Setting up Azure Private Link
This guide provides step-by-step instructions to set up Azure Private Link for secure and private connectivity to your Azure PaaS services or your own services hosted on Azure.
Prerequisites
Before you begin, ensure you have the following:
- An active Azure subscription.
- An Azure Virtual Network (VNet) where you want to establish private connectivity.
- Permissions to create and manage Azure resources, including Private Link resources and network resources.
- The service you want to connect to privately must support Private Link. This includes Azure PaaS services such as Azure SQL Database, Azure Storage and Azure Key Vault, and your own services published through a Private Link service behind a Standard Load Balancer.
Steps to Set Up Azure Private Link
1. Create a Private Endpoint
A Private Endpoint is a network interface that connects privately and securely to a specific Azure service. You can create a Private Endpoint using the Azure portal, Azure CLI, or PowerShell.
Using Azure Portal:
- Navigate to the Azure portal and search for "Private endpoint".
- Click "Create".
- Basics:
- Select your Subscription and Resource group.
- Enter a Name for your private endpoint.
- Choose a Region for the private endpoint.
- Resource:
- Under Connection method, choose "Connect to an Azure resource in my directory" or "Connect to an Azure resource by resource ID or alias" (the alias form is used for Private Link services owned by another tenant).
- Select the Subscription where the target resource resides.
- Choose the Type of resource (e.g., Microsoft.Sql/servers for Azure SQL).
- Select the Instance of the resource you want to connect to.
- Configuration:
- Select the Virtual network and Subnet within your VNet.
- (Optional) Configure Private DNS integration. It's highly recommended to enable this for simplified DNS resolution.
- Tags: (Optional) Add tags for organization.
- Click "Review + create" and then "Create".
Using Azure CLI:
Replace placeholders with your specific values.
az network private-endpoint create \
--name myPrivateEndpoint \
--resource-group myResourceGroup \
--vnet-name myVNet \
--subnet mySubnet \
--private-connection-resource-id "/subscriptions/YOUR_SUBSCRIPTION_ID/resourceGroups/TARGET_RESOURCE_GROUP/providers/Microsoft.Sql/servers/YOUR_SQL_SERVER" \
--group-id sqlServer \
--connection-name myConnection \
--location eastus
2. Configure DNS Resolution
For your applications to reach the private endpoint, the service FQDN (Fully Qualified Domain Name) must resolve to the endpoint's private IP address inside your VNet. This is the security-critical part of the setup: if DNS still returns the service's public IP, clients connect over the public endpoint even though the private endpoint exists. DNS is typically configured with Azure Private DNS zones.
- If you enabled Private DNS integration during Private Endpoint creation, Azure creates the appropriate Private DNS zone, links it to your VNet, and maintains the endpoint's A record through a DNS zone group.
- If you need to set it up manually:
- Create an Azure Private DNS Zone with the name Private Link expects for the service type (e.g., privatelink.database.windows.net for Azure SQL Database; once a private endpoint exists, the public name YOUR_SQL_SERVER.database.windows.net becomes a CNAME to YOUR_SQL_SERVER.privatelink.database.windows.net, which this zone overrides inside the VNet).
- Link this DNS zone to your Virtual Network.
- Create an 'A' record within the Private DNS zone whose name is the resource name (e.g., YOUR_SQL_SERVER) and whose value is the private IP address assigned to your Private Endpoint's network interface.
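Steps 1 and 2 combined into one script, as an added example that is not part of the original guide: it creates the private endpoint with the Azure CLI and then the matching privatelink DNS zone, VNet link and DNS zone group, so the A record is maintained by Azure rather than by hand. It assumes you are logged in with az, that the resource group, VNet and subnet already exist, and that the names and the default location are placeholders; setting DRY_RUN=1 prints the az commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide. Creates a private endpoint to an
# existing resource and wires up the privatelink DNS zone for it.
# Assumptions: az login done; resource group, VNet and subnet exist; names are
# placeholders. DRY_RUN=1 prints each az command instead of executing it.
set -eu

# Private DNS zone Private Link uses for each group-id (subresource). Covers the
# three services the guide names; extend for others.
zone_for_group_id() {
  case "$1" in
    sqlServer) echo "privatelink.database.windows.net" ;;   # Azure SQL Database
    blob)      echo "privatelink.blob.core.windows.net" ;;  # Storage blob
    vault)     echo "privatelink.vaultcore.azure.net" ;;    # Key Vault
    *) echo "unknown group-id: $1" >&2; return 1 ;;
  esac
}

# Execute a command, or print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s ' "$@"; printf '\n'
  else
    "$@"
  fi
}

# setup_private_link RG VNET SUBNET TARGET_RESOURCE_ID GROUP_ID [LOCATION]
setup_private_link() {
  local rg="$1" vnet="$2" subnet="$3" target_id="$4" group_id="$5" location="${6:-eastus}"
  local zone pe_name="pe-${group_id}"
  zone="$(zone_for_group_id "$group_id")"

  # 1. Private endpoint: a NIC in the subnet with a connection to the target resource.
  run az network private-endpoint create \
    --resource-group "$rg" --name "$pe_name" --location "$location" \
    --vnet-name "$vnet" --subnet "$subnet" \
    --private-connection-resource-id "$target_id" \
    --group-id "$group_id" --connection-name "${pe_name}-conn"

  # 2. Private DNS zone for this service type, linked to the VNet so resolvers in
  #    the VNet see it. Registration is off: this zone holds only Private Link records.
  run az network private-dns zone create --resource-group "$rg" --name "$zone"
  run az network private-dns link vnet create --resource-group "$rg" \
    --zone-name "$zone" --name "${vnet}-link" --virtual-network "$vnet" \
    --registration-enabled false

  # 3. DNS zone group: Azure writes and refreshes the endpoint's A record in the zone,
  #    so no hand-maintained record goes stale if the endpoint is recreated.
  run az network private-endpoint dns-zone-group create --resource-group "$rg" \
    --endpoint-name "$pe_name" --name "default" \
    --private-dns-zone "$zone" --zone-name "$group_id"
}

# Runs only when invoked with arguments, e.g.:
# ./setup-private-link.sh myResourceGroup myVNet mySubnet \
#   "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Sql/servers/<server>" sqlServer
[ "$#" -eq 0 ] || setup_private_link "$@"
```

Run it once with DRY_RUN=1 to review the exact commands, then without. The zone name is derived from the group-id on purpose: using the wrong zone (anything other than the privatelink name for that service) leaves the VNet resolving the public IP, which is the most common reason a "working" private endpoint is never actually used.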
3. Test Connectivity
Once the private endpoint and DNS are configured, test from a virtual machine or other resource in the same VNet (or a peered VNet). First confirm that the service FQDN resolves to the private endpoint's IP address (an address from your VNet range); if it resolves to a public IP, DNS is misconfigured and the connection would silently use the public endpoint even though the private endpoint exists. Then open the service port using the FQDN, not the IP, so the DNS path is exercised too.
For example, to reach an Azure SQL server on its SQL port:
# From a VM in the VNet connected via Private Endpoint
telnet YOUR_SQL_SERVER.database.windows.net 1433
If the connection succeeds, telnet prints a "Connected to" line followed by a blank screen (SQL Server sends no banner), indicating that traffic reaches the service through the private endpoint.
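The connectivity check above, carried further as an added example that is not part of the original guide: a bash script for a VM inside the VNet that resolves the FQDN, refuses to proceed unless the answer chain passes through a privatelink zone and ends at an address inside the VNet's CIDR, and only then opens the TCP port. It assumes dig is installed on the VM; the FQDN, port and CIDR are placeholders, and the dig answers used in the usage note are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide. Verifies that a service name really
# resolves to the private endpoint before testing the port.
# Assumptions: dig (dnsutils/bind-utils) is installed; FQDN, port and VNet CIDR are
# passed as arguments. A public answer is treated as a failure, because traffic
# would then leave over the public endpoint.
set -eu

# Dotted quad -> 32-bit integer.
ip_to_int() {
  local IFS=.; set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr IP CIDR -> success if IP lies inside CIDR.
ip_in_cidr() {
  local ip="$1" net="${2%/*}" bits="${2#*/}" mask
  mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# assess_resolution "<dig +short output>" CIDR
# Prints the resolved address and succeeds only if the answer chain contains a
# privatelink.* name and the final A record is inside CIDR; otherwise explains why.
assess_resolution() {
  local answers="$1" cidr="$2" last
  last="$(printf '%s\n' "$answers" | grep -E '^[0-9]+(\.[0-9]+){3}$' | tail -n 1)"
  if [ -z "$last" ]; then
    echo "no A record in answer" >&2; return 1
  fi
  if ! printf '%s\n' "$answers" | grep -q 'privatelink\.'; then
    echo "answer chain does not go through a privatelink zone (public resolution?)" >&2; return 1
  fi
  if ! ip_in_cidr "$last" "$cidr"; then
    echo "resolved to $last, outside $cidr: traffic would use the public endpoint" >&2; return 1
  fi
  echo "$last"
}

# check_private_path FQDN PORT CIDR: resolve, validate, then open a TCP connection.
check_private_path() {
  local fqdn="$1" port="$2" cidr="$3" ip
  ip="$(assess_resolution "$(dig +short "$fqdn")" "$cidr")"
  # bash's /dev/tcp avoids depending on telnet or nc being installed; 5 s timeout.
  if timeout 5 bash -c "exec 3<>/dev/tcp/$ip/$port"; then
    echo "OK: $fqdn -> $ip (private), tcp/$port open"
  else
    echo "DNS is private but tcp/$port to $ip failed: check NSG rules, subnet network policies and the endpoint's approval state" >&2
    return 1
  fi
}

# Usage: ./check-private-path.sh YOUR_SQL_SERVER.database.windows.net 1433 10.0.0.0/16
[ "$#" -eq 0 ] || check_private_path "$@"
```

With a correctly configured endpoint, dig +short returns a CNAME through the privatelink zone and then the private IP, for example the constructed answer "myserver.privatelink.database.windows.net." followed by "10.0.1.4"; the same chain ending in a public address, or an answer with no privatelink name at all, is rejected before any connection is attempted, which is the case the telnet test alone would not catch.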
Considerations
- Network Security Groups (NSGs) and route tables: NSG and UDR rules apply to traffic destined for a private endpoint only when private endpoint network policies are enabled on the endpoint's subnet (the subnet's privateEndpointNetworkPolicies setting). Check that setting before assuming an NSG filters access to the endpoint. A private endpoint makes the whole target resource network-reachable from anything that can route to its IP (authentication still applies), so restrict the sources that may reach it.
- Firewall rules and public access: traffic arriving through a private endpoint is not subject to the target service's public IP firewall rules (for example Azure SQL server-level IP rules), which govern only the public endpoint. Once the private path works, disable public network access on the service so that the private endpoint is the only way in, and review the service's private endpoint connection list: connection requests from other subscriptions or tenants stay pending until approved, so reject any you did not expect.
- Service Endpoints vs. Private Endpoints: a Service Endpoint leaves the service on its public IP and tags traffic from your subnet so the service firewall can allow it; the service stays reachable from the Internet. A Private Endpoint gives one specific resource instance a private IP in your VNet, reachable over peering, VPN or ExpressRoute, and lets you switch the public endpoint off entirely.
- High Availability: a private endpoint is a regional resource with no availability-zone selection; resilience within the region comes from the platform, not from extra endpoints. Create additional private endpoints to the same resource when you need to reach it from VNets that are not peered or from another region, and register each one in DNS.
Next Steps
Now that you have successfully set up Azure Private Link, you can explore:
- Troubleshooting common Private Link issues.
- Securing your Azure services with Network Security Groups and Azure Firewall.
- Managing Private Endpoints in your Azure environment.