4.1 Azure Private Link and Private Endpoints
📘 Microsoft Azure Networking Solutions (AZ-700)
What is a Private Endpoint?
A Private Endpoint in Azure is a network interface that connects you privately and securely to an Azure service. Instead of using a public IP over the internet, your connection happens entirely inside Azure’s network, which improves security and data protection.
Think of it as a secure “door” that only your virtual network (VNet) can use to reach an Azure service, such as:
- Azure Storage Account
- Azure SQL Database
- Azure Key Vault
- Azure Cosmos DB
Key point for exam: Private endpoints are used to access PaaS services privately, avoiding exposure to the public internet.
Steps to Create a Private Endpoint in Azure
There are multiple ways to create a private endpoint: Azure Portal, Azure CLI, PowerShell, and ARM templates. For the exam, focus on understanding the process and its options.
1. Identify the Resource
- You need to know which Azure service you want to connect to privately.
- Example: An Azure Storage Account named `examstorage123`.
2. Select the Virtual Network (VNet)
- Private endpoints must be in a VNet, which is your private network inside Azure.
- They also require a subnet where the endpoint will live.
- Example: VNet `VNet-Prod` and subnet `Subnet-Storage`.
Exam tip: The subnet cannot have a network security group (NSG) that blocks Azure Private Link traffic.
3. Create the Private Endpoint
Via Azure Portal:
- Go to the Azure Portal → Private Endpoint → Create
- Choose the resource (Storage, SQL, etc.) and resource instance.
- Select your VNet and subnet.
- Configure DNS integration (important to resolve private IPs).
- Review and create.
Via Azure CLI:
```bash
az network private-endpoint create \
  --name MyPrivateEndpoint \
  --resource-group MyResourceGroup \
  --vnet-name MyVNet \
  --subnet MySubnet \
  --private-connection-resource-id /subscriptions/{subID}/resourceGroups/{rg}/providers/Microsoft.Storage/storageAccounts/{storageAccountName} \
  --group-ids blob \
  --connection-name MyPrivateConnection
```
`--group-ids` indicates which service interface (blob, sql, etc.) to connect to. `--private-connection-resource-id` is the target resource ID.
Exam tip: You may be asked about CLI parameters like `--group-ids` or `--private-connection-resource-id`.
4. Approve the Connection
- Some services require manual approval of the private endpoint.
- The owner of the resource will see a pending connection request and must approve it.
Example: Connecting to someone else’s SQL Database may require the database admin to approve the private endpoint.
5. Configure DNS
- By default, Azure will create a private DNS zone to resolve the private IP of the service.
- Example: `examstorage123.blob.core.windows.net` → `10.0.1.5` (private IP in your VNet)
- You can link your own DNS or use Azure’s automatic private DNS linking.
Exam tip: If DNS is not configured, your VM may still try to reach the public endpoint, which defeats the purpose of Private Link.
6. Test the Connection
- From a VM in the VNet, try connecting to the service using its FQDN.
- Example: `Test-NetConnection -ComputerName examstorage123.blob.core.windows.net -Port 443`
- The connection should resolve to the private IP, not a public IP.
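The DNS check in step 6 is the one that catches a setup that is silently still public, so here is an added example of scripting it (this is not code from the original notes or from Microsoft). It is a POSIX shell script that takes the answer `dig +short` prints for the service FQDN and verifies that the final A record falls inside the private endpoint's subnet. The sample answers, the subnet `10.0.1.0/24`, the cluster name and the public IP `203.0.113.10` are constructed for illustration; only `examstorage123.blob.core.windows.net` and `10.0.1.5` come from the notes above.

```shell
#!/bin/sh
# Added example: verify that a service FQDN resolves to the private endpoint's
# IP, i.e. that the DNS step of the Private Link setup actually took effect.
# Run it from a VM inside the VNet; the sample answers at the bottom are
# constructed, not captured from a real tenant.

# ip_to_int: dotted-quad IPv4 -> 32-bit integer (pure shell arithmetic)
ip_to_int() {
    _saved_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_saved_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr IP CIDR: exit 0 when IP lies inside CIDR (e.g. 10.0.1.0/24)
ip_in_cidr() {
    _ip_n=$(ip_to_int "$1")
    _net_n=$(ip_to_int "${2%/*}")
    _bits=${2#*/}
    _mask=$(( _bits == 0 ? 0 : (0xFFFFFFFF << (32 - _bits)) & 0xFFFFFFFF ))
    [ $(( _ip_n & _mask )) -eq $(( _net_n & _mask )) ]
}

# check_private_resolution FQDN ANSWER SUBNET_CIDR
# ANSWER is the text `dig +short FQDN` prints: CNAME targets first, the
# final A record last. Only the final IP matters: public DNS also returns
# the *.privatelink.* CNAME for a storage account that has a private
# endpoint, so seeing that name alone proves nothing.
# Returns 0 = private, 1 = resolved to an address outside the subnet,
# 2 = no IPv4 answer at all.
check_private_resolution() {
    _fqdn=$1; _answer=$2; _cidr=$3
    _final_ip=$(printf '%s\n' "$_answer" \
        | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' | tail -n 1)
    if [ -z "$_final_ip" ]; then
        echo "FAIL: $_fqdn returned no IPv4 address"
        return 2
    fi
    if ip_in_cidr "$_final_ip" "$_cidr"; then
        echo "OK:   $_fqdn -> $_final_ip is inside $_cidr (private endpoint in use)"
        return 0
    fi
    echo "FAIL: $_fqdn -> $_final_ip is outside $_cidr (traffic would use the public endpoint)"
    return 1
}

# live_check FQDN SUBNET_CIDR: the same check against the resolver this VM uses
live_check() {
    command -v dig >/dev/null 2>&1 || { echo "dig is not installed"; return 3; }
    check_private_resolution "$1" "$(dig +short "$1")" "$2"
}

# Constructed sample answers.
# What a VM sees once the privatelink.blob.core.windows.net zone is linked:
PRIVATE_ANSWER='examstorage123.privatelink.blob.core.windows.net.
10.0.1.5'
# What the same VM sees when the zone is missing and public DNS answers
# (cluster name and IP are made up):
PUBLIC_ANSWER='examstorage123.privatelink.blob.core.windows.net.
blob.example-cluster.store.core.windows.net.
203.0.113.10'

check_private_resolution examstorage123.blob.core.windows.net "$PRIVATE_ANSWER" 10.0.1.0/24
check_private_resolution examstorage123.blob.core.windows.net "$PUBLIC_ANSWER" 10.0.1.0/24 || true
```

On a real VM, `live_check examstorage123.blob.core.windows.net 10.0.1.0/24` runs the lookup through whatever resolver the VM is configured with, which is exactly what matters: a custom DNS server that does not forward `privatelink.*` zones to Azure will fail this check even though the private endpoint itself exists.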
Key Exam Points about Private Endpoints
- Security – Private endpoints allow you to avoid public internet exposure.
- Network Isolation – Works within your VNet; can integrate with NSGs and route tables.
- Service Scope – Can be used for many Azure PaaS services: SQL, Storage, Key Vault, Cosmos DB, etc.
- DNS Requirement – Must resolve the service FQDN to the private IP, either via Azure Private DNS or custom DNS.
- Manual Approval – Some resources require approval by the resource owner.
- Subnet Restrictions – Only one private endpoint per subnet per service interface.
- Connection Status – Can be Pending, Approved, or Rejected.
IT Example Scenarios for Exam Understanding
- A company wants its Azure SQL database to be accessible only from its application servers in the VNet. Using a private endpoint, the SQL database receives a private IP and is no longer exposed to the public internet.
- An organization wants to store backups in Azure Storage but ensure all traffic is private. Creating a private endpoint for the storage account achieves this.
These examples help non-IT students understand why private endpoints are necessary in enterprise IT environments.
Summary Table – Private Endpoint Creation
| Step | What to Do | Key Exam Note |
|---|---|---|
| 1 | Identify Azure resource | E.g., Storage, SQL, Key Vault |
| 2 | Choose VNet & Subnet | Must allow Private Link traffic |
| 3 | Create Private Endpoint | Portal/CLI/PowerShell/ARM |
| 4 | Approve connection | May be required for cross-subscription |
| 5 | Configure DNS | Must resolve FQDN to private IP |
| 6 | Test connection | Ensure traffic goes via private IP |
Tip for AZ-700 Exam:
You might get scenario questions asking you to:
- Allow a VM to access Azure Storage privately → Answer: Create a Private Endpoint in the VNet/subnet of the VM.
- Ensure SQL database is inaccessible from internet → Answer: Use Private Endpoint and disable public access.
- Integrate with on-prem DNS → Answer: Link Private DNS Zone with your DNS server.
