
Private endpoints concept in Azure - Commands & Configuration

Introduction
Sometimes you want to connect to a cloud service without using the public internet. Private endpoints let you do this by giving the service a private IP address inside your own virtual network, so your traffic reaches it over the private network instead of the service's public address. This keeps your data safer, and the path is shorter, since nothing leaves the Azure network. Typical reasons to use one:
When you want to connect your app to a database without exposing it to the internet.
When you need to access storage accounts securely from your virtual network.
When you want to limit access to cloud services only from your private network.
When you want to avoid data transfer over the public internet for compliance reasons.
When you want to reduce exposure to internet-based attacks on your cloud resources.
Config File - private-endpoint.json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "privateEndpointName": {
      "type": "string",
      "defaultValue": "myPrivateEndpoint"
    },
    "vnetName": {
      "type": "string",
      "defaultValue": "myVnet"
    },
    "subnetName": {
      "type": "string",
      "defaultValue": "mySubnet"
    },
    "resourceGroupName": {
      "type": "string",
      "defaultValue": "example-resource-group"
    },
    "privateLinkServiceId": {
      "type": "string",
      "defaultValue": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-resource-group/providers/Microsoft.Storage/storageAccounts/mystorageaccount"
    },
    "groupIds": {
      "type": "array",
      "defaultValue": ["blob"]
    }
  },
  "resources": [
    {
      "type": "Microsoft.Network/privateEndpoints",
      "apiVersion": "2021-05-01",
      "name": "[parameters('privateEndpointName')]",
      "location": "eastus",
      "properties": {
        "subnet": {
          "id": "[resourceId(parameters('resourceGroupName'), 'Microsoft.Network/virtualNetworks/subnets', parameters('vnetName'), parameters('subnetName'))]"
        },
        "privateLinkServiceConnections": [
          {
            "name": "myConnection",
            "properties": {
              "privateLinkServiceId": "[parameters('privateLinkServiceId')]",
              "groupIds": "[parameters('groupIds')]",
              "requestMessage": "Please approve my connection"
            }
          }
        ]
      }
    }
  ]
}

This JSON is an Azure Resource Manager template that creates a private endpoint. Deploy it into the resource group that holds the virtual network with az deployment group create --resource-group example-resource-group --template-file private-endpoint.json.

privateEndpointName: The name of the private endpoint resource.

vnetName and subnetName: Specify where the private endpoint will be placed inside your virtual network; the endpoint gets a network interface with a private IP address from that subnet.

privateLinkServiceId: The resource ID of the service you want to connect privately, like a storage account.

groupIds: The sub-resource of that service to connect to, such as 'blob' for storage blobs. A storage account exposes one group ID per service (blob, file, queue, table), and a single private endpoint serves one group ID.

The template creates a private endpoint that connects your virtual network subnet to the specified service privately. Two things it does not do, and that you need before the endpoint is effective: it does not create the private DNS zone (privatelink.blob.core.windows.net) and zone group that make the storage account's hostname resolve to the private IP, so clients keep resolving to the public address until you add them; and it does not close the storage account's public endpoint, so set the account's public network access to Disabled (or its default network action to Deny) once the private path works.

Commands
This command creates a private endpoint named 'myPrivateEndpoint' in the 'example-resource-group'. It connects the subnet 'mySubnet' inside the virtual network 'myVnet' to the storage account privately. The group ID 'blob' selects the blob sub-resource of the storage account, and the connection name 'myConnection' is what the service owner will see in the approval request.
Terminal
az network private-endpoint create --name myPrivateEndpoint --resource-group example-resource-group --vnet-name myVnet --subnet mySubnet --private-connection-resource-id /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-resource-group/providers/Microsoft.Storage/storageAccounts/mystorageaccount --group-id blob --connection-name myConnection --location eastus
Expected Output
{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-resource-group/providers/Microsoft.Network/privateEndpoints/myPrivateEndpoint",
  "location": "eastus",
  "name": "myPrivateEndpoint",
  "properties": {
    "customDnsConfigs": [],
    "ipConfigurations": [
      {
        "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-resource-group/providers/Microsoft.Network/privateEndpoints/myPrivateEndpoint/ipConfigurations/ipconfig1",
        "properties": {
          "privateIpAddress": "10.0.1.5",
          "privateIpAllocationMethod": "Dynamic",
          "subnet": {
            "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-resource-group/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet"
          }
        },
        "name": "ipconfig1"
      }
    ],
    "privateLinkServiceConnections": [
      {
        "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-resource-group/providers/Microsoft.Network/privateEndpoints/myPrivateEndpoint/privateLinkServiceConnections/myConnection",
        "properties": {
          "privateLinkServiceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-resource-group/providers/Microsoft.Storage/storageAccounts/mystorageaccount",
          "groupIds": [
            "blob"
          ],
          "requestMessage": "Please approve my connection",
          "status": "Pending"
        },
        "name": "myConnection"
      }
    ],
    "provisioningState": "Succeeded"
  },
  "type": "Microsoft.Network/privateEndpoints"
}
--name - Sets the name of the private endpoint.
--resource-group - Specifies the resource group where the endpoint is created.
--vnet-name and --subnet - The virtual network and subnet in which the endpoint's network interface is placed.
--private-connection-resource-id - The resource ID of the service to connect privately.
--group-id - The sub-resource of the service to connect to ('blob' for blob storage).
--connection-name - The name of the connection request that the service owner approves.
This command lists all private endpoints in the 'example-resource-group' to verify the creation.
Terminal
az network private-endpoint list --resource-group example-resource-group
Expected Output
[
  {
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-resource-group/providers/Microsoft.Network/privateEndpoints/myPrivateEndpoint",
    "location": "eastus",
    "name": "myPrivateEndpoint",
    "properties": {
      "provisioningState": "Succeeded"
    },
    "type": "Microsoft.Network/privateEndpoints"
  }
]
--resource-group - Filters the list to the specified resource group.
This command approves the private endpoint connection request from the storage account side, allowing the private link to become active. If the identity that created the endpoint also has approval rights on the storage account, Azure approves the connection automatically; otherwise it stays Pending until the service owner runs this command.
Terminal
az network private-endpoint-connection approve --resource-group example-resource-group --resource-name mystorageaccount --type Microsoft.Storage/storageAccounts --name myConnection --description "Approving private endpoint connection"
Expected Output
{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-resource-group/providers/Microsoft.Storage/storageAccounts/mystorageaccount/privateEndpointConnections/myConnection",
  "name": "myConnection",
  "properties": {
    "privateEndpoint": {
      "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-resource-group/providers/Microsoft.Network/privateEndpoints/myPrivateEndpoint"
    },
    "privateLinkServiceConnectionState": {
      "actionsRequired": "None",
      "description": "Approved by user",
      "status": "Approved"
    },
    "provisioningState": "Succeeded"
  },
  "type": "Microsoft.Storage/storageAccounts/privateEndpointConnections"
}
--resource-group - Specifies the resource group of the storage account.
--resource-name and --type - The name and resource type of the storage account that owns the connection.
--name - The name of the private endpoint connection to approve.
This command shows detailed information about the private endpoint to confirm its status and IP address.
Terminal
az network private-endpoint show --resource-group example-resource-group --name myPrivateEndpoint
Expected Output
{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-resource-group/providers/Microsoft.Network/privateEndpoints/myPrivateEndpoint",
  "location": "eastus",
  "name": "myPrivateEndpoint",
  "properties": {
    "ipConfigurations": [
      {
        "properties": {
          "privateIpAddress": "10.0.1.5",
          "privateIpAllocationMethod": "Dynamic"
        },
        "name": "ipconfig1"
      }
    ],
    "provisioningState": "Succeeded",
    "privateLinkServiceConnections": [
      {
        "properties": {
          "privateLinkServiceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-resource-group/providers/Microsoft.Storage/storageAccounts/mystorageaccount",
          "privateLinkServiceConnectionState": {
            "status": "Approved",
            "description": "Approved by user",
            "actionsRequired": "None"
          }
        },
        "name": "myConnection"
      }
    ]
  },
  "type": "Microsoft.Network/privateEndpoints"
}
--resource-group - Specifies the resource group of the private endpoint.
--name - The name of the private endpoint to show.
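The show output above tells you whether the endpoint is usable, but not whether it actually replaced the public path. The following audit is an added example, not part of the original walkthrough: it reads the private-endpoint show output together with the storage account's publicNetworkAccess and networkRuleSet fields (both returned by az storage account show), confirms the connection is Approved and points at the expected resource, and flags a storage account whose public endpoint is still open. The JSON inputs are constructed samples built from the page's placeholder values.

```python
import json

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-resource-group"
TARGET = SUB + "/providers/Microsoft.Storage/storageAccounts/mystorageaccount"

# Constructed sample: the fields this audit needs from `az network private-endpoint show` above.
PE_SHOW = json.dumps({"name": "myPrivateEndpoint", "properties": {
    "provisioningState": "Succeeded",
    "ipConfigurations": [{"name": "ipconfig1", "properties": {"privateIpAddress": "10.0.1.5"}}],
    "privateLinkServiceConnections": [{"name": "myConnection", "properties": {
        "privateLinkServiceId": TARGET,
        "privateLinkServiceConnectionState": {"status": "Approved"}}}]}})

# Constructed samples of the `az storage account show` fields that decide whether the public
# endpoint is still open. SA_OPEN is the weak setting; SA_LOCKED is what
# `az storage account update --public-network-access Disabled` leaves behind.
SA_OPEN = json.dumps({"publicNetworkAccess": "Enabled", "networkRuleSet": {"defaultAction": "Allow"}})
SA_LOCKED = json.dumps({"publicNetworkAccess": "Disabled", "networkRuleSet": {"defaultAction": "Deny"}})

def audit_private_endpoint(pe_json: str, sa_json: str, expected_target: str) -> dict:
    pe, sa = json.loads(pe_json), json.loads(sa_json)
    props = pe["properties"]
    findings = []
    if props.get("provisioningState") != "Succeeded":
        findings.append(f"provisioningState is {props.get('provisioningState')}")
    ips = [c["properties"]["privateIpAddress"] for c in props.get("ipConfigurations", [])]
    approved = False
    for conn in props.get("privateLinkServiceConnections", []):
        cp = conn["properties"]
        status = cp["privateLinkServiceConnectionState"]["status"]
        # Azure resource IDs are case-insensitive, so compare them normalised.
        if cp["privateLinkServiceId"].lower() != expected_target.lower():
            findings.append(f"{conn['name']} targets {cp['privateLinkServiceId']}, not the expected resource")
        elif status == "Approved":
            approved = True
        else:
            findings.append(f"{conn['name']} is {status}; approve it from the service side")
    if not approved:
        findings.append("no approved connection to the expected resource")
    # The private endpoint adds a private path; it does not close the public one by itself.
    public_open = (sa.get("publicNetworkAccess", "Enabled") != "Disabled"
                   and sa.get("networkRuleSet", {}).get("defaultAction", "Allow") != "Deny")
    if public_open:
        findings.append("storage account still accepts traffic on its public endpoint")
    return {"private_ips": ips, "approved": approved, "public_open": public_open, "findings": findings}

if __name__ == "__main__":
    # For a live check, replace the constants with the stdout of the two `az ... show` commands.
    print(json.dumps(audit_private_endpoint(PE_SHOW, SA_OPEN, TARGET), indent=2))
```

A defaultAction of Deny with explicit IP rules still admits the listed addresses, so review those rules separately.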
Key Concept

If you remember nothing else from this pattern, remember: private endpoints let you connect cloud services securely inside your network without using the public internet.

Common Mistakes

Not approving the private endpoint connection from the service side after creating it.
The private endpoint remains in a pending state and cannot be used until approved.
Run the approval command to accept the connection request from the service.

Creating the private endpoint in a subnet that has a network security group blocking required traffic.
The private endpoint cannot communicate properly, causing connection failures.
Ensure the NSG rules on the endpoint's subnet and on the client's subnet allow traffic to the endpoint's private IP on the service port (443 for blob storage).

Using incorrect resource IDs or group IDs when creating the private endpoint.
The private endpoint will not connect to the intended service, causing errors.
Double-check and use the exact resource ID and the correct group ID for the target service.
Summary
Create a private endpoint to connect your virtual network subnet privately to a cloud service.
Approve the private endpoint connection from the service side to activate it.
Verify the private endpoint status and IP address to confirm successful setup.