
Private Link for secure service access in Azure - Commands & Configuration

Introduction
Sometimes you want to connect to a cloud service without sending data over the public internet. Private Link lets you create a private connection to Azure services, keeping your data safe and private.
Typical situations where Private Link is the right tool:

  • When you want to access an Azure Storage account securely from your virtual network without exposing it to the internet.
  • When your app needs to connect to an Azure SQL Database privately to avoid public IP exposure.
  • When you want to connect to Azure services from on-premises networks through VPN or ExpressRoute privately.
  • When you need to restrict access to your service to only specific virtual networks.
  • When you want to avoid data leakage risks by keeping traffic inside the Azure backbone network.
Config File - private_endpoint.yaml
apiVersion: network.azure.com/v1
kind: PrivateEndpoint
metadata:
  name: my-private-endpoint
  namespace: example-namespace
spec:
  location: eastus
  subnet:
    id: /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet
  privateLinkServiceConnections:
  - name: my-privatelink-connection
    privateLinkServiceId: /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/mystorageaccount
    groupIds:
    - blob
    requestMessage: "Please approve my connection request"

This YAML file defines a Private Endpoint resource in Azure.

  • location: The Azure region where the endpoint is created.
  • subnet.id: The subnet in your virtual network where the private endpoint will be placed.
  • privateLinkServiceConnections: The connection to the Azure service, here a Storage Account.
  • groupIds: The service group to connect to, like 'blob' for Azure Blob Storage.
  • requestMessage: A message sent to the service owner for approval.
Commands
This command creates a Private Endpoint named 'my-private-endpoint' in the specified resource group and virtual network subnet. It connects privately to the Azure Storage account's blob service.
Terminal
az network private-endpoint create --name my-private-endpoint --resource-group myResourceGroup --vnet-name myVnet --subnet mySubnet --private-connection-resource-id /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/mystorageaccount --group-ids blob --connection-name my-privatelink-connection
Expected Output
{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Network/privateEndpoints/my-private-endpoint",
  "location": "eastus",
  "name": "my-private-endpoint",
  "privateLinkServiceConnections": [
    {
      "name": "my-privatelink-connection",
      "privateLinkServiceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/mystorageaccount",
      "groupIds": [
        "blob"
      ],
      "requestMessage": null,
      "status": "Pending"
    }
  ],
  "provisioningState": "Succeeded",
  "resourceGroup": "myResourceGroup",
  "subnet": {
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet"
  },
  "type": "Microsoft.Network/privateEndpoints"
}
--name - Sets the name of the private endpoint.
--resource-group - Specifies the resource group where the endpoint is created.
--private-connection-resource-id - The full resource ID of the Azure service to connect privately.
This command shows details of the created Private Endpoint to verify its status and configuration.
Terminal
az network private-endpoint show --name my-private-endpoint --resource-group myResourceGroup
Expected Output
{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Network/privateEndpoints/my-private-endpoint",
  "location": "eastus",
  "name": "my-private-endpoint",
  "provisioningState": "Succeeded",
  "privateLinkServiceConnections": [
    {
      "name": "my-privatelink-connection",
      "status": "Approved"
    }
  ],
  "subnet": {
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet"
  }
}
--name - Specifies the private endpoint to show.
--resource-group - Specifies the resource group of the private endpoint.
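A rollout gate built on the `show` output above. This is an added example, not code from the original page or from the Azure CLI: it reads the JSON that `az network private-endpoint show` prints and lists every reason the endpoint is not yet safe to point an application at (not provisioned, wrong subnet, wrong target resource, wrong group, or a connection that is still Pending or was Rejected). The embedded sample document is constructed from the outputs on this page, the expected IDs are the page's placeholder IDs, and the function names are this example's own.

```python
"""Gate a rollout on the state of a Private Endpoint.

Reads the JSON printed by `az network private-endpoint show` and reports every
reason the endpoint is not yet safe to point an application at.
"""
import json
import sys

# Constructed sample: the `show` output from this page, with the connection's
# target resource and groupIds (which the page shows in the `create` output)
# added so the check has something to compare against.
SHOW_OUTPUT_APPROVED = """{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Network/privateEndpoints/my-private-endpoint",
  "location": "eastus",
  "name": "my-private-endpoint",
  "provisioningState": "Succeeded",
  "privateLinkServiceConnections": [
    {
      "name": "my-privatelink-connection",
      "privateLinkServiceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/mystorageaccount",
      "groupIds": ["blob"],
      "status": "Approved"
    }
  ],
  "subnet": {
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet"
  }
}"""

# What the endpoint is supposed to look like (the page's placeholder IDs).
EXPECTED_SUBNET_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup"
                      "/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet")
EXPECTED_TARGET_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup"
                      "/providers/Microsoft.Storage/storageAccounts/mystorageaccount")
EXPECTED_GROUP_IDS = {"blob"}


def connection_status(conn):
    """Approval status of one connection.

    The CLI reports it under privateLinkServiceConnectionState.status; the
    trimmed sample on this page puts it directly on the connection. Accept both.
    """
    state = conn.get("privateLinkServiceConnectionState") or {}
    return state.get("status") or conn.get("status") or "Unknown"


def check_private_endpoint(show_json, expected_subnet_id, expected_target_id, expected_group_ids):
    """Return a list of problems; an empty list means the endpoint is usable."""
    pe = json.loads(show_json)
    problems = []

    if pe.get("provisioningState") != "Succeeded":
        problems.append(f"provisioningState is {pe.get('provisioningState')}, not Succeeded")

    # ARM resource IDs are case-insensitive, so compare them lower-cased.
    subnet_id = (pe.get("subnet") or {}).get("id", "")
    if subnet_id.lower() != expected_subnet_id.lower():
        problems.append(f"endpoint sits in subnet {subnet_id or '<none>'}, not the expected subnet")

    conns = pe.get("privateLinkServiceConnections") or []
    if not conns:
        problems.append("endpoint has no private link service connection")

    for conn in conns:
        name = conn.get("name", "<unnamed>")
        status = connection_status(conn)
        if status != "Approved":
            # Pending: the service owner has not approved yet.
            # Rejected / Disconnected: no traffic will flow at all.
            problems.append(f"connection {name}: status is {status}, not Approved")
        target = conn.get("privateLinkServiceId", "")
        if target.lower() != expected_target_id.lower():
            problems.append(f"connection {name}: targets {target or '<none>'}, not the expected resource")
        groups = set(conn.get("groupIds") or [])
        if groups != set(expected_group_ids):
            problems.append(f"connection {name}: groupIds {sorted(groups)} differ from {sorted(expected_group_ids)}")
    return problems


if __name__ == "__main__":
    # Pipe the real output in, for example:
    #   az network private-endpoint show --name my-private-endpoint --resource-group myResourceGroup | python check_pe.py
    # With nothing piped in, the constructed sample above is checked instead.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SHOW_OUTPUT_APPROVED
    found = check_private_endpoint(raw, EXPECTED_SUBNET_ID, EXPECTED_TARGET_ID, EXPECTED_GROUP_IDS)
    for problem in found:
        print("NOT READY:", problem)
    sys.exit(1 if found else 0)
```

The subnet and target comparisons matter as much as the status: an endpoint that is Approved but placed in the wrong subnet, or connected to a different storage account than the one the application expects, passes a status-only check and still sends traffic somewhere you did not intend.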
This command links the Private Endpoint to a Private DNS Zone so that your virtual network can resolve the private IP address of the service.
Terminal
az network private-endpoint dns-zone-group create --resource-group myResourceGroup --endpoint-name my-private-endpoint --name my-dns-zone-group --private-dns-zone /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Network/privateDnsZones/blob.core.windows.net --zone-name blob.core.windows.net
Expected Output
{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Network/privateEndpoints/my-private-endpoint/privateDnsZoneGroups/my-dns-zone-group",
  "name": "my-dns-zone-group",
  "provisioningState": "Succeeded",
  "privateDnsZoneConfigs": [
    {
      "name": "blob.core.windows.net",
      "privateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Network/privateDnsZones/blob.core.windows.net"
    }
  ]
}
--resource-group - Resource group of the private endpoint.
--endpoint-name - Name of the private endpoint.
--private-dns-zone - Resource ID of the private DNS zone to link.
Key Concept

If you remember nothing else from this pattern, remember: Private Link creates a private network connection to Azure services, keeping your data off the public internet.

Common Mistakes
Trying to create a Private Endpoint in a subnet that has a network security group blocking required traffic.
The Private Endpoint needs certain network traffic allowed to function; blocking it causes connection failures.
Ensure the subnet's network security group allows inbound and outbound traffic for Private Link services.

Not linking the Private Endpoint to a Private DNS Zone, causing name resolution to fail.
Without DNS integration, your virtual network cannot resolve the private IP address of the service.
Create and link a Private DNS Zone to the Private Endpoint for proper name resolution.

Using the public endpoint of the Azure service instead of the private endpoint in your application configuration.
This causes traffic to go over the public internet, defeating the purpose of Private Link.
Update your app to use the private endpoint DNS name or IP address provided by Private Link.
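The second and third mistakes above share one symptom: the hostname the application uses does not resolve to the private endpoint's address. The check below, an added example that is not part of the original page, resolves the storage hostname the way the application would (the OS resolver, run from inside the virtual network) and classifies the answer: inside the endpoint subnet, private but elsewhere, public, or unresolved. The subnet prefix `10.0.1.0/24`, the addresses, and the `resolver_from_table` helper are constructed for the demonstration; the page does not give them.

```python
"""Check that an application's storage hostname resolves to the private endpoint.

Run from a VM inside the virtual network, where the linked Private DNS Zone
applies; the default resolver is the OS resolver, as the application would use.
"""
import ipaddress
import socket

# Hypothetical values: the page does not give the endpoint subnet's prefix or
# the addresses involved, so these are constructed for the demonstration.
STORAGE_FQDN = "mystorageaccount.blob.core.windows.net"
ENDPOINT_SUBNET = "10.0.1.0/24"                     # assumed prefix of mySubnet
CONSTRUCTED_ANSWERS = {
    "linked zone": {STORAGE_FQDN: "10.0.1.5"},       # private endpoint NIC address
    "zone not linked": {},                           # name does not resolve in the VNet
    "public answer": {STORAGE_FQDN: "20.60.128.4"},  # public front end: traffic leaves the VNet
}


def resolver_from_table(table):
    """Build a resolver with socket.gethostbyname's contract from a name->address table.

    Lets the check run offline; in the VNet, pass socket.gethostbyname (the default).
    """
    def resolve(fqdn):
        try:
            return table[fqdn.lower()]
        except KeyError:
            raise socket.gaierror(f"constructed resolver: no record for {fqdn}")
    return resolve


def classify_resolution(fqdn, endpoint_subnet, resolver=socket.gethostbyname):
    """Resolve fqdn and classify where traffic to it would go.

    Returns (verdict, address) with verdict one of:
      "private-endpoint"  address is inside the private endpoint's subnet
      "private-other"     private address outside that subnet (stale or wrong record)
      "public"            globally routable address: the public endpoint would be used
      "unresolved"        no answer: the Private DNS Zone is probably not linked to this VNet
    """
    try:
        address = resolver(fqdn)
    except OSError:                       # socket.gaierror derives from OSError
        return ("unresolved", None)
    ip = ipaddress.ip_address(address)
    if ip in ipaddress.ip_network(endpoint_subnet, strict=False):
        return ("private-endpoint", address)
    if ip.is_private:
        return ("private-other", address)
    return ("public", address)


def traffic_stays_private(fqdn, endpoint_subnet, resolver=socket.gethostbyname):
    """True only when the name resolves into the private endpoint's subnet."""
    return classify_resolution(fqdn, endpoint_subnet, resolver)[0] == "private-endpoint"


if __name__ == "__main__":
    # Walk the constructed scenarios so the three verdicts can be seen side by side.
    for scenario, table in CONSTRUCTED_ANSWERS.items():
        verdict, address = classify_resolution(STORAGE_FQDN, ENDPOINT_SUBNET, resolver_from_table(table))
        print(f"{scenario:16} -> {verdict:17} {address or ''}")
    # The real check from a VM in the VNet uses the OS resolver:
    # print(classify_resolution(STORAGE_FQDN, ENDPOINT_SUBNET))
```

A "public" verdict from inside the virtual network is the signature of the third mistake: the endpoint may be Approved and healthy, but the application is still reaching the service over its public address. An "unresolved" verdict points at the second mistake, a zone that was created but not linked to the virtual network the client sits in.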
Summary
Create a Private Endpoint in your virtual network subnet to connect privately to an Azure service.
Verify the Private Endpoint status to ensure it is approved and connected.
Link the Private Endpoint to a Private DNS Zone for proper name resolution inside your network.