Use Private Link Service with Azure

This article explains how to use Azure Private Link Service to securely access services hosted in Azure or on-premises from your virtual networks.

Note: Private Link Service is a powerful feature for enabling private connectivity. Ensure you understand the concepts of Private Endpoints and Private Link Service before proceeding.

Prerequisites

Steps to Create and Use a Private Link Service

1. Create a Private Link Service

You create a Private Link Service on the service provider's side, behind the Standard SKU Load Balancer that fronts your service. Consumers then connect to it from their own virtual networks through Private Endpoints (see step 3 below).

  1. Navigate to the Azure portal.
  2. Search for "Private Link Service" and select it.
  3. Click "Create".
  4. Select your subscription and resource group.
  5. Provide a name for your Private Link Service.
  6. Under "Network details", select the region where your service resides.
  7. Choose the Load balancer that fronts your service. This must be a Standard SKU Load Balancer.
  8. Select the frontend IP configuration of the load balancer.
  9. Choose the Network Security Group (NSG) that applies to your backend services.
  10. Specify the port forwarding rules if needed.
  11. Under "Visibility", choose whether the service should be public or limited. For private access, "Limited" is usually preferred.
  12. Add any desired tags.
  13. Click "Review + create", then "Create".

Tip: For Private Link Service to work, your backend services must be accessible via the selected Standard Load Balancer.

2. Allow Consumer Connections

Once the Private Link Service is created, you need to allow specific consumer subscriptions or resource groups to connect to it. This is done through the "Consumer groups" or "Allow listed subscriptions" settings of your Private Link Service.

  1. Go to your created Private Link Service in the Azure portal.
  2. Under "Settings", select "Consumer groups".
  3. Click "Add" to add a new consumer group or specify allowed subscriptions. You can specify a subscription ID or a resource group.

3. Create a Private Endpoint in the Consumer Network

The consumer will create a Private Endpoint in their virtual network to connect to the Private Link Service.

  1. In the consumer's Azure subscription, navigate to "Private Endpoint".
  2. Click "Create".
  3. Select the consumer's subscription, resource group, and a region.
  4. Provide a name for the Private Endpoint.
  5. In the "Network" tab, under "Resource", select "Connect to an Azure resource in my directory".
  6. For "Subscription", select the subscription where the Private Link Service is hosted.
  7. For "Resource type", choose Microsoft.Network/privateLinkServices.
  8. For "Resource", select the specific Private Link Service you created earlier.
  9. For "Target sub-resource", it will likely default to privateLinkServiceConnection.
  10. Select the consumer's virtual network and a subnet for the Private Endpoint.
  11. Configure DNS settings as required. Often, using a Private DNS Zone is recommended.
  12. Review and create the Private Endpoint.

4. Verify Connectivity

After the Private Endpoint is created and the Private Link Service has accepted the connection, you should be able to access your service privately.
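As an added example (not part of the original article or of any Microsoft sample), the following Bicep template performs steps 1 to 3 above declaratively so the portal clicks map onto concrete resource properties: the Standard SKU internal Load Balancer, the Private Link Service bound to its frontend with a subscription allow list and no auto-approval, and the consumer's Private Endpoint. Every name, address range and the consumer subscription ID are placeholders I chose; the backend pool is left empty so the template deploys on its own, and the Private Endpoint is shown in the same template only for brevity (in practice it is deployed from the consumer's subscription using the service's resource ID or alias). The DNS record from step 11 of section 3 is not created here.

```bicep
// Added example: steps 1-3 of the article as one Bicep deployment (placeholder names and ranges).
targetScope = 'resourceGroup'

param location string = resourceGroup().location
@description('Placeholder: the consumer subscription allowed to see and connect to the service.')
param consumerSubscriptionId string = '00000000-0000-0000-0000-000000000000'

var plsName = 'demo-pls'          // assumed names throughout
var lbName = '${plsName}-ilb'

// Provider network: a backend subnet plus a dedicated NAT subnet for the Private Link Service.
resource providerVnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'provider-vnet'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [
      { name: 'backend', properties: { addressPrefix: '10.10.1.0/24' } }
      {
        name: 'pls-nat'
        // Azure requires Private Link Service network policies to be disabled on the NAT subnet.
        properties: { addressPrefix: '10.10.2.0/24', privateLinkServiceNetworkPolicies: 'Disabled' }
      }
    ]
  }
}

// Step 1 prerequisite: an internal Standard SKU Load Balancer in front of the backend.
resource ilb 'Microsoft.Network/loadBalancers@2023-05-01' = {
  name: lbName
  location: location
  sku: { name: 'Standard' }
  properties: {
    frontendIPConfigurations: [
      {
        name: 'frontend'
        properties: {
          privateIPAllocationMethod: 'Dynamic'
          subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', providerVnet.name, 'backend') }
        }
      }
    ]
    backendAddressPools: [ { name: 'backendPool' } ]   // attach your VMs or VMSS here after deployment
    probes: [ { name: 'tcp443', properties: { protocol: 'Tcp', port: 443, intervalInSeconds: 5, numberOfProbes: 2 } } ]
    loadBalancingRules: [
      {
        name: 'https'
        properties: {
          protocol: 'Tcp'
          frontendPort: 443
          backendPort: 443
          frontendIPConfiguration: { id: resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', lbName, 'frontend') }
          backendAddressPool: { id: resourceId('Microsoft.Network/loadBalancers/backendAddressPools', lbName, 'backendPool') }
          probe: { id: resourceId('Microsoft.Network/loadBalancers/probes', lbName, 'tcp443') }
        }
      }
    ]
  }
}

// Steps 1 and 2: the Private Link Service, bound to the ILB frontend and visible only to the
// allow-listed consumer subscription. autoApproval is empty, so the provider must approve each
// connection request before any traffic flows (the "accepted" state referred to in step 4).
resource pls 'Microsoft.Network/privateLinkServices@2023-05-01' = {
  name: plsName
  location: location
  properties: {
    loadBalancerFrontendIpConfigurations: [
      { id: resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', ilb.name, 'frontend') }
    ]
    ipConfigurations: [
      {
        name: 'nat-ipconfig'
        properties: {
          primary: true
          privateIPAllocationMethod: 'Dynamic'
          privateIPAddressVersion: 'IPv4'
          subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', providerVnet.name, 'pls-nat') }
        }
      }
    ]
    visibility: { subscriptions: [ consumerSubscriptionId ] }
    autoApproval: { subscriptions: [] }
  }
}

// Step 3: the consumer's Private Endpoint. Kept in this template for brevity; normally it is
// deployed from the consumer's own subscription, referencing the service by resource ID or alias.
resource consumerVnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'consumer-vnet'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.20.0.0/16' ] }
    subnets: [ { name: 'endpoints', properties: { addressPrefix: '10.20.1.0/24' } } ]
  }
}

resource pe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'demo-pe'
  location: location
  properties: {
    subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', consumerVnet.name, 'endpoints') }
    privateLinkServiceConnections: [
      { name: 'to-${plsName}', properties: { privateLinkServiceId: pls.id, requestMessage: 'Please approve' } }
    ]
  }
}

output privateLinkServiceAlias string = pls.properties.alias   // share the alias with consumers rather than the resource ID
```

Deploy it with `az deployment group create --resource-group <rg> --template-file main.bicep`. After deployment the Private Endpoint connection sits in the Pending state on the service's "Private endpoint connections" blade until the provider approves it, which is the point at which step 4 can succeed; leaving `autoApproval.subscriptions` empty is what keeps that approval in the provider's hands, and `visibility.subscriptions` is what stops unrelated subscriptions from discovering the service at all.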

Key Considerations

Troubleshooting

If you encounter issues:

Warning: Misconfigurations in NSGs or DNS can lead to connectivity issues. Always test thoroughly after making changes.