Quickstart: Create a private endpoint using the Azure portal

This quickstart guides you through creating a private endpoint and a private link service to enable private connectivity to an Azure service.

Prerequisites

Before you begin, ensure you have:

Step 1: Create a Simulated Azure Storage Account

For demonstration purposes, we'll simulate an Azure Storage account. In a real scenario, you would deploy an actual storage account.

  1. Navigate to the Azure portal (portal.azure.com).
  2. Search for and select "Storage accounts".
  3. Click "+ Create".
  4. Fill in the required fields:
    • Subscription: Select your subscription.
    • Resource group: Create a new one, e.g., rg-privatelink-qs.
    • Storage account name: Enter a globally unique name, e.g., mystorageqs12345.
    • Region: Select your preferred region.
    • Performance: Standard (for quickstart).
    • Redundancy: Locally-redundant storage (LRS) (for quickstart).
  5. Click "Review + create", then "Create".

Step 2: Create a Private Endpoint

A private endpoint connects your virtual network to an Azure service privately.

  1. In the Azure portal, search for and select "Private Link".
  2. Click "+ Create a private endpoint".
  3. On the Basics tab:
    • Subscription: Select your subscription.
    • Resource group: Select rg-privatelink-qs.
    • Name: Enter a name for your private endpoint, e.g., pe-privatelink-qs.
    • Region: Select the same region as your VNet.
  4. On the Resource tab:
    • Connection method: Select "Connect to an Azure resource".
    • Subscription: Select your subscription.
    • Resource type: Select "Microsoft.Storage/storageAccounts".
    • Resource: Select your simulated storage account (e.g., mystorageqs12345).
    • Target sub-resource: Select "Blob" (or another service like File, Queue, Table).
  5. On the Configuration tab:
    • Virtual network: Select your VNet.
    • Subnet: Select your subnet.
    • Private IP configuration: Select "Dynamically allocate IP address".
    • Integrate with private DNS zone: Select "Yes". Azure will automatically create or link to the necessary DNS zone for private resolution.
  6. On the Tags tab, you can add tags if desired.
  7. Click "Review + create", then "Create".

Step 3: Verify Private Connectivity

After the private endpoint is deployed, you can verify connectivity from a virtual machine within your VNet.

Note: In a real scenario, you would connect to a VM in the same VNet or a peered VNet.

  1. Create a virtual machine in the same VNet and subnet (or a peered VNet/subnet).
  2. Connect to the VM via RDP or SSH.
  3. Open a command prompt or terminal.
  4. Use nslookup to query the private endpoint's DNS name. The DNS name format is typically <storageaccountname>.privatelink.<region>.azure.com. For example:
     nslookup mystorageqs12345.privatelink.eastus.azure.com
  5. You should see the private IP address assigned to your private endpoint.

You can also resolve the storage account's blob endpoint by its FQDN from the VM. If the private DNS zone integration is working, the name resolves to the private endpoint's IP address.
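As an added check that is not part of the original quickstart, the following Python script automates the verification above: it resolves a hostname from the VM and reports whether every returned address falls in an RFC 1918 range (assumed here to be your VNet's address space) or whether a public address came back, which means the private DNS zone is not in effect and traffic would leave the VNet. The hostname is the page's example name; replace it with your own.

```python
import ipaddress
import socket

# Assumption: the VNet uses RFC 1918 address space. Adjust if your VNet
# uses a different range (e.g. a non-RFC 1918 block).
PRIVATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def resolve_all(hostname):
    """Return every address the local resolver returns for hostname (empty on failure)."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    addresses = []
    for info in infos:
        addr = info[4][0]
        if addr not in addresses:          # de-duplicate, keep order
            addresses.append(addr)
    return addresses


def is_vnet_private(addr):
    """True if addr lies in one of the assumed VNet (RFC 1918) ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def classify(addresses):
    """'unresolved' if nothing came back, 'public' if any address is outside
    the private ranges, otherwise 'private' (the expected private-endpoint result)."""
    if not addresses:
        return "unresolved"
    if all(is_vnet_private(a) for a in addresses):
        return "private"
    return "public"


def check_private_link(hostname, resolver=resolve_all):
    """Resolve hostname with the given resolver (injectable for offline tests)
    and return a small report dict."""
    addresses = resolver(hostname)
    return {"hostname": hostname, "addresses": addresses, "result": classify(addresses)}


if __name__ == "__main__":
    # Placeholder from the quickstart; use your storage account's FQDN.
    report = check_private_link("mystorageqs12345.privatelink.eastus.azure.com")
    print(f"{report['hostname']}: {report['result']} {report['addresses']}")
```

Run it from the VM inside the VNet; a result of "public" or "unresolved" points to a DNS zone that is missing, not linked to the VNet, or overridden by a custom DNS server.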

Step 4: Create a Private Link Service (Optional)

A private link service is used when you want to expose your own Azure service (e.g., in a VNet) to other Azure consumers privately.

  1. In the Azure portal, search for and select "Private Link Services".
  2. Click "+ Create".
  3. On the Basics tab:
    • Subscription: Select your subscription.
    • Resource group: Select rg-privatelink-qs.
    • Region: Select your preferred region.
    • Name: Enter a name, e.g., pls-my-app.
  4. On the Configuration tab:
    • Type of service: "Custom".
    • Resource group: Select the resource group containing the service you want to expose.
    • Virtual Network: Select the VNet.
    • Load balancer: Select a Standard SKU Load Balancer that has a backend pool with the service you want to expose.
    • Backend alias: Enter an alias.
    • NAT IP addresses: Accept the automatically assigned addresses or specify your own.
  5. On the Access tab, configure alias, auto-approval, and consumer support.
  6. Click "Review + create", then "Create".

Clean up resources

To avoid ongoing charges, delete the resource group you created for this quickstart:

  1. In the Azure portal, navigate to "Resource groups".
  2. Select the rg-privatelink-qs resource group.
  3. Click "Delete resource group" and confirm.

You have now successfully created a private endpoint and verified private connectivity to an Azure service. For more advanced configurations, refer to the full Azure Private Link documentation.