Set Up a Private Storage Link

MK.IO provides an easy integration of storage accounts in the UI under the Storage Accounts topic in the left menu. However, you might want to add an extra level of security to the exchanges between MK.IO and your storage.

Below is a sample curl request that creates a storage account in MK.IO with a private link service connection (see also Create a Storage Account). Before making this call, you need a storage account configured in Azure, along with its subscription ID, resource group and storage account name.

curl --request POST \
     --url https://api.mk.io/api/accounts/customer_id/subscriptions/subscription_id/storage/ \
     --header 'accept: application/json' \
     --header 'content-type: application/json' \
     --header 'x-mkio-token: <mk.io token>' \
     --data '
{
  "spec": {
    "azureStorageConfiguration": {
      "privateLinkServiceConnection": {
        "requestMessage": "Request access message",
        "subscriptionId": "storage_account_subscription",
        "storageAccountName": "storage_account_name",
        "resourceGroupName": "storage_account_resource_group"
      },
      "url": "blob_service_sas_url"
    },
    "type": "Microsoft.Storage",
    "description": "myStorage",
    "location": "uksouth",
    "name": "myStorage"
  }
}
'

Upon successful creation of the storage account, MK.IO will issue a connection request to the storage account and use the request message as the description of that connection request.

The request will remain pending until the owner of the storage account explicitly approves it in Azure. To list the pending connection requests, browse to the Networking configuration section of your storage account in Azure and open the Private endpoint connections tab.

Select the connection you want to approve and hit the Approve button. You can use the description message to validate that this is the request from MK.IO.

Validate the connection by clicking on Yes.

All the exchanges between MK.IO and your storage are now behind a private link that provides an extra security level on top of the SAS token.
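The description check from the approval step can be scripted. The following is an added example, not MK.IO or Azure code: it generates a requestMessage with a random tag and then selects the one pending connection whose description matches it, refusing to choose when zero or several match. The function names, the sample connections and the JSON shape (Azure's privateLinkServiceConnectionState object, with or without a properties wrapper) are assumptions.

```python
import secrets


def make_request_message(label="MK.IO private link"):
    """Return a requestMessage carrying a random tag known only to the requester."""
    return f"{label} [{secrets.token_hex(8)}]"


def connection_state(conn):
    """Return the connection-state object, whether or not 'properties' is flattened."""
    props = conn.get("properties") or conn
    return props.get("privateLinkServiceConnectionState") or {}


def select_request_to_approve(connections, expected_message):
    """Return the single Pending connection whose description equals expected_message."""
    matches = [
        c for c in connections
        if connection_state(c).get("status") == "Pending"
        and connection_state(c).get("description") == expected_message
    ]
    if len(matches) != 1:
        # Zero matches: the request has not arrived or the message differs.
        # Several matches: the message is not unique, so approve nothing.
        raise LookupError(
            f"expected exactly 1 pending request with this message, found {len(matches)}"
        )
    return matches[0]


# Constructed sample data (assumed shape, not real Azure output).
EXPECTED = "MK.IO private link [3f9c1a7be2d40c55]"
SAMPLE_CONNECTIONS = [
    {"name": "pe-conn-a", "properties": {"privateLinkServiceConnectionState": {
        "status": "Pending", "description": "Request access message"}}},
    {"name": "pe-conn-b", "properties": {"privateLinkServiceConnectionState": {
        "status": "Pending", "description": EXPECTED}}},
    {"name": "pe-conn-c", "properties": {"privateLinkServiceConnectionState": {
        "status": "Approved", "description": EXPECTED}}},
]

if __name__ == "__main__":
    print(select_request_to_approve(SAMPLE_CONNECTIONS, EXPECTED)["name"])
```

A generic message such as "Request access message" cannot distinguish the MK.IO request from any other pending request that uses the same text, which is why the example tags the message before the storage account is created.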