Storage service tag covers only Azure Storage’s public address ranges, so it does not match Private Endpoint traffic on its own)
    Protocol: TCP, Port: 443
  • Allow to specific update sources only if a NAT Gateway is used
  • Deny all other outbound traffic explicitly: the NSG default rules (AllowInternetOutBound, priority 65001) otherwise still permit internet egress at the NSG layer

Ingress Rules

  • No inbound from internet
  • Allow only from trusted sources (e.g., Bastion Host, VPN Gateway, ExpressRoute)

8. Harden Security

  • Use Azure Firewall or a 3rd-party NVA in private mode for advanced control.
  • Apply least-privilege NSG rules.

9. Storage Configuration

  • OS Disk (default managed disk)
  • Additional Managed Disks if required
  • Configure Azure Backup or Recovery Services Vault
  • Blob Storage for backups via Private Endpoint

10. Verify Access

Use Azure Bastion or VPN for admin access to VMs.
Test from the VM:

  • Blob Storage connectivity via Private Endpoint (resolve the account’s blob FQDN; it should return an address in 10.10.1.0/24, not a public IP)
  • Managed Disk access
  • No internet reachability (an outbound request to a public address should fail, unless a NAT Gateway is configured)
  • OS patching (if NAT Gateway configured)