A private endpoint is a network interface that uses a private IP address from your virtual network. This network interface connects you privately and securely to a service that's powered by Azure Private Link. By enabling a private endpoint, you're bringing the service into your virtual network.
The service could be an Azure service such as:
- Azure Storage
- Azure Cosmos DB
- Azure SQL Database
- Your own service, using Private Link service.
Private endpoint properties
A private endpoint specifies the following properties:
Property | Description |
---|---|
Name | A unique name within the resource group. |
Subnet | The subnet to deploy, where the private IP address is assigned. For subnet requirements, see the Limitations section later in this article. |
Private-link resource | The private-link resource to connect by using a resource ID or alias, from the list of available types. A unique network identifier is generated for all traffic that's sent to this resource. |
Target subresource | The subresource to connect. Each private-link resource type has various options to select based on preference. |
Connection approval method | Automatic or manual. Depending on the Azure role-based access control (RBAC) permissions, your private endpoint can be approved automatically. If you're connecting to a private-link resource without Azure RBAC permissions, use the manual method to allow the owner of the resource to approve the connection. |
Request message | You can specify a message for requested connections to be approved manually. This message can be used to identify a specific request. |
Connection status | A read-only property that specifies whether the private endpoint is active. Only private endpoints in an Approved state can be used to send traffic. Additional available states: Pending, Rejected, Disconnected. |
As you're creating private endpoints, consider the following:
Private endpoints enable connectivity between the customers from the same:
- Virtual network
- Regionally peered virtual networks
- Globally peered virtual networks
- On-premises environments that use VPN or Express Route
- Services that are powered by Private Link
Network connections can be initiated only by clients that are connecting to the private endpoint. Service providers don't have a routing configuration to create connections into service customers. Connections can be established in a single direction only.
A read-only network interface is automatically created for the lifecycle of the private endpoint. The interface is assigned a dynamic private IP address from the subnet that maps to the private-link resource. The value of the private IP address remains unchanged for the entire lifecycle of the private endpoint.
The private endpoint must be deployed in the same region and subscription as the virtual network.
The private-link resource can be deployed in a different region than the one for the virtual network and private endpoint.
Multiple private endpoints can be created with the same private-link resource. For a single network using a common DNS server configuration, the recommended practice is to use a single private endpoint for a specified private-link resource. Use this practice to avoid duplicate entries or conflicts in DNS resolution.
Multiple private endpoints can be created on the same or different subnets within the same virtual network. There are limits to the number of private endpoints you can create in a subscription. For more information, see Azure limits.
The subscription that contains the private link resource must be registered with the Microsoft network resource provider. The subscription that contains the private endpoint must also be registered with the Microsoft network resource provider. For more information, see Azure Resource Providers.
Private-link resource
A private-link resource is the destination target of a specified private endpoint. The following table lists the available resources that support a private endpoint:
Private-link resource name | Resource type | Subresources |
---|---|---|
Azure App Configuration | Microsoft.Appconfiguration/configurationStores | configurationStores |
Azure Automation | Microsoft.Automation/automationAccounts | Webhook, DSCAndHybridWorker |
Azure Cosmos DB | Microsoft.AzureCosmosDB/databaseAccounts | SQL, MongoDB, Cassandra, Gremlin, Table |
Azure Batch | Microsoft.Batch/batchAccounts | batchAccount, nodeManagement |
Azure Cache for Redis | Microsoft.Cache/Redis | redisCache |
Azure Cache for Redis Enterprise | Microsoft.Cache/redisEnterprise | redisEnterprise |
Azure Cognitive Services | Microsoft.CognitiveServices/accounts | account |
Azure Managed Disks | Microsoft.Compute/diskAccesses | managed disk |
Azure Container Registry | Microsoft.ContainerRegistry/registries | registry |
Azure Kubernetes Service - Kubernetes API | Microsoft.ContainerService/managedClusters | management |
Azure Data Factory | Microsoft.DataFactory/factories | dataFactory |
Azure Data Explorer | Microsoft.Kusto/clusters | cluster |
Azure Database for MariaDB | Microsoft.DBforMariaDB/servers | mariadbServer |
Azure Database for MySQL | Microsoft.DBforMySQL/servers | mysqlServer |
Azure Database for PostgreSQL - Single server | Microsoft.DBforPostgreSQL/servers | postgresqlServer |
Azure Device Provisioning Service | Microsoft.Devices/provisioningServices | iotDps |
Azure IoT Hub | Microsoft.Devices/IotHubs | iotHub |
Azure IoT Central | Microsoft.IoTCentral/IoTApps | IoTApps |
Azure Digital Twins | Microsoft.DigitalTwins/digitalTwinsInstances | API |
Azure Event Grid | Microsoft.EventGrid/domains | domain |
Azure Event Grid | Microsoft.EventGrid/topics | topic |
Azure Event Hub | Microsoft.EventHub/namespaces | namespace |
Azure HDInsight | Microsoft.HDInsight/clusters | cluster |
Azure API for FHIR (Fast Healthcare Interoperability Resources) | Microsoft.HealthcareApis/services | fhir |
Azure Key Vault HSM (hardware security module) | Microsoft.Keyvault/managedHSMs | HSM |
Azure Key Vault | Microsoft.KeyVault/vaults | vault |
Azure Machine Learning | Microsoft.MachineLearningServices/workspaces | amlworkspace |
Azure Migrate | Microsoft.Migrate/assessmentProjects | project |
Application Gateway | Microsoft.Network/applicationgateways | application gateway |
Private Link service (your own service) | Microsoft.Network/privateLinkServices | empty |
Power BI | Microsoft.PowerBI/privateLinkServicesForPowerBI | Power BI |
Microsoft Purview | Microsoft.Purview/accounts | account |
Microsoft Purview | Microsoft.Purview/accounts | portal |
Azure Backup | Microsoft.RecoveryServices/vaults | vault |
Azure Relay | Microsoft.Relay/namespaces | namespace |
Azure Cognitive Search | Microsoft.Search/searchServices | searchService |
Azure Service Bus | Microsoft.ServiceBus/namespaces | namespace |
Azure SignalR Service | Microsoft.SignalRService/SignalR | signalr |
Azure SignalR Service | Microsoft.SignalRService/webPubSub | webpubsub |
Azure SQL Database | Microsoft.Sql/servers | SQL Server (sqlServer) |
Azure Storage | Microsoft.Storage/storageAccounts | Blob (blob, blob_secondary); Table (table, table_secondary); Queue (queue, queue_secondary); File (file, file_secondary); Web (web, web_secondary); Dfs (dfs, dfs_secondary) |
Azure File Sync | Microsoft.StorageSync/storageSyncServices | File Sync Service |
Azure Synapse | Microsoft.Synapse/privateLinkHubs | web |
Azure Synapse Analytics | Microsoft.Synapse/workspaces | Sql, SqlOnDemand, Dev |
Azure App Service | Microsoft.Web/hostingEnvironments | hosting environment |
Azure App Service | Microsoft.Web/sites | sites |
Azure Static Web Apps | Microsoft.Web/staticSites | staticSites |
Azure Media Services | Microsoft.Media/mediaservices | keydelivery, liveevent, streamingendpoint |
Azure Databricks | Microsoft.Databricks/workspaces | databricks_ui_api, browser_authentication |
Note
You can create private endpoints only on a General Purpose v2 (GPv2) storage account.
Network security of private endpoints
When you use private endpoints, traffic is secured to a private-link resource. The platform validates network connections, allowing only those that reach the specified private-link resource. To access additional sub-resources within the same Azure service, additional private endpoints with corresponding targets are required. In the case of Azure Storage, for instance, you would need separate private endpoints to access the file and blob sub-resources.
Private endpoints provide a privately accessible IP address for the Azure service, but do not necessarily restrict public network access to it. Azure App Service and Azure Functions become inaccessible publicly when they are associated with a private endpoint. All other Azure services require additional access controls, however. These controls provide an extra network security layer to your resources, providing protection that helps prevent access to the Azure service associated with the private-link resource.
Private endpoints support network policies. Network policies enable support for Network Security Groups (NSG), User Defined Routes (UDR), and Application Security Groups (ASG). For more information about enabling network policies for a private endpoint, see Manage network policies for private endpoints. To use an ASG with a private endpoint, see Configure an application security group (ASG) with a private endpoint.
Access to a private-link resource using approval workflow
You can connect to a private-link resource by using the following connection approval methods:
Automatically approve: Use this method when you own or have permissions for the specific private-link resource. The required permissions are based on the private-link resource type in the following format:
Microsoft.<Provider>/<resource_type>/privateEndpointConnectionsApproval/action
Manually request: Use this method when you don't have the required permissions and want to request access. An approval workflow is initiated: the private endpoint and, later, the private-endpoint connection are created in a Pending state, and the private-link resource owner is responsible for approving the connection. After it's approved, the private endpoint is enabled to send traffic normally, as shown in the following approval workflow diagram:
Over a private-endpoint connection, a private-link resource owner can:
- Review all private-endpoint connection details.
- Approve a private-endpoint connection. The corresponding private endpoint will be enabled to send traffic to the private-link resource.
- Reject a private-endpoint connection. The corresponding private endpoint will be updated to reflect the status.
- Delete a private-endpoint connection in any state. The corresponding private endpoint will be updated with a disconnected state to reflect the action. The private-endpoint owner can delete only the resource at this point.
Note
Only private endpoints in an Approved state can send traffic to a specified private-link resource.
Connect by using an alias
An alias is a unique moniker that's generated when a service owner creates a private-link service behind a standard load balancer. Service owners can share this alias offline with consumers of their service.
The consumers can request a connection to a private-link service by using either the resource URI or the alias. To connect by using the alias, create a private endpoint by using the manual connection approval method. To use the manual connection approval method, set the manual request parameter to True during the private-endpoint create flow. For more information, see New-AzPrivateEndpoint and az network private-endpoint create.
Note
This manual request can be auto approved if the consumer's subscription is allow-listed on the provider side. To learn more, go to controlling service access.
DNS configuration
The DNS settings that you use to connect to a private-link resource are important. Existing Azure services might already have a DNS configuration you can use when you're connecting over a public endpoint. To connect to the same service over private endpoint, separate DNS settings, often configured via private DNS zones, are required. Ensure that your DNS settings are correct when you use the fully qualified domain name (FQDN) for the connection. The settings must resolve to the private IP address of the private endpoint.
The network interface associated with the private endpoint contains the information that's required to configure your DNS. The information includes the FQDN and private IP address for a private-link resource.
For complete, detailed information about recommendations to configure DNS for private endpoints, see Private endpoint DNS configuration.
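The DNS requirement above is easy to get wrong silently: if a client resolves the resource FQDN through a resolver that does not know the private DNS zone, it gets the service's public address and never touches the private endpoint. The following check is an added example, not code from the Microsoft article; it takes the FQDN, private IP and subnet that the private endpoint NIC reports (the `PrivateEndpointNic` field names are hypothetical) and classifies what a client's DNS answer would do to its traffic. The resolver is injectable so the check can be run against constructed answers as well as the host's real DNS.

```python
"""Verify that a private-link resource FQDN resolves to the private endpoint's IP.

Added example (not from the Microsoft article). The private endpoint NIC exposes
the resource FQDN and the private IP assigned from the subnet; a client that
resolves the same FQDN to a public address bypasses the private endpoint.
"""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List

Resolver = Callable[[str], List[str]]


@dataclass
class PrivateEndpointNic:
    """Subset of what the private endpoint NIC reports (field names are hypothetical)."""
    fqdn: str         # e.g. mystorage.blob.core.windows.net (constructed value)
    private_ip: str   # dynamic private IP assigned from the subnet
    subnet: str       # subnet the endpoint was deployed into, in CIDR form


def system_resolver(name: str) -> List[str]:
    """Resolve with the host's configured DNS, i.e. what a real client sees."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)})


def check_private_resolution(nic: PrivateEndpointNic,
                             resolve: Resolver = system_resolver) -> Dict[str, object]:
    """Classify whether traffic to nic.fqdn would use the private endpoint.

    status values:
      'private'    - every answer is the endpoint's private IP
      'public'     - at least one answer is globally routable (endpoint bypassed)
      'mismatch'   - answers are private but not the IP the endpoint NIC reports
      'unresolved' - no answers at all
    """
    answers = resolve(nic.fqdn)
    subnet = ipaddress.ip_network(nic.subnet, strict=False)
    expected = ipaddress.ip_address(nic.private_ip)
    findings: List[str] = []
    if not answers:
        return {"status": "unresolved", "answers": [], "findings": ["no A records returned"]}
    public = [a for a in answers if ipaddress.ip_address(a).is_global]
    if public:
        findings.append(f"resolves to public address(es) {public}: "
                        "client would bypass the private endpoint")
        return {"status": "public", "answers": answers, "findings": findings}
    wrong = [a for a in answers if ipaddress.ip_address(a) != expected]
    if wrong:
        findings.append(f"private answer(s) {wrong} do not match endpoint IP {expected}")
        for a in wrong:
            if ipaddress.ip_address(a) not in subnet:
                findings.append(f"{a} is outside the endpoint subnet {subnet} "
                                "(stale or mis-targeted zone record?)")
        return {"status": "mismatch", "answers": answers, "findings": findings}
    return {"status": "private", "answers": answers, "findings": []}


if __name__ == "__main__":
    nic = PrivateEndpointNic("mystorage.blob.core.windows.net", "10.1.2.5", "10.1.2.0/28")
    # Constructed DNS answers standing in for three client configurations.
    scenarios = {
        "private zone linked": ["10.1.2.5"],
        "public resolver": ["52.239.1.10"],
        "stale record": ["10.1.3.9"],
    }
    for label, answers in scenarios.items():
        verdict = check_private_resolution(nic, lambda _name, a=answers: a)
        print(f"{label:20} -> {verdict['status']}: {verdict['findings']}")
```

Run it without arguments to see the three constructed cases; replace the lambda with the default `system_resolver` on a VM in the virtual network to test the real DNS path.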
Limitations
The following tables list the known limitations of private endpoints:
Network security group
Limitation | Description |
---|---|
Effective routes and security rules unavailable for private endpoint network interface. | Effective routes and security rules won't be displayed for the private endpoint NIC in the Azure portal. |
NSG flow logs unsupported. | NSG flow logs unavailable for inbound traffic destined for a private endpoint. |
No more than 50 members in an Application Security Group. | Fifty is the number of IP Configurations that can be tied to each respective ASG that’s coupled to the NSG on the private endpoint subnet. Connection failures may occur with more than 50 members. |
Destination port ranges supported up to a factor of 250K. | Destination port ranges are supported as the product of SourceAddressPrefixes, DestinationAddressPrefixes, and DestinationPortRanges. Example inbound rules: 1 source * 1 destination * 4K portRanges = 4K (valid); 10 sources * 10 destinations * 10 portRanges = 1K (valid); 50 sources * 50 destinations * 50 portRanges = 125K (valid); 50 sources * 50 destinations * 100 portRanges = 250K (valid); 100 sources * 100 destinations * 100 portRanges = 1M (invalid: the NSG has too many sources, destinations, or ports). |
Source port filtering is interpreted as *. | Source port filtering isn't treated as a valid scenario for filtering traffic destined to a private endpoint. |
Feature unavailable in select regions. | Currently unavailable in the following regions: West India, Australia Central 2, South Africa West, Brazil Southeast |
NSG additional considerations
Outbound traffic denied from a private endpoint isn't a valid scenario, as the service provider can't originate traffic.
The following services may require all destination ports to be open when you use a private endpoint and add NSG security filters:
- Azure Cosmos DB - For more information, see Service port ranges.
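The NSG limits in the table above are worth checking before a rule is deployed to a private endpoint subnet, because exceeding them fails at connection time rather than at deployment. The lint below is an added example, not code from the Microsoft article: it models a rule on the ARM `securityRules` property names (the singular `sourceAddressPrefix` and plural `sourceAddressPrefixes` forms both occur), computes the sources x destinations x port-ranges factor, flags an ASG that exceeds 50 members, and warns when a source-port filter is relied on. The ASG member counts and rule contents are constructed inputs.

```python
"""Pre-deployment lint for NSG rules on a private endpoint subnet.

Added example (not from the Microsoft article). It encodes the limits the
article's NSG table states: the product of source prefixes x destination
prefixes x destination port ranges in one rule must not exceed 250K, an ASG
referenced by the rule may carry at most 50 members, and a source-port filter
is interpreted as '*' for traffic destined to a private endpoint.
"""
from typing import Dict, List

MAX_RULE_FACTOR = 250_000   # from the article's NSG limitation table
MAX_ASG_MEMBERS = 50        # IP configurations per ASG coupled to the NSG


def _as_list(rule: Dict, singular: str, plural: str) -> List[str]:
    """ARM rules carry either the singular or the plural field; normalise to a list.

    A rule with neither field behaves as the wildcard '*', which counts as one entry.
    """
    values = list(rule.get(plural) or [])
    if rule.get(singular):
        values.append(rule[singular])
    return values or ["*"]


def rule_factor(rule: Dict) -> int:
    """The figure the 250K limit applies to: sources x destinations x port ranges."""
    sources = _as_list(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
    destinations = _as_list(rule, "destinationAddressPrefix", "destinationAddressPrefixes")
    ports = _as_list(rule, "destinationPortRange", "destinationPortRanges")
    return len(sources) * len(destinations) * len(ports)


def lint_rule(rule: Dict, asg_members: Dict[str, int]) -> List[str]:
    """Return findings for one rule; an empty list means it fits the documented limits.

    asg_members maps an ASG resource id to its current IP-configuration count,
    which the caller looks up separately (constructed in the demo below).
    """
    name = rule.get("name", "<unnamed>")
    findings: List[str] = []
    factor = rule_factor(rule)
    if factor > MAX_RULE_FACTOR:
        findings.append(f"{name}: factor {factor:,} exceeds {MAX_RULE_FACTOR:,}; split the rule")
    src_ports = _as_list(rule, "sourcePortRange", "sourcePortRanges")
    if src_ports != ["*"]:
        findings.append(f"{name}: source port filter {src_ports} is interpreted as * "
                        "for private endpoint traffic and gives no protection")
    for key in ("sourceApplicationSecurityGroups", "destinationApplicationSecurityGroups"):
        for asg in rule.get(key, []):
            members = asg_members.get(asg["id"], 0)
            if members > MAX_ASG_MEMBERS:
                findings.append(f"{name}: ASG {asg['id']} has {members} members "
                                f"(> {MAX_ASG_MEMBERS}); connections may fail")
    return findings


if __name__ == "__main__":
    # Constructed rules; the ASG id is a placeholder, not a real resource id.
    rules = [
        {"name": "allow-web-to-pe",
         "sourceApplicationSecurityGroups": [{"id": "<asg-web-placeholder>"}],
         "destinationAddressPrefix": "10.1.2.5",
         "sourcePortRange": "443", "destinationPortRange": "443"},
        {"name": "allow-many",
         "sourceAddressPrefixes": [f"10.0.{i}.0/24" for i in range(100)],
         "destinationAddressPrefixes": [f"10.1.{i}.0/24" for i in range(100)],
         "destinationPortRanges": [str(p) for p in range(1000, 1100)]},
    ]
    for r in rules:
        print(r["name"], rule_factor(r), lint_rule(r, {"<asg-web-placeholder>": 60}))
```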
UDR
Limitation | Description |
---|---|
SNAT is recommended at all times. | Due to the variable nature of the private endpoint data-plane, it's recommended to SNAT traffic destined to a private endpoint to ensure return traffic is honored. |
Feature unavailable in select regions. | Currently unavailable in the following regions: West India, UK North, UK South 2, Australia Central 2, South Africa West, Brazil Southeast |
Application security group
Limitation | Description |
---|---|
Feature unavailable in select regions. | Currently unavailable in the following regions: West India, UK North, UK South 2, Australia Central 2, South Africa West, Brazil Southeast |
Next steps
- For more information about private endpoints and Private Link, see What is Azure Private Link?.
- To get started with creating a private endpoint for a web app, see Quickstart: Create a private endpoint by using the Azure portal.