title Configure private endpoints for Azure Elastic SAN
description Learn how to configure private endpoint connections to Azure Elastic SAN volumes for secure network isolation by using Azure portal, PowerShell, or CLI
author roygara
ms.service azure-elastic-san-storage
ms.topic how-to
ms.date 01/09/2026
ms.author rogarana
ms.custom devx-track-azurecli, devx-track-azurepowershell

Configure private endpoints for Azure Elastic SAN

A private endpoint enables you to connect to your Elastic SAN volume group over a private IP address within your virtual network. When you use a private endpoint, traffic between your virtual network and the Elastic SAN stays entirely on Azure's private backbone, without traversing the public internet. Once you configure and approve a private endpoint, it automatically grants access to the subnet where it resides. This configuration provides strong network isolation and is ideal for production or security-sensitive workloads.

This article describes how to configure your Elastic SAN volume group to use private endpoints.

Prerequisites

Configure a private endpoint

Configuring a private endpoint connection involves two steps:

  • Creating the endpoint and the associated connection.
  • Approving the connection.

You must have the Elastic SAN Volume Group Owner role to create a private endpoint for an Elastic SAN volume group. To approve a new private endpoint connection, you must have permission to the Azure resource provider operation Microsoft.ElasticSan/elasticSans/PrivateEndpointConnectionsApproval/action. The Elastic SAN Network Admin role includes permission for this operation, but you can also grant it through a custom Azure role.

If you create the endpoint from a user account that holds all the roles and permissions needed for both creation and approval, you can complete creation and approval in a single step. Otherwise, two different users perform the two steps separately.

When setting up Private Links, your Elastic SAN and the virtual network can be in different resource groups, regions, and subscriptions. The subscriptions can belong to different Microsoft Entra tenants. In these examples, you create the private endpoint in the same resource group as the virtual network.

You can create a private endpoint connection to your volume group in the Azure portal either when you create a volume group or when modifying an existing volume group. You need an existing virtual network to create a private endpoint.

When creating or modifying a volume group, select Networking, and then select + Create a private endpoint under Private endpoint connections.

Fill out the values in the form that pops up. Select the virtual network and the subnet that your applications will use to connect. When you're done, select Add, and Save.

:::image type="content" source="media/elastic-san-create/elastic-san-private-endpoint.png" alt-text="Screenshot of the volume group private endpoint creation experience." lightbox="media/elastic-san-create/elastic-san-private-endpoint.png":::

The following Azure PowerShell script creates a private endpoint for your Elastic SAN volume group. Replace the values of RgName, VnetName, SubnetName, EsanName, EsanVgName, PLSvcConnectionName, EndpointName, and Location (region) with your own values. Uncomment -ByManualRequest if you're following the two-step process, and then run the script.

If you don't have all necessary permissions and need the network admin to approve the connection, make sure to also run the script in Approve connection.

```powershell
# Set the resource group name.
$RgName     = "<ResourceGroupName>"

# Set the virtual network and subnet, which are used when creating the private endpoint.
$VnetName   = "<VnetName>"
$SubnetName = "<SubnetName>"

$Vnet   = Get-AzVirtualNetwork -Name $VnetName -ResourceGroupName $RgName
$Subnet = $Vnet | Select-Object -ExpandProperty Subnets | Where-Object { $_.Name -eq $SubnetName }

# Set the Elastic SAN, which is used when creating the private endpoint service connection.
$EsanName   = "<ElasticSanName>"
$EsanVgName = "<ElasticSanVolumeGroupName>"

$Esan = Get-AzElasticSan -Name $EsanName -ResourceGroupName $RgName

# Create the private link service connection, which is input to creating the private endpoint.
# The group ID of the connection is the volume group name.
$PLSvcConnectionName = "<PrivateLinkSvcConnectionName>"
$EsanPlSvcConn = New-AzPrivateLinkServiceConnection -Name $PLSvcConnectionName -PrivateLinkServiceId $Esan.Id -GroupId $EsanVgName

# Create the private endpoint.
$EndpointName       = '<PrivateEndpointName>'
$Location           = '<Location>'
$PeArguments        = @{
    Name                         = $EndpointName
    ResourceGroupName            = $RgName
    Location                     = $Location
    Subnet                       = $Subnet
    PrivateLinkServiceConnection = $EsanPlSvcConn
}
New-AzPrivateEndpoint @PeArguments # -ByManualRequest # (Uncomment the -ByManualRequest parameter if you are using the two-step process.)
```

Approve connection

Use this sample code to approve the private link service connection if you're using the two-step process. Use the same variables from the previous code sample:

```powershell
# Get the private endpoint and associated connection.
$PrivateEndpoint = Get-AzPrivateEndpoint -Name $EndpointName -ResourceGroupName $RgName
$PeConnArguments  = @{
    ServiceName                  = $EsanName
    ResourceGroupName            = $RgName
    PrivateLinkResourceType      = "Microsoft.ElasticSan/elasticSans"
}
$EndpointConnection = Get-AzPrivateEndpointConnection @PeConnArguments |
    Where-Object { $_.PrivateEndpoint.Id -eq $PrivateEndpoint.Id }

# Approve the private link service connection.
$ApprovalDesc = "<ApprovalDesc>"
Approve-AzPrivateEndpointConnection @PeConnArguments -Name $EndpointConnection.Name -Description $ApprovalDesc

# Get the private endpoint connection anew and verify that the connection status is now Approved.
$EndpointConnection = Get-AzPrivateEndpointConnection @PeConnArguments |
    Where-Object { $_.PrivateEndpoint.Id -eq $PrivateEndpoint.Id }
$EndpointConnection.PrivateLinkServiceConnectionState
```

The following Azure CLI script creates a private endpoint for your Elastic SAN volume group. Uncomment the --manual-request parameter if you're using the two-step process. Replace all example variable values with your own, then run the script.

If you don't have all necessary permissions and need the network admin to approve the connection, make sure to also run the script in Approve connection.

```azurecli
# Define some variables.
# The name of the resource group where the resources are deployed.
RgName="<ResourceGroupName>"
# The name of the virtual network that includes the subnet.
VnetName="<VnetName>"
# The name of the subnet from which access to the volume group will be configured.
SubnetName="<SubnetName>"
# The name of the Elastic SAN that the volume group belongs to.
EsanName="<ElasticSanName>"
# The name of the Elastic SAN volume group to which a connection is to be created.
EsanVgName="<ElasticSanVolumeGroupName>"
# The name of the new private endpoint.
EndpointName="<PrivateEndpointName>"
# The name of the new private link service connection to the volume group.
PLSvcConnectionName="<PrivateLinkSvcConnectionName>"
# The region where the new private endpoint will be created.
Location="<Location>"
# The description provided for the approval of the private endpoint connection.
ApprovalDesc="<ApprovalDesc>"

# Get the ID of the Elastic SAN.
id=$(az elastic-san show \
    --elastic-san-name $EsanName \
    --resource-group $RgName \
    --query 'id' \
    --output tsv)

# Create the private endpoint. The group ID is the volume group name.
az network private-endpoint create \
    --connection-name $PLSvcConnectionName \
    --name $EndpointName \
    --private-connection-resource-id $id \
    --resource-group $RgName \
    --vnet-name $VnetName \
    --subnet $SubnetName \
    --location $Location \
    --group-id $EsanVgName # --manual-request

# Verify the status of the private endpoint connection.
PLConnectionName=$(az network private-endpoint-connection list \
    --name $EsanName \
    --resource-group $RgName \
    --type Microsoft.ElasticSan/elasticSans \
    --query "[?properties.groupIds[0]=='$EsanVgName'].name" -o tsv)

az network private-endpoint-connection show \
    --resource-name $EsanName \
    --resource-group $RgName \
    --type Microsoft.ElasticSan/elasticSans \
    --name $PLConnectionName
```

Approve connection

Use this sample code to approve the private link service connection if you're using the two-step process. Use the same variables from the previous code sample:

```azurecli
az network private-endpoint-connection approve \
    --resource-name $EsanName \
    --resource-group $RgName \
    --name $PLConnectionName \
    --type Microsoft.ElasticSan/elasticSans \
    --description $ApprovalDesc
```

Note

If your Elastic SAN and the private endpoint are in different subscriptions, register the Microsoft.ElasticSan resource provider in the subscription that contains the private endpoint. Follow the steps in this article to approve and register private endpoints.
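Because approving a connection grants access to the whole subnet behind the requesting endpoint, and that endpoint can sit in another subscription or tenant, the approval step is worth gating. As an added example (not part of this article or of the Elastic SAN tooling), the following Python function takes the JSON that `az network private-endpoint-connection list ... -o json` returns, approves only Pending requests whose endpoint targets the expected volume group and lives in an allow-listed subscription, rejects other Pending requests, and renders the matching `approve`/`reject` CLI calls. The property names `privateEndpoint.id` and `privateLinkServiceConnectionState.status`, the allow-list, and the sample records are assumptions; the sample data is constructed.

```python
"""Approval gate for Elastic SAN private endpoint connections (added example).
Input: the JSON list from `az network private-endpoint-connection list --name <san>
--resource-group <rg> --type Microsoft.ElasticSan/elasticSans -o json`. The article
reads properties.groupIds from it; the other property names are assumed here."""
import re

# Standard ARM resource ID layout of a private endpoint.
_PE_ID = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/Microsoft\.Network/privateEndpoints/(?P<name>[^/]+)$", re.IGNORECASE)

def triage(connections, volume_group, allowed_subscriptions):
    """Return {"approve": [...], "reject": [...], "skip": [...]} of connection names.
    Only a Pending request whose endpoint targets the expected volume group and
    sits in an allow-listed subscription is approved; any other Pending request is
    rejected, so an unexpected endpoint never gains access for its subnet."""
    allowed = {s.lower() for s in allowed_subscriptions}
    out = {"approve": [], "reject": [], "skip": []}
    for conn in connections:
        p = conn.get("properties", {})
        if p.get("privateLinkServiceConnectionState", {}).get("status") != "Pending":
            out["skip"].append(conn["name"])  # already Approved or Rejected
            continue
        m = _PE_ID.match(p.get("privateEndpoint", {}).get("id", ""))
        ok = (m is not None and p.get("groupIds") == [volume_group]
              and m.group("sub").lower() in allowed)
        out["approve" if ok else "reject"].append(conn["name"])
    return out

def az_commands(san, rg, decision):
    """Render the az calls for each decision, with the same flags the article uses."""
    base = (f"az network private-endpoint-connection {{verb}} --resource-name {san} "
            f"--resource-group {rg} --type Microsoft.ElasticSan/elasticSans --name {{n}}")
    return ([base.format(verb="approve", n=n) for n in decision["approve"]]
            + [base.format(verb="reject", n=n) for n in decision["reject"]])

# Constructed sample, not real CLI output: two Pending requests, one already Approved.
_PE = "/subscriptions/{}/resourceGroups/{}/providers/Microsoft.Network/privateEndpoints/{}"
SAMPLE = [
    {"name": "vg1-conn-1", "properties": {"groupIds": ["vg1"],
     "privateEndpoint": {"id": _PE.format("11111111-0000-0000-0000-000000000001", "app-rg", "pe-app")},
     "privateLinkServiceConnectionState": {"status": "Pending"}}},
    {"name": "vg1-conn-2", "properties": {"groupIds": ["vg1"],
     "privateEndpoint": {"id": _PE.format("99999999-0000-0000-0000-000000000009", "x-rg", "pe-unknown")},
     "privateLinkServiceConnectionState": {"status": "Pending"}}},
    {"name": "vg1-conn-0", "properties": {"groupIds": ["vg1"],
     "privateEndpoint": {"id": _PE.format("11111111-0000-0000-0000-000000000001", "app-rg", "pe-old")},
     "privateLinkServiceConnectionState": {"status": "Approved"}}}]
```

Calling `triage(SAMPLE, "vg1", ["11111111-0000-0000-0000-000000000001"])` approves vg1-conn-1, rejects vg1-conn-2 and leaves the already approved vg1-conn-0 alone; feed the result to `az_commands` to get the CLI lines to run.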

Optional - network policies

Virtual network rules don't apply to private endpoints. To refine access rules and control traffic over a private endpoint, use network policies. By default, network policies are disabled for a subnet in a virtual network. To use network policies like user-defined routes and network security group support, enable network policy support for the subnet. This setting only applies to private endpoints in the subnet and affects all private endpoints in the subnet. For other resources in the subnet, access is controlled based on security rules in the network security group. For details, see Network Policies.

Configure client connections

After you enable the desired endpoints, you're ready to configure your clients to connect to the appropriate Elastic SAN volumes.

If a connection between a virtual machine (VM) and an Elastic SAN volume is lost, the connection retries for 90 seconds until terminating. Losing a connection to an Elastic SAN volume doesn't cause the VM to restart.

Next steps