4.1 Azure Private Link and Private Endpoints
📘Microsoft Azure Networking Solutions (AZ-700)
1. What Is a Private Link Service?
A Private Link service allows you to expose your own Azure service privately to other virtual networks using Azure Private Link.
It is different from a Private Endpoint:
- Private Endpoint → Used to privately connect to a service.
- Private Link Service → Used to privately expose your own service to others.
With a Private Link service:
- Your service stays inside your Virtual Network (VNet).
- Consumers access it using a private IP address.
- Traffic stays on the Microsoft backbone network.
- The service is not exposed to the public internet.
2. Where Is Private Link Service Used?
You use a Private Link service when:
- You are hosting an application inside Azure.
- The application is behind a Standard Load Balancer.
- You want other VNets (same or different subscriptions/tenants) to connect privately.
- You want secure, controlled, private access.
Typical IT example:
- A company hosts an internal API in one VNet.
- Other departments or partner organizations need secure access.
- Instead of using a public IP, the company creates a Private Link service.
- Consumers create Private Endpoints to connect privately.
3. Architecture Overview
To create a Private Link service, these components are required:
1. Virtual Network (VNet)
Your service must run inside a VNet.
2. Backend Service
This could be:
- Virtual Machines
- Virtual Machine Scale Sets
- Application hosted behind a load balancer
3. Standard Load Balancer
Only Standard Load Balancer is supported.
Basic Load Balancer is NOT supported for Private Link service.
4. Frontend IP Configuration
The load balancer must have a frontend IP (internal or public).
5. Private Link Service
This connects the load balancer frontend to Private Link.
6. Private Endpoint (Consumer Side)
The consumer creates a Private Endpoint to connect.
4. Important Exam Requirements
For AZ-700, you must remember:
✔ Only Standard Load Balancer is supported
✔ Service must be inside a VNet
✔ NAT IP addresses are required
✔ You can allow automatic or manual approval
✔ Cross-subscription and cross-tenant supported
✔ Works only with TCP traffic
5. How Traffic Flows
- Consumer creates a Private Endpoint.
- Private Endpoint gets a private IP inside consumer VNet.
- Traffic flows:
- Consumer VNet → Private Endpoint → Microsoft backbone → Private Link service → Load Balancer → Backend VM
- The service never gets exposed publicly.
6. Components of Private Link Service
When creating it, you configure:
1. Load Balancer Frontend IP
You must select:
- Standard Load Balancer
- Frontend IP configuration
This is the entry point for traffic.
2. NAT IP Configuration
This is VERY important for the exam.
Private Link service requires NAT IP addresses.
Why?
Because:
- Traffic from consumer must be translated before reaching backend.
- It prevents IP conflicts between networks.
You must:
- Select a subnet
- Allocate one or more NAT IP addresses
These NAT IPs:
- Must be from a dedicated subnet
- Cannot overlap with other IP usage
3. Auto-Approval or Manual Approval
When a consumer requests connection:
You can choose:
Automatic Approval
- Certain subscriptions are auto-approved.
Manual Approval
- Service owner must approve connection request.
For exam:
- Know how to configure both.
- Understand approval workflow.
4. Visibility Settings
You can control:
- Who can see your Private Link service?
- Which subscriptions can request connection?
This is done using:
- Subscription IDs
7. Steps to Create a Private Link Service (Azure Portal)
Here is the exam-level process:
Step 1: Prepare Backend
- Create VNet
- Create Subnet
- Deploy VMs
- Create Standard Load Balancer
- Configure backend pool
- Create health probe
- Create load balancing rule
Step 2: Create Private Link Service
Go to:
Azure Portal → Create Resource → Private Link Service
Configure:
- Basics
- Subscription
- Resource group
- Name
- Region
- Outbound Settings
- Select Standard Load Balancer
- Select frontend IP configuration
- NAT IP Configuration
- Select subnet
- Define number of NAT IPs
- Access Control
- Configure auto-approval list
- Configure visibility
- Review + Create
8. Approval Workflow (Very Important for Exam)
When consumer creates Private Endpoint:
Status becomes:
- Pending
Service owner must:
- Go to Private Link service
- Approve or Reject connection
Connection states:
- Pending
- Approved
- Rejected
- Disconnected
Exam may ask about these states.
9. DNS Considerations
Private Link service does NOT automatically configure DNS for consumers.
Consumer must:
- Configure Private DNS zone
- Or manually configure DNS
DNS resolution must point to Private Endpoint IP.
For custom services:
- You may define a custom DNS name.
- Consumer maps it to Private Endpoint IP.
10. Security Benefits
Private Link service provides:
✔ No public exposure
✔ Traffic stays on Microsoft backbone
✔ Controlled access
✔ Explicit approval model
✔ Works across subscriptions
✔ Works across tenants
11. Comparison: Private Endpoint vs Private Link Service
| Feature | Private Endpoint | Private Link Service |
|---|---|---|
| Purpose | Connect privately to service | Expose your own service privately |
| Created By | Consumer | Service Provider |
| Requires Load Balancer | No (for Azure PaaS) | Yes (Standard only) |
| Needs NAT IP | No | Yes |
| Approval Needed | Yes | Yes |
12. Design Considerations for Exam
1. Subnet Planning
- NAT subnet should be dedicated.
- Ensure enough IPs available.
2. Load Balancer Requirement
- Must be Standard.
- Must be in same region as service.
3. High Availability
- Backend pool can have multiple VMs.
- Use Availability Zones if required.
4. Cross-Tenant Scenarios
Private Link service supports:
- Different Azure AD tenants.
- Requires manual approval unless auto-approved.
13. Limitations
You must remember:
- Only TCP supported
- No UDP
- Requires Standard Load Balancer
- Cannot use Basic Load Balancer
- NAT subnet cannot have other resources
- Region-specific resource
14. Real IT Environment Example
Imagine:
An organization runs an internal REST API on VMs behind a Standard Load Balancer in Azure.
Instead of:
- Assigning Public IP
- Opening firewall to internet
They:
- Create Private Link service
- Share service alias with partner subscription
- Partner creates Private Endpoint
- Partner accesses API using private IP
The service remains fully private.
15. Monitoring and Management
You can monitor:
- Connection requests
- Approval status
- NAT IP usage
- Load balancer metrics
Use:
- Azure Monitor
- Activity logs
16. Key Exam Tips
🔹 Remember NAT IP configuration is mandatory
🔹 Standard Load Balancer is required
🔹 Understand approval states
🔹 Know difference between Private Endpoint and Private Link service
🔹 Understand cross-tenant access
🔹 Know that DNS must be configured by consumer
🔹 Know traffic stays on Microsoft backbone
17. Quick Summary
A Private Link service:
- Exposes your own application privately.
- Uses Standard Load Balancer.
- Requires NAT IP configuration.
- Supports approval workflows.
- Enables private access across VNets and tenants.
- Keeps traffic off the public internet.
- Is a major topic in AZ-700 exam.
