
Private Link for secure service access in Azure - Commands & Configuration

Introduction
Sometimes you need to reach a cloud service without sending the traffic over the public internet. Private Link does this by giving an Azure service a private endpoint: a network interface with a private IP address in your own virtual network, so clients talk to the service over the Microsoft backbone instead of a public IP. Typical cases:
  • Reaching an Azure Storage account from your virtual network without exposing it to the internet.
  • Connecting an application to Azure SQL Database without any public IP exposure.
  • Reaching Azure services from on-premises networks over VPN or ExpressRoute, still privately.
  • Restricting access to a service to specific virtual networks only.
  • Reducing data exfiltration risk by keeping traffic inside the Azure backbone network.
Config File - private_endpoint.yaml
apiVersion: network.azure.com/v1
kind: PrivateEndpoint
metadata:
  name: my-private-endpoint
  namespace: example-namespace
spec:
  location: eastus
  subnet:
    id: /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet
  privateLinkServiceConnections:
  - name: my-privatelink-connection
    privateLinkServiceId: /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/mystorageaccount
    groupIds:
    - blob
    requestMessage: "Please approve my connection request"

This YAML describes the private endpoint in a Kubernetes-style manifest: an endpoint placed in a subnet of your virtual network and connected to the blob sub-resource of a storage account. Its fields map one-to-one onto the parameters of the az command below.

  • location: The Azure region where the endpoint is created (use the region of the virtual network).
  • subnet.id: The subnet in your virtual network that will host the endpoint's network interface and private IP.
  • privateLinkServiceConnections: The connection to the target Azure resource, here a Storage Account, identified by its full resource ID.
  • groupIds: The sub-resource of the target to connect to, like 'blob' for Azure Blob Storage. A private endpoint targets one sub-resource; 'file' or 'table' access needs its own endpoint.
  • requestMessage: A message shown to the target's owner when the connection needs manual approval.
Commands
This command creates a private endpoint named 'my-private-endpoint' in the mySubnet subnet of myVnet and requests a connection to the blob sub-resource of the storage account. The connection is approved automatically (status "Approved") when the caller has the required RBAC permission on the storage account; when it does not, or when the account lives in another tenant, the status stays "Pending" until the account owner approves the request.
Terminal
az network private-endpoint create \
  --name my-private-endpoint \
  --resource-group myResourceGroup \
  --vnet-name myVnet \
  --subnet mySubnet \
  --private-connection-resource-id /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/mystorageaccount \
  --group-ids blob \
  --connection-name my-privatelink-connection
Expected Output
{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Network/privateEndpoints/my-private-endpoint",
  "location": "eastus",
  "name": "my-private-endpoint",
  "privateLinkServiceConnections": [
    {
      "name": "my-privatelink-connection",
      "privateLinkServiceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/mystorageaccount",
      "groupIds": [ "blob" ],
      "requestMessage": null,
      "status": "Pending"
    }
  ],
  "provisioningState": "Succeeded",
  "resourceGroup": "myResourceGroup",
  "subnet": {
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet"
  },
  "type": "Microsoft.Network/privateEndpoints"
}
--name - Sets the name of the private endpoint.
--resource-group - Specifies the resource group where the endpoint is created.
--vnet-name / --subnet - The virtual network and subnet that host the endpoint's network interface.
--private-connection-resource-id - The full resource ID of the Azure service to connect privately.
--group-ids - The sub-resource of the target service ('blob' here); one private endpoint serves one sub-resource.
--connection-name - The name under which the connection appears in the target service's private endpoint connections.
This command shows the private endpoint so you can confirm that provisioningState is "Succeeded" and that the connection status is "Approved" before pointing any workload at it; a "Pending" status means the target's owner still has to approve the request.
Terminal
az network private-endpoint show --name my-private-endpoint --resource-group myResourceGroup
Expected Output
{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Network/privateEndpoints/my-private-endpoint",
  "location": "eastus",
  "name": "my-private-endpoint",
  "provisioningState": "Succeeded",
  "privateLinkServiceConnections": [
    {
      "name": "my-privatelink-connection",
      "status": "Approved"
    }
  ],
  "subnet": {
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet"
  }
}
--name - Specifies the private endpoint to show.
--resource-group - Specifies the resource group of the private endpoint.
This command creates a DNS zone group on the private endpoint, which writes (and keeps in sync) an A record for the endpoint's private IP in the given private DNS zone. For Blob Storage the zone has to be named privatelink.blob.core.windows.net, because the public name mystorageaccount.blob.core.windows.net is a CNAME to mystorageaccount.privatelink.blob.core.windows.net; a zone named blob.core.windows.net would never be consulted. The zone must already exist and must be linked to the virtual network (az network private-dns link vnet create); the zone group alone only adds the record.
Terminal
az network private-endpoint dns-zone-group create \
  --resource-group myResourceGroup \
  --endpoint-name my-private-endpoint \
  --name my-dns-zone-group \
  --private-dns-zone /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net \
  --zone-name blob
Expected Output
{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Network/privateEndpoints/my-private-endpoint/privateDnsZoneGroups/my-dns-zone-group",
  "name": "my-dns-zone-group",
  "provisioningState": "Succeeded",
  "privateDnsZoneConfigs": [
    {
      "name": "blob",
      "privateDnsZoneId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net"
    }
  ]
}
--resource-group - Resource group of the private endpoint.
--endpoint-name - Name of the private endpoint.
--name - Name of the DNS zone group to create on the endpoint.
--private-dns-zone - Name or resource ID of the private DNS zone that receives the A record.
--zone-name - Name of this zone configuration inside the group (any label; it is not the DNS zone name).
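The whole procedure above, plus the two steps the page's commands leave out (linking the private DNS zone to the virtual network and disabling the storage account's public endpoint), as an added shell example; it is not code from the original page. Resource names are the page's placeholders. The zone group name, LINK_NAME, the non-blob entries in privatelink_zone_for (the other storage sub-resources, Azure SQL and Key Vault, which go beyond the page's blob case) and the assumption that the verify step runs on a Linux host inside the VNet are mine. The two helpers at the top make no Azure calls, so they can be exercised without a subscription; the deploy and verify steps need an az login and a host in the VNet.

```shell
#!/bin/sh
# Added example (not from the original page): create the private endpoint from the
# page, wire up the privatelink DNS zone and its VNet link, close the storage
# account's public endpoint, and verify from inside the VNet that the public FQDN
# now answers with a private IP. Resource names are the page's placeholders;
# ZONE_GROUP, LINK_NAME and the non-blob zone mappings are assumptions.
set -eu

SUBSCRIPTION="00000000-0000-0000-0000-000000000000"
RG="myResourceGroup"
VNET="myVnet"
SUBNET="mySubnet"
SA="mystorageaccount"
PE="my-private-endpoint"
CONN="my-privatelink-connection"
ZONE_GROUP="my-dns-zone-group"
LINK_NAME="${VNET}-link"                     # assumed name for the VNet link
SA_ID="/subscriptions/${SUBSCRIPTION}/resourceGroups/${RG}/providers/Microsoft.Storage/storageAccounts/${SA}"

# ---- pure helpers (no Azure calls, so they can be checked offline) ----------

# Map a private endpoint group id to the private DNS zone Azure expects for it.
# Covers the storage sub-resources plus Azure SQL and Key Vault (beyond the page's blob case).
privatelink_zone_for() {
  case "$1" in
    blob)      echo "privatelink.blob.core.windows.net" ;;
    file)      echo "privatelink.file.core.windows.net" ;;
    queue)     echo "privatelink.queue.core.windows.net" ;;
    table)     echo "privatelink.table.core.windows.net" ;;
    dfs)       echo "privatelink.dfs.core.windows.net" ;;
    web)       echo "privatelink.web.core.windows.net" ;;
    sqlServer) echo "privatelink.database.windows.net" ;;
    vault)     echo "privatelink.vaultcore.azure.net" ;;
    *) echo "no known privatelink zone for group id '$1'" >&2; return 1 ;;
  esac
}

# Return 0 if $1 is a well-formed IPv4 address in RFC 1918 space
# (10/8, 172.16/12, 192.168/16), which is what a private endpoint hands out.
is_private_ipv4() {
  ip=$1
  [ -n "$ip" ] || return 1
  case "$ip" in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
  a=$1; b=$2
  [ "$a" -eq 10 ] && return 0
  [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ] && return 0
  [ "$a" -eq 192 ] && [ "$b" -eq 168 ] && return 0
  return 1
}

# ---- Azure steps (need `az login` and rights on the resource group) -----------

deploy_and_lock_down() {
  group_id=$1
  zone=$(privatelink_zone_for "$group_id")

  # 1. The private endpoint itself (same command as the page).
  az network private-endpoint create --name "$PE" --resource-group "$RG" \
    --vnet-name "$VNET" --subnet "$SUBNET" \
    --private-connection-resource-id "$SA_ID" --group-ids "$group_id" \
    --connection-name "$CONN" --output none

  # 2. Do not trust the endpoint until the connection is Approved
  #    (Pending means the target's owner still has to approve it).
  attempt=0
  while [ "$attempt" -lt 12 ]; do
    status=$(az network private-endpoint show --name "$PE" --resource-group "$RG" \
      --query "privateLinkServiceConnections[0].privateLinkServiceConnectionState.status" \
      --output tsv)
    [ "$status" = "Approved" ] && break
    echo "connection status is $status, waiting for approval..."
    attempt=$((attempt + 1)); sleep 10
  done
  [ "$status" = "Approved" ] || { echo "connection never became Approved ($status)" >&2; return 1; }

  # 3. DNS: the zone, its link to the VNet (without the link the VNet never
  #    consults the zone), and the zone group that writes the endpoint's A record.
  az network private-dns zone create --resource-group "$RG" --name "$zone" --output none
  az network private-dns link vnet create --resource-group "$RG" --zone-name "$zone" \
    --name "$LINK_NAME" --virtual-network "$VNET" --registration-enabled false --output none
  az network private-endpoint dns-zone-group create --resource-group "$RG" \
    --endpoint-name "$PE" --name "$ZONE_GROUP" \
    --private-dns-zone "$zone" --zone-name "$group_id" --output none

  # 4. Close the public door: the private endpoint adds a private path but does
  #    not by itself stop anyone on the internet from using the public endpoint.
  az storage account update --name "$SA" --resource-group "$RG" \
    --public-network-access Disabled --output none
}

# ---- Run on a Linux host inside the VNet after deployment ---------------------

# The application keeps using the public name; inside the VNet that name must
# now resolve to the endpoint's private IP. A public IP here means DNS
# integration is missing and traffic is still leaving over the internet.
verify_from_vnet() {
  fqdn="${SA}.blob.core.windows.net"
  ip=$(getent ahostsv4 "$fqdn" | awk 'NR == 1 { print $1 }')
  if [ -n "$ip" ] && is_private_ipv4 "$ip"; then
    echo "OK: $fqdn -> $ip (private endpoint in use)"
  else
    echo "FAIL: $fqdn -> ${ip:-unresolved}; the VNet is not using the private endpoint" >&2
    return 1
  fi
}

case "${1:-}" in
  deploy) deploy_and_lock_down "${2:-blob}" ;;
  verify) verify_from_vnet ;;
  *) echo "usage: $0 deploy [groupId] | verify" ;;
esac
```

Run `sh script.sh deploy blob` from an operator workstation, then `sh script.sh verify` from a VM in myVnet. A FAIL from verify is the page's second common mistake in practice: the VNet is still resolving the public IP. The application is never pointed at the private IP itself; the TLS certificate is issued for the public name, and the CNAME chain through privatelink.blob.core.windows.net is what delivers clients to the endpoint.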
Key Concept

If you remember nothing else from this pattern, remember: Private Link gives you a private IP path to an Azure service so your data stays off the public internet, but it only adds that path. DNS has to steer clients onto it, and the service's public network access has to be switched off for the private endpoint to be the only way in.

Common Mistakes
Creating the private endpoint in a subnet whose network security group blocks the traffic.
When the subnet's privateEndpointNetworkPolicies setting is Enabled, NSG and route rules apply to the private endpoint's network interface; when it is Disabled they are ignored. Either way, the NSG on the client subnet still has to allow outbound TCP 443 to the endpoint's private IP.
Check the subnet's privateEndpointNetworkPolicies value and the NSGs on both the endpoint subnet and the client subnet before blaming Private Link.
Not integrating the private endpoint with a private DNS zone (privatelink.blob.core.windows.net for blob), or creating the zone without linking it to the virtual network.
Without the zone and the VNet link, clients keep resolving mystorageaccount.blob.core.windows.net to its public IP and the traffic bypasses the private endpoint.
Create the privatelink zone, link it to every virtual network that needs to reach the service, and attach it to the endpoint with a DNS zone group.
Pointing the application at the service's public endpoint without DNS integration, or at the private IP address directly.
The first sends traffic over the public internet, defeating the purpose of Private Link. The second breaks TLS certificate validation (the certificate is issued for the public name) and breaks again whenever the endpoint's IP changes.
Keep the application on the service's normal FQDN (mystorageaccount.blob.core.windows.net), make sure that name resolves to the private IP inside the virtual network, and set the storage account's public network access to Disabled so the private endpoint is the only way in.
Summary
Create a private endpoint in a subnet of your virtual network to reach an Azure service over a private IP.
Confirm the connection status is Approved (automatic when you have rights on the target, otherwise the owner must approve it).
Create the matching privatelink private DNS zone, link it to the virtual network, and attach a DNS zone group to the endpoint so the service's FQDN resolves to the private IP.
Disable public network access on the service so the private endpoint is the only path to it.

Practice

1. What is the main benefit of using Azure Private Link for service access?
easy
A. It allows secure access to Azure services using private IP addresses within your virtual network.
B. It provides public internet access to Azure services with encryption.
C. It automatically scales Azure services based on traffic.
D. It creates a VPN connection between on-premises and Azure.

Solution

  1. Step 1: Understand Private Link purpose

    Private Link connects Azure services privately using private IPs inside your virtual network.
  2. Step 2: Compare options

    Only option A describes private access over private IPs inside your virtual network. The other options describe encryption over the public internet, autoscaling, and VPN connectivity, none of which is what Private Link does.
  3. Final Answer:

    It allows secure access to Azure services using private IP addresses within your virtual network. -> Option A
  4. Quick Check:

    Private Link = Private IP secure access [OK]
Hint: Private Link means private IP inside your network [OK]
Common Mistakes:
  • Confusing Private Link with VPN or public internet access
  • Thinking Private Link automatically scales services
  • Assuming Private Link creates a VPN
2. Which of the following is the correct way to create a Private Endpoint in Azure CLI?
easy
A. az storage account create --name MyPE --resource-group MyRG --location eastus
B. az network vnet create --name MyPE --resource-group MyRG --subnet MySubnet
C. az network private-endpoint create --name MyPE --resource-group MyRG --vnet-name MyVNet --subnet MySubnet --private-connection-resource-id /subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.Storage/storageAccounts/mystorage --group-ids blob
D. az network private-link create --name MyPE --resource-group MyRG

Solution

  1. Step 1: Identify Private Endpoint creation command

    The correct Azure CLI command to create a Private Endpoint is az network private-endpoint create with required parameters.
  2. Step 2: Verify parameters

    az network private-endpoint create --name MyPE --resource-group MyRG --vnet-name MyVNet --subnet MySubnet --private-connection-resource-id /subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.Storage/storageAccounts/mystorage --group-ids blob uses the correct command with the parameters a private endpoint needs: the hosting subnet, the resource ID of the target service, and the sub-resource (group id) to connect to.
  3. Final Answer:

    az network private-endpoint create with proper parameters -> Option C
  4. Quick Check:

    Private Endpoint creation uses az network private-endpoint create [OK]
Hint: Private Endpoint uses 'az network private-endpoint create' command [OK]
Common Mistakes:
  • Using vnet create instead of private-endpoint create
  • Confusing storage account creation with Private Endpoint
  • Using non-existent 'private-link create' command
3. Given this Azure CLI command output snippet for a Private Endpoint:
{
  "privateLinkServiceConnections": [
    {
      "name": "connection1",
      "privateLinkServiceId": "/subscriptions/abc/resourceGroups/rg1/providers/Microsoft.Network/privateLinkServices/pls1",
      "status": "Approved"
    }
  ]
}
What does the status "Approved" indicate?
medium
A. The Private Endpoint connection request is pending approval.
B. The Private Endpoint is deleted.
C. The Private Endpoint connection request was rejected.
D. The Private Endpoint connection request has been accepted and is active.

Solution

  1. Step 1: Understand status field meaning

    The status "Approved" means the connection request was accepted and is active.
  2. Step 2: Eliminate other options

    "Pending" means waiting, "Rejected" means denied, "Deleted" means removed. Only "Approved" means active connection.
  3. Final Answer:

    The Private Endpoint connection request has been accepted and is active. -> Option D
  4. Quick Check:

    Status Approved = Active connection [OK]
Hint: Approved status means connection is active [OK]
Common Mistakes:
  • Confusing Approved with Pending or Rejected
  • Assuming Approved means deleted or inactive
  • Ignoring the status field meaning
4. You created a Private Endpoint but cannot access the Azure Storage account privately. Which of the following is a likely misconfiguration?
medium
A. The Private Endpoint subnet does not have network policies disabled for Private Link.
B. The Storage account is in the same region as the Private Endpoint.
C. The Private Endpoint has a valid approved connection status.
D. The virtual network has enough IP addresses.

Solution

  1. Step 1: Check the subnet's network policies

    When the subnet's privateEndpointNetworkPolicies property is Enabled, the NSG and route rules on that subnet apply to the private endpoint and can block it; disabling the policies, the traditional requirement for Private Link, removes that filter. Check the property on the subnet first.
  2. Step 2: Analyze other options

    The storage account being in the same region is normal, an Approved connection status is what you want, and having enough IP addresses is a prerequisite for creating the endpoint rather than a cause of failure once it exists.
  3. Final Answer:

    The Private Endpoint subnet does not have network policies disabled for Private Link. -> Option A
  4. Quick Check:

    Subnet network policies must be disabled for Private Link [OK]
Hint: Disable subnet network policies for Private Link [OK]
Common Mistakes:
  • Ignoring subnet network policies setting
  • Assuming region mismatch causes access failure
  • Overlooking connection status correctness
5. You want to securely connect your on-premises network to an Azure SQL Database using Private Link. Which combination of Azure components should you configure to achieve this?
hard
A. Create a Public Endpoint for Azure SQL Database and use firewall rules to restrict IPs.
B. Create a Private Endpoint for the Azure SQL Database in a virtual network, then connect your on-premises network to that virtual network via VPN or ExpressRoute.
C. Use Azure Bastion to connect to the Azure SQL Database securely.
D. Create a Virtual Network Gateway and connect directly to the Azure SQL Database without Private Endpoint.

Solution

  1. Step 1: Understand Private Link for on-premises access

    Private Link requires a Private Endpoint in a virtual network to provide private IP access to Azure SQL Database.
  2. Step 2: Connect on-premises to Azure VNet

    To access the Private Endpoint from on-premises, you must connect your on-premises network to the Azure virtual network using VPN or ExpressRoute.
  3. Step 3: Evaluate other options

    Public Endpoint with firewall is less secure, Azure Bastion is for VM access, and Virtual Network Gateway alone doesn't provide Private Link.
  4. Final Answer:

    Create a Private Endpoint for the Azure SQL Database in a virtual network, then connect your on-premises network to that virtual network via VPN or ExpressRoute. -> Option B
  5. Quick Check:

    Private Endpoint + VPN/ExpressRoute = Secure on-premises access [OK]
Hint: Private Endpoint plus VPN/ExpressRoute connects on-premises securely [OK]
Common Mistakes:
  • Using public endpoints instead of Private Link for security
  • Confusing Azure Bastion with Private Link usage
  • Assuming Virtual Network Gateway alone provides Private Link