Quickstart: Create a Private Endpoint for an Azure service
This quickstart guides you through creating a private endpoint for an Azure service, enabling secure private access from your virtual network.
Prerequisites
- An Azure subscription. If you don't have one, create a free account before you begin.
- An existing Azure virtual network (VNet) and subnet.
- An Azure service (e.g., Azure Storage, Azure SQL Database) that supports private endpoints. For this quickstart, we'll use Azure Storage. Ensure you have a Storage Account created.
Steps to Create a Private Endpoint
1. Create a Private Endpoint
You can create a private endpoint using the Azure portal, Azure CLI, or Azure PowerShell.
Using the Azure Portal
- In the Azure portal, search for and select Private Link.
- In the Private Link overview, select Create a private endpoint.
- On the Basics tab:
- Subscription: Select your Azure subscription.
- Resource group: Select or create a resource group.
- Name: Enter a name for your private endpoint (e.g., myPrivateEndpoint).
- Region: Select the same region as your VNet.
- On the Resource tab:
- Connection method: Select Connect to an Azure resource in my directory.
- Subscription: Select the subscription where your target Azure service resides.
- Resource type: Select the type of resource (e.g., Microsoft.Storage/storageAccounts).
- Resource: Select your Azure Storage Account.
- Target sub-resource: Select the specific sub-resource (e.g., file for Azure Files or blob for Azure Blob Storage).
- On the Virtual Network tab:
- Virtual network: Select your existing VNet.
- Subnet: Select the subnet where you want to deploy the private endpoint.
- Private DNS integration: Enable this if you want Azure to automatically create or update DNS records for your private endpoint. Select Yes and choose or create a Private DNS Zone (e.g., privatelink.blob.core.windows.net).
- On the Tags tab, you can optionally add tags.
- Select Review + create and then Create.
Using Azure CLI
Replace the placeholder values with your own.
az network private-endpoint create \
--name myPrivateEndpoint \
--resource-group myResourceGroup \
--vnet-name myVnet \
--subnet mySubnet \
--private-connection-resource-id "/subscriptions/YOUR_SUBSCRIPTION_ID/resourceGroups/YOUR_RESOURCE_GROUP/providers/Microsoft.Storage/storageAccounts/YOUR_STORAGE_ACCOUNT_NAME" \
--group-id blob \
--connection-name myConnection \
--location westus2
For Private DNS integration with Azure CLI, you create the private DNS zone, link it to your VNet, and associate it with the private endpoint as separate steps (az network private-dns zone create, az network private-dns link vnet create, and az network private-endpoint dns-zone-group create). Without the zone group, the A record for the endpoint is not created automatically.
2. Verify the Private Endpoint
Once deployed, you can verify the private endpoint:
- Navigate to your Private Endpoint resource in the Azure portal.
- Check the Overview for the connection status.
- If you enabled Private DNS integration, verify that the DNS record has been created in your selected Private DNS Zone.
3. Test Private Connectivity
To test, deploy a virtual machine (VM) within the same VNet or a peered VNet. From the VM, attempt to access the Azure service using its private endpoint IP address or the private DNS name.
For example, using curl from your VM:
# Replace YOUR_STORAGE_ACCOUNT_NAME with your storage account name
curl "https://YOUR_STORAGE_ACCOUNT_NAME.blob.core.windows.net"
If successful, you should see an XML response from the storage account (an error body is expected for an unauthenticated request to the account root), indicating that the service is reachable. Before trusting this result, confirm that the name resolves to the private endpoint's IP address (for example with nslookup); if it still resolves to a public IP, the request succeeded over the public endpoint rather than the private one.
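The following script is an added verification helper, not part of the original quickstart. It checks, on a Linux VM inside the VNet, that the storage account's blob FQDN resolves to an address inside the private endpoint subnet before issuing the curl request; STORAGE_ACCOUNT and PE_SUBNET_CIDR are assumed placeholders to replace with your own values.

```shell
#!/usr/bin/env bash
# Added verification helper (not part of the original quickstart). Run it on the VM inside
# the VNet; STORAGE_ACCOUNT and PE_SUBNET_CIDR are placeholders to replace with your values.
STORAGE_ACCOUNT="${STORAGE_ACCOUNT:-YOUR_STORAGE_ACCOUNT_NAME}"   # placeholder
PE_SUBNET_CIDR="${PE_SUBNET_CIDR:-10.0.1.0/24}"                   # constructed example subnet

# Convert a dotted-quad IPv4 address to an integer.
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed (exit 0) if IPv4 address $1 lies inside CIDR $2, else fail (exit 1).
ip_in_cidr() {
  local net bits mask
  net=${2%/*}; bits=${2#*/}
  mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Resolve the blob FQDN with the VM's own resolver; the private DNS zone is only visible
# from VNets linked to it, so the answer seen here is the one that matters.
resolve_blob_ip() {
  getent ahostsv4 "$1.blob.core.windows.net" | awk 'NR == 1 { print $1 }'
}

# Fail loudly if the name resolves to a public address: the curl test would still
# succeed in that case, but over the public endpoint, not the private one.
check_private_path() {
  local ip
  ip=$(resolve_blob_ip "$STORAGE_ACCOUNT")
  if [ -z "$ip" ]; then
    echo "FAIL: cannot resolve $STORAGE_ACCOUNT.blob.core.windows.net"; return 2
  fi
  if ! ip_in_cidr "$ip" "$PE_SUBNET_CIDR"; then
    echo "FAIL: $ip is outside $PE_SUBNET_CIDR; traffic would bypass the private endpoint"
    echo "      (check the private DNS zone, its VNet link and the endpoint's DNS zone group)"
    return 1
  fi
  echo "OK: resolves to $ip inside $PE_SUBNET_CIDR"
  curl -s -o /dev/null -w "HTTP %{http_code} via private endpoint\n" \
    "https://$STORAGE_ACCOUNT.blob.core.windows.net/"
}

# Invoke the live check only when asked, so the file can also be sourced for its helpers.
if [ "${1:-}" = "check" ]; then check_private_path; fi
```

Run it as `STORAGE_ACCOUNT=mystorage PE_SUBNET_CIDR=10.0.1.0/24 bash check-pe.sh check`; a FAIL line points at the DNS zone, its VNet link or the DNS zone group as the place to look.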
Important: After creating a private endpoint, you might need to update network security groups (NSGs) associated with your subnet to allow traffic to the private endpoint's IP address. You should also remove any existing public endpoint access rules (and disable public network access on the storage account) if you intend to restrict access solely through the private endpoint; otherwise clients that still resolve the public address can keep reaching the service over the public endpoint.
Tip: For more complex scenarios or other Azure services, consult the specific documentation for integrating with Private Link. This ensures you select the correct target sub-resource and configure DNS appropriately.
Congratulations! You have successfully created and verified a private endpoint for an Azure service.