Introduction to Azure Private Endpoints
Azure Private Endpoint gives you a private, secure path to Azure PaaS services such as Azure Storage, Azure SQL Database, and Azure Data Factory. The service gets a network interface with a private IP address from a subnet in your virtual network, and clients in that network (or in peered or VPN-connected networks) reach the service over that address instead of over the public internet. Private Endpoint is built on Azure Private Link. Keep in mind that creating a private endpoint adds a private path; it does not by itself close the service's public endpoint, which is controlled by a separate setting on the service (for a storage account, public network access or the firewall default action).
In this tutorial, you will learn how to create and configure Azure Private Endpoints using the Azure CLI.
Prerequisites:
- Azure CLI installed on your local machine
- Access to an Azure subscription
Step 1: Create a Virtual Network and Subnet
The first step is to create a virtual network and a subnet that will host the Private Endpoint's network interface. Run the following command to create both:
az network vnet create \
--name myVnet \
--resource-group myResourceGroup \
--address-prefixes 10.0.0.0/16 \
--subnet-name mySubnet \
--subnet-prefixes 10.0.1.0/24
Step 2: Create a Private Endpoint
Next, create the Private Endpoint. The target resource is identified by its full resource ID, and --group-id selects which sub-resource of that target the endpoint exposes; for a storage account the choices are blob, file, queue, table, web, and dfs, and the parameter is required. Run the following command:
az network private-endpoint create \
--name myPrivateEndpoint \
--resource-group myResourceGroup \
--vnet-name myVnet \
--subnet mySubnet \
--private-connection-resource-id /subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.Storage/storageAccounts/{storage-account-name} \
--group-id blob \
--connection-name myConnection
- Replace {subscription-id}, {resource-group-name}, and {storage-account-name} with the subscription ID, resource group name, and storage account name of the PaaS resource you want to reach. The storage account may live in a different resource group from the endpoint.
- Replace blob with the sub-resource you need; one Private Endpoint serves exactly one sub-resource, so an account used for both blob and file access needs two endpoints.
- Replace myPrivateEndpoint with a name of your choice.
- Replace myResourceGroup with the name of the resource group where you want to create the Private Endpoint.
- Replace myVnet and mySubnet with the names of the virtual network and subnet you created in Step 1.
- Replace myConnection with a name of your choice.
Step 3: Configure a Private DNS Zone
Clients keep using the service's normal hostname (for example myStorageAccount.blob.core.windows.net). Public DNS aliases that name to myStorageAccount.privatelink.blob.core.windows.net, so a private DNS zone named privatelink.{sub-resource}.core.windows.net, linked to your virtual network, is what makes the name resolve to the endpoint's private IP from inside the network. Run the following command to create the zone:
az network private-dns zone create \
--name "privatelink.{sub-resource}.core.windows.net" \
--resource-group myResourceGroup
- Replace {sub-resource} with the group ID you used in Step 2; for blob storage the zone is privatelink.blob.core.windows.net. Other services use different zone names (for example privatelink.database.windows.net for Azure SQL Database), so check the zone name for the service you are connecting to.
- Replace myResourceGroup with the name of the resource group where you want to create the Private DNS Zone.
The zone must then be linked to the virtual network (az network private-dns link vnet create); a zone that is not linked is never consulted by resources in the VNet. Finally, add an A record whose name is the storage account name and whose address is the endpoint's private IP (obtained in Step 4):
az network private-dns record-set a add-record \
--record-set-name {storage-account-name} \
--zone-name "privatelink.{sub-resource}.core.windows.net" \
--resource-group myResourceGroup \
--ipv4-address {private-endpoint-ip-address}
- Replace {storage-account-name} with the name of the storage account. The record name must be the account name, not the service name, because that is the label in front of privatelink in the aliased hostname.
- Replace {private-endpoint-ip-address} with the private IP address of the Private Endpoint.
- Replace myResourceGroup with the name of the resource group that holds the zone.
Alternatively, az network private-endpoint dns-zone-group create attaches the zone to the endpoint so that Azure creates and maintains the A record for you; this is the less error-prone option, since a stale manual record silently sends clients to the wrong address.
Step 4: Verify Private Endpoint Connectivity
First, get the private IP address assigned to the Private Endpoint. The address belongs to the endpoint's network interface, and the endpoint resource reports it, together with the FQDN it serves, under customDnsConfigs:
az network private-endpoint show \
--name myPrivateEndpoint \
--resource-group myResourceGroup \
--query "customDnsConfigs[0].ipAddresses[0]" \
--output tsv
This prints an address from mySubnet (for example 10.0.1.4). Next, confirm the hostname of the service you are going to test against. For Azure Storage, the blob endpoint is:
az storage account show \
--name myStorageAccount \
--resource-group myResourceGroup \
--query "primaryEndpoints.blob" \
--output tsv
- Replace myStorageAccount with the name of the storage account you want to access.
- Replace myResourceGroup with the name of the resource group where the storage account is located.
This command returns the blob endpoint URL, for example https://myStorageAccount.blob.core.windows.net/. The URL is the same whether or not a Private Endpoint exists; what changes is what the name resolves to. From a VM inside myVnet (or in a network linked to the private DNS zone), resolve the hostname with nslookup or dig: you should see a CNAME to myStorageAccount.privatelink.blob.core.windows.net followed by the private IP from the first command. If a public address comes back instead, the zone is missing, not linked to the VNet, or its A record is wrong. From outside the VNet the name still resolves to the public IP, because a Private Endpoint adds a private path but does not remove the public one. To force all traffic through the endpoint, disable public access on the account (az storage account update --public-network-access Disabled, or --default-action Deny with explicit firewall exceptions), then check that a request from outside the VNet is refused while the same request from inside still succeeds. Azure CLI data-plane commands and SDK clients connect to the normal hostname, so they use the Private Endpoint automatically when run from inside the network; no extra flags are needed.
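The four steps above as one script, added here as an example (not code from the original page): it creates the network, a storage account with public access disabled, the private endpoint for the blob sub-resource, and the private DNS zone with a VNet link and a DNS zone group, then prints the endpoint's private IP. The resource names (myResourceGroup, myVnet, mystorageacct123, and so on), the region, and the two sample resolver outputs are assumptions for illustration; the storage account name must be globally unique. The Azure calls only run when RUN_AZURE=1 is set, so the two pure helpers (zone name lookup and a resolution check meant to be run from a VM inside the VNet) can be exercised offline.

```shell
#!/bin/sh
# Added example, not the page's own code. Names and region are assumptions.
set -eu

RG="${RG:-myResourceGroup}"
LOCATION="${LOCATION:-eastus}"
VNET="${VNET:-myVnet}"
SUBNET="${SUBNET:-mySubnet}"
SA="${SA:-mystorageacct123}"   # must be globally unique, 3-24 lowercase alphanumerics
PE="${PE:-myPrivateEndpoint}"
GROUP_ID="${GROUP_ID:-blob}"   # storage sub-resource: blob, file, queue, table, web, dfs

# Private DNS zone Azure expects for a storage sub-resource. Pure shell, no az.
pe_zone_for_group() {
  case "$1" in
    blob|file|queue|table|web|dfs) printf 'privatelink.%s.core.windows.net\n' "$1" ;;
    *) printf 'unsupported storage group id: %s\n' "$1" >&2; return 1 ;;
  esac
}

# Succeed only if resolver output (dig +short style: CNAME chain, then the
# address) went through the privatelink alias AND ended at the expected
# private IP. A public address, or a bare IP with no privatelink hop, fails.
check_resolution() {
  local expected_ip="$1" resolver_output="$2"
  local saw_privatelink=0 resolved_ip=""
  while IFS= read -r line; do
    case "$line" in
      *.privatelink.*) saw_privatelink=1 ;;
      [0-9]*.[0-9]*.[0-9]*.[0-9]*) resolved_ip="$line" ;;
    esac
  done <<EOF
$resolver_output
EOF
  [ "$saw_privatelink" -eq 1 ] && [ "$resolved_ip" = "$expected_ip" ]
}

# Steps 1-3 end to end; prints the endpoint's private IP on success.
deploy() {
  zone="$(pe_zone_for_group "$GROUP_ID")"
  az group create --name "$RG" --location "$LOCATION" --output none
  az network vnet create --name "$VNET" --resource-group "$RG" \
    --address-prefixes 10.0.0.0/16 --subnet-name "$SUBNET" \
    --subnet-prefixes 10.0.1.0/24 --output none
  # Public network access off from the start: the endpoint is the only path.
  # An endpoint alone would leave the public endpoint reachable.
  az storage account create --name "$SA" --resource-group "$RG" \
    --location "$LOCATION" --sku Standard_LRS --kind StorageV2 \
    --min-tls-version TLS1_2 --allow-blob-public-access false \
    --public-network-access Disabled --output none
  sa_id="$(az storage account show --name "$SA" --resource-group "$RG" \
    --query id --output tsv)"
  # --group-id selects the sub-resource and is required for storage accounts.
  az network private-endpoint create --name "$PE" --resource-group "$RG" \
    --vnet-name "$VNET" --subnet "$SUBNET" \
    --private-connection-resource-id "$sa_id" --group-id "$GROUP_ID" \
    --connection-name "${PE}-conn" --output none
  # Zone, VNet link, and a zone group so Azure maintains the A record itself.
  az network private-dns zone create --resource-group "$RG" --name "$zone" --output none
  az network private-dns link vnet create --resource-group "$RG" --zone-name "$zone" \
    --name "${VNET}-link" --virtual-network "$VNET" --registration-enabled false --output none
  az network private-endpoint dns-zone-group create --resource-group "$RG" \
    --endpoint-name "$PE" --name default --private-dns-zone "$zone" \
    --zone-name "$GROUP_ID" --output none
  az network private-endpoint show --name "$PE" --resource-group "$RG" \
    --query 'customDnsConfigs[0].ipAddresses[0]' --output tsv
}

# Step 4, run from a VM inside the VNet with the IP printed by deploy. For
# group IDs other than web the public hostname is <account>.<group>.core.windows.net.
verify_from_vnet() {
  check_resolution "$1" "$(dig +short "${SA}.${GROUP_ID}.core.windows.net")"
}

# Constructed sample of dig +short output from inside the VNet (not captured
# from a real deployment): CNAME to the privatelink alias, then the private IP.
SAMPLE_PRIVATE='mystorageacct123.privatelink.blob.core.windows.net.
10.0.1.4'
# Constructed sample of what a client outside the VNet sees: the same alias,
# but ending at a public address. check_resolution must reject this.
SAMPLE_PUBLIC='mystorageacct123.privatelink.blob.core.windows.net.
blob.example-cluster.store.core.windows.net.
20.60.1.2'

offline_selfcheck() {
  check_resolution 10.0.1.4 "$SAMPLE_PRIVATE" || return 1
  if check_resolution 10.0.1.4 "$SAMPLE_PUBLIC"; then return 1; fi
  return 0
}

if [ "${RUN_AZURE:-0}" = "1" ]; then
  ip="$(deploy)"
  printf 'private endpoint IP: %s\n' "$ip"
else
  offline_selfcheck && printf 'offline self-check passed; set RUN_AZURE=1 to deploy\n'
fi
```

Run `RUN_AZURE=1 sh pe.sh` from a machine logged in with `az login`; then copy the script to a VM in myVnet and call `verify_from_vnet <ip>` there. The check deliberately requires both the privatelink hop and the private address, because a resolver outside the VNet also passes through the privatelink alias before landing on a public IP, and matching on the alias alone would report success for a path that never enters the endpoint.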
Conclusion
In this tutorial, you learned how to create and configure an Azure Private Endpoint using the Azure CLI: a subnet to host it, the endpoint itself bound to one sub-resource of the target, and a private DNS zone linked to the virtual network so that the service's normal hostname resolves to the private address. With a Private Endpoint, clients in your virtual network reach Azure PaaS services such as storage accounts without traversing the public internet; to keep everyone else out, also disable the service's public network access.