Microsoft AZ-700: Define Private Link Service and Private Endpoint

Notes from MS Learn AZ-700 Module 7: Design and Implement Private Access to Azure Services – Unit 3: Define Private Link Service and Private Endpoint

  • What is Azure Private Link
    • Azure Private Link enables access to Azure PaaS Services and Azure hosted customer-owned/partner services over Private Endpoint in VNet
  • Private Link is designed to remove the public part of the connection
  • Provides secure access to Azure services by replacing the resource's public endpoint with a private NIC
  • Key considerations for this architecture
    • Azure resource becomes part of your VNet
    • Connection to resource uses the Microsoft Azure backbone instead of the public Internet
    • Can configure Azure resource to no longer expose its public IP
  • What is Azure Private Endpoint
    • Key technology behind Private Link
    • NIC that enables a private/secure connection between VNet and Azure service
    • NIC that replaces the resource's public endpoint
    • Provides secure access to Azure services
    • Replaces resource public endpoint with private NIC
  • How is Azure Private Endpoint different from service endpoint
    • Grants network access to a specific resource behind a given service, providing granular segmentation
    • Traffic can reach service resource from on-prem without using public endpoints
    • Service endpoint remains publicly routable
    • Private endpoint is private IP in address space of VNet where configured
  • What is Azure Private Link Service
    • Gives private access from an Azure VNet to PaaS services and MS Partner services in Azure. What if an org has its own Azure services? Is it possible to offer those customers a private connection to the org's services?
  • Yes, with Private Link Service
  • Lets you offer Private Link connections to custom Azure services
  • Consumers of the custom service can access it privately from their own VNets without going over the Internet
  • Private Link service is reference to own service powered by Private Link
  • A service running behind an Azure Standard Load Balancer can be enabled for Private Link access
  • Customers can create private endpoint inside their VNet and map to this service
  • Private Link service receives connections from multiple private endpoints.
  • A private endpoint connects to one Private Link service
  • Private Endpoint Properties
    • Considerations
      • Unique name within the resource group
      • Subnet to deploy/allocate private IP addresses from VNet
      • Private Link resource to connect to, using the resource ID or alias from the list of available types – a unique network identifier is generated for all traffic sent to the resource
      • The subresource to connect to – each private link resource type has different options to select based on preference
      • Automatic or manual connection approval method – based on Azure role-based access control (RBAC), a Private Endpoint can be approved automatically
      • With the manual method, the owner of the resource approves the connections
      • Only Private Endpoints in the approved state are used to send traffic
    • Additional Considerations
      • Clients initiate the network connection; it is only established in a single direction
      • Private Endpoint has a read-only NIC. Its address is assigned dynamically from the subnet that maps to the Private Link resource and remains unchanged for the lifecycle of the Private Endpoint
      • Must be deployed in the same region and subscription as the VNet
      • Private Link resource can be deployed in a different region than the VNet of the Private Endpoint
      • Multiple Private Endpoints can be created using the same Private Link resource
      • Multiple Private Endpoints can be created on the same or different subnets within the same VNet
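The two halves of the notes above (publishing your own service through a Private Link service behind a Standard Load Balancer, and the private endpoint properties: subnet, target resource ID, approval method, read-only NIC) come together in the following Bicep template. It is an added example, not code from the MS Learn module or from these notes; every name, address range and the single-subscription layout are assumptions chosen for illustration.

```bicep
// Added example (not from the MS Learn module or these notes). Provider side: a service
// behind an internal Standard Load Balancer published as a Private Link service. Consumer
// side: a private endpoint in a separate VNet mapped to it with manual approval.
// Names, address ranges and the single-subscription layout are assumptions.
param location string = resourceGroup().location

resource providerVnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-provider'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [
      { name: 'snet-backend', properties: { addressPrefix: '10.10.1.0/24' } }
      // The subnet holding the Private Link service NAT IPs must have this policy disabled.
      { name: 'snet-pls-nat', properties: { addressPrefix: '10.10.2.0/24', privateLinkServiceNetworkPolicies: 'Disabled' } }
    ]
  }
}

resource lb 'Microsoft.Network/loadBalancers@2023-05-01' = {
  name: 'lb-provider'
  location: location
  sku: { name: 'Standard' } // Private Link service requires a Standard SKU load balancer
  properties: {
    frontendIPConfigurations: [
      { name: 'fe-internal', properties: { subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', providerVnet.name, 'snet-backend') }, privateIPAllocationMethod: 'Dynamic' } }
    ]
    backendAddressPools: [ { name: 'be-pool' } ]
    probes: [ { name: 'probe-https', properties: { protocol: 'Tcp', port: 443, intervalInSeconds: 15, numberOfProbes: 2 } } ]
    loadBalancingRules: [
      {
        name: 'rule-https'
        properties: {
          frontendIPConfiguration: { id: resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', 'lb-provider', 'fe-internal') }
          backendAddressPool: { id: resourceId('Microsoft.Network/loadBalancers/backendAddressPools', 'lb-provider', 'be-pool') }
          probe: { id: resourceId('Microsoft.Network/loadBalancers/probes', 'lb-provider', 'probe-https') }
          protocol: 'Tcp'
          frontendPort: 443
          backendPort: 443
        }
      }
    ]
  }
}

resource pls 'Microsoft.Network/privateLinkServices@2023-05-01' = {
  name: 'pls-custom-service'
  location: location
  properties: {
    // The LB frontend is what consumers reach through their private endpoints.
    loadBalancerFrontendIpConfigurations: [
      { id: resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', lb.name, 'fe-internal') }
    ]
    // Consumer traffic is SNATed to these NAT IPs, so backends only ever see provider-VNet addresses.
    ipConfigurations: [
      { name: 'pls-nat-ip', properties: { subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', providerVnet.name, 'snet-pls-nat') }, privateIPAllocationMethod: 'Dynamic', primary: true } }
    ]
    // Only listed subscriptions can discover the service; with an empty auto-approval list,
    // every private endpoint connection stays Pending until the provider approves it.
    visibility: { subscriptions: [ subscription().subscriptionId ] }
    autoApproval: { subscriptions: [] }
  }
}

resource consumerVnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-consumer'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.20.0.0/16' ] }
    subnets: [ { name: 'snet-pe', properties: { addressPrefix: '10.20.1.0/24' } } ]
  }
}

resource pe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-custom-service'
  location: location
  properties: {
    subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', consumerVnet.name, 'snet-pe') }
    // manualPrivateLinkServiceConnections (rather than privateLinkServiceConnections) selects manual approval.
    manualPrivateLinkServiceConnections: [
      {
        name: 'to-pls-custom-service'
        properties: {
          privateLinkServiceId: pls.id
          requestMessage: 'Consumer app team requesting private access'
          // No groupIds: a Private Link service has no sub-resources. For a PaaS resource you would
          // point privateLinkServiceId at the resource and set groupIds to the sub-resource, e.g. [ 'blob' ].
        }
      }
    ]
  }
}

// The endpoint's private IP sits on a read-only NIC that Azure creates in the consumer subnet.
output privateEndpointNicId string = pe.properties.networkInterfaces[0].id
```

Deploy it with `az deployment group create --resource-group <rg> --template-file main.bicep`. Because the template uses `manualPrivateLinkServiceConnections` and an empty `autoApproval` list, the endpoint comes up in the Pending state and carries no traffic until the service owner approves the connection on the Private Link service (for example with `az network private-endpoint-connection approve`); that pending-then-approved flow is the manual approval method described in the properties list above. In a real deployment the consumer VNet would sit in another subscription, and that subscription's ID would replace `subscription().subscriptionId` in the `visibility` list.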
Permanent link to this article: https://www.packetpilot.com/microsoft-az-700-define-private-link-service-and-private-endpoint/
