Microsoft Docs - Azure Networking

Private Link Overview

Azure Private Link enables you to access Azure PaaS services (for example, Azure Storage, Azure SQL Database, Azure Key Vault) and your own services over a private endpoint in your virtual network. Traffic to the service stays on a private IP address in your virtual network instead of crossing the public internet, which also simplifies network architecture.

Getting Started

Setup

Follow these steps to create a Private Endpoint for an Azure Storage account:

  1. Navigate to the storage account > Networking > Private endpoint connections.
  2. Click + Private endpoint and fill in the basics (subscription, resource group, name).
  3. Select the virtual network and subnet where the endpoint will reside.
  4. Choose the target sub‑resource (Blob, Table, Queue, or File).
  5. Approve the connection request if you are the resource owner.
  6. Configure DNS – either Azure DNS private zones or your custom DNS server.

Prerequisites

  • An Azure subscription with at least one resource group.
  • A virtual network with a dedicated subnet for private endpoints.
  • The Azure service you want to connect to (e.g., Storage, SQL, Key Vault).
  • Network permissions (Network Contributor) on the target virtual network.

Demo

Below is a Bicep snippet that deploys a private endpoint for an Azure Storage account.

// Region for the private endpoint; defaults to the resource group's region.
param location string = resourceGroup().location
param storageAccountName string
param vnetName string
param subnetName string

// Existing storage account that the private endpoint connects to.
resource storage 'Microsoft.Storage/storageAccounts@2022-09-01' existing = {
  name: storageAccountName
}

// Existing virtual network and the subnet that hosts the endpoint.
resource vnet 'Microsoft.Network/virtualNetworks@2022-07-01' existing = {
  name: vnetName
}

resource subnet 'Microsoft.Network/virtualNetworks/subnets@2022-07-01' existing = {
  parent: vnet
  name: subnetName
}

// Private endpoint in the subnet, connected to the account's blob sub-resource.
resource pe 'Microsoft.Network/privateEndpoints@2022-07-01' = {
  name: '${storageAccountName}-pe'
  location: location
  properties: {
    subnet: {
      id: subnet.id
    }
    privateLinkServiceConnections: [
      {
        name: 'storage-connection'
        properties: {
          privateLinkServiceId: storage.id
          // Target sub-resource; one of the values from step 4 of the setup.
          groupIds: [ 'blob' ]
        }
      }
    ]
  }
}
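
The snippet above stops at the endpoint itself and leaves out the DNS configuration from step 6. The following is an added example, not part of the original page, that covers the Azure DNS private zone option for the blob sub-resource. It assumes the same `storageAccountName` and `vnetName` parameters and the `${storageAccountName}-pe` endpoint name used above; the link name, zone group name and config name are illustrative.

```bicep
// Added example: private DNS for the blob private endpoint (setup step 6).
// Parameter names mirror the snippet on this page; other names are illustrative.
param storageAccountName string
param vnetName string

// Private Link zone for the blob sub-resource in the current cloud,
// e.g. privatelink.blob.core.windows.net in the Azure public cloud.
var blobZoneName = 'privatelink.blob.${environment().suffixes.storage}'

resource vnet 'Microsoft.Network/virtualNetworks@2022-07-01' existing = {
  name: vnetName
}

// The private endpoint deployed by the page's snippet.
resource pe 'Microsoft.Network/privateEndpoints@2022-07-01' existing = {
  name: '${storageAccountName}-pe'
}

resource zone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: blobZoneName
  location: 'global'
}

// Link the zone to the virtual network so its workloads resolve through it.
// Auto-registration is off: only the endpoint's record belongs in this zone.
resource zoneLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: zone
  name: '${vnetName}-link'
  location: 'global'
  properties: {
    registrationEnabled: false
    virtualNetwork: {
      id: vnet.id
    }
  }
}

// The zone group has the endpoint create and maintain its A record in the zone.
resource zoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2022-07-01' = {
  parent: pe
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'blob'
        properties: {
          privateDnsZoneId: zone.id
        }
      }
    ]
  }
}
```

After deployment, the account's blob hostname should resolve to the endpoint's private IP address from inside the virtual network. The storage account's public endpoint remains reachable until public network access is restricted on the account itself.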
