4.1 Azure Private Link and Private Endpoints
📘Microsoft Azure Networking Solutions (AZ-700)
1. What are Private Endpoints?
Azure Private Link is the service; a Private Endpoint is its building block on your side: a network interface with a private IP address that connects you privately and securely to an Azure service, so that the traffic never crosses the public internet.
Key points:
- It uses a private IP address from your Virtual Network (VNet).
- Traffic stays within Azure’s backbone network, not the public internet.
- It works for services like:
- Azure Storage (Blob, File)
- Azure SQL Database
- Azure Key Vault
- Azure App Service, and your own services published through a Private Link service behind a Standard Load Balancer
IT Environment Example:
If your company has an Azure SQL Database storing sensitive financial data, you don’t want it exposed publicly. A private endpoint gives the resources in your VNet a private path to it; once you also disable the server’s public network access (section 4), that private path is the only way in.
2. How Private Endpoints Work
- Private Endpoint Creation
- You select a service (e.g., Storage Account) and a VNet subnet.
- Azure assigns a private IP in that subnet.
- The service is now reachable at that IP from your VNet (and from anything routed to it, such as peered VNets or on-premises); the public endpoint keeps existing until you disable it.
- DNS Integration
  - The service FQDN must resolve to the private IP; if it still resolves to the public address, clients silently keep using the public endpoint.
  - Azure wires this through a CNAME: mydb.database.windows.net points to mydb.privatelink.database.windows.net, and the A record for that privatelink name is what must hold the endpoint’s private IP.
  - You can:
    - Use an Azure Private DNS zone (privatelink.database.windows.net) linked to the VNet; Azure then automatically maps the service FQDN (e.g., mydb.database.windows.net) to the private IP.
    - Or configure your own DNS servers (including on-premises ones) to resolve the privatelink name privately, typically by forwarding the privatelink.* zones to Azure DNS inside the VNet (168.63.129.16 or an Azure DNS Private Resolver).
- Traffic Flow
- When a resource in your VNet connects to the service FQDN, traffic flows internally via the private endpoint.
- The public endpoint stays reachable in parallel (subject to the service firewall) unless you explicitly disable public network access on the service.
3. Configuring Access to Private Endpoints
Configuring access involves three main steps:
Step 1: Create the Private Endpoint
- Go to the Azure portal → select the target service.
- Choose Private Endpoint → Click Create.
- Choose:
- Resource group
- VNet and subnet
- Private DNS integration (optional but recommended)
- Confirm and create.
Step 2: Configure Network and Security
- Subnet Settings
  - The subnet needs free addresses for the endpoint NIC, and the client resources (VMs, App Service integration subnets, peered VNets) must be able to route to it.
  - Check the subnet’s private endpoint network policies setting: while it is Disabled, NSGs and route tables on that subnet are bypassed for private endpoint traffic; set it to Enabled if you want them to apply.
- Apply Network Security Groups (NSGs) carefully:
  - Allow the required ports to the endpoint IP from the client subnets (e.g., TCP 1433 for SQL)
  - Deny the rest
- Firewall Rules
  - The service-level firewall (e.g., the Azure SQL server firewall, the storage account firewall) governs the public endpoint only; connections that arrive through a private endpoint bypass it, so the endpoint IP does not need to be allow-listed.
  - Keep the public firewall as tight as possible anyway, and for a fully private service disable public network access (section 4).
Step 3: Configure DNS
- After creation, the service’s FQDN must resolve to the private IP. The public name is a CNAME to a privatelink.* name, so it is that name whose A record has to be private.
- You can use:
  - Azure Private DNS Zone
    - Example: privatelink.database.windows.net, linked to the VNet. Attach a DNS zone group to the private endpoint and Azure creates and maintains the A record for the endpoint IP.
  - Custom DNS server
    - Create the privatelink record yourself (e.g., mydb.privatelink.database.windows.net to the private IP), or conditionally forward the privatelink zone to Azure DNS from inside the VNet.
IT Environment Example:
A VM in your subnet tries to connect to mydb.database.windows.net. DNS follows the CNAME to mydb.privatelink.database.windows.net and returns the private IP of the private endpoint, keeping the connection entirely internal.
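The check a practitioner runs from that VM after Step 3, as an added example that is not part of these notes: resolve the service FQDN through the VM’s configured resolver and confirm the answer lies inside the private endpoint subnet, not in Azure’s public address space. The FQDN and the subnet CIDR are assumptions passed on the command line; the address arithmetic is plain POSIX shell so it also works in minimal images.

```shell
#!/usr/bin/env bash
# Added example (not from the AZ-700 notes): confirm a Private Link FQDN resolves to an
# address inside the private endpoint subnet rather than to the service's public IP.
# Usage: ./check-pe-dns.sh mydb.database.windows.net 10.0.1.0/24   (both values are assumptions)
set -eu

# ip_to_int 10.0.1.5 -> 167772421 (dotted quad to a 32-bit integer)
ip_to_int() {
  _old_ifs=$IFS; IFS=.; set -- $1; IFS=$_old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr IP CIDR -> exit 0 when IP lies inside CIDR, 1 otherwise
ip_in_cidr() {
  _net=${2%/*}; _bits=${2#*/}
  _mask=$(( _bits == 0 ? 0 : (0xFFFFFFFF << (32 - _bits)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$1") & _mask )) -eq $(( $(ip_to_int "$_net") & _mask )) ]
}

# classify_ip IP CIDR -> prints "private" (inside the endpoint subnet) or "public"
classify_ip() {
  if ip_in_cidr "$1" "$2"; then echo private; else echo public; fi
}

# resolve_a FQDN -> first IPv4 answer from the VM's resolver (Azure DNS or the custom DNS
# servers set on the VNet), i.e. the same path applications use
resolve_a() {
  getent ahostsv4 "$1" | awk 'NR==1 {print $1}'
}

# check_private_resolution FQDN CIDR -> 0 if the answer is in CIDR, 1 if public, 2 if no answer
check_private_resolution() {
  _ip=$(resolve_a "$1")
  if [ -z "$_ip" ]; then
    echo "FAIL: $1 does not resolve"; return 2
  fi
  case "$(classify_ip "$_ip" "$2")" in
    private) echo "OK: $1 -> $_ip (inside $2)"; return 0 ;;
    *) echo "FAIL: $1 -> $_ip is outside $2; clients are still using the public endpoint" \
            "(check the privatelink zone link or DNS forwarding)"; return 1 ;;
  esac
}

# Only run the live check when both arguments are given; sourcing the file just defines the functions.
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
  check_private_resolution "$1" "$2"
fi
```

A non-zero exit from the script is a usable gate in a pipeline or a VM extension: a "public" verdict means the privatelink zone is not linked to the VNet the VM sits in, or a custom DNS server is not forwarding the privatelink zone.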
4. Optional: Restrict Public Access
- A private endpoint does not switch off the public endpoint; the service keeps accepting public connections, subject only to its firewall rules.
- To fully secure:
  - Disable public network access on the service (for Azure SQL and Storage this is the “Public network access: Disabled” setting).
  - Only the private endpoint path then remains, so anything that cannot resolve the privatelink name (including your own management tooling) loses access.
5. Benefits of Private Endpoints
- Security
- No exposure to the public internet.
- Compliance
- Useful for GDPR, HIPAA, or other data protection requirements.
- Simplified Access
- VNets, peered VNets, and on-premises networks (over VPN or ExpressRoute) can securely connect, as long as their DNS resolves the privatelink name to the endpoint IP.
- Seamless DNS
- Applications can connect using standard service FQDN.
6. Quick Exam Tips
- Know the difference between Private Link vs. Service Endpoint
- Private Link → Uses private IP, secure, can restrict public access.
- Service Endpoint → Still uses public IP, adds VNet access restrictions.
- Remember DNS mapping is key for access.
- NSG rules on the endpoint subnet must allow traffic to the private endpoint IP (and network policies must be enabled for them to apply); the service firewall does not see private endpoint traffic.
- A private endpoint can sit in a different region from the service it targets, and clients in globally peered VNets or on-premises can reach it across the peering or VPN.
✅ Summary Table for Easy Recall
| Feature | Private Endpoint | Service Endpoint |
|---|---|---|
| IP Used | Private IP in VNet | Public IP of service |
| Traffic | Internal (Azure backbone) | Public network |
| Security | Can block public access completely | Service keeps its public IP; firewall can limit access to selected VNets |
| DNS Required | Yes (privatelink Private DNS zone) | No (public FQDN unchanged) |
| Example Services | SQL, Storage, Key Vault | Storage, SQL |
