Setting Up Azure Private Link

This guide walks you through the process of setting up Azure Private Link to securely connect your virtual networks to Azure Platform as a Service (PaaS) services and customer-owned/partner-owned services.

1

Understand Requirements

Before you begin, ensure you have the following:

  • An Azure subscription.
  • A virtual network (VNet) in which you want to create the private endpoint.
  • The resource ID of the target Azure service you want to connect to.
  • Appropriate permissions to create resources in your subscription.
Important: Private Link requires the target service to support Private Link integration. Not all Azure services are compatible.
2

Create a Private Endpoint

You can create a private endpoint using the Azure portal, Azure CLI, or PowerShell.

Using the Azure Portal:

  1. Navigate to the Azure portal and search for "Private Endpoint".
  2. Click "Create".
  3. On the "Basics" tab:
    • Select your Subscription and Resource group.
    • Provide a Name for your private endpoint.
    • Select the Region for the private endpoint (it must be the same region as the VNet and subnet you deploy it into).
  4. On the "Resource" tab:
    • Select the Connection method: "Connect to an Azure resource from my directory".
    • Choose the Subscription where your target service resides.
    • Select the Resource type (e.g., Microsoft.Sql/servers for SQL Database).
    • Select your specific resource (e.g., your SQL server instance).
    • For the "Target sub-resource", select the appropriate endpoint (e.g., sqlServer).
  5. On the "Configuration" tab:
    • Select the Virtual network and subnet where you want to deploy the private endpoint.
    • For DNS configuration, choose "Integrate with private DNS zone". Azure will automatically create or use an existing private DNS zone.
  6. Review and create the private endpoint.
Tip: For a repeatable setup, script the creation with the Azure CLI or PowerShell rather than clicking through the portal.
3

Configure DNS Settings

Proper DNS resolution is crucial for Private Link to function correctly. When you integrate with a private DNS zone during private endpoint creation:

  • Azure automatically creates or updates a private DNS zone named after the service (e.g., privatelink.database.windows.net).
  • It creates an A record in this zone that maps the service's privatelink name (e.g., mysqldb.privatelink.database.windows.net) to the private IP address of your private endpoint. The service's public FQDN (mysqldb.database.windows.net) is not changed; public DNS answers it with a CNAME to the privatelink name, and only resolvers that can see the private zone turn that name into the private IP. Resolvers that cannot see the zone fall through to the public IP, which is the usual cause of "it still connects over the public endpoint".

Ensure that your virtual network is linked to this private DNS zone; peered VNets need their own link, since links are per VNet. If you are connecting from on-premises, your on-premises DNS servers must resolve these FQDNs, either through conditional forwarders for the privatelink.* zones or by creating the matching records locally. Conditional forwarders cannot target the Azure-provided resolver (168.63.129.16) directly from on-premises; point them at a DNS forwarder running inside the VNet (a VM-based forwarder or Azure DNS Private Resolver), which then queries the private zone.

# Example of an A record in a private DNS zone
# For an Azure SQL logical server named 'mysqldb', whose public FQDN is mysqldb.database.windows.net
# (Azure SQL Database server names carry no region component)
# Public DNS returns a CNAME from mysqldb.database.windows.net to the privatelink name below;
# the private zone answers for that name. The private endpoint IP might be 10.0.0.4

mysqldb.privatelink.database.windows.net  IN  A  10.0.0.4
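The steps above (create the private endpoint, then the private DNS zone, VNet link and zone group) as one Azure CLI script. This is an added example, not code from the page or from Microsoft; the resource group, VNet, subnet and server names are placeholders set through environment variables, and the script also enables private endpoint network policies on the subnet (so NSG rules apply to the endpoint, as discussed under Network Policies below) and turns off the SQL server's public network access, which creating a private endpoint does not do on its own. Nothing is sent to Azure unless PRIVATELINK_APPLY=1 is set, so the file can also be sourced for its helper functions.

```shell
#!/usr/bin/env bash
# Added example: provision a private endpoint for an Azure SQL logical server with the Azure CLI,
# then wire up the private DNS zone, VNet link and zone group so the FQDN resolves privately.
# RG, LOC, VNET, SUBNET, SQL_SERVER and PE_NAME are placeholder names, not taken from the page.
set -euo pipefail

RG="${RG:-rg-privatelink-demo}"
LOC="${LOC:-westeurope}"
VNET="${VNET:-vnet-app}"
SUBNET="${SUBNET:-snet-private-endpoints}"
SQL_SERVER="${SQL_SERVER:-mysqldb}"
PE_NAME="${PE_NAME:-pe-${SQL_SERVER}}"

# Map a target sub-resource (group id) to the private DNS zone Azure expects for it.
# Only the sub-resources listed here are accepted; anything else is rejected so a typo
# cannot silently produce a zone name that the platform will never populate.
privatelink_zone_for() {   # usage: privatelink_zone_for <group-id>
  case "$1" in
    sqlServer) echo "privatelink.database.windows.net" ;;
    blob)      echo "privatelink.blob.core.windows.net" ;;
    file)      echo "privatelink.file.core.windows.net" ;;
    vault)     echo "privatelink.vaultcore.azure.net" ;;
    *) echo "unsupported sub-resource: $1" >&2; return 1 ;;
  esac
}

# The name that the service's public CNAME points at: <resource>.<privatelink zone>.
private_fqdn_for() {   # usage: private_fqdn_for <resource-name> <group-id>
  echo "$1.$(privatelink_zone_for "$2")"
}

provision_private_endpoint() {
  local group_id="sqlServer"
  local zone
  zone="$(privatelink_zone_for "$group_id")"

  # NSG rules on the endpoint subnet only apply once network policies are enabled there.
  az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$SUBNET" \
    --disable-private-endpoint-network-policies false --output none

  local sql_id
  sql_id="$(az sql server show -g "$RG" -n "$SQL_SERVER" --query id -o tsv)"

  az network private-endpoint create -g "$RG" -n "$PE_NAME" -l "$LOC" \
    --vnet-name "$VNET" --subnet "$SUBNET" \
    --private-connection-resource-id "$sql_id" \
    --group-id "$group_id" --connection-name "${PE_NAME}-conn" --output none

  # Private DNS zone, a link to the VNet (no auto-registration), and a zone group so that
  # Azure writes and maintains the A record for the endpoint's private IP.
  az network private-dns zone create -g "$RG" -n "$zone" --output none
  az network private-dns link vnet create -g "$RG" -z "$zone" -n "${VNET}-link" \
    -v "$VNET" -e false --output none
  az network private-endpoint dns-zone-group create -g "$RG" --endpoint-name "$PE_NAME" \
    -n default --private-dns-zone "$zone" --zone-name "$group_id" --output none

  # A private endpoint does not close the public endpoint; do that explicitly.
  az sql server update -g "$RG" -n "$SQL_SERVER" --enable-public-network false --output none

  echo "Private endpoint $PE_NAME created; clients should resolve" \
       "$(private_fqdn_for "$SQL_SERVER" "$group_id") to its private IP"
}

# Only talk to Azure when explicitly asked, so the file can be sourced for its helpers.
if [ "${PRIVATELINK_APPLY:-0}" = "1" ]; then
  provision_private_endpoint
fi
```

Run it with `PRIVATELINK_APPLY=1 RG=<your-rg> SQL_SERVER=<your-server> ./provision.sh` after `az login`. The subnet chosen for the endpoint should hold only private endpoints, so that enabling network policies there does not change behaviour for other workloads.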
4

Verify Connectivity

Once the private endpoint is created and DNS is configured, you can verify connectivity:

  1. From a virtual machine within the same VNet (or a VNet peered with it and linked to the private DNS zone), try to connect to the target service using its FQDN.
  2. You should be able to connect using the private IP address allocated to the private endpoint.
Caution: Ensure that Network Security Groups (NSGs) applied to the subnet of the private endpoint or the subnet of your client do not block traffic to the target service's private IP and port. Note that NSG rules on the private endpoint's own subnet are only evaluated when private endpoint network policies are enabled on that subnet; by default they are disabled, so only the client-side NSG is in play. If the FQDN resolves to a public IP rather than an address in the private endpoint subnet, the problem is DNS (a missing zone link or forwarder), not the NSG.
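A verification script for the checks in this step, written as an added example (not from the page or from Microsoft). Run from a VM in a VNet linked to the private zone, it resolves the service FQDN, confirms the answer lies inside the private endpoint subnet rather than being a public address, and then tests TCP reachability of the port so an NSG block shows up separately from a DNS problem. FQDN, PE_SUBNET_CIDR and PORT are placeholder defaults; the CIDR arithmetic is plain bash so the classification can be exercised without network access, and the live checks only run when PRIVATELINK_VERIFY=1 is set.

```shell
#!/usr/bin/env bash
# Added example: verify that a Private Link FQDN resolves to an address inside the private
# endpoint subnet and that the service port answers on that address.
# FQDN, PE_SUBNET_CIDR and PORT are placeholder values, not taken from the page.
set -euo pipefail

FQDN="${FQDN:-mysqldb.database.windows.net}"
PE_SUBNET_CIDR="${PE_SUBNET_CIDR:-10.0.0.0/24}"
PORT="${PORT:-1433}"

# Convert a dotted-quad IPv4 address to an integer (pure bash, no external tools).
ip_to_int() {   # usage: ip_to_int 10.0.0.4
  local IFS=.
  # shellcheck disable=SC2086
  set -- $1
  echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Return 0 if the address lies inside the CIDR block, 1 otherwise.
ip_in_cidr() {   # usage: ip_in_cidr 10.0.0.4 10.0.0.0/24
  local ip="$1" cidr="$2"
  local net="${cidr%/*}" bits="${cidr#*/}"
  local mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# "private" when the resolved address is inside the endpoint subnet, "public" otherwise.
classify_resolution() {   # usage: classify_resolution <ip> <pe-subnet-cidr>
  if ip_in_cidr "$1" "$2"; then echo private; else echo public; fi
}

verify_private_link() {
  # getent follows the public CNAME to the privatelink name and returns the A record
  # that the resolver in use hands back (private zone if linked, public IP if not).
  local ip
  ip="$(getent hosts "$FQDN" | awk '{print $1; exit}')"
  [ -n "$ip" ] || { echo "DNS: $FQDN did not resolve" >&2; return 1; }

  case "$(classify_resolution "$ip" "$PE_SUBNET_CIDR")" in
    private) echo "DNS: $FQDN -> $ip (inside $PE_SUBNET_CIDR)" ;;
    public)
      echo "DNS: $FQDN -> $ip is NOT in $PE_SUBNET_CIDR; check the zone link or forwarders" >&2
      return 1 ;;
  esac

  # TCP reachability through the endpoint; a failure here with correct DNS points at an NSG.
  if timeout 5 bash -c "exec 3<>/dev/tcp/$ip/$PORT"; then
    echo "TCP: $ip:$PORT reachable"
  else
    echo "TCP: $ip:$PORT unreachable; check NSG rules on the client and endpoint subnets" >&2
    return 1
  fi
}

if [ "${PRIVATELINK_VERIFY:-0}" = "1" ]; then
  verify_private_link
fi
```

Running the same script from a machine that is not linked to the private zone is a useful negative test: it should report the public address, which tells you whether the service's public endpoint is still open.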

Advanced Configurations

Private Link Service

You can also create a Private Link Service to expose your own applications running in Azure to other Azure customers or partners securely.

Network Policies

By default, NSGs and user-defined routes are not applied to private endpoints. To filter traffic to a private endpoint with an NSG, enable private endpoint network policies on its subnet; until you do, only the NSG on the client's subnet is evaluated.

Private Link enhances security by carrying traffic between your VNet and the service over the Microsoft backbone instead of the public internet, and by exposing only the specific resource behind the endpoint rather than the whole service. It does not, by itself, close the service's public endpoint: disable public network access (or restrict it with the service's firewall) once the private endpoint is working, otherwise the public path remains available to anyone with valid credentials.