Azure Private Link: Restrict access to Azure PaaS services from your intranet

Azure App Services are commonly used for hosting sites that are presented to anyone on the internet. How do we secure them, so that only internal staff can access them? This is where Azure Private Link comes in. Private Link works by giving your web app a private IP address on one of your internal VNets. This provides a route for inbound traffic (inbound to the app) from your VNet and any network that is routable from that VNet. However, this also isolates your app from the internet, so only traffic from the Private Link can get to it.

Before I explain how to set up Azure Private Link, note these restrictions:

  • This is currently a Preview feature, so support is limited.
  • It is only available in East US and West US 2 at the time of writing.
  • It is only available on PremiumV2 Windows and Linux web apps.

Create a virtual network

The private endpoint needs to be connected to a network, so we will need a virtual network to put it in. I recommend putting it in its own subnet within the VNet because we can't apply network security groups (NSG) to the private endpoint. However, we can apply NSGs to the subnet it is in. This is a useful way to secure access to the app from internal sources if needed.

For this demo, I have created a simple virtual network with a subnet in it, called "AppService."

Example of VNet creation for connecting the Private Link

Create an App Service

As mentioned above, this will need to be on a PremiumV2 plan in one of the two supported regions (East US and West US 2).

Create a simple app service to host the app

I have called this "PrivateLinkDemo," so we will be able to go to http://privatelinkdemo.azurewebsites.net/ from anywhere on the internet and get to the site. Don't worry, though; we will get to locking this down in a moment.

Create a virtual machine

This is a machine in the same VNet or a routable VNet. We will use this to test that the connection is working. Something small and simple will do for this. You just need to be able to RDP to it for the test, so it either needs to be routable across your network or have an external IP address.

Verify that the site is public

RDP to our new virtual machine on the Azure virtual network so we can test the site. You just have to go to http://privatelinkdemo.azurewebsites.net/. This will show us the default page for an Azure web app.

However, if we do an nslookup on the DNS name of the site, we see that we are looking at the site on the internet. Thus, the site is still available from the public internet.

Testing the app before we connect the Private Link

Create the private endpoint for the web app

Now, if we navigate to the web app in the Azure portal, we should see an option for Networking in the left menu. Select this and click Configure your private endpoint connections.

Connecting the Azure Private Link

This will take you to a page that shows you don't have any endpoints yet. Click the Add button on the top right and fill in the details you are prompted for. The name can be anything you like, and you will need to select the virtual network and subnet that you want the private link/web app to connect to.

Fill in the details of the Private Link

After a few minutes, you will see the new private endpoint appear in the list.

The Private Link is created

Click the private endpoint link in the middle of the page that has the name you gave it. It will show you the details of the new private link.

Overview page showing the IP of the Private Link

Notice the new IP address of the private link in the virtual network we created.

Testing the blocked site

Now, if we retest the site from the virtual machine in the VNet, we will see that the site is blocked.

Notice that nslookup returns a new alias for the site:

privatelinkdemo.privatelink.azurewebsites.net

Also, the IP address for the site is still the internet address, because the DNS servers the VM is using know nothing about the internal address. This is why the site appears to be blocked: now that a private endpoint is attached, the app only accepts traffic that arrives through the private link, and our request is still being sent to the public address.

Testing the app once the private link is created

Create an Azure Private DNS Zone

The final step is to make the private address resolvable from the VNet. Here we do this with an Azure Private DNS Zone, but the same name-to-IP mapping could be served by your internal DNS servers or, for testing, by a 'hosts' file entry on the local machine.

In the Azure Portal, search for "Private DNS Zones" and click the first item.

Search for the Azure Private DNS Zone service

On the Private DNS Zones page, click the Create private DNS zone button in the middle of the page.

Click Create Private DNS Zone

Fill in the Subscription and the Resource Group name. The Name field will need to be "privatelink.azurewebsites.net". This is the new domain that the alias for the site will point to.

Then click Create twice, and a new DNS Zone is created.

Add the name of the new zone you are creating

On the page that appears for the new DNS zone, click the + Record Set button at the top. This will prompt you for some details of the record you need to create. I've used "privatelinkdemo" for the name in this case and the IP Address of the new private link.

Add the new record for the private link IP

Now that we have a DNS zone and record, all we need to do is link that zone to the virtual network that contains the private endpoint. This means that anything in that VNet will be able to resolve the new records.

Select Virtual Network Links in the left menu, and then click the Add button at the top.

Create the Private Link to the VNet

From here, you will need to give it a Name. This can be anything you like. Then add the subscription and the VNet we are linking it to. Then just click OK to make the connection to the VNet.

Select the virtual network to connect to

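The steps from the last four sections (VNet with its own subnet, PremiumV2 web app, private endpoint, private DNS zone with its A record and VNet link) as one Az PowerShell script. This is an added example, not the article's own code: the resource group, VNet name, address prefixes and plan name are assumptions; the region, the "AppService" subnet, the "PrivateLinkDemo" app and the zone name are the ones the article uses; and the cmdlets and parameters are those of the Az.Network, Az.Websites and Az.PrivateDns modules.

```powershell
# Added example (not from the article): build the article's setup with the Az module.
# Assumed values: resource group, VNet name, address prefixes and plan name.
$rg         = 'rg-privatelinkdemo'               # assumed
$location   = 'westus2'                          # one of the two supported regions
$vnetName   = 'vnet-privatelinkdemo'             # assumed
$subnetName = 'AppService'                       # subnet name from the article
$appName    = 'PrivateLinkDemo'                  # web app name from the article
$zoneName   = 'privatelink.azurewebsites.net'    # zone name from the article

# 1. VNet with a dedicated subnet for the endpoint. Private endpoint network policies are
#    turned off on that subnet: NSGs cannot be applied to the endpoint itself, only to the subnet.
$subnetCfg = New-AzVirtualNetworkSubnetConfig -Name $subnetName -AddressPrefix '10.10.1.0/24' `
    -PrivateEndpointNetworkPoliciesFlag 'Disabled'
$vnet = New-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName -Location $location `
    -AddressPrefix '10.10.0.0/16' -Subnet $subnetCfg

# 2. PremiumV2 plan and the web app (the preview only supports PremiumV2).
New-AzAppServicePlan -ResourceGroupName $rg -Name "$appName-plan" -Location $location `
    -Tier PremiumV2 -WorkerSize Small -NumberofWorkers 1 | Out-Null
$webApp = New-AzWebApp -ResourceGroupName $rg -Name $appName -Location $location `
    -AppServicePlan "$appName-plan"

# 3. Private endpoint in the AppService subnet, targeting the app's 'sites' sub-resource.
$connection = New-AzPrivateLinkServiceConnection -Name "$appName-connection" `
    -PrivateLinkServiceId $webApp.Id -GroupId 'sites'
$endpoint = New-AzPrivateEndpoint -ResourceGroupName $rg -Name "pe-$appName" -Location $location `
    -Subnet ($vnet.Subnets | Where-Object Name -eq $subnetName) `
    -PrivateLinkServiceConnection $connection

# 4. The private IP the endpoint was given (the address the portal's overview page shows).
$nic = Get-AzNetworkInterface -ResourceId $endpoint.NetworkInterfaces[0].Id
$privateIp = $nic.IpConfigurations[0].PrivateIpAddress

# 5. Private DNS zone, A record "privatelinkdemo" -> private IP, and the VNet link that
#    lets resolvers inside the VNet see the record.
New-AzPrivateDnsZone -ResourceGroupName $rg -Name $zoneName | Out-Null
New-AzPrivateDnsRecordSet -ResourceGroupName $rg -ZoneName $zoneName -Name $appName.ToLower() `
    -RecordType A -Ttl 3600 `
    -PrivateDnsRecords (New-AzPrivateDnsRecordConfig -IPv4Address $privateIp) | Out-Null
New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zoneName `
    -Name "link-$vnetName" -VirtualNetworkId $vnet.Id | Out-Null

"Private endpoint for $appName is at $privateIp; $($appName.ToLower()).$zoneName resolves to it inside $vnetName."
```

Step 1 is the one thing the portal hides: the subnet must have private endpoint network policies disabled, which is exactly why the article puts the endpoint in its own subnet and applies NSGs there rather than to the endpoint.
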
Test the Azure private link

Now that we have everything in place, let's run an ipconfig /flushdns on the test VM and run the test again:

Test that our Private Link is connected and working

Now the default page is showing for the web app and the nslookup is showing an internal IP address. All this means that we now have a web app running with a private link connected to our internal VNet.
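The two nslookup checks the article does by hand (the first in "Testing the blocked site", where the privatelink alias appears but the address is still public, and this final one, where an internal address comes back) as an added PowerShell function that is not part of the article. It uses Resolve-DnsName, so it runs on the Windows test VM; the endpoint subnet 10.10.1.0/24 is an assumption, and the meaning attached to each outcome follows the article's own explanation.

```powershell
# Added example (not from the article): classify what nslookup showed at each step.
# Assumed: the private endpoint lives in 10.10.1.0/24.

function Test-IPv4InSubnet {
    # True when $IPAddress falls inside the CIDR block $Cidr (IPv4 only).
    param([string]$IPAddress, [string]$Cidr)
    $network, $prefix = $Cidr -split '/'
    $toUInt32 = {
        param([string]$ip)
        $bytes = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
        [Array]::Reverse($bytes)                      # network order -> host order
        [System.BitConverter]::ToUInt32($bytes, 0)
    }
    $mask = [uint32]((0xFFFFFFFF -shl (32 - [int]$prefix)) -band 0xFFFFFFFF)
    return ((& $toUInt32 $IPAddress) -band $mask) -eq ((& $toUInt32 $network) -band $mask)
}

function Get-PrivateLinkStatus {
    # Pure classification of a resolution result, kept separate from the lookup so a
    # captured answer can be checked offline as well as a live one.
    param([string[]]$Cnames, [string[]]$Addresses, [string]$EndpointSubnet)
    $hasPrivateLinkAlias = @($Cnames | Where-Object { $_ -like '*.privatelink.azurewebsites.net' }).Count -gt 0
    $privateAddresses    = @($Addresses | Where-Object { Test-IPv4InSubnet -IPAddress $_ -Cidr $EndpointSubnet })

    if ($privateAddresses.Count -gt 0) {
        $status = 'PRIVATE'
        $advice = 'Name resolves to the private endpoint; traffic stays inside the VNet.'
    } elseif ($hasPrivateLinkAlias) {
        $status = 'BLOCKED'
        $advice = 'Private endpoint is attached but the VNet still resolves the public address: link the privatelink.azurewebsites.net zone to this VNet (or add a hosts entry) and run ipconfig /flushdns.'
    } else {
        $status = 'PUBLIC'
        $advice = 'No private endpoint on this app; it still answers from the internet.'
    }
    [pscustomobject]@{ Status = $status; Cnames = $Cnames; Addresses = $Addresses; Advice = $advice }
}

function Test-PrivateLinkResolution {
    param(
        [string]$HostName       = 'privatelinkdemo.azurewebsites.net',
        [string]$EndpointSubnet = '10.10.1.0/24'   # assumed endpoint subnet
    )
    $answer = Resolve-DnsName -Name $HostName -Type A -ErrorAction Stop
    $cnames = @($answer | Where-Object Type -eq 'CNAME' | ForEach-Object NameHost)
    $ips    = @($answer | Where-Object Type -eq 'A'     | ForEach-Object IPAddress)
    Get-PrivateLinkStatus -Cnames $cnames -Addresses $ips -EndpointSubnet $EndpointSubnet
}

# Live check from the test VM:
#   Test-PrivateLinkResolution | Format-List
# Offline check on a captured answer (constructed values), expected Status = PRIVATE:
#   Get-PrivateLinkStatus -Cnames 'privatelinkdemo.privatelink.azurewebsites.net' `
#       -Addresses '10.10.1.4' -EndpointSubnet '10.10.1.0/24'
```

The BLOCKED branch is the state the article hits between creating the endpoint and linking the DNS zone; running the function before and after `ipconfig /flushdns` makes the cached public answer visible rather than leaving it to guesswork.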

Conclusion

Although there are a few steps involved with getting an Azure web app connected with an Azure private link, it's actually very simple. Once the first one is set up and running, the rest are quick and simple to spin up.

All this means you now have a simple target to migrate internal apps to, without security issues and with little or no maintenance.

© 4sysops 2006 - 2020