Microsoft Docs

Configure Private Link with Azure Virtual WAN

This document guides you through the process of configuring Private Link with Azure Virtual WAN, enabling secure and private access to your Azure PaaS services and applications without traversing the public internet.

Prerequisites

Before you begin, ensure you have the following:

  • An existing Azure Virtual WAN resource.
  • An Azure Virtual Network (VNet) that you want to connect to the Private Link service.
  • Permissions to create and manage Private Link services and Virtual WAN resources.

Steps to Configure Private Link

Follow these steps to set up Private Link for your Virtual WAN environment:

Using Azure CLI

You can use the Azure CLI to automate the configuration. Below is an example of how to create a Private Endpoint and associate it with a Virtual WAN Hub.

# Create the private endpoint in the VNet that is connected to the Virtual WAN hub.
# --group-id is required only when the target is an Azure PaaS resource (for example
# "blob" for Storage); it is omitted here because the target is a Private Link service.
az network private-endpoint create \
    --name MyPrivateEndpoint \
    --resource-group MyResourceGroup \
    --vnet-name MyVnet \
    --subnet MySubnet \
    --private-connection-resource-id "/subscriptions/YOUR_SUBSCRIPTION_ID/resourceGroups/MY_RESOURCE_GROUP/providers/Microsoft.Network/privateLinkServices/MyPrivateLinkService" \
    --location eastus \
    --connection-name MyPrivateEndpointConnection

# Connect the VNet to the Virtual WAN hub. A virtual hub is not a VNet, so classic VNet
# peering (az network vnet peering create) cannot target it; a hub virtual network
# connection is used instead (requires the virtual-wan CLI extension:
# az extension add --name virtual-wan).
az network vhub connection create \
    --name "VnetConnectionToHub" \
    --resource-group HUB_RESOURCE_GROUP \
    --vhub-name MyVirtualHub \
    --remote-vnet "/subscriptions/YOUR_SUBSCRIPTION_ID/resourceGroups/MyResourceGroup/providers/Microsoft.Network/virtualNetworks/MyVnet"

# Note: This is a simplified example. Actual commands may vary based on your specific service and setup.

For detailed commands, refer to the Azure CLI documentation for Private Link.

Using Azure PowerShell

Azure PowerShell provides cmdlets to manage your Azure resources. Here's how you can create a Private Endpoint:


# Look up the subnet that will host the private endpoint (in the VNet connected to the hub).
$vnet   = Get-AzVirtualNetwork -Name "MyVnet" -ResourceGroupName "MyResourceGroup"
$subnet = Get-AzVirtualNetworkSubnetConfig -Name "MySubnet" -VirtualNetwork $vnet

# The connection to the target service is a separate object passed to New-AzPrivateEndpoint.
# Add -GroupId (for example "blob") only when the target is an Azure PaaS resource rather
# than a Private Link service.
$connection = New-AzPrivateLinkServiceConnection -Name "MyPrivateEndpointConnection" `
    -PrivateLinkServiceId "/subscriptions/YOUR_SUBSCRIPTION_ID/resourceGroups/MY_RESOURCE_GROUP/providers/Microsoft.Network/privateLinkServices/MyPrivateLinkService"

$privateEndpoint = New-AzPrivateEndpoint -Name "MyPrivateEndpoint" -ResourceGroupName "MyResourceGroup" `
    -Location "East US" -Subnet $subnet `
    -PrivateLinkServiceConnection $connection

# To reach the endpoint through Virtual WAN, the VNet must be connected to the hub with a
# hub virtual network connection (New-AzVirtualHubVnetConnection) rather than classic VNet
# peering. This is managed separately within the Virtual WAN hub configuration.

Refer to the Azure PowerShell documentation for Private Link for more options.

Using Azure Portal

  1. Navigate to the Azure portal (portal.azure.com).
  2. Search for and select Private Link.
  3. Click Create a private endpoint.
  4. On the Basics tab:
    • Select your Subscription and Resource group.
    • Provide a Name for the private endpoint.
    • Choose the Region.
  5. On the Resource tab:
    • Select the connection method (e.g., "Connect to an Azure service").
    • Choose the Subscription, Resource type, and the specific resource you want to connect to.
  6. On the Configuration tab:
    • Select the Virtual Network and Subnet from your Virtual WAN connected VNet.
    • Configure the Private DNS integration as needed.
  7. Review and create the private endpoint.

After creating the Private Endpoint, ensure your Virtual WAN hub is correctly configured to route traffic to this Private Endpoint.

Routing Considerations

When using Private Link with Virtual WAN, ensure your routing tables within the Virtual WAN hub are configured to direct traffic destined for the Private Endpoint to the correct VNet. This typically involves:

  • Configuring VNet connections to the Virtual WAN hub.
  • Ensuring effective route propagation and association within the hub.
  • Verifying DNS resolution for the Private Endpoint.

Important: Private Link is designed for private connectivity. Ensure that firewall rules and network security groups (NSGs) on your connected VNets and the target service are configured to allow traffic from the Private Endpoint.
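As an added check for the "Verifying DNS resolution" step (example code written for this page, not Microsoft's), the script below classifies resolver answers for Private Link FQDNs: a service name that still resolves to a public address means clients in the connected VNet would bypass the private endpoint and reach the public endpoint instead. The FQDNs, addresses and subnet range are constructed sample values.

```python
import ipaddress
import socket

# Constructed sample data (not from the page): the address space of the subnet that hosts
# the private endpoint, and the answers the resolver returned for three service FQDNs.
PE_SUBNETS = ["10.1.2.0/24"]
SAMPLE_RESOLUTIONS = {
    "mystorageacct.blob.core.windows.net": ["10.1.2.5"],   # expected: private endpoint IP
    "mysqlserver.database.windows.net": ["20.60.1.1"],     # public IP: privatelink zone not linked
    "mykeyvault.vault.azure.net": ["10.9.9.9"],            # private, but not a PE subnet: stale record
}

def resolve_live(fqdn):
    """Query the system resolver (what a VM in the connected VNet sees). Not used offline."""
    return sorted({info[4][0] for info in socket.getaddrinfo(fqdn, None, socket.AF_INET)})

def classify_resolution(addresses, pe_subnets):
    """Return the worst verdict across all answers for one FQDN:
    'unresolved'       no answer at all
    'public-leak'      a public address: traffic would bypass Private Link
    'wrong-private'    private address outside every PE subnet (stale or mistyped record)
    'private-endpoint' every answer lies inside a private endpoint subnet (expected)"""
    if not addresses:
        return "unresolved"
    nets = [ipaddress.ip_network(cidr) for cidr in pe_subnets]
    severity = {"private-endpoint": 0, "wrong-private": 1, "public-leak": 2}
    worst = "private-endpoint"
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if ip.is_global:
            verdict = "public-leak"
        elif any(ip in net for net in nets):
            verdict = "private-endpoint"
        else:
            verdict = "wrong-private"
        if severity[verdict] > severity[worst]:
            worst = verdict
    return worst

def audit(resolutions, pe_subnets):
    """Classify every FQDN; anything other than 'private-endpoint' needs attention."""
    return {fqdn: classify_resolution(addrs, pe_subnets) for fqdn, addrs in resolutions.items()}

if __name__ == "__main__":
    for fqdn, verdict in audit(SAMPLE_RESOLUTIONS, PE_SUBNETS).items():
        print(f"{fqdn:45s} {verdict}")
```

Run it from a VM inside the connected VNet with `resolve_live` feeding `audit` to test the resolver your workloads actually use.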

Common Scenarios

  • Accessing Azure Storage privately.
  • Securing access to Azure SQL Database.
  • Connecting to Azure Key Vault from private networks.

Next Steps

Once your Private Link is configured, you can proceed with:

  • Testing connectivity to your private endpoint.
  • Monitoring Private Link usage and performance.
  • Exploring advanced Private Link configurations.

Tip: For comprehensive details on Private Link, consult the Azure Private Link documentation.