How to perform Disaster Recovery in Storage with Private Endpoints?

DR in Storage with Private Endpoints

With the rapid growth of cloud-based deployments and the movement of resources from on-premises data centers to Azure across regions, redundancy becomes an important consideration. Redundancy can be achieved within a data center by choosing fault domains and update domains, and can extend to setting up the service in a different region.

When you have the same service in two regions and want to fail over, how do you do it? And when you have dependencies such as Private Endpoints connected to the service, how do you achieve failover?

In this blog, we are going to discuss how to achieve Disaster Recovery in Storage with Private Endpoints.  

Microsoft Azure Setup 

Setup Details: 

  1. Create a storage account in West Europe with RA-GRS as account type. 
    Step 1 
  2. Create a Private Endpoint in the West Europe region. You need to deploy a VNET first in order to deploy the Private Endpoint. During the creation of the Private Endpoint, choose blob as the sub-resource type.
    Step 2 
  3. Create another VNET in North Europe and deploy another Private Endpoint into it, choosing the North Europe VNET. During the creation of this Private Endpoint, choose blob-secondary as the sub-resource type.
    Step 3 
  4. A Private DNS Zone gets created in the process of creating Private Endpoint. You should notice 2 A records pointing to Private IP of the Private Endpoint as shown below: 
    Step 4
  5. To test the failover, you need a VM in the West Europe region. Deploy a VM and RDP to the VM:
    Step 5 

Below are the Nslookup results before failover: 

Primary: 59 IN CNAME 59 IN CNAME 59 IN A 

Secondary: 59 IN CNAME 59 IN CNAME 59 IN A 

In Azure VM:  


Server:  UnKnown 


Non-authoritative answer: 




In order to perform failover, navigate to the Storage Account and choose Geo-redundancy under settings. You can find the “Prepare to failover” option. Click on it to start the failover:  

Storage account

Nslookup results post failover:

When you query: 59 IN CNAME 59 IN CNAME 42 IN A 

When you query: 59 IN SOA 2093536361 900 300 604800 60 

Inside VM:  


Server:  UnKnown 


Non-authoritative answer: 




As you can see, from inside the VM the name always resolves to the Private IP of the Private Endpoint in West Europe. After failover, however, this Private Endpoint connects to the Storage Account in North Europe, because Azure changes the configuration in the data path to make sure the Private Endpoint connects to the failed-over endpoint. Also, when you fail over, the Storage Account becomes LRS, and hence the secondary endpoint is no longer active.

With this you don’t need to make any changes to the DNS part of Private Endpoint as it always points to the active Storage region.  
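The check below is an added example, not part of the original post. It confirms from a VM inside the VNET that the blob endpoint still resolves into the Private Endpoint subnet, with the same answer, after failover. The account name, subnet ranges and IP addresses are constructed placeholders; pass `resolve_ipv4` instead of the fake resolver to query real DNS.

```python
import ipaddress
import socket

def resolve_ipv4(hostname):
    """IPv4 addresses the local resolver returns for hostname (run inside the VNET)."""
    infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def check_resolution(hostname, pe_subnet, resolver=resolve_ipv4):
    """Classify a name: 'private-endpoint', 'outside-subnet' or 'unresolved'."""
    subnet = ipaddress.ip_network(pe_subnet)
    try:
        addrs = resolver(hostname)
    except OSError:  # socket.gaierror: NXDOMAIN or no A record
        addrs = []
    if not addrs:
        status = "unresolved"
    elif all(ipaddress.ip_address(a) in subnet for a in addrs):
        status = "private-endpoint"
    else:
        status = "outside-subnet"  # e.g. public IP: private DNS zone not linked
    return {"host": hostname, "status": status, "addresses": addrs}

def failover_dns_ok(before, after):
    """True if the primary name kept the same Private Endpoint answer across failover."""
    return (before["status"] == after["status"] == "private-endpoint"
            and before["addresses"] == after["addresses"])

# Constructed sample data (placeholders, not values from the original post).
ACCOUNT = "examplestorageacct"
PRIMARY = f"{ACCOUNT}.blob.core.windows.net"
SECONDARY = f"{ACCOUNT}-secondary.blob.core.windows.net"
WEST_EUROPE_PE_SUBNET = "10.1.0.0/24"
NORTH_EUROPE_PE_SUBNET = "10.2.0.0/24"
BEFORE = {PRIMARY: ["10.1.0.4"], SECONDARY: ["10.2.0.4"]}
AFTER = {PRIMARY: ["10.1.0.4"]}  # secondary has no A record once the account is LRS

def fake_resolver(table):
    """Stand-in resolver over a constructed table, so the example runs offline."""
    def resolve(hostname):
        if hostname not in table:
            raise socket.gaierror("no A record")
        return table[hostname]
    return resolve

if __name__ == "__main__":
    before = check_resolution(PRIMARY, WEST_EUROPE_PE_SUBNET, fake_resolver(BEFORE))
    after = check_resolution(PRIMARY, WEST_EUROPE_PE_SUBNET, fake_resolver(AFTER))
    print("primary unchanged across failover:", failover_dns_ok(before, after))
    print(check_resolution(SECONDARY, NORTH_EUROPE_PE_SUBNET, fake_resolver(AFTER)))
```

An `outside-subnet` result for the primary name means clients are not reaching storage through the Private Endpoint, which usually points to a missing private DNS zone link rather than a failover problem.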

Hope this blog is useful!! 
