Implementing Private Endpoints with Azure CLI
Private endpoints provide a secure way to reach Azure PaaS services, and your own or partner services exposed through Private Link, from within your Azure Virtual Network. The endpoint takes a private IP address from your VNet, effectively placing the service inside your VNet.
What is a Private Endpoint?
A private endpoint is a network interface that connects you privately and securely to a service powered by Azure Private Link. It enables you to use private IP addresses from your Virtual Network (VNet), effectively bringing the service into your VNet. This is crucial for enhancing security by minimizing public network exposure.
Benefits of Private Endpoints:
- Enhanced Security: Traffic stays within the Azure network backbone, avoiding exposure to the public internet.
- Simplified Network Architecture: Reduces the need for complex VNet peering or VPNs for accessing PaaS services.
- Private IP Addressing: Services are accessible via private IP addresses, making them appear as if they are part of your VNet.
- Access Control: Integrates with VNet security policies, NSGs, and firewalls.
Common Scenarios
Private endpoints are commonly used to:
- Securely connect to Azure Storage accounts without exposing them to the public internet.
- Access Azure SQL Database or Azure Synapse Analytics from a private network.
- Connect to Azure Key Vault for secret management without public exposure.
- Allow on-premises applications to access Azure services securely via Azure ExpressRoute or VPN Gateway.
Creating a Private Endpoint using Azure CLI
The process involves creating a Private Endpoint resource and linking it to a specific Azure resource (the 'target service'). Azure creates a Network Interface (NIC) for the private endpoint; that NIC receives the private IP address from your subnet.
Prerequisites:
- An Azure Subscription.
- The Azure CLI installed and configured.
- A Virtual Network and a Subnet where the private endpoint will reside.
- The target Azure resource (e.g., Storage Account, SQL Server) must support Private Link.
Example: Creating a Private Endpoint for Azure Storage
Step 1: Define Variables
Set up variables for your resource group, VNet, subnet, storage account, and the desired region.
RESOURCE_GROUP="myResourceGroup"
VNET_NAME="myVNet"
SUBNET_NAME="mySubnet"
STORAGE_ACCOUNT_NAME="mystorageaccount" # Replace with your storage account name
PRIVATE_ENDPOINT_NAME="myPrivateEndpoint"
LOCATION="eastus"
# Full ARM resource ID of the target service; replace the subscription ID placeholder
TARGET_RESOURCE_ID="/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Storage/storageAccounts/$STORAGE_ACCOUNT_NAME"
MANUAL_APGW_SUBSCRIPTION_ID="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" # Subscription ID of the target resource if it lives in another subscription
MANUAL_APGW_RESOURCE_GROUP="myTargetResourceGroup" # Resource group of the target resource if it lives in another resource group
Step 2: Create the Private Endpoint
Use the az network private-endpoint create command. You'll need to specify the subnet, the group ID (sub-resource) of the target service (e.g., 'blob' for the blob service of a storage account), and the resource ID of the target service. The --connection-name parameter identifies the connection on the target service side.
az network private-endpoint create \
--name $PRIVATE_ENDPOINT_NAME \
--resource-group $RESOURCE_GROUP \
--location $LOCATION \
--vnet-name $VNET_NAME \
--subnet $SUBNET_NAME \
--private-connection-resource-id $TARGET_RESOURCE_ID \
--group-id "blob" \
--connection-name "privatelinkconnection" \
--manual-request false # Set to true if the connection must be approved manually on the service side
# A storage private endpoint targets exactly one sub-resource; create a separate endpoint
# (with its own privatelink.<service>.core.windows.net zone) for file, queue or table.
# A target in another subscription or resource group needs no extra flag: build
# TARGET_RESOURCE_ID from MANUAL_APGW_SUBSCRIPTION_ID and MANUAL_APGW_RESOURCE_GROUP instead.
Step 3: Get Private Endpoint Details
Retrieve the private IP address assigned to the private endpoint.
# The private endpoint references its NIC only by ID; read the address from the NIC itself
NIC_ID=$(az network private-endpoint show \
--name $PRIVATE_ENDPOINT_NAME \
--resource-group $RESOURCE_GROUP \
--query 'networkInterfaces[0].id' \
--output tsv)
PRIVATE_IP=$(az network nic show \
--ids $NIC_ID \
--query 'ipConfigurations[0].privateIPAddress' \
--output tsv)
echo "Private Endpoint Name: $PRIVATE_ENDPOINT_NAME"
echo "Private IP Address: $PRIVATE_IP"
Step 4: Configure DNS Resolution
For your applications to resolve the service name to the private IP, you need to configure DNS. This typically involves creating a private DNS zone or updating your existing DNS records.
Option A: Using Azure Private DNS Zones
This is the recommended approach for Azure-managed services.
# Example for Azure Storage (blob endpoint)
PRIVATE_DNS_ZONE_NAME="privatelink.blob.core.windows.net"
DNS_RECORD_NAME="$STORAGE_ACCOUNT_NAME" # Relative record name inside the zone; the public name mystorageaccount.blob.core.windows.net is a CNAME to mystorageaccount.privatelink.blob.core.windows.net
az network private-dns zone create \
--name $PRIVATE_DNS_ZONE_NAME \
--resource-group $RESOURCE_GROUP
# Link the VNet to the Private DNS Zone
az network private-dns link vnet create \
--name "myDnsLink" \
--resource-group $RESOURCE_GROUP \
--zone-name $PRIVATE_DNS_ZONE_NAME \
--virtual-network $VNET_NAME \
--registration-enabled false # Set to true if you want auto-registration
# Create the A record
az network private-dns record-set a add-record \
--resource-group $RESOURCE_GROUP \
--zone-name $PRIVATE_DNS_ZONE_NAME \
--record-set-name $DNS_RECORD_NAME \
--ipv4-address $PRIVATE_IP
echo "Private DNS Zone '$PRIVATE_DNS_ZONE_NAME' created and linked to '$VNET_NAME'."
echo "A record for '$DNS_RECORD_NAME' pointing to '$PRIVATE_IP' created."
Option B: Manual DNS configuration (e.g., on-premises DNS servers)
You would manually create an A record pointing the service's FQDN (e.g., mystorageaccount.blob.core.windows.net) to the obtained $PRIVATE_IP.
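Creating the endpoint and the DNS records does not by itself close the storage account's public endpoint, so the deployment is only as private as its weakest of three settings: connection state, DNS answer, and publicNetworkAccess. The following audit script is an added example, not part of the tutorial; it reuses the Step 1 variables, assumes the query is run from a Linux host inside the linked VNet, and exercises the same checks on constructed values when az is not available.

```bash
#!/usr/bin/env bash
# Post-deployment audit for the storage private endpoint built in Steps 1-4.
# Hypothetical helper, not part of the tutorial: it reuses the Step 1 variables
# ($RESOURCE_GROUP, $PRIVATE_ENDPOINT_NAME, $STORAGE_ACCOUNT_NAME) and assumes the
# DNS check runs on a Linux host inside the VNet linked to the private DNS zone.

# is_private_ipv4 ADDR: succeed only for RFC 1918 addresses (10/8, 172.16/12, 192.168/16).
is_private_ipv4() {
  local ip="$1" a b rest
  case "$ip" in *.*.*.*) ;; *) return 1 ;; esac
  a=${ip%%.*}; rest=${ip#*.}; b=${rest%%.*}
  case "$a" in ''|*[!0-9]*) return 1 ;; esac
  case "$b" in ''|*[!0-9]*) return 1 ;; esac
  [ "$a" -eq 10 ] && return 0
  [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ] && return 0
  [ "$a" -eq 192 ] && [ "$b" -eq 168 ] && return 0
  return 1
}

# audit_private_endpoint STATUS IP PUBLIC_ACCESS
#   STATUS        connection state the target service reports (Approved/Pending/Rejected)
#   IP            address the blob FQDN resolves to from inside the VNet
#   PUBLIC_ACCESS the storage account's publicNetworkAccess setting (Enabled/Disabled)
# Prints one line per check; returns 0 only when all three pass.
audit_private_endpoint() {
  local status="$1" ip="$2" public="$3" rc=0
  if [ "$status" = "Approved" ]; then echo "OK   connection is Approved"
  else echo "FAIL connection state is '$status'; approve it on the target service"; rc=1; fi
  if is_private_ipv4 "$ip"; then echo "OK   FQDN resolves to private address $ip"
  else echo "FAIL FQDN resolves to $ip; DNS still points at the public endpoint"; rc=1; fi
  if [ "$public" = "Disabled" ]; then echo "OK   public network access is Disabled"
  else echo "FAIL publicNetworkAccess is '${public:-unset}'; the public endpoint is still reachable"; rc=1; fi
  return "$rc"
}

# Collect live values only when the CLI and the Step 1 variables are present.
# With --manual-request true, read manualPrivateLinkServiceConnections instead.
if command -v az >/dev/null 2>&1 && [ -n "${PRIVATE_ENDPOINT_NAME:-}" ]; then
  status=$(az network private-endpoint show -g "$RESOURCE_GROUP" -n "$PRIVATE_ENDPOINT_NAME" \
    --query 'privateLinkServiceConnections[0].privateLinkServiceConnectionState.status' -o tsv)
  public=$(az storage account show -g "$RESOURCE_GROUP" -n "$STORAGE_ACCOUNT_NAME" \
    --query publicNetworkAccess -o tsv)
  ip=$(getent hosts "$STORAGE_ACCOUNT_NAME.blob.core.windows.net" | awk '{print $1}')
  audit_private_endpoint "$status" "$ip" "$public"
fi
```

A FAIL on the DNS check usually means the private zone is not linked to the VNet the client sits in; a FAIL on public access is fixed with az storage account update --public-network-access Disabled.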
Managing Existing Private Endpoints
- List Private Endpoints: az network private-endpoint list -g <resource-group>
- Show Details: az network private-endpoint show -g <resource-group> -n <private-endpoint-name>
- Delete: az network private-endpoint delete -g <resource-group> -n <private-endpoint-name>
Important Considerations
- Ensure the --group-id parameter correctly matches the sub-resource of the service you are targeting.
- DNS resolution is critical for successful private endpoint connectivity.
- Review the connection status on the target Azure service to confirm the private endpoint connection is approved (if manual approval is enabled).
- Private endpoints are associated with a specific NIC, which inherits settings from the subnet.