Azure Private Link | Private connection to Azure PaaS
Azure Private Link is a new service, currently in Preview, that provides private connectivity from a virtual network or an on-premises network with Site-2-Site VPN to Azure platform as a service (PaaS) Microsoft services. Azure Private Link makes the networking a lot more simple improving the security and eliminating the need for public access.
Azure Private Link is a Service mapped to Azure Virtual Networks through a private endpoint. This means that all traffic is routed internally, using private IPs and connectivity, eliminating the exposure to threats. Using Private Link helps an organization to meed the compliance standards.
Azure Private Link is a Global service. It does not have regional restrictions. You can connect privately services from all the Azure Regions around the globe.
Lets Lab It!
Let’s see in practice how we can connect from an Azure VM and from our on-premises computer using VPN to an Azure SQL Database using private IPs. For the Lab I already have a Virtual Machine running Windows Server 2019 and an Azure SQL Database. The SQL Database is not connected to any networks.
Open the Azure Portal, press New and search for “Private Link”, select it and press “Create”
A nice “Getting started page” will open. Click the “Build a private connection to a service”
The “Create a private endpoint” wizard will open. Select a name for the Private Link and a Region and press Next to go to the second step.
At the second step, select to connect to the azure resource in my directory, and select the subscription where the Azure SQL Database resides. Then select the SQL Server.
At the third step, select the VIrtual Network that the Private Link will be created. I selected the network where my Virtual Machine resides. If you don’t have your own DNS server select Yes to create an Azure private DNS zone.
At the final step, review the settings and create the Private Link
After the resource creation, you can check the DNS for the Azure SQL Server Private IP Address!
And at the SQL Server, at the “Private endpoint connections” section you will see the new Private Link.
Open a Remote Desktop Connection to the Azure VM, and run a nslookup for the SQL Server name. In my case the command is:
PS C:\> nslookup plsqlsrv.database.windows.net
And it returned the Private IP address of the SQL Server.
From my computer, i tried to connect to the Azure SQL Server, using the name plsqlsrv.database.windows.net and the connection failed since my Public IP Address is not allowed to access the server.
From the Azure VM I managed to connect successfully and of course internally!
After that, I added a Virtual Network Gateway to the Network and created a Point to Site VPN connection from my local computer to Azure. You can check my guide on how to do this: https://cloudcorner.gr/microsoft/azure/azure-start-point-point-to-site-vpn/
In order to connect to the Azure SQL you need to either use a local DNS server to map the SQl Server name to the Azure SQL IP or add an entry to the local host file for testing.
Azure Private Link is in Preview and currently supports Azure SQL Database and Storage accounts. Additional services coming in preview in next 3-6 months:
- · Cosmos DB
- · App Service Vnet Integration + App Service Environment
- · Azure Kubernetes Service
- · Azure Key Vault
- · PostgreSQL
- · MySQL
- · Maria DB
Pantelis Apostolidis is a Cloud Solutions Architect at Microsoft and an ex Microsoft Azure MVP. For the last 15 years, Pantelis has been involved to major cloud projects in Greece and abroad, helping companies to adopt and deploy cloud technologies, driving business value. He is entitled to a lot of Microsoft Expert Certifications, demonstrating his proven experience in delivering high quality solutions. He is an author, blogger and he is acting as a spokesperson for conferences, workshops and webinars. He is also an active member of several communities as a moderator in azureheads.gr and autoexec.gr. Follow him on Twitter @papostolidis.