Before I explain how to set up Azure Private Link, note these restrictions:
- This is currently a Preview feature, so support is limited.
- It is only available in East US and West US 2 at the time of writing.
- It is only available on PremiumV2 Windows and Linux web apps.
Create a virtual network
The private endpoint is a network interface with a private IP address, so we need a virtual network and a subnet to put it in. I recommend giving it its own subnet within the VNet, because network security groups (NSGs) cannot be applied to the private endpoint itself. Note that at the time of writing the subnet must also have private endpoint network policies disabled, and NSG rules on that subnet are not enforced for traffic destined for the private endpoint either, so don't rely on them to restrict which internal sources can reach the app. An NSG on the subnet still governs anything else you place there, which is another reason to keep the endpoint in a subnet of its own.
For this demo, I have created a simple virtual network with a subnet in it, called "AppService."
Create an App Service
As mentioned above, this will need to be on a PremiumV2 plan in one of the two supported regions (East US and West US 2).
I have called this "PrivateLinkDemo," so we will be able to go to http://privatelinkdemo.azurewebsites.net/ from anywhere on the internet and get to the site. Don't worry, though; we will get to locking this down in a moment.
Create a virtual machine
This is a machine in the same VNet, or in a VNet routable to it, which we will use to test that the connection is working. Something small and simple will do. You just need to be able to RDP to it for the test, so it either needs to be reachable across your network or have a public IP address.
Verify that the site is public
RDP to the new virtual machine on the Azure virtual network and browse to http://privatelinkdemo.azurewebsites.net/. You will see the default page for an Azure web app.
However, an nslookup on the site's hostname shows that it resolves to a public IP address: we are reaching the site over the internet, and it is still reachable from anywhere on the public internet.
Create the private endpoint for the web app
Now, if we navigate to the web app in the Azure portal, we should see an option for Networking in the left menu. Select this and click Configure your private endpoint connections.
This will take you to a page that shows you don't have any endpoints yet. Click the Add button on the top right and fill in the details you are prompted for. The name can be anything you like, and you will need to select the virtual network and subnet that you want the private link/web app to connect to.
After a few minutes, you will see the new private endpoint appear in the list.
Click the private endpoint link in the middle of the page that has the name you gave it. It will show you the details of the new private link.
Note the private IP address the endpoint has been given from the subnet we created; we will need it for the DNS record later.
Testing the blocked site
Now, if we retest the site from the virtual machine in the VNet, we will see that the site is blocked: the browser gets a 403 Forbidden response instead of the default page.
Notice that nslookup now returns a new alias for the site, privatelinkdemo.privatelink.azurewebsites.net.
The IP address for the site, however, is still the public internet address, because the DNS servers the VM is using know nothing about the private endpoint's address and resolve the alias back to the public one. This is why the site appears to be blocked: now that it has a private endpoint attached, the app only responds to traffic arriving through the private endpoint, not from the internet, and our request is still arriving from the internet side.
Create an Azure Private DNS Zone
The final step is to make the site's hostname resolve to the private endpoint's IP address from inside the VNet. I'll use an Azure Private DNS Zone for this; the same result can be had from your own internal DNS servers or, for a quick test, from a 'hosts' file entry on the test VM.
In the Azure Portal, search for "Private DNS Zones" and click the first item.
On the Private DNS Zones page, click the Create private DNS zone button in the middle of the page.
Fill in the Subscription and the Resource Group name. The Name field must be exactly privatelink.azurewebsites.net; this is the zone that the site's new alias falls under.
Then click Create twice, and a new DNS Zone is created.
On the page that appears for the new DNS zone, click the + Record Set button at the top and fill in the details of the record. I've used "privatelinkdemo" for the name (the app name, so that it matches the alias), type A, and the IP address of the new private endpoint.
Now that we have a DNS zone and record, all we need to do is link the zone to the virtual network that contains the private endpoint. Anything in that VNet that uses Azure-provided DNS will then resolve the new record.
Select Virtual Network Links in the left menu, and then click the Add button at the top.
From here, you will need to give it a Name. This can be anything you like. Then add the subscription and the VNet we are linking it to. Then just click OK to make the connection to the VNet.
Test the Azure private link
Now that we have everything in place, run ipconfig /flushdns on the test VM so it forgets the cached public answer, and run the test again.
Now the default page is showing for the web app, and nslookup returns the private endpoint's internal IP address. We now have a web app with a private endpoint in our internal VNet, reachable by its normal hostname from inside the VNet and no longer reachable from the public internet.
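To make the steps above repeatable, here is the same procedure (VNet and subnet, PremiumV2 app, private endpoint, private DNS zone with its A record and VNet link, then the resolution check) scripted with the Azure CLI. This is an added example, not code from the original post. It assumes an existing az login session; the resource group, VNet, plan and endpoint names and the address ranges are assumptions, and only the AppService subnet and the privatelinkdemo app name come from the post. The verification step assumes a Linux host inside the VNet; on the Windows test VM, run nslookup and pass the returned address to is_private_ipv4 instead.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): the portal steps as Azure CLI
# commands. Assumes an existing `az login` session. Names and address ranges
# are assumptions, except the AppService subnet and the privatelinkdemo app
# name, which come from the post.
set -eu

RG="${RG:-privatelink-demo-rg}"      # assumed resource group name
LOCATION="${LOCATION:-westus2}"      # one of the two preview regions
VNET="${VNET:-privatelink-vnet}"     # assumed VNet name
SUBNET="${SUBNET:-AppService}"       # subnet name used in the post
APP="${APP:-privatelinkdemo}"        # app name used in the post
PLAN="${PLAN:-privatelink-plan}"     # assumed App Service plan name
ENDPOINT="${ENDPOINT:-${APP}-pe}"    # assumed private endpoint name

# The private DNS zone for App Service is always privatelink.azurewebsites.net
# and the record name is the app name: privatelinkdemo.azurewebsites.net
# -> zone privatelink.azurewebsites.net, record privatelinkdemo.
privatelink_zone_for() { printf 'privatelink.%s\n' "${1#*.}"; }
privatelink_record_for() { printf '%s\n' "${1%%.*}"; }

# RFC 1918 test for the address a lookup returns: the private endpoint IP comes
# from the subnet (10/8, 172.16/12 or 192.168/16); the public
# azurewebsites.net address does not.
is_private_ipv4() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  [ "$#" -eq 4 ] || return 1
  case "$1" in
    10) return 0 ;;
    172) [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0 ;;
    192) [ "$2" = 168 ] && return 0 ;;
  esac
  return 1
}

create_network() {
  az group create --name "$RG" --location "$LOCATION" --output none
  az network vnet create --resource-group "$RG" --name "$VNET" \
    --address-prefix 10.0.0.0/16 \
    --subnet-name "$SUBNET" --subnet-prefixes 10.0.1.0/24 --output none
  # A subnet that hosts private endpoints must have private endpoint network
  # policies turned off.
  az network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
    --name "$SUBNET" --disable-private-endpoint-network-policies true --output none
}

create_app() {
  az appservice plan create --resource-group "$RG" --name "$PLAN" \
    --location "$LOCATION" --sku P1V2 --output none      # PremiumV2 is required
  az webapp create --resource-group "$RG" --name "$APP" --plan "$PLAN" --output none
}

create_private_endpoint() {
  app_id=$(az webapp show --resource-group "$RG" --name "$APP" --query id --output tsv)
  # "sites" is the sub-resource (group ID) for a web app.
  az network private-endpoint create --resource-group "$RG" --name "$ENDPOINT" \
    --vnet-name "$VNET" --subnet "$SUBNET" \
    --private-connection-resource-id "$app_id" --group-id sites \
    --connection-name "${ENDPOINT}-conn" --output none
}

create_private_dns() {
  host="${APP}.azurewebsites.net"
  zone=$(privatelink_zone_for "$host")
  record=$(privatelink_record_for "$host")
  # The endpoint's NIC holds the private IP the A record must point at.
  nic_id=$(az network private-endpoint show --resource-group "$RG" --name "$ENDPOINT" \
    --query 'networkInterfaces[0].id' --output tsv)
  ip=$(az network nic show --ids "$nic_id" \
    --query 'ipConfigurations[0].privateIPAddress' --output tsv)
  az network private-dns zone create --resource-group "$RG" --name "$zone" --output none
  # The zone is linked to the whole VNet, so every subnet in it resolves the record.
  az network private-dns link vnet create --resource-group "$RG" --zone-name "$zone" \
    --name "${VNET}-link" --virtual-network "$VNET" --registration-enabled false \
    --output none
  az network private-dns record-set a add-record --resource-group "$RG" \
    --zone-name "$zone" --record-set-name "$record" --ipv4-address "$ip" --output none
}

# Run on a Linux host inside the VNet (on the Windows test VM, use nslookup and
# feed the returned address to is_private_ipv4 instead).
verify_from_vnet() {
  host="${APP}.azurewebsites.net"
  ip=$(getent ahostsv4 "$host" | awk 'NR==1 {print $1}')
  if is_private_ipv4 "$ip"; then
    echo "$host -> $ip (private endpoint)"
  else
    echo "$host -> $ip (public address: the private DNS zone is not in effect here)" >&2
    return 1
  fi
}

case "${1:-}" in
  deploy) create_network; create_app; create_private_endpoint; create_private_dns ;;
  verify) verify_from_vnet ;;
esac
```

Run it as `./privatelink.sh deploy` from a machine with the Azure CLI, then `./privatelink.sh verify` from a host inside the VNet: a public address in the output means the VNet link or the A record is missing, exactly the state the post shows before the Private DNS Zone is created. The zone is linked to the VNet rather than to a subnet because Azure Private DNS only links at VNet scope.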
Although there are a few steps involved in connecting an Azure web app to a private endpoint, it's actually very simple, and once the first one is up and running the rest are quick to spin up.
All this means you now have a simple target to migrate internal apps to, without exposing them to the public internet and with little or no maintenance.