In an enterprise, when you connect to services hosted on the Azure platform you need to make sure that your data (hosted in Azure) is not exposed to the public internet. By default, access to the services hosted in Azure is via the public internet, and accessing sensitive data over the public internet is not secure. To solve this issue Azure offers two technologies, Azure Private Endpoint and Azure Private Link:
What is Azure Private Endpoint?
A Private Endpoint is a network interface created inside your VNet to enable private access to a resource. The Private Endpoint uses a private IP address from the VNet to bring the service into the VNet. This way the Azure resource becomes part of your VNet, which means that:
1. The connection to the Azure resource travels over the Azure backbone instead of the public internet.
2. The Azure resource does not expose a public IP address; instead it uses a private IP address from the VNet. This removes the public-internet exposure.
What is Azure Private Link?
Azure Private Link enables access to Azure PaaS services (e.g. Azure SQL Database, Azure Synapse, Azure Blob Storage) by replacing the public endpoint with a private network connection. Once you have the private network connection to the Azure service, you link this connection to the Private Endpoint in the consumer network. In other words, you connect the service to a private IP address within the VNet where your consumer resources are placed.
For the sake of simplicity this is a three-step process:
- Create a Private Endpoint for consumers so consumers can access the resources privately.
- Create a Private link so we can replace the Azure service’s public endpoint with a private network connection.
- Link the Private Link connection with the Private Endpoint.
Here is the demo video on how we can implement this scenario.
Here is the PowerShell code used in the demo:
```powershell
# First sign in and create a resource group
Connect-AzAccount

## Set variables ##
$rg         = 'PrivateEndpointDemo-rg'
$loc        = 'eastus'
$vnet       = 'DemoVNet'
$webAppRG   = 'webapp-rg'
$WebAppName = 'pedemowebapp'

New-AzResourceGroup -Name $rg -Location $loc

## Create backend subnet config. ##
$subnetConfig = New-AzVirtualNetworkSubnetConfig -Name BackendSubnet -AddressPrefix '10.0.0.0/24'

## Create Azure Bastion subnet. ##
$bastsubnetConfig = New-AzVirtualNetworkSubnetConfig -Name AzureBastionSubnet -AddressPrefix '10.0.1.0/24'

## Create the virtual network. ##
$vnetParameters = @{
    Name              = $vnet
    ResourceGroupName = $rg
    Location          = $loc
    AddressPrefix     = '10.0.0.0/16'
    Subnet            = $subnetConfig, $bastsubnetConfig
}
$vnetInfo = New-AzVirtualNetwork @vnetParameters

## Create public IP address for bastion host. ##
$publicIPParameters = @{
    Name              = 'BastionIP'
    ResourceGroupName = $rg
    Location          = $loc
    Sku               = 'Standard'
    AllocationMethod  = 'Static'
}
$publicip = New-AzPublicIpAddress @publicIPParameters

## Create bastion host (the only public entry point to the VNet) ##
$bastionParameters = @{
    ResourceGroupName = $rg
    Name              = 'DemoBastion'
    PublicIpAddress   = $publicip
    VirtualNetwork    = $vnetInfo
}
New-AzBastion @bastionParameters

# Create a test VM
## Set credentials for server admin and password. ##
$cred = Get-Credential

## Create network interface for the VM in BackendSubnet (no public IP). ##
$vmNICparameters = @{
    Name              = 'VMNic'
    ResourceGroupName = $rg
    Location          = $loc
    Subnet            = $vnetInfo.Subnets[0]
}
$nicVM = New-AzNetworkInterface @vmNICparameters

## Create a virtual machine configuration. ##
$NameAndSizeParameters = @{
    VMName = 'DemoVM'
    VMSize = 'Standard_DS1_v2'
}
$credentialParameters = @{
    ComputerName = 'DemoVM'
    Credential   = $cred
}
$skuParameters = @{
    PublisherName = 'MicrosoftWindowsServer'
    Offer         = 'WindowsServer'
    Skus          = '2019-Datacenter'
    Version       = 'latest'
}
$vmConfig = New-AzVMConfig @NameAndSizeParameters |
    Set-AzVMOperatingSystem -Windows @credentialParameters |
    Set-AzVMSourceImage @skuParameters |
    Add-AzVMNetworkInterface -Id $nicVM.Id

## Create the virtual machine ##
New-AzVM -ResourceGroupName $rg -Location $loc -VM $vmConfig

## Get a reference to the existing web app ##
$webapp = Get-AzWebApp -ResourceGroupName $webAppRG -Name $WebAppName

## Create the Private Link service connection to the web app ('sites' sub-resource). ##
$PrivateLinkParameters = @{
    Name                 = 'myConnection'
    PrivateLinkServiceId = $webapp.Id
    GroupId              = 'sites'
}
$privateLinkConnection = New-AzPrivateLinkServiceConnection @PrivateLinkParameters

## Disable private endpoint network policies on BackendSubnet and save the VNet. ##
$vnetInfo.Subnets[0].PrivateEndpointNetworkPolicies = 'Disabled'
$vnetInfo = $vnetInfo | Set-AzVirtualNetwork

## Create the private endpoint in BackendSubnet ##
$PrivateEndPointParameters = @{
    ResourceGroupName            = $rg
    Name                         = 'myPrivateEndpoint'
    Location                     = $loc
    Subnet                       = $vnetInfo.Subnets[0]
    PrivateLinkServiceConnection = $privateLinkConnection
}
New-AzPrivateEndpoint @PrivateEndPointParameters

## Create the private DNS zone for App Service. ##
$PrivateDNSZoneParameters = @{
    ResourceGroupName = $rg
    Name              = 'privatelink.azurewebsites.net'
}
$zone = New-AzPrivateDnsZone @PrivateDNSZoneParameters

## Link the private DNS zone to the VNet so VMs in it resolve the private address. ##
$PrivateDNSVNetLinkParameters = @{
    ResourceGroupName = $rg
    ZoneName          = 'privatelink.azurewebsites.net'
    Name              = 'myLink'
    VirtualNetworkId  = $vnetInfo.Id
}
$link = New-AzPrivateDnsVirtualNetworkLink @PrivateDNSVNetLinkParameters

## Create DNS zone configuration ##
$DnsConfigParameters = @{
    Name             = 'privatelink.azurewebsites.net'
    PrivateDnsZoneId = $zone.ResourceId
}
$config = New-AzPrivateDnsZoneConfig @DnsConfigParameters

## Create the DNS zone group, which writes the endpoint's A record into the zone. ##
$PrivateDNSZoneGroupParameters = @{
    ResourceGroupName    = $rg
    PrivateEndpointName  = 'myPrivateEndpoint'
    Name                 = 'myZoneGroup'
    PrivateDnsZoneConfig = $config
}
New-AzPrivateDnsZoneGroup @PrivateDNSZoneGroupParameters
```
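To confirm the deployment actually took the private path, here is an added verification script (not part of the original demo) to run after the script above. It assumes the same resource group, private endpoint, DNS zone and web app names as the demo; the cmdlets are standard Az module cmdlets.

```powershell
## Verify the private endpoint wiring created by the demo script ##
$rg       = 'PrivateEndpointDemo-rg'
$peName   = 'myPrivateEndpoint'
$zoneName = 'privatelink.azurewebsites.net'
$appLabel = 'pedemowebapp'
$appHost  = "$appLabel.azurewebsites.net"

# 1. The Private Link connection must be Approved; a Pending or Rejected
#    connection leaves the endpoint NIC in place but carries no traffic.
$pe    = Get-AzPrivateEndpoint -ResourceGroupName $rg -Name $peName
$state = $pe.PrivateLinkServiceConnections[0].PrivateLinkServiceConnectionState
if ($state.Status -ne 'Approved') {
    throw "Private endpoint connection is '$($state.Status)': $($state.Description)"
}

# 2. Read the private IP Azure assigned to the endpoint NIC (10.0.0.x from BackendSubnet).
$nic  = Get-AzNetworkInterface -ResourceId $pe.NetworkInterfaces[0].Id
$peIp = $nic.IpConfigurations[0].PrivateIpAddress
Write-Host "Private endpoint IP: $peIp"

# 3. The private DNS zone must hold an A record for the app that points at that IP.
#    If the record is missing or stale, clients in the VNet fall back to the public IP.
$records   = Get-AzPrivateDnsRecordSet -ResourceGroupName $rg -ZoneName $zoneName -RecordType A
$appRecord = $records | Where-Object { $_.Name -eq $appLabel }
if (-not $appRecord) {
    throw "No A record for $appLabel in $zoneName; check the DNS zone group."
}
$dnsIp = $appRecord.Records[0].Ipv4Address
if ($dnsIp -ne $peIp) {
    throw "Private DNS A record ($dnsIp) does not match endpoint IP ($peIp)."
}
Write-Host "Private DNS maps $appHost to $dnsIp (private address)."

# 4. From DemoVM (inside the VNet, reached through DemoBastion), confirm the public
#    name chains into the private zone and ends at the private IP:
#      Resolve-DnsName $appHost
#    Expected: CNAME pedemowebapp.azurewebsites.net -> pedemowebapp.privatelink.azurewebsites.net,
#    then an A record with the 10.0.0.x address. A public IP in that answer means
#    the VM is not using the linked private DNS zone.
```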
Hope this helps!!