Azure Private Endpoints

A private endpoint is a network interface that connects you privately and securely to a service powered by Azure Private Link. Private Link allows you to access Azure PaaS Services (like Azure Storage and SQL Database) and Azure hosted customer-owned/partner services or Azure shared services through a private endpoint in your virtual network. Traffic between your virtual network and the service travels the Microsoft backbone network, eliminating exposure from the public internet.

What is a Private Endpoint?

A private endpoint is a specific IP address within your virtual network that points to a specific instance of an Azure service. This allows you to:

Key Concepts

Private Link Service

A private link service is your own application, fronted by an Azure Standard Load Balancer, that you expose through Private Link. It allows customers to consume your Azure-hosted application from their own virtual network through a private endpoint, without the service being reachable from the public internet.

Network Interface (NIC)

The private endpoint itself is represented by a Network Interface (NIC) in your virtual network. This NIC is assigned a private IP address from your virtual network's address space.

Private DNS Zone

When you create a private endpoint, it's often associated with a private DNS zone. This zone maps the service's fully qualified domain name (FQDN) to the private IP address of the private endpoint, ensuring that traffic to the service is routed correctly.

How it Works

  1. Creation: You create a private endpoint in your virtual network, specifying the target Azure service and the desired subnet.
  2. IP Assignment: Azure assigns a private IP address from your subnet to the private endpoint's NIC.
  3. DNS Configuration: A private DNS zone is typically created or linked, mapping the service's FQDN to the private IP address.
  4. Connection: When a resource in your virtual network (or connected on-premises network) attempts to access the target service using its FQDN, DNS resolution directs the traffic to the private IP address of the private endpoint.
  5. Routing: The traffic then flows over the Microsoft backbone network directly to the specific instance of the Azure service, bypassing the public internet.

Benefits of Private Endpoints

  • Enhanced Security: Eliminates public internet exposure.
  • Simplified Network Architecture: Reduces the need for complex network security groups and firewall rules for public endpoints.
  • Consistent Connectivity: Provides a reliable and private connection to Azure services.
  • Compliance: Helps meet stringent security and compliance requirements.

Use Cases

Creating a Private Endpoint

You can create private endpoints using the Azure portal, Azure CLI, Azure PowerShell, or ARM templates.

Azure CLI Example:

az network private-endpoint create \
    --name MyPrivateEndpoint \
    --resource-group MyResourceGroup \
    --vnet-name MyVNet \
    --subnet MySubnet \
    --connection-name MyConnection \
    --private-connection-resource-id <your-service-resource-id> \
    --group-id <your-service-group-id> \
    --location eastus

Replace placeholders like MyPrivateEndpoint, MyResourceGroup, MyVNet, MySubnet, MyConnection, <your-service-resource-id> (the full Azure resource ID of the target service, for example a storage account) and <your-service-group-id> (the sub-resource to connect to, for example blob for a storage account; az network private-link-resource list shows the valid values for a given resource) with your specific values.

Important Considerations

Ensure that the DNS configuration for your private endpoint is correctly set up to resolve the service's FQDN to the private IP address. This is crucial for seamless connectivity.
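The check below is an added example, not code from the original page or from Azure: it verifies that a service FQDN resolves to an address inside the private endpoint's subnet, and derives the privatelink zone and record name that the private DNS zone should contain. The zone table covers only three services (an assumed subset), and the resolved addresses in the demo are constructed sample values.

```python
import ipaddress
import socket

# Public DNS suffix -> Private Link DNS zone. Assumed subset of the
# well-known zones; extend it for the services you actually use.
PRIVATELINK_ZONES = {
    "blob.core.windows.net": "privatelink.blob.core.windows.net",
    "database.windows.net": "privatelink.database.windows.net",
    "vaultcore.azure.net": "privatelink.vaultcore.azure.net",
}


def expected_private_zone(fqdn):
    """Return (record_name, privatelink_zone) for a service FQDN, or None if unknown.

    mystorage.blob.core.windows.net -> ("mystorage", "privatelink.blob.core.windows.net")
    """
    for suffix, zone in PRIVATELINK_ZONES.items():
        if fqdn.endswith("." + suffix):
            return fqdn[: -len(suffix) - 1], zone
    return None


def check_private_resolution(fqdn, resolved_ips, pe_subnet):
    """Return a list of problems; empty means every answer is inside the PE subnet."""
    subnet = ipaddress.ip_network(pe_subnet)
    problems = []
    if not resolved_ips:
        problems.append(f"{fqdn}: no A records returned")
    for ip in resolved_ips:
        addr = ipaddress.ip_address(ip)
        if addr.is_global:
            # A public answer means the client is not using the privatelink zone,
            # so traffic would go to the public endpoint instead of the PE.
            problems.append(f"{fqdn} resolves to public IP {ip}; privatelink zone not in effect")
        elif addr not in subnet:
            problems.append(f"{fqdn} resolves to {ip}, outside private endpoint subnet {pe_subnet}")
    return problems


def resolve_live(fqdn):
    """Resolve with the host's configured resolver (use from inside the VNet)."""
    return socket.gethostbyname_ex(fqdn)[2]


if __name__ == "__main__":
    fqdn = "mystorage.blob.core.windows.net"          # constructed sample name
    print(expected_private_zone(fqdn))
    print(check_private_resolution(fqdn, ["10.0.1.4"], "10.0.1.0/24"))   # constructed answer
    print(check_private_resolution(fqdn, ["20.60.1.10"], "10.0.1.0/24")) # constructed answer
```

A private answer only proves the DNS path; creating a private endpoint does not by itself close the service's public endpoint, which must be disabled or firewalled on the resource separately if public exposure is to be eliminated.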

Managing Private Endpoints

Once created, private endpoints can be viewed, edited, or deleted through the Azure portal or using command-line tools. You can also manage their associated network security groups if needed.