Process Flow - Private endpoints concept

Create Private Endpoint

↓

Assign to VNet Subnet

↓

Connect to Azure Service Privately

↓

Traffic Routed via Private IP

↓

Secure Access without Public Internet

This flow shows how a private endpoint is created and linked to a virtual network subnet, enabling private and secure access to an Azure service without using the public internet.

Execution Sample

Azure

az network private-endpoint create \
  --name myPrivateEndpoint \
  --resource-group myResourceGroup \
  --vnet-name myVNet \
  --subnet mySubnet \
  --private-connection-resource-id /subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.Storage/storageAccounts/mystorage \
  --group-ids blob \
  --connection-name myConnection

This command creates a private endpoint in a subnet to connect privately to an Azure Storage account's blob service.

Process Table

Step	Action	Resource State Change	Network Behavior
1	Create private endpoint resource	Private endpoint resource created but not linked	No traffic routed yet
2	Assign private endpoint to VNet subnet	Private endpoint linked to subnet with private IP	Subnet now has private IP for endpoint
3	Connect private endpoint to Azure service	Private link connection established	Traffic to service routes via private IP
4	Use private endpoint from VM in subnet	No resource change	Traffic flows privately, no public internet used
5	Delete private endpoint	Private endpoint resource removed	Traffic reverts to public endpoint if available

💡 Private endpoint deleted or disconnected, private traffic routing stops

Status Tracker

Variable	Start	After Step 1	After Step 2	After Step 3	After Step 4	Final
PrivateEndpointResource	None	Created	Linked to subnet	Connected to service	Active and routing traffic	Deleted
PrivateIP	None	None	Assigned in subnet	Used for service traffic	Used for service traffic	Released
TrafficRoute	Public internet	Public internet	Public internet	Private IP route	Private IP route	Public internet or disconnected

Key Moments - 3 Insights

Why does traffic route through a private IP after creating the private endpoint?

Does creating a private endpoint immediately change network traffic?

What happens to traffic if the private endpoint is deleted?

Visual Quiz - 3 Questions

Test your understanding

Look at the execution_table, at which step is the private IP assigned to the subnet?

AStep 2

BStep 1

CStep 3

DStep 4

Concept Snapshot

Private endpoints create a private IP in your virtual network subnet.
This private IP connects securely to an Azure service.
Traffic to the service routes privately, avoiding the public internet.
You create them by linking a private endpoint resource to a subnet and service.
Deleting the endpoint removes private routing.
Use private endpoints to enhance security and reduce exposure.

Full Transcript

Private endpoints in Azure allow you to connect privately and securely to Azure services by assigning a private IP address within your virtual network subnet. The process starts by creating a private endpoint resource, then linking it to a subnet, and finally connecting it to the Azure service. Once connected, traffic from your resources in the subnet routes through this private IP, avoiding the public internet and enhancing security. If the private endpoint is deleted, the private IP and connection are removed, and traffic reverts to the public endpoint if available. This setup helps keep your data secure and isolated within your network.