Private Endpoints
A private endpoint is a network interface that connects you privately and securely to a PaaS service (like Azure Storage, Azure SQL Database, or Azure Cosmos DB), an Azure solution that supports private link, or your own solution that is powered by Azure Private Link.
The private endpoint uses a private IP address from your virtual network, effectively bringing the service into your virtual network. This eliminates the need for a public IP address, inbound traffic rules, NAT devices, or complex network configurations.
Key Benefits of Private Endpoints
- Enhanced Security: Traffic between your virtual network and the service travels over the Microsoft backbone network, reducing exposure to the public internet.
- Simplified Network Architecture: Eliminates the need for complex firewall rules and public IP management.
- Secure Access to PaaS Services: Allows you to access Azure PaaS services from your virtual network without exposing them to the public internet.
- Access to Your Own Services: Enables secure access to your own applications hosted on Azure using private endpoints.
Conceptual diagram of a private endpoint connection.
How Private Endpoints Work
When you create a private endpoint for a service, Azure creates a network interface (NIC) within your virtual network. This NIC is assigned a private IP address from the address space of your subnet.
When a client resolves the service's FQDN through the Private DNS zone linked to your virtual network, the name resolves to the private endpoint's IP address, so traffic to the service is routed to the private endpoint within your virtual network. This ensures that the traffic never leaves your virtual network or the Microsoft backbone network.
Creating a Private Endpoint
You can create private endpoints through the Azure portal, Azure CLI, Azure PowerShell, or ARM templates. The general steps involve:
- Select the resource: Choose the Azure PaaS service, or your own Private Link service, that you want to connect to.
- Select your virtual network and subnet: Specify where the private endpoint's network interface will reside.
- Configure DNS: Set up a Private DNS Zone for the service to ensure name resolution directs traffic to the private IP.
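Once the three steps above are done, the check a practitioner wants is that the service FQDN, seen from inside the virtual network, resolves to the private endpoint's address and not to the public one. The following is an added example, not code from this page or from Microsoft; it assumes a constructed subnet 10.0.1.0/24 and a stub resolver table in place of live DNS (pass socket.gethostbyname instead of the stub to run it on a VM in the VNet).

```python
"""Check that a PaaS service FQDN resolves to the private endpoint, not its public IP."""
import ipaddress
import socket
from typing import Callable, Dict

# Constructed values: the subnet that hosts the private endpoint NIC, and a stub
# resolver table standing in for what a VM inside the VNet would receive.
VNET_SUBNET = "10.0.1.0/24"
SAMPLE_ANSWERS: Dict[str, str] = {
    "contoso.blob.core.windows.net": "10.0.1.4",   # Private DNS zone linked: endpoint IP
    "contoso.database.windows.net": "10.0.2.4",    # private, but a different subnet
    "contoso.vault.azure.net": "20.50.60.70",      # zone missing or unlinked: public IP
}

def sample_resolver(fqdn: str) -> str:
    """Stub for socket.gethostbyname backed by the constructed table above."""
    if fqdn not in SAMPLE_ANSWERS:
        raise socket.gaierror(-2, "Name or service not known")
    return SAMPLE_ANSWERS[fqdn]

def classify_resolution(fqdn: str, subnet_cidr: str,
                        resolve: Callable[[str], str] = socket.gethostbyname) -> dict:
    """Resolve fqdn and report whether the answer lands inside subnet_cidr.

    ok is True only for an address in the endpoint subnet. A public answer means
    the privatelink zone is missing or not linked to the VNet, so clients would
    take the internet path to the service and bypass the private endpoint.
    """
    subnet = ipaddress.ip_network(subnet_cidr)
    try:
        answer = resolve(fqdn)
    except OSError as exc:  # socket.gaierror is an OSError subclass
        return {"fqdn": fqdn, "address": None, "private": False,
                "ok": False, "reason": f"resolution failed: {exc}"}
    addr = ipaddress.ip_address(answer)
    if addr in subnet:
        reason = "resolves to the private endpoint"
    elif addr.is_private:
        reason = "private address outside the endpoint subnet: check zone records"
    else:
        reason = "public IP: Private DNS zone missing or not linked to this VNet"
    return {"fqdn": fqdn, "address": answer, "private": addr.is_private,
            "ok": addr in subnet, "reason": reason}

if __name__ == "__main__":
    # Swap sample_resolver for socket.gethostbyname to test live resolution from a VM.
    for name in sorted(SAMPLE_ANSWERS):
        r = classify_resolution(name, VNET_SUBNET, sample_resolver)
        print(f"{'OK ' if r['ok'] else 'BAD'} {name} -> {r['address']}: {r['reason']}")
```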
Supported Services
Private endpoints are supported for a wide range of Azure services, including:
- Azure Storage (Blob, File, Queue, Table)
- Azure SQL Database, Azure Synapse Analytics
- Azure Cosmos DB
- Azure Key Vault
- Azure Event Hubs, Azure Service Bus
- And many more. Refer to the Azure Private Link availability page for a comprehensive list.
Use Cases
- Securely accessing Azure SQL Database from an Azure VM within the same virtual network.
- Allowing an Azure Web App to connect to Azure Storage without public internet access.
- Enabling on-premises applications to connect to Azure PaaS services securely via VPN or ExpressRoute.
Learn More
For detailed steps and advanced configurations, please refer to the official Azure Private Link documentation.