Azure Private Link Architecture
Azure Private Link lets clients in an Azure Virtual Network (VNet) reach Azure PaaS services, and customer-owned services hosted in Azure, over a private IP address from their own address space, so the traffic never traverses the public internet. This document outlines the core architectural components and how they interact to achieve private connectivity.
Core Components
- Virtual Network (VNet): Your isolated network in Azure where your resources reside.
- Private Endpoint: A network interface (NIC) in one of your subnets that is bound to a specific instance of an Azure service, for example the blob sub-resource of one storage account. It takes a private IP address from your VNet, effectively bringing that one resource into your network.
- Private Link Service: A resource you create in your own VNet to expose a customer-owned service (for example an application on Azure VMs or Virtual Machine Scale Sets behind a Standard Load Balancer) to consumers through Private Link. Consumers can sit in other VNets, other subscriptions or other Microsoft Entra tenants; no VNet peering is needed and the address spaces may overlap.
- NAT IP configuration: One or more private IPs from a dedicated subnet in the provider's VNet that the Private Link Service uses to source-NAT incoming consumer traffic. The provider's backends see this NAT IP, not the consumer's address, unless the Proxy Protocol option is enabled so the original source is carried in a TCP PROXY v2 header.
- Azure PaaS services (Azure Storage, Azure SQL Database, Azure Key Vault and others): The services you want to reach privately. Each exposes one or more sub-resources (group IDs such as blob, file or sqlServer) that a private endpoint targets; one private endpoint maps to exactly one sub-resource of one resource instance, not to the service as a whole.
- Azure Private DNS zone: A zone named privatelink.<service suffix> (for example privatelink.blob.core.windows.net) linked to your VNets. It holds the A records that resolve a service's privatelink FQDN to the private IP of its private endpoint.
How it Works: Accessing Azure PaaS Services
- A user or application in the VNet connects to the service's normal FQDN, for example mystorage.blob.core.windows.net.
- Public DNS for that name returns a CNAME to the matching privatelink name (mystorage.privatelink.blob.core.windows.net). An Azure Private DNS zone named privatelink.blob.core.windows.net, linked to the VNet, carries an A record for that name pointing at the private endpoint's IP, so clients that use Azure-provided DNS (or a forwarder that reaches it) receive the private IP instead of the public one.
- The private endpoint is a NIC in your subnet holding that private IP. Traffic sent to it is carried over the Azure backbone to the specific resource instance the endpoint is bound to; it does not traverse the public internet.
- Because each endpoint is bound to one resource rather than to the whole service, a client in the VNet cannot use the endpoint to reach some other storage account. This is the data-exfiltration protection Private Link provides, and it only holds if the service's own public endpoint is also closed (see Network Security below).
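The PaaS flow above, as an added Bicep example that is not part of the original page: a storage account whose public endpoint is disabled, a private endpoint for its blob sub-resource in an existing subnet, and the Private DNS zone, VNet link and DNS zone group that make the normal FQDN resolve to the endpoint's private IP. The names vnet-hub, snet-private-endpoints and stprivlinkdemo are illustrative assumptions.

```bicep
// Added example, not code from the original page. Assumes an existing VNet
// 'vnet-hub' with a subnet 'snet-private-endpoints' in the target resource group.
param location string = resourceGroup().location
param vnetName string = 'vnet-hub'
param peSubnetName string = 'snet-private-endpoints'
param storageAccountName string = 'stprivlinkdemo'

resource vnet 'Microsoft.Network/virtualNetworks@2023-11-01' existing = {
  name: vnetName
}

resource peSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-11-01' existing = {
  parent: vnet
  name: peSubnetName
}

// The PaaS resource. A private endpoint alone does not close the public
// endpoint; publicNetworkAccess = Disabled does, leaving the endpoint as the
// only way in.
resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: {
    publicNetworkAccess: 'Disabled'
    networkAcls: { defaultAction: 'Deny', bypass: 'AzureServices' }
    allowBlobPublicAccess: false
    supportsHttpsTrafficOnly: true
    minimumTlsVersion: 'TLS1_2'
  }
}

// Private endpoint: a NIC in the subnet, bound to one sub-resource (groupId
// 'blob') of this one storage account.
resource pe 'Microsoft.Network/privateEndpoints@2023-11-01' = {
  name: 'pe-${storageAccountName}-blob'
  location: location
  properties: {
    subnet: { id: peSubnet.id }
    privateLinkServiceConnections: [
      {
        name: 'blob'
        properties: {
          privateLinkServiceId: storage.id
          groupIds: [ 'blob' ]
        }
      }
    ]
  }
}

// Public DNS already CNAMEs <account>.blob.core.windows.net to
// <account>.privatelink.blob.core.windows.net; this zone answers that name
// with the private IP for every VNet linked to it.
resource zone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.blob.${environment().suffixes.storage}'
  location: 'global'
}

resource zoneLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: zone
  name: '${vnetName}-link'
  location: 'global'
  properties: {
    virtualNetwork: { id: vnet.id }
    registrationEnabled: false
  }
}

// DNS zone group: Azure creates and maintains the A record for the endpoint's
// private IP, so the record cannot drift from the NIC.
resource peDns 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-11-01' = {
  parent: pe
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      { name: 'blob', properties: { privateDnsZoneId: zone.id } }
    ]
  }
}
```

After deployment, nslookup for the storage FQDN from a VM in vnet-hub should return the CNAME chain ending in an address from snet-private-endpoints; the same lookup from outside Azure still returns the public IP, but the storage firewall rejects that path because public network access is disabled.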
How it Works: Exposing Your Own Services
- Deploy your service (for example a web application on Azure VMs or a scale set) behind an internal Standard SKU Load Balancer in your VNet. Basic SKU load balancers are not supported by Private Link Service.
- Create a Private Link Service that references the load balancer's frontend IP configuration and give it one or more NAT IP configurations from a subnet whose private link service network policies are disabled. Use the visibility setting to control which subscriptions can discover the service and the auto-approval list to decide which consumers connect without manual review.
- Consumers create a private endpoint in their own VNet that targets your Private Link Service by resource ID or alias. Unless their subscription is on the auto-approval list, the connection stays in a Pending state until you approve or reject it on the provider side.
- Traffic from the consumer's private endpoint crosses the Azure backbone, is source-NATed to one of your NAT IPs, arrives at the load balancer frontend and is distributed to your backends. The backends see the NAT IP as the client address; enable the Proxy Protocol option and parse the TCP PROXY v2 header if they need the consumer's original source IP.
- The consumer never receives a route into your VNet and you never expose a public IP; address spaces may overlap and no peering is required, so the exposure is limited to the load balancer frontend you chose to publish.
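The provider and consumer sides of the flow above, as an added Bicep example that is not part of the original page. It deploys a provider VNet with a NAT subnet, an internal Standard Load Balancer and a Private Link Service, then a consumer VNet with a private endpoint targeting that service. The names vnet-provider, vnet-consumer, lbi-app, pls-app and the 10.10.0.0/16 and 10.20.0.0/16 ranges are assumptions; the backend VMs behind the load balancer are not shown.

```bicep
// Added example, not code from the original page. Both sides are deployed to
// one subscription here so the consumer matches the autoApproval list below.
param location string = resourceGroup().location

resource providerVnet 'Microsoft.Network/virtualNetworks@2023-11-01' = {
  name: 'vnet-provider'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [
      { name: 'snet-app', properties: { addressPrefix: '10.10.1.0/24' } }
      {
        // NAT subnet: consumer traffic is source-NATed to IPs taken from here.
        name: 'snet-pls-nat'
        properties: {
          addressPrefix: '10.10.2.0/24'
          privateLinkServiceNetworkPolicies: 'Disabled' // required for PLS NAT IPs
        }
      }
    ]
  }
}

resource lb 'Microsoft.Network/loadBalancers@2023-11-01' = {
  name: 'lbi-app'
  location: location
  sku: { name: 'Standard' } // Basic SKU cannot front a Private Link Service
  properties: {
    frontendIPConfigurations: [
      {
        name: 'fe-app'
        properties: {
          subnet: { id: providerVnet.properties.subnets[0].id }
          privateIPAllocationMethod: 'Dynamic'
        }
      }
    ]
    backendAddressPools: [ { name: 'be-app' } ]
    probes: [ { name: 'hp-443', properties: { protocol: 'Tcp', port: 443, intervalInSeconds: 5 } } ]
    loadBalancingRules: [
      {
        name: 'rule-443'
        properties: {
          frontendIPConfiguration: { id: resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', 'lbi-app', 'fe-app') }
          backendAddressPool: { id: resourceId('Microsoft.Network/loadBalancers/backendAddressPools', 'lbi-app', 'be-app') }
          probe: { id: resourceId('Microsoft.Network/loadBalancers/probes', 'lbi-app', 'hp-443') }
          protocol: 'Tcp'
          frontendPort: 443
          backendPort: 443
        }
      }
    ]
  }
}

resource pls 'Microsoft.Network/privateLinkServices@2023-11-01' = {
  name: 'pls-app'
  location: location
  properties: {
    loadBalancerFrontendIpConfigurations: [ { id: lb.properties.frontendIPConfigurations[0].id } ]
    ipConfigurations: [
      {
        name: 'nat-1'
        properties: {
          subnet: { id: providerVnet.properties.subnets[1].id }
          privateIPAllocationMethod: 'Dynamic'
          primary: true
        }
      }
    ]
    // Only listed subscriptions can discover the service; only listed
    // subscriptions connect without a manual approval step.
    visibility: { subscriptions: [ subscription().subscriptionId ] }
    autoApproval: { subscriptions: [ subscription().subscriptionId ] }
    // Without this the backends only ever see the NAT IP as the client address.
    enableProxyProtocol: true
  }
}

resource consumerVnet 'Microsoft.Network/virtualNetworks@2023-11-01' = {
  name: 'vnet-consumer'
  location: location
  properties: {
    // Private Link does not route between the VNets, so this range could even
    // overlap with the provider's 10.10.0.0/16.
    addressSpace: { addressPrefixes: [ '10.20.0.0/16' ] }
    subnets: [ { name: 'snet-pe', properties: { addressPrefix: '10.20.1.0/24' } } ]
  }
}

// Consumer private endpoint targeting the Private Link Service by resource ID.
// A consumer in another tenant would use the alias output below instead.
resource consumerPe 'Microsoft.Network/privateEndpoints@2023-11-01' = {
  name: 'pe-app'
  location: location
  properties: {
    subnet: { id: consumerVnet.properties.subnets[0].id }
    privateLinkServiceConnections: [
      { name: 'app', properties: { privateLinkServiceId: pls.id } }
    ]
  }
}

output plsAlias string = pls.properties.alias
```

The alias is what you hand to an external consumer; it does not reveal your subscription or resource group. Connections from subscriptions outside the visibility list fail outright, and those outside the auto-approval list appear under the service's private endpoint connections as Pending until a provider-side approval.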
Network Security
Azure Private Link improves network security by:
- Taking the public endpoint out of the data path: clients in the VNet reach the resource over a private IP. This does not by itself close the service's public endpoint; set the resource's public network access to Disabled (or restrict its service firewall) so that the private endpoint is the only way in.
- Binding each endpoint to one resource instance: a private endpoint reaches exactly one storage account, SQL server or other resource, so the same path cannot be used to move data to a different instance of that service (protection against data exfiltration).
- Allowing NSG and routing control: network security groups and user-defined routes apply to private endpoint traffic only when the subnet's private endpoint network policies are enabled. They are disabled by default, and in that state an NSG attached to the subnet is ignored for private endpoint NICs. Once enabled, Azure Firewall or an NVA can sit in the path for inspection.
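The NSG caveat in the last bullet, as an added Bicep example that is not part of the original page: a private endpoint subnet created with private endpoint network policies enabled and an NSG that only admits HTTPS from the application subnet. The names vnet-hub, snet-private-endpoints and the 10.0.x.0/24 prefixes are assumptions; if the VNet is itself declared in the same template, define the subnet inline there instead of as a separate child resource to avoid the two definitions overwriting each other.

```bicep
// Added example, not code from the original page. Assumes an existing VNet
// 'vnet-hub' in the target resource group.
param location string = resourceGroup().location
param vnetName string = 'vnet-hub'
param appSubnetPrefix string = '10.0.1.0/24'
param peSubnetPrefix string = '10.0.2.0/24'

resource vnet 'Microsoft.Network/virtualNetworks@2023-11-01' existing = {
  name: vnetName
}

resource nsg 'Microsoft.Network/networkSecurityGroups@2023-11-01' = {
  name: 'nsg-private-endpoints'
  location: location
  properties: {
    securityRules: [
      {
        // Only the application subnet may talk to the endpoints, and only on 443.
        name: 'allow-app-subnet-https'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: appSubnetPrefix
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '443'
        }
      }
      {
        // Overrides the default AllowVnetInBound rule that would otherwise let
        // any peered or on-premises address reach the endpoints.
        name: 'deny-all-other-inbound'
        properties: {
          priority: 4000
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
    ]
  }
}

resource peSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-11-01' = {
  parent: vnet
  name: 'snet-private-endpoints'
  properties: {
    addressPrefix: peSubnetPrefix
    // Default is Disabled; in that state the NSG below is not evaluated for
    // private endpoint NICs and UDRs on the subnet are bypassed as well.
    privateEndpointNetworkPolicies: 'Enabled'
    networkSecurityGroup: { id: nsg.id }
  }
}
```

With the weak setting (policies left Disabled) the same NSG deploys without error and appears attached in the portal, yet every host in the VNet can still reach the endpoints; use NSG flow logs or a test from a subnet outside appSubnetPrefix to confirm the deny rule is actually taking effect.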
Note: DNS is what makes Private Link take effect. Use Azure Private DNS zones named privatelink.<service suffix>, link them to every VNet that needs the private path, and let each private endpoint's DNS zone group manage the A records. Custom or on-premises DNS servers must forward those zones to a resolver inside Azure (Azure DNS Private Resolver or a forwarder VM) or clients there will keep receiving the public IP.
Tip: For complex architectures, combine Private Link with Azure Firewall or a Network Virtual Appliance (NVA): enable private endpoint network policies on the endpoint subnet so that NSGs and user-defined routes apply, then route consumer subnets through the firewall for traffic inspection and policy enforcement.
Warning: A DNS mistake does not always fail loudly. If the service still allows public access and a client resolves the FQDN to the public IP, the connection succeeds over the internet and silently bypasses the private endpoint. After creating a private endpoint, run nslookup (or Resolve-DnsName) against the service FQDN from a VM in the VNet and confirm the answer is the endpoint's private IP, and disable public network access on the resource so that a misresolution produces a visible failure instead of a leak.