Create a Private Endpoint Connection
This document guides you through the process of creating a private endpoint connection to an Azure service. This allows you to securely connect to Azure services from within your virtual network without exposing your data to the public internet.
Note: A private endpoint connection is a resource that represents the connection from your virtual network to a specific Azure service.
Prerequisites
- An Azure subscription.
- A virtual network with subnets configured.
- An Azure service for which you want to create a private endpoint (e.g., Azure Storage, Azure SQL Database, Azure Key Vault).
- Appropriate permissions to create resources in your Azure subscription.
Steps to Create a Private Endpoint Connection
Method 1: Using the Azure Portal
- Navigate to the Azure portal (portal.azure.com).
- Search for and select the Azure service you want to connect to. For example, search for "Storage accounts".
- On the service's overview page, look for a "Networking" or "Connections" section. Select "Private endpoint connections".
- Click on "+ Create a private endpoint".
- In the "Create a private endpoint" blade, fill in the following details:
- Subscription and Resource group where the private endpoint will reside.
- Instance details:
- Name: A unique name for your private endpoint.
- Region: The region where your virtual network resides.
- Resource tab:
- Connection method: Choose "Connect to an Azure resource in my directory" or "Connect to an Azure resource by resource ID or alias".
- Subscription: The subscription containing the target Azure service.
- Resource type: Select the type of Azure service.
- Resource name: Select the specific instance of the Azure service.
- Target sub-resource: Specify the sub-resource of the service you want to connect to (e.g., `blob` for Storage accounts).
- Configuration tab:
- Virtual network: Select your virtual network.
- Subnet: Select the subnet within your virtual network for the private endpoint.
- IP configuration: Typically, "Dynamically allocate IP address" is sufficient.
- Integrate with Azure private DNS zone: Enable this for simplified DNS resolution. If enabled, select or create a private DNS zone.
- Tags tab: (Optional) Add tags for resource management.
- Review and click "Create".
- Once the private endpoint is created, you may need to approve the connection from the target Azure service's side: if it was not approved automatically, it appears in that service's "Private endpoint connections" list as a pending connection that needs approval.
Method 2: Using Azure CLI
This example demonstrates creating a private endpoint for an Azure Storage account.
# Variables
RESOURCE_GROUP="myResourceGroup"
VNET_NAME="myVNet"
SUBNET_NAME="mySubnet"
PRIVATE_ENDPOINT_NAME="myPrivateEndpoint"
TARGET_STORAGE_ACCOUNT_ID="/subscriptions/YOUR_SUBSCRIPTION_ID/resourceGroups/myStorageResourceGroup/providers/Microsoft.Storage/storageAccounts/yourstorageaccountname"
PRIVATE_DNS_ZONE_ID="/subscriptions/YOUR_SUBSCRIPTION_ID/resourceGroups/myResourceGroup/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net"

# Get the subnet ID and the VNet's region (the private endpoint must be created in the same region as its VNet)
SUBNET_ID=$(az network vnet subnet show --resource-group "$RESOURCE_GROUP" --vnet-name "$VNET_NAME" --name "$SUBNET_NAME" --query id -o tsv)
LOCATION=$(az network vnet show --resource-group "$RESOURCE_GROUP" --name "$VNET_NAME" --query location -o tsv)

# Create the private endpoint (the subnet ID already identifies the VNet, so --vnet-name is not needed;
# --connection-name is required and names the connection as it appears on the target resource)
az network private-endpoint create \
  --resource-group "$RESOURCE_GROUP" \
  --name "$PRIVATE_ENDPOINT_NAME" \
  --location "$LOCATION" \
  --subnet "$SUBNET_ID" \
  --private-connection-resource-id "$TARGET_STORAGE_ACCOUNT_ID" \
  --group-id blob \
  --connection-name "${PRIVATE_ENDPOINT_NAME}-connection"

# Link the endpoint to the private DNS zone so the storage FQDN resolves to the endpoint's private IP
# (the privatelink.blob.core.windows.net zone must already exist and be linked to the VNet)
az network private-endpoint dns-zone-group create \
  --resource-group "$RESOURCE_GROUP" \
  --endpoint-name "$PRIVATE_ENDPOINT_NAME" \
  --name "myDnsZoneGroup" \
  --zone-name blob \
  --private-dns-zone "$PRIVATE_DNS_ZONE_ID"
Tip: For other Azure services, you will need the correct --group-id value (the target sub-resource) and the corresponding private DNS zone ID. Refer to the specific service documentation for details.
Verifying the Connection
After creation, you can verify the connection by:
- Checking the status of the private endpoint connection in the Azure portal.
- Attempting to access the Azure service from a virtual machine within your virtual network using its private IP address or a private DNS name.
Important: Ensure your DNS resolution is correctly configured to resolve the service's FQDN to the private IP address of the private endpoint.
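The checks described above, scripted as an added example that is not part of the original document. It assumes the az CLI is logged in and that the DNS check runs on a VM inside the VNet; the resource group, endpoint name and FQDN are passed in as hypothetical arguments.

```shell
#!/usr/bin/env bash
# Added verification helper, not from the original document.
# Assumptions: az CLI is logged in; check_private_resolution runs on a VM inside the VNet.

# Return 0 if the IPv4 address is in RFC 1918 private space (what a private endpoint NIC gets).
is_private_ipv4() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 only if the resolved address equals the endpoint's IP and that IP is private.
# A mismatch means clients are still being steered to the public (or a stale) address.
resolution_ok() {
  local expected="$1" resolved="$2"
  [ -n "$expected" ] && [ "$expected" = "$resolved" ] && is_private_ipv4 "$resolved"
}

# Approval state of the connection: Approved, Pending, Rejected or Disconnected.
# Manually requested connections are listed under manualPrivateLinkServiceConnections instead.
pe_connection_state() {
  az network private-endpoint show --resource-group "$1" --name "$2" \
    --query "privateLinkServiceConnections[0].privateLinkServiceConnectionState.status" -o tsv
}

# Private IP assigned to the endpoint's NIC, as recorded in its DNS configuration.
pe_private_ip() {
  az network private-endpoint show --resource-group "$1" --name "$2" \
    --query "customDnsConfigs[0].ipAddresses[0]" -o tsv
}

# Resolve the service FQDN from inside the VNet and compare it with the endpoint's IP.
check_private_resolution() {
  local rg="$1" name="$2" fqdn="$3" expected resolved
  expected=$(pe_private_ip "$rg" "$name")
  resolved=$(getent ahostsv4 "$fqdn" | awk 'NR==1 {print $1}')
  if resolution_ok "$expected" "$resolved"; then
    echo "OK: $fqdn -> $resolved (private endpoint, state: $(pe_connection_state "$rg" "$name"))"
  else
    echo "FAIL: $fqdn -> ${resolved:-<no answer>}, endpoint IP is ${expected:-<unknown>}; check the private DNS zone link"
    return 1
  fi
}
```

Run it as `check_private_resolution myResourceGroup myPrivateEndpoint yourstorageaccountname.blob.core.windows.net` from a VM in the VNet; a FAIL with a public address means the private DNS zone is not linked to the VNet or the zone group was not created.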