Azure Private Link provides private connectivity from a virtual network to Azure platform as a service (PaaS), customer-owned, or Microsoft partner services.
2. About me
• Udaiappa Ramachandran ( Udai )
• CTO-Akumina, Inc.
• Cloud Expert
• Microsoft Azure, Amazon Web Services and Google
• New Hampshire Cloud User Group (http://www.meetup.com/nashuaug )
• https://udai.io
3. Agenda
• Virtual Network Basics
• Azure Private Endpoint
• Azure Private Link
• Private Link Service
• Network Scenarios
• DEMO…DEMO…DEMO…
• References
5. Service Endpoint
• Improved security for your Azure service resources (access restricted to your VNet/subnet)
• Optimal routing for Azure service traffic from your virtual network
• Simple to set up with little management overhead
• Destination is still a public IP address; NSG rules must be opened to the service tag
• Traffic must still traverse an NVA/firewall if you need exfiltration protection
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
6. Private Endpoint
• Private Endpoint
• Azure Private Endpoint is a network interface that connects you privately and securely to a
service powered by Azure Private Link. Private Endpoint uses a private IP address from your
VNet, effectively bringing the service into your VNet.
• Key Benefits
• Private endpoint enables connectivity for consumers in the same VNet, regionally
peered VNets, globally peered VNets and on premises (VPN, ExpressRoute)
• Connections are initiated only by the client toward the private endpoint (single direction)
• The private endpoint must be deployed in the same region and subscription as the virtual
network
• The private link resource can be deployed in a different region than the virtual network and
private endpoint
• Multiple private endpoints can be created using the same private link resource
• Multiple private endpoints can be created on the same or different subnets within the same
virtual network
7. Private Link
• Private Link
• Azure Private Link is a secure and scalable way to create, share, and connect to services on
Azure. All data that flows from a provider to a consumer is isolated from the internet and stays on
the Microsoft backbone network.
• Consumers: To privately connect to a service, create a private endpoint.
• Providers: To privately expose a service, create a Private Link service (your own service) or
use a Private Link-enabled Azure resource
• Key Benefits
• Privately access services on the Azure platform
• On-premises and peered networks
• Protection against data leakage (data exfiltration)
• Simple to setup
• Global reach
• Extended to your own services
• Uses approval workflow
8. Private Link Workflow
• Manual
• Automatic
https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview
9. Private Link service
• Private Link service
• Azure Private Link service is the reference to your own service that is powered by Azure
Private Link.
• Key Benefits
• Private Link service can be accessed from approved private endpoints in any public region. The
private endpoint can be reached from the same virtual network, regionally peered VNets, globally
peered VNets and on premises using private VPN or ExpressRoute connections.
• When creating a Private Link Service, a network interface is created for the lifecycle of the resource.
This interface is not manageable by the customer
• The Private Link Service must be deployed in the same region as the virtual network and the
Standard Load Balancer
• A single Private Link Service can be accessed from multiple Private Endpoints belonging to different
VNets, subscriptions and/or Active Directory tenants. The connection is established through a
connection workflow
• Multiple Private Link services can be created on the same Standard Load Balancer using different
front-end IP configurations
• Private Link service can have more than one NAT IP configuration linked to it
11. Private Link service Workflow
https://docs.microsoft.com/en-us/azure/private-link/private-link-service-overview
12. Private DNS Configuration - 1
Virtual network workloads without custom DNS server
https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-dns
13. Private DNS Configuration - 2
Virtual network workloads without custom DNS server – Hub and Spoke
https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-dns
14. Private DNS Configuration - 3
Virtual network and on-premises workloads using DNS Forwarder
https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-dns
15. Private DNS Configuration - 4
Virtual network and on-premises workloads using DNS Forwarder
https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-dns
16. Private DNS Configuration - 5
Virtual network and on-premises workloads using DNS Forwarder
https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-dns
17. Verifying Private Link
• If you are in a VM or Web App that uses the same VNet as the private endpoint (or a VNet
linked to its private DNS zone), the following commands return the private IP instead of the
public one
• >nslookup <PUBLICSERVICENAME> (VM or Kudu console)
• Ex. nslookup nhcloud.blob.core.windows.net
• >nameresolver <PUBLICSERVICENAME> (App Service Kudu console)
• Ex. nameresolver nhcloud.blob.core.windows.net
• >tcpping <PUBLICSERVICENAME> (App Service Kudu console; verifies the TCP connection, not just DNS)
• Ex. tcpping nhcloud.blob.core.windows.net
19. Demo -1 (Region 1)
• Create a resource group in EAST US
• Create a VNET – 10.100.0.0/16
• Create SubNets – VM-10.100.1.0/24, WEB-10.100.2.0/24, Data- 10.100.3.0/24
• Create a VM using the VNET and SubNet VM
• Create a WebApp using the VNET and SubNet Web
• Create a Storage Account using the VNET and SubNet Web
• Disable all public access
• For Storage enable Private Link using the SubNet Data
• Log in to the VM, or open the Web App Kudu console, and use the commands from the
previous slide to verify private access to the Storage account.
20. Demo-2 (Region 2)
• Create a resource group in WEST US
• Create a VNET – 10.200.0.0/16
• Create SubNets – VM-10.200.1.0/24, WEB-10.200.2.0/24, Data- 10.200.3.0/24
• Create a VM using the VNET and SubNet VM
• Create a WebApp using the VNET and SubNet Web
• Create a Storage Account using the VNET and SubNet Web
• Disable all public access
• For Storage enable Private Link using the SubNet Data
• Log in to the VM, or open the Web App Kudu console, and use the commands from the
previous slide to verify private access to the Storage account.
21. Demo-3 (Peering)
• Go to the EAST US VNet and peer it with the WEST US VNet; this enables (global) peering
between East US and West US
• On the private DNS zone of each service that has a private link, add a virtual network link to
the VNet in the other region. For East, add West and vice versa
• If adding the link from the Storage account fails with a name-overlap error (a VNet cannot be
linked to two private DNS zones with the same name), go to the DNS configuration of the West
storage private endpoint, remove it, and re-add it pointing at the private DNS zone created
for the East private link. Both regions now resolve through one zone, which links East and West
• To disable Web App public access, enable a private endpoint on the Web App, then log in to
the VM and browse to the Web App from there
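The three demos can be reproduced end to end with the Azure CLI. The script below is an added example and not part of the original deck: it builds the resource group, VNet and three subnets for each region, creates the Storage account with public network access disabled, adds the blob private endpoint in the Data subnet, peers the two VNets, and then avoids the name-overlap error from Demo 3 by design: one privatelink.blob.core.windows.net zone is created in the East resource group, linked to both VNets, and both private endpoints write their A records into it. The VM and Web App steps are left out, and the resource and Storage account names are assumptions (Storage account names must be globally unique). The network-policies flag is the current CLI spelling; older CLI versions use `--disable-private-endpoint-network-policies true`.

```shell
#!/usr/bin/env bash
# Added example, not from the original deck: Azure CLI version of Demos 1-3.
# Assumed names: east-rg/west-rg, east-vnet/west-vnet, nhcloudeast/nhcloudwest.
set -euo pipefail

AZ=${AZ:-az}   # set AZ=echo to print the commands instead of running them
EAST_SA=${EAST_SA:-nhcloudeast}   # assumed; must be globally unique, 3-24 lowercase alnum
WEST_SA=${WEST_SA:-nhcloudwest}

# deploy_region PREFIX LOCATION SECOND_OCTET STORAGE_NAME
# RG, VNet 10.<octet>.0.0/16 with VM/WEB/Data subnets, locked-down Storage account,
# and a private endpoint for the blob sub-resource in the Data subnet (Demo 1 / Demo 2).
deploy_region() {
  local loc=$2 oct=$3 sa=$4 rg="$1-rg" vnet="$1-vnet"
  $AZ group create -n "$rg" -l "$loc" -o none
  $AZ network vnet create -g "$rg" -n "$vnet" -l "$loc" \
      --address-prefix "10.$oct.0.0/16" \
      --subnet-name VM --subnet-prefix "10.$oct.1.0/24" -o none
  $AZ network vnet subnet create -g "$rg" --vnet-name "$vnet" -n WEB \
      --address-prefixes "10.$oct.2.0/24" -o none
  # Network policies decide whether NSG/UDR apply to the private endpoint NIC;
  # older CLIs required them disabled to create a PE at all.
  $AZ network vnet subnet create -g "$rg" --vnet-name "$vnet" -n Data \
      --address-prefixes "10.$oct.3.0/24" \
      --private-endpoint-network-policies Disabled -o none
  # "Disable all public access": no traffic reaches the account over its public IP
  $AZ storage account create -g "$rg" -n "$sa" -l "$loc" --sku Standard_LRS \
      --kind StorageV2 --min-tls-version TLS1_2 --allow-blob-public-access false \
      --public-network-access Disabled --default-action Deny -o none
  local sa_id
  sa_id=$($AZ storage account show -g "$rg" -n "$sa" --query id -o tsv)
  $AZ network private-endpoint create -g "$rg" -n "$sa-pe" -l "$loc" \
      --vnet-name "$vnet" --subnet Data --group-id blob \
      --private-connection-resource-id "$sa_id" --connection-name "$sa-conn" -o none
}

vnet_id() { $AZ network vnet show -g "$1" -n "$2" --query id -o tsv; }

# peer RG VNET REMOTE_VNET_ID LINK_NAME: one direction of a VNet peering
peer() {
  $AZ network vnet peering create -g "$1" --vnet-name "$2" -n "$4" \
      --remote-vnet "$3" --allow-vnet-access -o none
}

# link_zone ZONE_RG ZONE VNET_ID LINK_NAME: registration disabled, because the
# PE records are written by the dns-zone-group, not by VM auto-registration
link_zone() {
  $AZ network private-dns link vnet create -g "$1" -z "$2" -n "$4" -v "$3" -e false -o none
}

# attach_pe_to_zone RG PE_NAME ZONE_ID: writes the PE's A record into the zone
attach_pe_to_zone() {
  $AZ network private-endpoint dns-zone-group create -g "$1" --endpoint-name "$2" \
      -n default --private-dns-zone "$3" --zone-name blob -o none
}

main() {
  local zone=privatelink.blob.core.windows.net
  deploy_region east eastus 100 "$EAST_SA"
  deploy_region west westus 200 "$WEST_SA"
  # Demo 3: global peering in both directions
  local east_id west_id
  east_id=$(vnet_id east-rg east-vnet)
  west_id=$(vnet_id west-rg west-vnet)
  peer east-rg east-vnet "$west_id" east-to-west
  peer west-rg west-vnet "$east_id" west-to-east
  # One zone only: a VNet cannot be linked to two private zones with the same name,
  # which is the "name overlapping" error on the Demo 3 slide. Create the zone once,
  # link both VNets to it, and let both private endpoints register in it.
  $AZ network private-dns zone create -g east-rg -n "$zone" -o none
  local zone_id
  zone_id=$($AZ network private-dns zone show -g east-rg -n "$zone" --query id -o tsv)
  link_zone east-rg "$zone" "$east_id" east-link
  link_zone east-rg "$zone" "$west_id" west-link
  attach_pe_to_zone east-rg "$EAST_SA-pe" "$zone_id"
  attach_pe_to_zone west-rg "$WEST_SA-pe" "$zone_id"
}

# Usage: bash privatelink-demo.sh deploy      (or AZ=echo bash privatelink-demo.sh deploy)
[ "${1:-}" = "deploy" ] && main
```

Because the VM in either region resolves nhcloudeast.blob.core.windows.net and nhcloudwest.blob.core.windows.net through the same zone, the verification commands from the Verifying Private Link slide return a 10.100.3.x or 10.200.3.x address from both regions, and the only cross-region hop is the VNet peering.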