Azure Private Link is a new service that enables you to connect to specific Azure endpoints through the Microsoft internal backbone, avoiding data transfer through the public internet. In this post, I will explain how to create and manage an Azure Private Link in the portal and with PowerShell.

Baki Onur Okutucu

Onur is a subject matter expert for Office 365, Azure, and PowerShell technologies. He is the founder of Clouderz Ltd, a cloud consultancy based in London. For ten years in a row, Microsoft has recognized him as a Most Valuable Professional. You can follow Onur on Twitter: @BakiOnur.

Although numerous security tools and data protection techniques are in use, the question of whether the connection to your data crosses the public internet may still make you think twice before signing up for a service. With Azure Private Link, you can now connect to Azure services such as Azure SQL Server or storage accounts over a private address from your Azure VM, or even from your on-prem servers, as long as the machine is connected to Azure via VPN or ExpressRoute. This also means the client no longer needs a public IP address or an internet-facing gateway to access such resources.

The main difference between VNet service endpoints and Azure Private Link is where the service is exposed. A service endpoint is enabled at the subnet level of a VNet: the service keeps its public IP address, and only traffic originating in that subnet is routed to it over the Azure backbone. Service endpoints therefore can't be used from on-premises through Azure ExpressRoute private peering or a VPN gateway. A private endpoint instead places a network interface with a private IP address from your VNet in front of the service, so anything that can route to that VNet can reach the service on that private address.

So how can you enable Private Link and use it, then?

Deploying Azure Private Link via the Azure Portal

In this scenario, I will use an Azure VM to connect to an Azure SQL Server database and a blob storage account via a private IP address. Before trying out Private Link, note that at the time of writing the service is in preview and is supported only in the following regions:

Service                        Available regions
Azure Storage                  East US, West US, West Central US
Azure Data Lake Storage Gen2   East US, West US, West Central US
Azure SQL Database             West Central US, West US, South Central US, East US, North Central US
Azure SQL Data Warehouse       West Central US, West US, South Central US, East US, North Central US

Available regions for Azure Private Link (preview)

I will create two Azure Private Links via the Azure portal: one for the blob storage account and one for the SQL Server database. Both services in my lab are in the East US region, so the VNet and the VM I'll use to test the private link are in the same region.

The Private Link service can be deployed via the Azure portal

The configuration for creating a private link for the blob storage account and for the SQL Server database is as follows:

For the blob storage:

Sample configuration for creating a private link for blob storage

For a SQL Server:

Sample configuration for creating a private link for a SQL Server database

Once the private link has been created, we can examine the configuration at the resource level. Supported services such as storage accounts and SQL Servers now have a new section in their blades that lists the private endpoint connections associated with the resource.

Existing private endpoint connections on a storage account

The same applies to the SQL Server.

Existing private endpoint connections on a SQL Server

It's time to test the functionality. I need to confirm that communication between the Azure VM and the storage account and SQL Server goes to an internal IP address. So I will simply query each service name with nslookup from the VM and see which address it returns.

Accessing Azure services securely via Azure Private Link

Yes! For both the storage account and the SQL Server, the service names now resolve to the private endpoints' IP addresses, so the VM connects to them inside the VNet and the traffic stays on the Microsoft backbone rather than crossing the internet. Note that the DNS answer is the decisive check: if a client still resolves the service's public IP address (for example because it does not use the privatelink DNS zone), it will reach the service over the public endpoint even though a private endpoint exists.
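The nslookup check above can be scripted so that it asserts what actually matters: that the name resolves to an address inside the VNet's address space, that the CNAME chain passes through the privatelink zone, and that the port is reachable. The following is an added example, not code from the original article; the FQDNs, the VNet range 10.0.0.0/16 and the ports are assumptions for illustration, and the functions run from the Azure VM (Resolve-DnsName and Test-NetConnection require Windows PowerShell on Windows).

```powershell
# Added example (not from the original article): verify that a Private Link
# service name resolves to the private endpoint and not to the public endpoint.
# FQDNs, VNet range and ports below are assumptions for illustration.

function Test-IpInCidr {
    # Returns $true when an IPv4 address falls inside a CIDR range, e.g. 10.0.0.0/16.
    param([Parameter(Mandatory)][string]$IpAddress,
          [Parameter(Mandatory)][string]$Cidr)
    $network, $prefixLength = $Cidr -split '/'
    $prefixLength = [int]$prefixLength
    $toInt = {
        param($addr)
        $bytes = [System.Net.IPAddress]::Parse($addr).GetAddressBytes()
        [Array]::Reverse($bytes)                       # network order -> little-endian for BitConverter
        [long][BitConverter]::ToUInt32($bytes, 0)
    }
    $ip   = & $toInt $IpAddress
    $net  = & $toInt $network
    $mask = ([long]0xFFFFFFFF -shl (32 - $prefixLength)) -band 0xFFFFFFFF
    return (($ip -band $mask) -eq ($net -band $mask))
}

function Test-PrivateEndpointResolution {
    # Resolves the service FQDN and reports, per returned A record, whether the
    # address is inside the VNet and whether the service port answers on it.
    param([Parameter(Mandatory)][string]$Fqdn,       # e.g. <account>.blob.core.windows.net
          [Parameter(Mandatory)][string]$VnetCidr,   # address space of the VNet hosting the endpoint
          [Parameter(Mandatory)][int]$Port)          # 443 for blob, 1433 for Azure SQL

    $answers = Resolve-DnsName -Name $Fqdn -Type A -ErrorAction Stop

    # With the private DNS zone in place the public name is a CNAME to
    # <name>.privatelink.<service>, which then has the A record. A hosts-file
    # entry would resolve directly and leave this flag $false.
    $viaPrivateLinkZone = [bool]($answers |
        Where-Object { $_.Type -eq 'CNAME' -and $_.NameHost -like '*.privatelink.*' })

    $ips = $answers | Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
    foreach ($ip in $ips) {
        $inVnet = Test-IpInCidr -IpAddress $ip -Cidr $VnetCidr
        $tcp    = Test-NetConnection -ComputerName $ip -Port $Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Fqdn               = $Fqdn
            ResolvedIp         = $ip
            ViaPrivateLinkZone = $viaPrivateLinkZone
            InVnet             = $inVnet
            TcpReachable       = $tcp.TcpTestSucceeded
            # A public address here means traffic is taking the public endpoint,
            # regardless of any private endpoint that exists on the resource.
            Verdict            = if ($inVnet) { 'private endpoint' } else { 'PUBLIC endpoint - fix DNS' }
        }
    }
}

# Constructed sample inputs: the lab's storage account and SQL server, VNet 10.0.0.0/16.
Test-PrivateEndpointResolution -Fqdn 'stprivlinkdemo.blob.core.windows.net'   -VnetCidr '10.0.0.0/16' -Port 443
Test-PrivateEndpointResolution -Fqdn 'sql-privlink-demo.database.windows.net' -VnetCidr '10.0.0.0/16' -Port 1433
```

Run it from a VM inside the VNet and again from a machine that is not using the private DNS zone; the second run should report the public address and a 'fix DNS' verdict, which is the failure mode a plain nslookup makes easy to misread.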

Creating an Azure Private Link using PowerShell

Azure Private Links can also be created and managed using PowerShell.

Azure Private Links and private endpoints for a SQL Server and a storage account can be created using the following code:
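The following is an added example rather than the article's own listing. It creates a private endpoint for a storage account (group ID blob) and for an Azure SQL server (group ID sqlServer), and then creates the matching private DNS zones so that the public service names resolve to the endpoints' private IPs from inside the VNet, which is the step the portal does not do for you at this stage. Resource group, region, VNet, subnet and resource names are assumptions for illustration; it requires the Az.Network, Az.Storage, Az.Sql and Az.PrivateDns modules and an existing VNet, storage account and SQL server.

```powershell
# Added example (not the article's own code): private endpoints plus private DNS for
# a storage account and an Azure SQL server. All names and the region are assumptions.

$rg            = 'rg-privatelink-demo'
$location      = 'eastus'
$vnetName      = 'vnet-demo'
$subnetName    = 'snet-endpoints'
$storageName   = 'stprivlinkdemo'
$sqlServerName = 'sql-privlink-demo'

# 1. Private endpoint network policies must be disabled on the hosting subnet,
#    then the subnet object is re-read so it carries the updated state and Id.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnet = $vnet.Subnets | Where-Object { $_.Name -eq $subnetName }
$subnet.PrivateEndpointNetworkPolicies = 'Disabled'
$vnet   = $vnet | Set-AzVirtualNetwork
$subnet = $vnet.Subnets | Where-Object { $_.Name -eq $subnetName }

# 2. Resource IDs of the target PaaS services.
$storageId = (Get-AzStorageAccount -ResourceGroupName $rg -Name $storageName).Id
$sqlId     = (Get-AzSqlServer -ResourceGroupName $rg -ServerName $sqlServerName).ResourceId

# 3. One endpoint per service. GroupId selects the sub-resource exposed through the
#    endpoint and determines which privatelink DNS zone the public name must map to.
$targets = @(
    @{ Name = 'pe-blob'; Id = $storageId; GroupId = 'blob';      Zone = 'privatelink.blob.core.windows.net'; Label = $storageName   }
    @{ Name = 'pe-sql';  Id = $sqlId;     GroupId = 'sqlServer'; Zone = 'privatelink.database.windows.net';  Label = $sqlServerName }
)

foreach ($t in $targets) {
    $conn = New-AzPrivateLinkServiceConnection -Name "$($t.Name)-conn" `
                -PrivateLinkServiceId $t.Id -GroupId $t.GroupId
    $pe   = New-AzPrivateEndpoint -ResourceGroupName $rg -Name $t.Name -Location $location `
                -Subnet $subnet -PrivateLinkServiceConnection $conn

    # The endpoint is a NIC in the subnet; its private IP is what DNS has to return.
    $nic       = Get-AzNetworkInterface -ResourceId $pe.NetworkInterfaces[0].Id
    $privateIp = $nic.IpConfigurations[0].PrivateIpAddress

    # 4. Private DNS zone linked to the VNet, with an A record for the service label.
    #    Without this, clients keep resolving the public IP and bypass the endpoint.
    $zone = Get-AzPrivateDnsZone -ResourceGroupName $rg -Name $t.Zone -ErrorAction SilentlyContinue
    if (-not $zone) { $zone = New-AzPrivateDnsZone -ResourceGroupName $rg -Name $t.Zone }

    $linkName = "$vnetName-link"
    $link = Get-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $t.Zone `
                -Name $linkName -ErrorAction SilentlyContinue
    if (-not $link) {
        New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $t.Zone `
            -Name $linkName -VirtualNetworkId $vnet.Id | Out-Null
    }

    $record = New-AzPrivateDnsRecordConfig -IPv4Address $privateIp
    New-AzPrivateDnsRecordSet -ResourceGroupName $rg -ZoneName $t.Zone -Name $t.Label `
        -RecordType A -Ttl 300 -PrivateDnsRecords $record | Out-Null

    '{0}: {1}.{2} -> {3}' -f $t.Name, $t.Label, ($t.Zone -replace '^privatelink\.'), $privateIp
}
```

The A record is created in the privatelink zone under the bare account or server name; Azure's public DNS already returns a CNAME from the public name to that privatelink name, so a VM using Azure-provided DNS in the linked VNet ends up at the private IP, while clients elsewhere keep getting the public address.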

Limitations

The following limitations currently exist:

  • The Private Link service and the resource from which you access the endpoints must be in the same region.
  • Private endpoints cannot be used on subnets configured with service endpoints.
  • Private endpoints cannot be reached from the following services:
    • App Service Plan
    • Azure Container Instances
    • Azure NetApp Files
    • Azure Dedicated HSM

Conclusion

Azure Private Link is an easy-to-deploy service that adds an extra layer of security by taking PaaS traffic off the public internet entirely. Microsoft is planning to expand support to other services such as Azure Cosmos DB, Azure Database for MySQL, PostgreSQL and MariaDB, Azure App Service, and Azure Key Vault. It looks like it will be one of the game-changers in network security on Azure going forward.

© 4sysops 2006 - 2019