How to Use Azure Private Link

This section provides step-by-step guidance on how to implement and manage Azure Private Link to securely connect to Azure services.

Scenario 1: Creating a Private Endpoint for Azure Storage

This guide walks you through the process of creating a private endpoint for an Azure Storage account, allowing secure access from your virtual network.

Step 1: Navigate to Azure Private Link Center

In the Azure portal, search for "Private Link" and select it. Click on "Create a private endpoint".

Step 2: Configure Basics

  • Subscription: Select your Azure subscription.
  • Resource group: Choose an existing resource group or create a new one.
  • Instance details:
    • Name: Provide a descriptive name for your private endpoint (e.g., my-storage-pe).
    • Region: Select the same region as your virtual network.

Step 3: Configure Resource

  • Connection method: Select "Connect to an Azure resource from my directory".
  • Subscription: Select the subscription containing your storage account.
  • Resource type: Choose "Microsoft.Storage/storageAccounts".
  • Resource: Select your Azure Storage account.
  • Target sub-resource: Choose "blob" (or "file", "queue", "table" depending on your needs).

Step 4: Configure Virtual Network

  • Virtual network: Select the virtual network you want to connect from.
  • Subnet: Choose the subnet within your virtual network where the private endpoint will reside.
  • Private DNS integration: Keep "Yes" selected to integrate with Azure Private DNS Zone for name resolution.
    • Private DNS Zone: A default zone will be suggested (e.g., privatelink.blob.core.windows.net).

Step 5: Configure Tags and Review

  • Add any necessary tags for organization.
  • Review all your settings.
  • Click "Create" to deploy the private endpoint.

Tip: Ensure that DNS resolution from inside the virtual network maps the storage account's FQDN to the private IP address of the private endpoint; if a client still receives the public address, its traffic bypasses the private endpoint. If you kept Private DNS integration enabled in Step 4, the linked Azure Private DNS zone creates and maintains this record automatically.

Scenario 2: Accessing Azure SQL Database with Private Endpoint

Learn how to secure access to your Azure SQL Database using a private endpoint.

  1. Follow the same steps as in Scenario 1, but when configuring the Resource:
    • Resource type: Select "Microsoft.Sql/servers".
    • Resource: Select your Azure SQL Database server.
    • Target sub-resource: Choose "sqlServer".
  2. For Private DNS integration, the zone will typically be privatelink.database.windows.net.
  3. Verify connectivity by attempting to connect to your SQL database using its private IP address or its FQDN from a resource within the connected virtual network.

Note: After creating a private endpoint, you may need to update your application's connection strings to use the private endpoint's IP address or FQDN if they were previously configured to use the public endpoint.

Managing Private Endpoints

You can view, modify, and delete your private endpoints through the Azure portal. Key management tasks include:

  • Checking Connection Status: Ensure the private endpoint connection is approved.
  • Updating Network Interfaces: Associate or disassociate network interfaces.
  • Configuring Private DNS Zones: Manually add or modify DNS records if needed.

For more detailed information on specific services and advanced configurations, please refer to the Reference section.