Airlock function private endpoint for internal storage

[tamirkamara]

What is being addressed

The Airlock Function uses a storage account internally but does it over public network.
This is part of #2518

How is this addressed

• Add Private Endpoint(s) for the storage account
• Block public internet access to the storage account

[github-actions]

Unit Test Results

1 tests   - 2   1 ✔️  - 1   26m 14s ⏱️ - 1h 11m 9s
1 suites ±0   0 💤 ±0 
1 files   ±0   0 ❌  - 1 

Results for commit 21ae692. ± Comparison against base commit 99d772d.

This pull request removes 2 tests.

test_workspace_services ‑ test_create_guacamole_service_into_aad_workspace
test_workspace_services ‑ test_create_guacamole_service_into_base_workspace

♻️ This comment has been updated with latest results.

[tamirkamara]

/test-extended

[github-actions]

🤖 pr-bot 🤖

🏃 Running extended tests: https://github.com/microsoft/AzureTRE/actions/runs/3168701959 (with refid 0506cfe0)

(in response to this comment from @tamirkamara)

[guybartal]

LGTM

[yuvalyaron]

@tamirkamara
why does the airlock function need a private endpoint?
isn't a firewall rule in the storage account enough?

[tamirkamara]

@tamirkamara why does the airlock function need a private endpoint? isn't a firewall rule in the storage account enough?

@yuvalyaron I imagine you'd define a rule with the subnet/vnet internal address, right? A private endpoint is essencially a way to give the storage account an ip address in the vnet and by such we make sure all communication is done over private network. IIRC, you need this anyway for the firewall rule mentioned above.