Azure Private Link provides a secure and private connection from your virtual network to Azure platform as a service (PaaS) offerings, customer-owned services, and Azure shared services. It enables you to access these services privately without exposing them to the public internet.
Private Link uses Azure Private Endpoint, which is a network interface that connects privately and securely to a service powered by Azure Private Link. A private endpoint is assigned a private IP address from your virtual network, effectively bringing the service into your virtual network.
Key benefits include enhanced security by keeping traffic on the Microsoft backbone, simplified network architecture by eliminating the need for public IPs and NAT, compliance with regulatory requirements, and improved developer productivity with a consistent connection experience. Note that creating a private endpoint does not by itself close the service's public endpoint: to actually keep traffic off the internet, you must also disable or restrict public network access on the PaaS resource itself (for example, the storage account or SQL server firewall), otherwise a client with public DNS resolution can still reach the service over its public IP.
You can use Private Link to connect to Azure PaaS services (like Azure Storage, Azure SQL Database, Azure Cosmos DB), your own services (published through a Private Link service, which requires them to sit behind an Azure Standard Load Balancer), and Azure Marketplace services.
An Azure Private Endpoint is a network interface that connects privately and securely to a service powered by Azure Private Link. It's deployed within your virtual network, receiving a private IP address from your virtual network address space.
Azure Private Link Service is the provider-side resource you create to expose your own service to consumers via Azure Private Link. It attaches to the frontend of an Azure Standard Load Balancer in front of your service; consumers then create private endpoints in their own virtual networks that map to it. Connections can be auto-approved for listed subscriptions or approved manually, and because the service NATs consumer traffic through addresses from a NAT subnet in your virtual network, consumer address spaces may overlap with yours.
Not all Azure services support Private Link natively. You can check the Azure Private Link documentation for a comprehensive list of supported services. For services that don't have native support, you might be able to use Azure Private Link Service if you're hosting the service yourself.
A Private Endpoint is used by a consumer to connect to a service. A Private Link Service is used by a provider to expose their service to consumers. Essentially, a Private Endpoint is on the consumer side, and a Private Link Service is on the provider side.
DNS is what makes a private endpoint effective, and it is not fully automatic. Each Private Link-enabled service has a dedicated private DNS zone named privatelink.<service domain> (for example privatelink.blob.core.windows.net or privatelink.database.windows.net). When you opt into private DNS integration while creating the private endpoint, Azure creates (or reuses) that zone, links it to your virtual network, and adds an A record pointing at the endpoint's private IP. The service's public FQDN then resolves through a CNAME to the privatelink name, and the linked zone overrides that name with the private address. Without the zone link, or from a resolver that does not use it, the same CNAME chain continues on public DNS and ends at the service's public IP, so the client silently bypasses the private endpoint. If you run custom DNS servers, they must forward these privatelink zones to Azure-provided DNS (168.63.129.16) from inside the virtual network.
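The resolution paths described above can be checked offline from what a client's nslookup or dig output shows. The following Python is an added example, not code from Microsoft or from this page; the observations, the VNet range 10.1.0.0/16 and the 203.0.113.x public addresses (a documentation range) are constructed. It classifies whether a client will actually use the private endpoint or fall back to the public endpoint, including the on-premises case where the privatelink zone is not forwarded.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Every Private Link DNS zone is named privatelink.<service domain>, so a
# CNAME hop containing this label shows the chain passed through that zone.
PRIVATELINK_LABEL = ".privatelink."


@dataclass(frozen=True)
class Resolution:
    """One client's view of a service name, as shown by nslookup/dig.

    fqdn:    public service name the application connects to
    cnames:  CNAME targets in the order they were followed (may be empty)
    address: the A/AAAA record the client finally received
    """
    fqdn: str
    cnames: tuple[str, ...]
    address: str


def classify(res: Resolution, vnet_cidrs: list[str]) -> tuple[str, str]:
    """Return (verdict, explanation) for a Private Link DNS resolution.

    verdict is one of:
      "private"          privatelink.* CNAME to an address inside the VNet
      "public-fallback"  ends at a public address: traffic uses the public endpoint
      "suspicious"       VNet address without a privatelink hop (hosts file, manual A record)
    """
    ip = ipaddress.ip_address(res.address)
    in_vnet = any(ip in ipaddress.ip_network(c) for c in vnet_cidrs)
    privatelink_hop = next((c for c in res.cnames if PRIVATELINK_LABEL in c), None)

    if privatelink_hop and in_vnet:
        return "private", f"{res.fqdn} -> {privatelink_hop} -> {res.address} (in VNet)"
    if privatelink_hop:
        return "public-fallback", (
            f"{res.fqdn} reaches {privatelink_hop} but resolves to public {res.address}; "
            "the privatelink zone is not linked to this VNet or not forwarded from this resolver")
    if in_vnet:
        return "suspicious", (
            f"{res.fqdn} maps to {res.address} without a privatelink CNAME; "
            "check for a hosts-file entry or an A record on the public name")
    return "public-fallback", (
        f"{res.fqdn} resolves straight to public {res.address}; no Private Link DNS integration")


def audit(resolutions: list[Resolution], vnet_cidrs: list[str]) -> list[tuple[str, str, str]]:
    """Return (fqdn, verdict, explanation) for every observation that is not 'private'."""
    findings = []
    for res in resolutions:
        verdict, why = classify(res, vnet_cidrs)
        if verdict != "private":
            findings.append((res.fqdn, verdict, why))
    return findings


# Constructed sample data (assumed values, not captured from a real tenant).
VNET_CIDRS = ["10.1.0.0/16"]

OBSERVED = [
    # VM inside the VNet with privatelink.blob.core.windows.net linked: correct.
    Resolution("mystorage.blob.core.windows.net",
               ("mystorage.privatelink.blob.core.windows.net",), "10.1.2.5"),
    # On-premises client with no conditional forwarder for the privatelink zone:
    # the same CNAME is followed on public DNS and ends at a public address.
    Resolution("mystorage.blob.core.windows.net",
               ("mystorage.privatelink.blob.core.windows.net",), "203.0.113.20"),
    # SQL server whose private endpoint was created without DNS integration.
    Resolution("mysqlserver.database.windows.net", (), "203.0.113.40"),
]

if __name__ == "__main__":
    for fqdn, verdict, why in audit(OBSERVED, VNET_CIDRS):
        print(f"[{verdict}] {why}")
```

Run it from each vantage point you care about (a VM in the VNet, an on-premises host, a peered VNet), pasting in what the local resolver returned; anything other than "private" means that client is not using the private endpoint, whatever the portal shows.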
Yes, you can access a private endpoint from your on-premises network if you have established connectivity between your on-premises network and your Azure virtual network, typically over a Site-to-Site VPN or Azure ExpressRoute. Network reachability alone is not enough, though: your on-premises DNS must also return the private IP for the service name. Azure-provided DNS (168.63.129.16) is not reachable from on-premises, so configure a conditional forwarder for the relevant privatelink zones to a DNS forwarder VM or an Azure DNS Private Resolver inbound endpoint inside the virtual network; otherwise on-premises clients resolve the public IP and bypass the private endpoint.
Yes, Azure Private Link works seamlessly with both Azure ExpressRoute and Site-to-Site VPN connections. Traffic from your on-premises network can reach the private endpoint over these secure connections.
There are quotas and limits on the number of Private Endpoints you can create per subscription and per virtual network. Please refer to the official Azure documentation for the most up-to-date limits.