Notes from MS Learn AZ-700 Module 7: Design and Implement Private Access to Azure Services – Unit 3: Define Private Link Service and Private Endpoint
- What is Azure Private Link
  - Azure Private Link gives access to Azure PaaS services and to Azure-hosted customer-owned or partner services over a private endpoint in your VNet
  - Private Link is designed to remove the public part of the connection
  - Secure access to the Azure service is achieved by replacing the resource's public endpoint with a private NIC in your VNet
  - Key considerations for this architecture
    - The Azure resource effectively becomes part of your VNet
    - The connection to the resource uses the Microsoft Azure backbone instead of the public Internet
    - The Azure resource can be configured to no longer expose its public IP at all
- What is Azure Private Endpoint
  - The key technology behind Private Link
  - A NIC in your VNet that provides a private, secure connection between the VNet and an Azure service
  - That NIC replaces the resource's public endpoint: clients talk to the private IP of the NIC instead of the public IP of the service
- How is Azure Private Endpoint different from a service endpoint
  - A private endpoint grants network access to one specific resource instance behind a given service (granular segmentation); a service endpoint opens the subnet to the service as a whole
  - Traffic can reach the resource from on-prem (over VPN or ExpressRoute private peering) without using public endpoints; service endpoints only work for traffic originating in the VNet
  - With a service endpoint the service remains publicly routable: the VNet still connects to the service's public IP, just over the backbone
  - A private endpoint is a private IP in the address space of the VNet where it is configured
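The difference in the bullets above is easiest to see in the commands, so here is an added example (not from the MS Learn module): an Azure CLI script that gives a storage account a private endpoint for its blob sub-resource, creates the privatelink DNS zone and zone group so the public FQDN resolves to the private IP from inside the VNet, and then turns off public network access, which a service endpoint cannot do because the service stays publicly routable. Resource names, region, the subnet layout and the placeholder subscription ID are assumptions; set DRY_RUN=1 to print the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the MS Learn module). Names, region and the
# subscription ID are assumptions; replace them before running.
set -eu

RG="${RG:-rg-privatelink-demo}"
LOCATION="${LOCATION:-eastus}"
VNET="${VNET:-vnet-hub}"
SUBNET="${SUBNET:-snet-private-endpoints}"
STORAGE="${STORAGE:-stprivatelinkdemo01}"                      # must be globally unique
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
PE_NAME="pe-${STORAGE}-blob"
ZONE="privatelink.blob.core.windows.net"                       # privatelink zone for the blob sub-resource

# Resource ID of the Private Link resource to connect to; built by hand so no
# az call is needed just to compute it.
STORAGE_ID="/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${RG}/providers/Microsoft.Storage/storageAccounts/${STORAGE}"

# run: execute the command, or only print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

deploy_private_endpoint() {
  # 1. The private endpoint: a NIC in $SUBNET holding a private IP from that
  #    subnet. --group-id selects the sub-resource (blob, file, queue, table, dfs, web).
  run az network private-endpoint create \
    --resource-group "$RG" --name "$PE_NAME" --location "$LOCATION" \
    --vnet-name "$VNET" --subnet "$SUBNET" \
    --private-connection-resource-id "$STORAGE_ID" \
    --group-id blob \
    --connection-name "${PE_NAME}-conn"

  # 2. DNS: a private zone with the privatelink name, linked to the VNet, plus a
  #    zone group so Azure maintains the A record for the endpoint's private IP.
  run az network private-dns zone create \
    --resource-group "$RG" --name "$ZONE"
  run az network private-dns link vnet create \
    --resource-group "$RG" --zone-name "$ZONE" --name "link-${VNET}" \
    --virtual-network "$VNET" --registration-enabled false
  run az network private-endpoint dns-zone-group create \
    --resource-group "$RG" --endpoint-name "$PE_NAME" --name default \
    --private-dns-zone "$ZONE" --zone-name blob

  # 3. Close the public endpoint. With a service endpoint this step is not
  #    available: the service keeps its public IP and stays publicly routable.
  run az storage account update \
    --resource-group "$RG" --name "$STORAGE" \
    --public-network-access Disabled
}

# Check from a VM inside the VNet: the public FQDN must CNAME to the
# privatelink name and resolve to the endpoint's private IP, not a public one.
resolve_check() {
  run nslookup "${STORAGE}.blob.core.windows.net"
}

# APPLY=1 runs the deployment (after az login); APPLY=1 DRY_RUN=1 only prints it.
if [ "${APPLY:-0}" = "1" ]; then
  deploy_private_endpoint
  resolve_check
fi
```

Run the resolution check from a VM in the linked VNet and from outside it: inside, the FQDN resolves to the private IP of the endpoint NIC; outside, after step 3, the public IP still resolves but the service refuses the connection.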
- What is Azure Private Link Service
  - Private Link gives private access from an Azure VNet to PaaS services and Microsoft partner services in Azure. What if an org runs its own service in Azure? Can it offer its customers a private connection to that service?
  - Yes, with Private Link Service
  - Lets you offer Private Link connections to your own custom Azure services
  - Consumers of the custom service reach it privately from their own VNets without going over the Internet
  - A Private Link service is the reference to your own service, powered by Private Link
  - A service running behind an Azure Standard Load Balancer can be enabled for Private Link access
  - Customers create a private endpoint inside their VNet and map it to this service
  - A Private Link service receives connections from multiple private endpoints
  - A private endpoint connects to exactly one Private Link service
- Private Endpoint Properties
  - Considerations
    - Name: unique within the resource group
    - Subnet: the subnet to deploy into; the private IP address is allocated from it
    - Private Link resource to connect to, by resource ID or alias, from the list of available types; a unique network identifier is generated for all traffic sent to this resource
    - Sub-resource (group ID) to connect to; each Private Link resource type exposes different options to choose from
    - Connection approval method, automatic or manual: if the requester has sufficient Azure RBAC permissions on the Private Link resource, the private endpoint is approved automatically
    - With manual approval, the owner of the Private Link resource approves (or rejects) each connection
    - Only private endpoints in the Approved state can send traffic
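The Private Link Service and approval bullets above describe one end-to-end flow, so here is an added example of it (not from the MS Learn module): the provider exposes a Standard Load Balancer frontend as a Private Link service and restricts visibility to the consumer's subscription, the consumer attaches a private endpoint with a manual request so it lands in the Pending state, and the provider lists pending connections and approves one. Resource names, subnets, regions and the placeholder subscription IDs are assumptions; the provider and consumer are shown in one script only for brevity and would normally run in separate subscriptions. Set DRY_RUN=1 to print the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the MS Learn module). All names and IDs are assumptions.
set -eu

# Provider side: the Private Link service and the Standard LB it fronts.
PROVIDER_RG="${PROVIDER_RG:-rg-provider}"
LOCATION="${LOCATION:-eastus}"
PROVIDER_VNET="${PROVIDER_VNET:-vnet-provider}"
PLS_SUBNET="${PLS_SUBNET:-snet-pls}"                 # source NAT IPs for the service come from here
LB_NAME="${LB_NAME:-lb-myservice}"                   # must be Standard SKU
LB_FRONTEND="${LB_FRONTEND:-LoadBalancerFrontEnd}"   # frontend IP configuration name
PLS_NAME="${PLS_NAME:-pls-myservice}"
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"           # placeholder
PLS_ID="/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${PROVIDER_RG}/providers/Microsoft.Network/privateLinkServices/${PLS_NAME}"

# Consumer side: only the alias or resource ID of the service is shared with them.
CONSUMER_SUBSCRIPTION_ID="${CONSUMER_SUBSCRIPTION_ID:-11111111-1111-1111-1111-111111111111}"  # placeholder
CONSUMER_RG="${CONSUMER_RG:-rg-consumer}"
CONSUMER_VNET="${CONSUMER_VNET:-vnet-consumer}"
CONSUMER_SUBNET="${CONSUMER_SUBNET:-snet-pe}"
PE_NAME="${PE_NAME:-pe-myservice}"

# run: execute the command, or only print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Provider: publish the LB frontend as a Private Link service. --visibility limits
# who may even request a connection; leaving --auto-approval unset means every
# request waits in Pending for manual approval.
publish_service() {
  run az network vnet subnet update \
    --resource-group "$PROVIDER_RG" --vnet-name "$PROVIDER_VNET" --name "$PLS_SUBNET" \
    --private-link-service-network-policies Disabled
  run az network private-link-service create \
    --resource-group "$PROVIDER_RG" --name "$PLS_NAME" --location "$LOCATION" \
    --vnet-name "$PROVIDER_VNET" --subnet "$PLS_SUBNET" \
    --lb-name "$LB_NAME" --lb-frontend-ip-configs "$LB_FRONTEND" \
    --visibility "$CONSUMER_SUBSCRIPTION_ID"
  # The alias is the opaque name you give consumers instead of the resource ID.
  run az network private-link-service show \
    --resource-group "$PROVIDER_RG" --name "$PLS_NAME" --query alias -o tsv
}

# Consumer: one private endpoint maps to exactly one Private Link service. No
# --group-id here: a Private Link service has no sub-resources. --manual-request
# puts the connection in Pending until the provider acts on it.
request_endpoint() {
  run az network private-endpoint create \
    --resource-group "$CONSUMER_RG" --name "$PE_NAME" --location "$LOCATION" \
    --vnet-name "$CONSUMER_VNET" --subnet "$CONSUMER_SUBNET" \
    --private-connection-resource-id "$PLS_ID" \
    --connection-name "${PE_NAME}-conn" \
    --manual-request true
}

# Provider: names of connections still waiting for a decision.
list_pending() {
  run az network private-link-service show \
    --resource-group "$PROVIDER_RG" --name "$PLS_NAME" \
    --query "privateEndpointConnections[?privateLinkServiceConnectionState.status=='Pending'].name" -o tsv
}

# Provider: approve one connection by name (from list_pending). Only connections
# in the Approved state carry traffic; use Rejected to refuse it.
approve_connection() {
  run az network private-link-service connection update \
    --resource-group "$PROVIDER_RG" --service-name "$PLS_NAME" --name "$1" \
    --connection-status Approved --description "approved by service owner"
}

# APPLY=1 runs the provider publish and the consumer request (after az login);
# then call approve_connection with a name printed by list_pending.
if [ "${APPLY:-0}" = "1" ]; then
  publish_service
  request_endpoint
  list_pending
fi
```

Note the direction of the relationship: the consumer never sees the provider's VNet, and the provider never sees the consumer's; the provider only sees a connection request with the consumer's endpoint name and decides whether to approve it.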
- Additional Considerations
  - Clients initiate the network connection; connections are established in a single direction only (the service side cannot initiate a connection back to the consumer)
  - A private endpoint has a read-only NIC; its private IP is assigned dynamically from the subnet that maps to the Private Link resource and remains unchanged for the lifecycle of the private endpoint
  - The private endpoint must be deployed in the same region and subscription as its VNet
  - The Private Link resource itself can be in a different region than the VNet of the private endpoint
  - Multiple private endpoints can be created for the same Private Link resource
  - Multiple private endpoints can be created in the same or different subnets within the same VNet
- Considerations