Quickstart: Set up Azure Private Link
This quickstart guide walks you through the steps to set up Azure Private Link, allowing you to securely access Azure Platform as a Service (PaaS) resources or your own services within a virtual network using a private endpoint.
Prerequisites
- An active Azure subscription. If you don't have one, create a free account before you begin.
- A virtual network and subnet where you will deploy your private endpoint.
- An Azure resource that supports Private Link (e.g., Azure Storage, Azure SQL Database). For this example, we'll use Azure Storage.
Step 1: Create an Azure Storage Account
If you don't have an existing storage account, create one:
- Go to the Azure portal.
- Search for "Storage accounts" and select it.
- Click "Create".
- Fill in the required details (Subscription, Resource group, Storage account name, Region, Performance, etc.).
- Click "Review + create", then "Create".
Step 2: Create a Private Endpoint
You will create a private endpoint for your storage account. This endpoint will reside in your virtual network.
In the Azure portal, search for "Private Link center" and select it.
Under "Private endpoints", click "Create".
On the "Basics" tab, fill in the following details:
- Subscription: Select your subscription.
- Resource group: Select an existing resource group or create a new one.
- Name: Enter a name for your private endpoint (e.g., my-storage-pe).
- Region: Select the same region as your virtual network.
On the "Resource" tab:
- Connection method: Select "Connect to an Azure resource in my directory".
- Subscription: Select the subscription where your storage account resides.
- Resource type: Select "Microsoft.Storage/storageAccounts".
- Resource: Select your storage account.
- Target sub-resource: Select "blob" (or "file", "queue", "table" depending on your needs).
On the "Virtual Network" tab:
- Virtual network: Select your virtual network.
- Subnet: Select the subnet within your virtual network.
- Private DNS integration: Leave as "Yes" to create a private DNS zone.
On the "Tags" tab (optional), add tags if needed.
Click "Review + create". Once validation passes, click "Create".
Step 3: Verify Private Endpoint Connectivity
After the private endpoint is deployed, you should be able to access your storage account privately.
- Deploy a virtual machine (VM) in the same virtual network as your private endpoint.
- Connect to the VM.
- Open a web browser on the VM and navigate to the Azure portal.
- Search for and select your storage account.
- Go to "Access keys" under "Security + networking". The connection strings shown still use the public FQDN (for example, yourstorageaccount.blob.core.windows.net); from inside the virtual network that name now resolves to your private endpoint, so the private endpoint is the path your clients take without changing the connection string.
- Try accessing a blob or file share within your storage account. It should now be accessible via the private IP address assigned to your private endpoint.
Accessing via Private DNS
If you enabled Private DNS integration, Azure automatically creates a private DNS zone and a record set for your storage account's FQDN (e.g., yourstorageaccount.blob.core.windows.net). This record points to the private IP address of your private endpoint.
You can verify this in the Azure portal: open your private endpoint's resource page and look under "DNS configuration".
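The check in Step 3 and the DNS behaviour described above can be scripted from the VM. The following is an added example, not part of the quickstart: it resolves the storage account's public FQDN with the VM's configured DNS and reports whether every answer falls inside the subnet that holds the private endpoint. The account name, sub-resource and subnet are supplied by you; the addresses used in the comments are constructed. The privatelink zone names are the ones Azure creates for each storage sub-resource.

```python
"""Verify that a storage FQDN resolves to the private endpoint (added example)."""
import ipaddress
import socket
import sys

# Private DNS zone Azure creates per storage sub-resource when
# "Private DNS integration" is left at "Yes".
PRIVATELINK_ZONES = {
    "blob": "privatelink.blob.core.windows.net",
    "file": "privatelink.file.core.windows.net",
    "queue": "privatelink.queue.core.windows.net",
    "table": "privatelink.table.core.windows.net",
}


def storage_fqdn(account: str, sub_resource: str) -> str:
    """Public FQDN of a storage sub-resource, e.g. <account>.blob.core.windows.net."""
    if sub_resource not in PRIVATELINK_ZONES:
        raise ValueError(f"unknown sub-resource: {sub_resource}")
    return f"{account}.{sub_resource}.core.windows.net"


def privatelink_record(account: str, sub_resource: str) -> str:
    """Name of the A record Azure adds to the private DNS zone for the endpoint."""
    return f"{account}.{PRIVATELINK_ZONES[sub_resource]}"


def classify(addresses, subnet_cidr: str) -> str:
    """Classify resolved addresses against the private endpoint subnet.

    'private': every address is inside the subnet (traffic stays in the VNet).
    'public':  no address is inside it (the client would use the public endpoint).
    'mixed':   some are, some are not; treat this as a misconfiguration, since
               a client may still be handed the public address.
    """
    if not addresses:
        raise ValueError("no addresses resolved")
    net = ipaddress.ip_network(subnet_cidr, strict=False)
    # An address of a different IP version is simply not in the network.
    inside = [ipaddress.ip_address(a) in net for a in addresses]
    if all(inside):
        return "private"
    if not any(inside):
        return "public"
    return "mixed"


def resolve(fqdn: str):
    """Resolve with the VM's configured DNS; returns the unique addresses."""
    infos = socket.getaddrinfo(fqdn, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_private_access(account: str, sub_resource: str, subnet_cidr: str) -> str:
    """Run from the VM deployed in Step 3; performs a live DNS lookup."""
    return classify(resolve(storage_fqdn(account, sub_resource)), subnet_cidr)


if __name__ == "__main__":
    if len(sys.argv) != 4:
        # Example (constructed values): python check_pe.py mystorageacct blob 10.0.1.0/24
        print(f"usage: {sys.argv[0]} <account> <blob|file|queue|table> <subnet-cidr>")
        sys.exit(2)
    account, sub, cidr = sys.argv[1:4]
    verdict = check_private_access(account, sub, cidr)
    print(f"{storage_fqdn(account, sub)} -> {verdict} (expected record: {privatelink_record(account, sub)})")
    sys.exit(0 if verdict == "private" else 1)
```

Run it from the VM inside the virtual network; a "public" verdict there means the private DNS zone is not linked to that network or the VM uses a DNS server that bypasses it. Run from a machine outside the VNet it should report "public", which is expected.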
Next Steps
You have successfully set up a basic Azure Private Link configuration. Consider exploring:
- Securing your storage account by disabling public network access (creating a private endpoint does not by itself block access over the public endpoint).
- Creating private endpoints for other Azure services.
- Using Azure Private Link service to expose your own services privately.
- Managing Private Link configurations using Azure CLI or PowerShell.
For more detailed information and advanced scenarios, refer to the Azure Private Link documentation.