Azure Private Endpoint Explained

What is a private endpoint?

Overview

A private endpoint is a network interface that uses a private IP address from your virtual network. By enabling a private endpoint, you're bringing the service into your virtual network.

The service could be an Azure service such as:

  • Azure Storage

  • Azure Cosmos DB

  • Azure SQL Database

  • Azure App Service

  • Your own service, using Private Link service.

As you're creating private endpoints, consider the following:

  • Network connections can be initiated only by clients that are connecting to the private endpoint. Service providers don't have a routing configuration to create connections into service customers. Connections can be established in a single direction only.

  • A read-only network interface is automatically created for the lifecycle of the private endpoint. The interface is assigned a dynamic private IP address from the subnet that maps to the private-link resource. The value of the private IP address remains unchanged for the entire lifecycle of the private endpoint.

  • The private endpoint must be deployed in the same region and subscription as the virtual network.

  • For a single network using a common DNS server configuration, the recommended practice is to use a single private endpoint for a specified private-link resource. Use this practice to avoid duplicate entries or conflicts in DNS resolution.

  • Multiple private endpoints can be created on the same or different subnets within the same virtual network. There are limits to the number of private endpoints you can create in a subscription.

The list of Azure resources that support a private endpoint is maintained in the Azure Private Link documentation.

Network security of private endpoints

Private endpoints give the Azure service a privately reachable IP address, but creating one does not by itself restrict access to the service's public endpoint: unless you disable public network access on the resource (or set its firewall default action to deny), the service stays reachable from the internet exactly as before. Private endpoints also support network policies. When private endpoint network policies are enabled on the subnet, Network Security Groups (NSG), User Defined Routes (UDR) and Application Security Groups (ASG) apply to traffic destined for the endpoint. The policies are disabled by default on a subnet, so until you enable them, NSG rules attached to that subnet are not enforced for private endpoint traffic.
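The following script is an added example, not code from the original post. It checks the three settings that decide whether a private endpoint actually isolates a storage account (public network access, firewall default action, and the subnet's private endpoint network policies) and then applies the hardened values. It assumes a recent azure-cli (the `--private-endpoint-network-policies` and `--public-network-access` flags) and hypothetical names: resource group rg-app, storage account stapp01, virtual network vnet-app and subnet snet-pe. The assessment itself is a pure function so it can be run against recorded values without an Azure login.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Assumes a recent azure-cli and the
# hypothetical names below, which can be overridden from the environment.
set -eu

RG=${RG:-rg-app}
ACCOUNT=${ACCOUNT:-stapp01}
VNET=${VNET:-vnet-app}
SUBNET=${SUBNET:-snet-pe}

# Pure function: $1=publicNetworkAccess, $2=networkRuleSet.defaultAction,
# $3=subnet privateEndpointNetworkPolicies. Prints one FINDING per weak setting
# and returns 0 only when every setting is hardened.
assess_storage_posture() {
  local public_access=$1 default_action=$2 pe_policies=$3 ok=0
  [ "$public_access" = Disabled ] || {
    echo "FINDING: publicNetworkAccess=$public_access (service still reachable via its public IP)"; ok=1; }
  [ "$default_action" = Deny ] || {
    echo "FINDING: networkAcls.defaultAction=$default_action (storage firewall allows any source)"; ok=1; }
  [ "$pe_policies" = Enabled ] || {
    echo "FINDING: privateEndpointNetworkPolicies=$pe_policies (NSG/UDR not applied to the endpoint NIC)"; ok=1; }
  return $ok
}

# Read the live settings with az and feed them to the assessor.
audit() {
  local pna da pol
  pna=$(az storage account show -g "$RG" -n "$ACCOUNT" --query publicNetworkAccess -o tsv)
  da=$(az storage account show -g "$RG" -n "$ACCOUNT" --query networkRuleSet.defaultAction -o tsv)
  pol=$(az network vnet subnet show -g "$RG" --vnet-name "$VNET" -n "$SUBNET" \
        --query privateEndpointNetworkPolicies -o tsv)
  # An unset publicNetworkAccess means "Enabled" on a storage account.
  assess_storage_posture "${pna:-Enabled}" "${da:-Allow}" "${pol:-Disabled}"
}

# Create the private endpoint for the blob sub-resource, then close the public
# door and enable subnet network policies so NSG rules apply to the endpoint NIC.
harden() {
  local account_id
  account_id=$(az storage account show -g "$RG" -n "$ACCOUNT" --query id -o tsv)
  az network private-endpoint create -g "$RG" -n "pe-$ACCOUNT" \
    --vnet-name "$VNET" --subnet "$SUBNET" \
    --private-connection-resource-id "$account_id" \
    --group-id blob --connection-name "conn-$ACCOUNT"
  az storage account update -g "$RG" -n "$ACCOUNT" \
    --public-network-access Disabled --default-action Deny
  az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$SUBNET" \
    --private-endpoint-network-policies Enabled
}

case ${1:-} in
  audit)  audit ;;
  harden) harden ;;
esac
```

Run `./pe-posture.sh audit` before and after `./pe-posture.sh harden`; the audit should go from three findings to none. The private endpoint is created first so that clients inside the VNet keep working while the public path is being closed.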

DNS configuration

The DNS settings that you use to connect to a private-link resource are important. Existing Azure services might already have a DNS configuration you can use when you're connecting over a public endpoint. To connect to the same service over a private endpoint, separate DNS settings, usually configured via private DNS zones, are required. Ensure that your DNS settings are correct when you use the fully qualified domain name (FQDN) for the connection: the name must resolve to the private IP address of the private endpoint, otherwise the client silently takes the public path.

The network interface associated with the private endpoint contains the information that's required to configure your DNS. The information includes the FQDN and private IP address for a private-link resource.

Use Cases

Azure Private Endpoints are commonly used in scenarios where customers want to access Azure services from a private network, such as an on-premises network or a virtual network in Azure. In these scenarios, customers can use Private Endpoints to connect to Azure services over a private connection without having to expose their data to the public internet.

  1. Securing Data Access: Combined with disabling public network access on the service, Private Endpoints keep data-plane traffic on the Azure backbone and off the public internet.

  2. Connecting to Azure Services from On-Premises Networks: Private Endpoints can be used to securely connect to Azure services from on-premises networks, allowing customers to take advantage of the benefits of Azure services while keeping their data private.

  3. Connecting to Azure Services from Azure Virtual Networks: Private Endpoints can also be used to securely connect to Azure services from within Azure Virtual Networks, providing an additional layer of security for your applications.

A Private Endpoint on its own does not make a resource's public endpoint unreachable; that happens when you disable public network access on the resource (for a storage account, set publicNetworkAccess to Disabled or the firewall default action to Deny). Once public access is disabled, a request to the public hostname from outside the virtual network is rejected: an App Service app, for instance, answers with a 403 Forbidden error page. The service is then reachable only through the private IP address of the Private Endpoint.

This is where Private DNS Zones come in. A Private DNS Zone, linked to one or more VNETs, holds the DNS records for the private endpoints. When a Private Endpoint is created for a resource, the resource's public DNS name (for example <account>.blob.core.windows.net) becomes a CNAME to a name in a privatelink subdomain (<account>.privatelink.blob.core.windows.net). A resolver on the public internet follows that CNAME on to the public IP address, while a client inside a linked VNET resolves the privatelink name from the Private DNS Zone (privatelink.blob.core.windows.net) and gets the private IP address of the endpoint. The same FQDN therefore works from both sides, and the client ends up on the private path only when its DNS is configured correctly.
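The check below is an added example, not code from the original post; it covers the DNS requirement stated in the DNS configuration section above and the CNAME chain just described. It classifies what a client's resolver returns for a private-link FQDN: a private address inside the endpoint subnet (correct), a public address although the privatelink CNAME exists (the client is not using the private DNS zone), or a public address with no privatelink CNAME at all (no private endpoint exists). The account name stapp01, the subnet 10.0.1.0/24 and the sample answers are constructed; the live check assumes `dig` is installed.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Names, addresses and sample DNS answers
# below are constructed for illustration.
set -eu

# Convert a dotted-quad IPv4 address to an integer.
ip_to_int() {
  local IFS=.
  # shellcheck disable=SC2086
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 when the address in $1 lies inside the CIDR block in $2.
ip_in_cidr() {
  local net=${2%/*} bits=${2#*/} mask
  mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Classify a resolution. $1 is the answer as printed by `dig +short` (CNAME chain,
# then the A record); $2 is the CIDR of the subnet holding the private endpoint.
# Exit status: 0 private, 1 public, 2 no address in the answer.
classify_resolution() {
  local answers=$1 cidr=$2 ip
  ip=$(printf '%s\n' "$answers" | tail -n 1)
  case $ip in
    ''|*[!0-9.]*) echo "unresolved"; return 2 ;;
  esac
  if ip_in_cidr "$ip" "$cidr"; then
    echo "private ($ip)"
    return 0
  fi
  case $answers in
    *.privatelink.*)
      echo "public ($ip): privatelink CNAME present, but this resolver is not using the private DNS zone" ;;
    *)
      echo "public ($ip): no privatelink CNAME, so no private endpoint exists for this resource" ;;
  esac
  return 1
}

# Live check (needs dig): check_private_resolution <fqdn> <subnet-cidr>
check_private_resolution() {
  classify_resolution "$(dig +short "$1")" "$2"
}

# Constructed sample answers for a hypothetical account stapp01: what a client inside a
# VNet linked to privatelink.blob.core.windows.net sees, what an internet client sees
# once a private endpoint exists, and what any client sees with no private endpoint.
SAMPLE_PRIVATE='stapp01.privatelink.blob.core.windows.net.
10.0.1.5'
SAMPLE_PUBLIC='stapp01.privatelink.blob.core.windows.net.
blob.example-stamp.store.core.windows.net.
203.0.113.10'
SAMPLE_NO_PE='blob.example-stamp.store.core.windows.net.
203.0.113.10'

if [ "${1:-}" = check ]; then
  check_private_resolution "${2:?fqdn}" "${3:?subnet cidr}"
fi
```

Run it from the workload's own network, for example `./pe-dns.sh check stapp01.blob.core.windows.net 10.0.1.0/24`: a "public" result with the privatelink CNAME present is the classic symptom of a VNet that was not linked to the private DNS zone, or of an on-premises resolver that forwards straight to public DNS.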

Control Plane vs Data Plane

It’s important to note the difference between control plane and data plane operations.

For example, let's presume we have an Azure Storage Account with a Private Endpoint applied for the blob endpoint. A control-plane operation is something like using the Azure CLI to list the account keys, which is a call to Azure Resource Manager (management.azure.com). A data-plane operation is something like listing the blobs within a private container, which is a call to the account's own blob endpoint (<account>.blob.core.windows.net).

With a Private Endpoint applied for the blob endpoint, you can perform control-plane operations regardless of your presence on the VNET. Yes, you need to be authenticated and authorized, but your source IP does not matter in this context: the private endpoint covers only the blob data-plane endpoint, and Resource Manager is unaffected.

With a data-plane operation, however, and public network access on the account disabled, you can only perform operations if you are coming at it from within the VNET (or from a peered network or a VPN/ExpressRoute-connected site whose DNS resolves the FQDN to the private endpoint). From anywhere else the same call is rejected with a 403 even with valid credentials and the right role.
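The following script is an added example, not code from the original post. It runs the two calls just described back to back and classifies a data-plane failure from the error code Azure Storage returns: AuthorizationFailure ("This request is not authorized to perform this operation") is the network-rule rejection, which is distinct from AuthorizationPermissionMismatch (the request reached the service but the identity lacks a data-plane role) and from AuthenticationFailed (bad credentials). That distinction is what tells you whether you are outside the private endpoint's reach or simply missing a role. It assumes azure-cli with a signed-in identity and hypothetical names rg-app, stapp01 and a container called private.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Assumes azure-cli, a signed-in identity
# and the hypothetical names below.
set -eu

RG=${RG:-rg-app}
ACCOUNT=${ACCOUNT:-stapp01}
CONTAINER=${CONTAINER:-private}

# Pure function: map the text az prints on a failed data-plane call to its cause.
# The ErrorCode strings are the ones Azure Storage returns in its 403 responses.
classify_storage_error() {
  case $1 in
    *AuthorizationFailure*)            echo "network-blocked" ;;  # firewall / public access disabled
    *AuthorizationPermissionMismatch*) echo "rbac-denied" ;;      # reached the service, no data role
    *AuthenticationFailed*|*InvalidAuthenticationInfo*) echo "bad-credentials" ;;
    *)                                 echo "other" ;;
  esac
}

probe() {
  # Control plane: an ARM call, answered regardless of the caller's source IP.
  if az storage account keys list -g "$RG" -n "$ACCOUNT" --query '[0].keyName' -o tsv >/dev/null 2>&1; then
    echo "control plane: OK (Resource Manager answered; source IP is not checked here)"
  else
    echo "control plane: FAILED (check login and RBAC; this is not a private endpoint issue)"
  fi

  # Data plane: talks to $ACCOUNT.blob.core.windows.net, which resolves to the private
  # endpoint only from a network that uses the private DNS zone.
  local out
  if out=$(az storage blob list --account-name "$ACCOUNT" -c "$CONTAINER" \
             --auth-mode login --query '[].name' -o tsv 2>&1); then
    echo "data plane: OK ($(printf '%s\n' "$out" | grep -c . || true) blobs listed)"
  else
    echo "data plane: FAILED, cause: $(classify_storage_error "$out")"
  fi
}

if [ "${1:-}" = probe ]; then
  probe
fi
```

Run `./pe-probe.sh probe` once from a laptop on the internet and once from a VM in the VNet: the control-plane line succeeds in both places, while the data-plane line reports network-blocked from the laptop and lists the blobs from the VM.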

For deployments to a service that has a private endpoint enabled and public access disabled, hosted CI/CD agents on the public internet can no longer reach the deployment endpoint, so you will likely need self-hosted runners or agents with network connectivity into the VNet (or a network peered to it) from which the private endpoint gets its private IP address.

Thanks for reading.