Azure Private Link enables you to connect privately to Azure resources. Private Link connections are scoped to a specific subscription. This article shows you how to approve a private endpoint connection across subscriptions.
Prerequisites
- Two active Azure subscriptions:
  - One subscription hosts the Azure resource and the other subscription contains the consumer private endpoint and virtual network.
- An administrator account for each subscription or an account with permissions in each subscription to create and manage resources. 
- Azure Private Link requires the private endpoint and the Private Link service to be in the same tenant, as cross-tenant configurations are not supported. 
Resources used in this article:
| Resource | Subscription | Resource group | Location | 
|---|---|---|---|
| storage1 (This name is unique. Replace with the name you create.) | subscription-1 | test-rg | East US 2 | 
| vnet-1 | subscription-2 | test-rg | East US 2 | 
| private-endpoint | subscription-2 | test-rg | East US 2 | 
Sign in to subscription-1
Sign in to subscription-1 in the Azure portal.
Register the resource providers for subscription-1
For the private endpoint connection to complete successfully, the Microsoft.Storage and Microsoft.Network resource providers must be registered in subscription-1. Use the following steps to register the resource providers. If the Microsoft.Storage and Microsoft.Network resource providers are already registered, skip this step.
Important
If you're using a different resource type, you must register the resource provider for that resource type if it's not already registered.
- In the search box at the top of the portal, enter Subscription. Select Subscriptions in the search results. 
- Select subscription-1. 
- In Settings, select Resource providers. 
- In the Resource providers filter box, enter Microsoft.Storage. Select Microsoft.Storage. 
- Select Register. 
- Repeat the previous steps to register the Microsoft.Network resource provider.
Create a resource group
- In the search box at the top of the portal, enter Resource group. Select Resource groups in the search results. 
- Select + Create. 
- On the Basics tab of Create a resource group, enter or select the following information:

  | Setting | Value |
  |---|---|
  | Project details | |
  | Subscription | Select subscription-1. |
  | Resource group | Enter test-rg. |
  | Region | Select East US 2. |

- Select Review + Create. 
- Select Create. 
Create a storage account
Create an Azure Storage account for the steps in this article. If you already have a storage account, you can use it instead.
- In the search box at the top of the portal, enter Storage account. Select Storage accounts in the search results. 
- Select + Create. 
- On the Basics tab of Create a storage account, enter or select the following information:

  | Setting | Value |
  |---|---|
  | Project details | |
  | Subscription | Select your Azure subscription. |
  | Resource group | Select test-rg. |
  | Instance details | |
  | Storage account name | Enter storage1. If the name is unavailable, enter a unique name. |
  | Location | Select (US) East US 2. |
  | Performance | Leave the default Standard. |
  | Redundancy | Select Locally-redundant storage (LRS). |

- Select Review. 
- Select Create. 
Obtain the storage account resource ID
You need the storage account resource ID to create the private endpoint connection in subscription-2. Use the following steps to obtain the storage account resource ID.
- In the search box at the top of the portal, enter Storage account. Select Storage accounts in the search results. 
- Select storage1 or the name of your existing storage account. 
- In Settings, select Endpoints. 
- Copy the entry in Storage account resource ID. 
Sign in to subscription-2
Sign in to subscription-2 in the Azure portal.
Register the resource providers for subscription-2
For the private endpoint connection to complete successfully, the Microsoft.Storage and Microsoft.Network resource providers must be registered in subscription-2. Use the following steps to register the resource providers. If the Microsoft.Storage and Microsoft.Network resource providers are already registered, skip this step.
Important
If you're using a different resource type, you must register the resource provider for that resource type if it's not already registered.
- In the search box at the top of the portal, enter Subscription. Select Subscriptions in the search results. 
- Select subscription-2. 
- In Settings, select Resource providers. 
- In the Resource providers filter box, enter Microsoft.Storage. Select Microsoft.Storage. 
- Select Register. 
- Repeat the previous steps to register the Microsoft.Network resource provider.
The following procedure creates a virtual network with a resource subnet.
- In the portal, search for and select Virtual networks. 
- On the Virtual networks page, select + Create. 
- On the Basics tab of Create virtual network, enter or select the following information:

  | Setting | Value |
  |---|---|
  | Project details | |
  | Subscription | Select your subscription. |
  | Resource group | Select Create new. Enter test-rg in Name. Select OK. |
  | Instance details | |
  | Name | Enter vnet-1. |
  | Region | Select East US 2. |

- Select Next to proceed to the Security tab. 
- Select Next to proceed to the IP addresses tab. 
- In the address space box under Subnets, select the default subnet. 
- On the Edit subnet pane, enter or select the following information:

  | Setting | Value |
  |---|---|
  | Subnet details | |
  | Subnet template | Leave the default as Default. |
  | Name | Enter subnet-1. |
  | Starting address | Leave the default of 10.0.0.0. |
  | Subnet size | Leave the default of /24 (256 addresses). |

- Select Save. 
- Select Review + create at the bottom of the screen. After validation passes, select Create. 
Create private endpoint
- In the search box at the top of the portal, enter Private endpoint. Select Private endpoints. 
- Select + Create in Private endpoints. 
- On the Basics tab of Create a private endpoint, enter or select the following information:

  | Setting | Value |
  |---|---|
  | Project details | |
  | Subscription | Select subscription-2. |
  | Resource group | Select test-rg. |
  | Instance details | |
  | Name | Enter private-endpoint. |
  | Network Interface Name | Leave the default of private-endpoint-nic. |
  | Region | Select East US 2. |

- Select Next: Resource. 
- Select Connect to an Azure resource by resource ID or alias. 
- In Resource ID or alias, paste the storage account resource ID that you copied earlier. 
- In Target sub-resource, enter blob. 
- Select Next: Virtual Network. 
- In Virtual Network, enter or select the following information:

  | Setting | Value |
  |---|---|
  | Networking | |
  | Virtual network | Select vnet-1 (test-rg). |
  | Subnet | Select subnet-1. |

- Select Next: DNS. 
- Select Next: Tags. 
- Select Review + Create. 
- Select Create. 
Approve private endpoint connection
The private endpoint connection is in a Pending state until approved. Use the following steps to approve the private endpoint connection in subscription-1.
- In the search box at the top of the portal, enter Private endpoint. Select Private endpoints. 
- Select Pending connections. 
- Select the box next to your storage account in subscription-1. 
- Select Approve. 
- Select Yes in Approve connection. 
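
Before approving, the owner of the resource in subscription-1 can check that each pending request originates from the expected consumer subscription. The following Python code is an added example, not part of the original article: it triages connection records in the ARM resource shape (`properties.privateEndpoint.id`, `properties.privateLinkServiceConnectionState.status`). The records, connection names and subscription GUIDs are constructed placeholders.

```python
import re

# Placeholder GUIDs (constructed): subscription-2 is the expected consumer.
SUBSCRIPTION_2 = "22222222-2222-2222-2222-222222222222"
UNKNOWN_SUB = "99999999-9999-9999-9999-999999999999"

# ARM resource IDs are case-insensitive; accept only well-formed private endpoint IDs.
PE_ID_RE = re.compile(
    r"^/subscriptions/(?P<sub>[0-9a-f-]{36})/resourceGroups/[^/]+"
    r"/providers/Microsoft\.Network/privateEndpoints/[^/]+$",
    re.IGNORECASE,
)

def make_conn(name, sub, status):
    """Build one constructed connection record in the ARM shape."""
    pe_id = (f"/subscriptions/{sub}/resourceGroups/test-rg"
             "/providers/Microsoft.Network/privateEndpoints/private-endpoint")
    return {"name": name, "properties": {
        "privateEndpoint": {"id": pe_id},
        "privateLinkServiceConnectionState": {"status": status}}}

SAMPLE_CONNECTIONS = [  # constructed sample data
    make_conn("conn-expected", SUBSCRIPTION_2, "Pending"),
    make_conn("conn-unknown", UNKNOWN_SUB, "Pending"),
    make_conn("conn-existing", SUBSCRIPTION_2, "Approved"),
]

def triage_pending(connections, expected_subscriptions):
    """Split Pending connections into (approve, review) lists of names.

    A request goes to 'approve' only if its private endpoint ID parses and
    its subscription is in the allowlist; anything else needs manual review.
    """
    expected = {s.lower() for s in expected_subscriptions}
    approve, review = [], []
    for conn in connections:
        props = conn.get("properties") or {}
        state = props.get("privateLinkServiceConnectionState") or {}
        if state.get("status") != "Pending":
            continue  # already approved, rejected or disconnected
        pe_id = (props.get("privateEndpoint") or {}).get("id") or ""
        match = PE_ID_RE.match(pe_id)
        if match and match.group("sub").lower() in expected:
            approve.append(conn["name"])
        else:
            review.append(conn["name"])
    return approve, review

if __name__ == "__main__":
    print(triage_pending(SAMPLE_CONNECTIONS, [SUBSCRIPTION_2]))
```
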
Next steps
In this article, you learned how to approve a private endpoint connection across subscriptions. To learn more about Azure Private Link, continue to the following articles:
