Azure Virtual Networks: Private Endpoints

Last updated: October 26, 2023

Introduction

Azure Private Endpoint is the mechanism Azure Private Link uses to give your virtual network private access to Azure Platform as a Service (PaaS) resources, such as Azure Storage and Azure SQL Database, and to customer-owned or partner services exposed through a Private Link service. Instead of reaching the resource over its public address, clients use a private IP address taken from your virtual network's address space. This effectively brings the resource into your virtual network, so you can apply your own network controls to it and shrink the resource's exposed attack surface.

This article delves into the functionality, benefits, and implementation of Azure Private Endpoints, offering a comprehensive guide for developers and network administrators.

What are Private Endpoints?

A private endpoint is a network interface that uses a private IP address from your virtual network and connects it privately to a service powered by Azure Private Link. When you create a private endpoint for a service, it provides a dedicated connection from your virtual network to that one service instance (and to one sub-resource of it, such as the blob service of a storage account); other instances of the same service type are not reachable through it. Traffic between your virtual network and the service travels over the Microsoft backbone network, eliminating exposure to the public internet. The connection is one-way: it lets your network reach the service, it does not let the service reach into your network.

Key characteristics:

  • Private IP Address: Assigned from your virtual network's address space.
  • Resource Association: Directly links to a specific Azure PaaS resource or a customer/partner service.
  • Private Connectivity: Leverages the Azure backbone for secure communication.

[Diagram: Azure Private Endpoint architecture, a conceptual illustration of private endpoint connectivity from a virtual network to a PaaS resource.]

Benefits of Private Endpoints

Using private endpoints offers several significant advantages for your cloud architecture:

  • Enhanced Security: Keeps traffic to the service off the public internet and on the Microsoft backbone. Combined with disabling the service's public endpoint, the resource becomes reachable only from networks you control.
  • Simplified Network Architecture: Clients need neither public IP addresses nor a NAT gateway to reach the service, and you no longer have to maintain allow-lists of client egress addresses on the service's firewall.
  • Compliance: Helps meet regulatory and compliance requirements by enforcing private access to sensitive data.
  • Seamless Integration: Integrates with existing virtual networks and DNS configurations.
  • No Public IP Exposure: Clients need no public IP address to reach the service. Note that the service's own public endpoint still exists until you disable it on the resource; the private endpoint adds a private path, it does not remove the public one.

How It Works

When you create a private endpoint, Azure performs the following actions:

  1. Network Interface Creation: A network interface (NIC) is created in your virtual network's subnet and assigned a private IP address from that subnet. Network security groups and route tables apply to this NIC only when private endpoint network policies are enabled on the subnet.
  2. Service Association: The private endpoint is associated with a specific Azure service instance and sub-resource (e.g., the blob service of a particular Azure Storage account). The connection is auto-approved when the creator has sufficient permissions on the target resource; otherwise it stays pending until the resource owner approves it.
  3. DNS Configuration: The service's public name (for example mystorageaccount.blob.core.windows.net) resolves via a CNAME to a name in the privatelink subdomain (mystorageaccount.privatelink.blob.core.windows.net). An Azure Private DNS zone named after that subdomain, privatelink.blob.core.windows.net, is linked to your virtual network and holds an A record mapping the privatelink name to the private endpoint's IP. Inside the virtual network, applications that resolve the service's fully qualified domain name (FQDN) therefore get the private IP; on the public internet the same name resolves to the service's public address.
  4. Traffic Routing: When a resource in your virtual network (or a connected network) accesses the service using its FQDN, DNS resolution directs the traffic to the private endpoint's IP address. The traffic then traverses the Microsoft backbone to reach the service. Because the service's TLS certificate covers the public name, clients must keep using the FQDN rather than the private IP.

Note: Private endpoints are available only for services that support Azure Private Link. The private endpoint may be in a different region from the target service; no special routing is needed, because the endpoint sits in your virtual network and the backbone carries traffic to the service. What matters is that clients are in the private endpoint's virtual network or in a network connected to it (VNet peering, VPN or ExpressRoute), and that the DNS they use resolves the service name to the private endpoint's IP. DNS is the usual failure point: if the privatelink zone is not linked to the virtual network the clients resolve from, the name falls back to the service's public address and traffic silently bypasses the private endpoint.
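The following Python script applies the resolution checks described above to DNS answers. It is added here as an illustration and is not code from the page or from Microsoft. Answers are passed in, so the logic runs offline; the sample answers are constructed, mystorageaccount is a placeholder name, and the addresses are invented. resolve_live() shows how to feed it the addresses the local resolver returns when run from a VM inside the VNet.

```python
from __future__ import annotations

import ipaddress
import socket
from dataclasses import dataclass
from typing import Optional


@dataclass
class Resolution:
    """One name lookup, as seen by a client."""
    fqdn: str
    addresses: list[str]                      # final A/AAAA answers
    cname_chain: Optional[list[str]] = None   # names visited after fqdn; None = not known
    expected_cidr: Optional[str] = None       # subnet or VNet range the endpoint NIC lives in


def check_private_link(res: Resolution) -> dict:
    """Return {"ok": bool, "findings": [...]} for a resolution.

    Passes only when every answer is a private address (inside expected_cidr,
    if given) and, when the chain is known, the public name was redirected
    into a privatelink.* zone on the way.
    """
    findings: list[str] = []
    if not res.addresses:
        return {"ok": False, "findings": [f"{res.fqdn}: no A/AAAA answer, name does not resolve"]}

    for addr in res.addresses:
        ip = ipaddress.ip_address(addr)
        if not ip.is_private:
            # The silent failure mode: the client keeps working, but via the public endpoint.
            findings.append(f"{addr} is public: clients reach the service's public endpoint, not the private endpoint")
        elif res.expected_cidr and ip not in ipaddress.ip_network(res.expected_cidr, strict=False):
            findings.append(f"{addr} is private but outside {res.expected_cidr}: wrong VNet or stale record")

    if res.cname_chain is not None and not any(".privatelink." in name for name in res.cname_chain):
        findings.append("no CNAME into a privatelink.* zone: answer did not come via the Private Link zone")

    return {"ok": not findings, "findings": findings}


def resolve_live(fqdn: str, expected_cidr: Optional[str] = None) -> Resolution:
    """Ask the local resolver for the name's addresses, as a VM in the VNet would.

    The CNAME chain is left unknown because socket.getaddrinfo does not expose it.
    """
    addrs = sorted({info[4][0] for info in socket.getaddrinfo(fqdn, None)})
    return Resolution(fqdn, addrs, cname_chain=None, expected_cidr=expected_cidr)


# Constructed sample answers (placeholder name and invented addresses, not captured from a tenant).
INSIDE_VNET = Resolution(
    "mystorageaccount.blob.core.windows.net",
    ["10.0.1.4"],
    ["mystorageaccount.privatelink.blob.core.windows.net"],
    "10.0.1.0/24",
)
# What a client outside the VNet, or one whose VNet is not linked to the private zone, sees.
PUBLIC_RESOLVER = Resolution(
    "mystorageaccount.blob.core.windows.net",
    ["20.60.8.33"],
    ["mystorageaccount.privatelink.blob.core.windows.net"],
)


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:   # python3 check_pe_dns.py <fqdn> [expected-cidr]
        result = check_private_link(resolve_live(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None))
    else:
        result = check_private_link(PUBLIC_RESOLVER)
    print(result)
```

Run it with the service FQDN from a VM in the VNet after linking the zone, and again from a machine outside the VNet: the first should report ok, the second should report a public address. An ok from outside means the public endpoint is still answering, which is expected until you disable public access on the resource.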

Key Use Cases

Private endpoints are ideal for scenarios where you need secure and private access to Azure services:

  • Accessing Azure SQL Database or Azure Database for PostgreSQL/MySQL from a virtual machine without exposing it to the internet.
  • Connecting to Azure Storage accounts for blobs, queues, or tables securely from your virtual network.
  • Enabling access to Azure Key Vault for managing secrets and keys privately.
  • Connecting to Azure Synapse Analytics or Azure Databricks workspaces securely.
  • Accessing Azure Cache for Redis without public endpoints.

Creating a Private Endpoint

You can create a private endpoint using the Azure portal, Azure CLI, Azure PowerShell, or ARM templates.

Using Azure CLI:

Here's a simplified example of creating a private endpoint for an Azure Storage account:

# Define variables
RESOURCE_GROUP="myResourceGroup"
VIRTUAL_NETWORK_NAME="myVNet"
SUBNET_NAME="mySubnet"
PRIVATE_ENDPOINT_NAME="myPrivateEndpoint"
STORAGE_ACCOUNT_NAME="mystorageaccount" # Replace with your storage account name
LOCATION="eastus"
GROUP_ID="blob" # Storage sub-resource: "blob", "file", "queue", "table", "web" or "dfs"; one private endpoint per sub-resource

# Get the resource ID of the storage account
STORAGE_ACCOUNT_ID=$(az storage account show \
  --name "$STORAGE_ACCOUNT_NAME" \
  --resource-group "$RESOURCE_GROUP" \
  --query id --output tsv)

# Create the private endpoint: a NIC with a private IP in the subnet, plus a
# connection to the chosen sub-resource of the storage account
az network private-endpoint create \
  --name "$PRIVATE_ENDPOINT_NAME" \
  --resource-group "$RESOURCE_GROUP" \
  --location "$LOCATION" \
  --vnet-name "$VIRTUAL_NETWORK_NAME" \
  --subnet "$SUBNET_NAME" \
  --group-id "$GROUP_ID" \
  --connection-name "${STORAGE_ACCOUNT_NAME}-conn" \
  --private-connection-resource-id "$STORAGE_ACCOUNT_ID"

# Configure DNS with an Azure Private DNS zone. Skip the zone and link
# commands if 'privatelink.blob.core.windows.net' already exists and is
# linked to your VNet; a zone group per private endpoint is still needed.
PRIVATE_DNS_ZONE_NAME="privatelink.blob.core.windows.net"
DNS_LINK_NAME="myVNetLink"
PRIVATE_DNS_ZONE_GROUP_NAME="myPrivateDnsZoneGroup"

# Create the private DNS zone for the privatelink subdomain
az network private-dns zone create \
    --name "$PRIVATE_DNS_ZONE_NAME" \
    --resource-group "$RESOURCE_GROUP" \
    --output none

# Link the zone to the VNet so clients resolving from the VNet use it
az network private-dns link vnet create \
    --resource-group "$RESOURCE_GROUP" \
    --zone-name "$PRIVATE_DNS_ZONE_NAME" \
    --name "$DNS_LINK_NAME" \
    --virtual-network "$VIRTUAL_NETWORK_NAME" \
    --registration-enabled false \
    --output none

# Attach a DNS zone group to the private endpoint so Azure writes and
# maintains the A record for the endpoint's private IP in the zone
az network private-endpoint dns-zone-group create \
    --resource-group "$RESOURCE_GROUP" \
    --endpoint-name "$PRIVATE_ENDPOINT_NAME" \
    --name "$PRIVATE_DNS_ZONE_GROUP_NAME" \
    --private-dns-zone "$PRIVATE_DNS_ZONE_NAME" \
    --zone-name "$GROUP_ID"

These commands create the private path only; the storage account's public endpoint keeps answering until you disable public network access on the account or set its network rule set's default action to Deny. For detailed steps and options for other services, refer to the official Azure documentation.
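Once the commands above have run, the JSON that `az network private-endpoint show -o json` and `az storage account show -o json` return is enough to confirm that the endpoint is approved and pointed at the right account, and that the public endpoint the Benefits section warns about is actually closed. The Python check below is added here as an example and is not Microsoft's or the page's own code; the sample documents are constructed, trimmed to the fields the check reads, and use a placeholder subscription ID together with the resource names from the commands above.

```python
from __future__ import annotations

import ipaddress


def assess_private_endpoint(pe: dict, account: dict) -> list[str]:
    """Findings for one private endpoint and the storage account it should target.

    pe      : parsed output of `az network private-endpoint show -o json`
    account : parsed output of `az storage account show -o json`
    An empty list means: approved, attached to the expected account, any DNS
    config carries a private IP, and the account's public endpoint is closed.
    """
    findings: list[str] = []

    conns = pe.get("privateLinkServiceConnections") or []
    if not conns:
        findings.append("no privateLinkServiceConnections: endpoint is not attached to any resource")
    for conn in conns:
        status = (conn.get("privateLinkServiceConnectionState") or {}).get("status")
        if status != "Approved":
            findings.append(f"connection {conn.get('name')} is {status}, not Approved: no traffic flows until the owner approves it")
        if (conn.get("privateLinkServiceId") or "").lower() != (account.get("id") or "").lower():
            findings.append(f"connection {conn.get('name')} targets {conn.get('privateLinkServiceId')}, not the expected account")

    # customDnsConfigs lists fqdn/IP pairs clients are expected to resolve; any present must be private.
    for cfg in pe.get("customDnsConfigs") or []:
        for addr in cfg.get("ipAddresses") or []:
            if not ipaddress.ip_address(addr).is_private:
                findings.append(f"DNS config for {cfg.get('fqdn')} carries public address {addr}")

    # A private endpoint never closes the public endpoint; the account has to do that itself.
    rules = account.get("networkRuleSet") or {}
    if (account.get("publicNetworkAccess") or "Enabled") != "Disabled":   # null means Enabled
        if rules.get("defaultAction") != "Deny":
            findings.append("publicNetworkAccess is not Disabled and networkRuleSet.defaultAction is not Deny: the public endpoint is still open to the internet")
        elif rules.get("ipRules") or rules.get("virtualNetworkRules"):
            findings.append("public endpoint is closed by default but allow-listed sources can still bypass the private endpoint")
    return findings


# Constructed sample documents (placeholder subscription ID; shape follows the CLI's JSON output).
RG_ID = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup"
ACCOUNT_ID = f"{RG_ID}/providers/Microsoft.Storage/storageAccounts/mystorageaccount"

PE_APPROVED = {
    "name": "myPrivateEndpoint",
    "privateLinkServiceConnections": [{
        "name": "mystorageaccount-conn",
        "groupIds": ["blob"],
        "privateLinkServiceId": ACCOUNT_ID,
        "privateLinkServiceConnectionState": {"status": "Approved", "description": "Auto-Approved", "actionsRequired": "None"},
    }],
    "customDnsConfigs": [{"fqdn": "mystorageaccount.blob.core.windows.net", "ipAddresses": ["10.0.1.4"]}],
}
# Same endpoint created by a principal without rights on the account: waits for the owner.
PE_PENDING = {
    **PE_APPROVED,
    "privateLinkServiceConnections": [{
        **PE_APPROVED["privateLinkServiceConnections"][0],
        "privateLinkServiceConnectionState": {"status": "Pending", "description": "Awaiting approval", "actionsRequired": "None"},
    }],
}
ACCOUNT_CLOSED = {
    "id": ACCOUNT_ID,
    "publicNetworkAccess": "Disabled",
    "networkRuleSet": {"defaultAction": "Deny", "bypass": "AzureServices", "ipRules": [], "virtualNetworkRules": []},
}
ACCOUNT_OPEN = {
    "id": ACCOUNT_ID,
    "publicNetworkAccess": "Enabled",
    "networkRuleSet": {"defaultAction": "Allow", "bypass": "AzureServices", "ipRules": [], "virtualNetworkRules": []},
}


if __name__ == "__main__":
    import json
    import sys

    if len(sys.argv) == 3:   # python3 assess_pe.py pe.json account.json (saved `az ... -o json` output)
        pe, account = (json.load(open(path)) for path in sys.argv[1:3])
    else:
        pe, account = PE_APPROVED, ACCOUNT_OPEN
    for finding in assess_private_endpoint(pe, account) or ["ok"]:
        print(finding)
```

If the last finding fires, `az storage account update --name <account> --resource-group <group> --public-network-access Disabled` closes the public endpoint. Do that only after a DNS check from inside the VNet succeeds; otherwise every client, including the ones you meant to keep, loses access. The same function flags connections the resource owner has rejected or left pending, which is what the revoke operations in the next section produce.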

Managing Private Endpoints

Once created, private endpoints can be managed through the Azure portal or CLI:

  • View Details: Inspect the private IP address, associated service, and network configuration.
  • Delete: Remove the private endpoint if it's no longer needed. This action will disconnect private access to the service.
  • Revoke Connections: The resource owner approves, rejects or removes private endpoint connections on the service side (az network private-endpoint-connection). A private endpoint created by a principal with sufficient permissions on the target resource is auto-approved; any other request, including one from a different subscription or tenant, stays Pending until approved, so review pending requests before accepting them.
Common Management Tasks

Deleting a Private Endpoint

To delete a private endpoint using Azure CLI:

az network private-endpoint delete --name myPrivateEndpoint --resource-group myResourceGroup

Viewing Private Endpoint Properties

az network private-endpoint show --name myPrivateEndpoint --resource-group myResourceGroup

Conclusion

Azure Private Endpoint is a fundamental service for securing your Azure deployments. By enabling private connectivity to PaaS services, it significantly enhances your security posture, simplifies network management, and helps meet stringent compliance requirements. Understanding and leveraging private endpoints is crucial for building secure, resilient, and performant cloud solutions on Azure.