Azure Private Endpoints

🔒 What is an Azure Private Endpoint?

  • A private endpoint is a network interface in your Virtual Network (VNet) that connects you privately and securely to an Azure service.
  • Instead of accessing the service (e.g., Storage, SQL Database, Cosmos DB, Key Vault) via a public IP, traffic flows through a private IP inside your VNet.
  • Uses Azure Private Link technology.

🛠 How It Works

  1. You create a Private Endpoint for a resource (like a Storage Account).
  2. Azure assigns a private IP from your VNet to this endpoint.
  3. Traffic from your VNet goes to this private IP and reaches the Azure service without leaving Microsoft’s backbone network.
  4. The service’s public endpoint is still there, but you can restrict/block it.

📂 Example: Azure Storage with Private Endpoint

  • You have a Storage Account mystorage.blob.core.windows.net.
  • Normally, you’d connect via the public internet using that FQDN.
  • With a Private Endpoint, Azure will map:
    mystorage.privatelink.blob.core.windows.net → 10.1.0.5  (private IP inside your VNet)
  • So apps in your VNet access Storage via the private IP.
  • You can then disable all public access to the Storage Account for maximum security.

✅ Benefits

  • Security: No public internet exposure.
  • Compliance: Meets strict data residency/security requirements.
  • Integration: Works with Azure PaaS (Storage, SQL, Cosmos DB, Key Vault, etc.) and your own services behind Azure Standard Load Balancer.

βš™οΈ Configuration Steps (High-Level)πŸ”—

  1. Create a VNet & Subnet.
  2. Create a Private Endpoint:
     • Choose the target service (e.g., Storage Account → Blob).
     • Pick the VNet + subnet.
     • A NIC with a private IP gets created.
  3. Update DNS:
     • Ensure the service FQDN resolves to the private IP (via an Azure Private DNS Zone).
  4. Restrict Public Access:
     • Disable public network access on the resource.

🚀 Azure CLI Example

# Create a Private Endpoint for the Storage Account (blob sub-resource)
az network private-endpoint create \
  --name mystorage-pe \
  --resource-group myResourceGroup \
  --vnet-name myVNet \
  --subnet mySubnet \
  --private-connection-resource-id $(az storage account show -n mystorage -g myResourceGroup --query id -o tsv) \
  --group-id blob \
  --connection-name mystorage-connection

# Create the Private DNS Zone and link it to the VNet
# (auto-registration off: this zone holds only the privatelink A record, not VM hostnames)
az network private-dns zone create -g myResourceGroup -n "privatelink.blob.core.windows.net"
az network private-dns link vnet create -g myResourceGroup -n "link-myvnet" -z "privatelink.blob.core.windows.net" -v myVNet -e false

# Attach the zone to the endpoint so Azure creates and maintains the A record for the private IP
az network private-endpoint dns-zone-group create -g myResourceGroup --endpoint-name mystorage-pe -n mystorage-zone-group \
  --private-dns-zone "privatelink.blob.core.windows.net" --zone-name "privatelink.blob.core.windows.net"

Architecture

[architecture diagram]


🌍 Real-World Use Cases

  • Connect to Azure SQL Database from on-prem via ExpressRoute/VPN + a private endpoint (no internet).
  • Secure Azure Storage for Databricks / Synapse pipelines.
  • Access Key Vault privately from inside a VNet.

Easier Explanation

In Azure, a Private Endpoint is a network interface that connects you privately and securely to a service powered by Azure Private Link.

Instead of accessing services over the public internet, a private endpoint lets you access them through your virtual network (VNet) using private IP addresses.


🔑 Key Points

  1. Private IP – The service (e.g., Azure Storage, SQL Database, Key Vault, etc.) gets a private IP inside your VNet.
  2. No Public Exposure – Traffic stays within the Microsoft backbone network instead of going over the internet.
  3. DNS Integration – You use private DNS zones so that service names (e.g., mystorageaccount.blob.core.windows.net) resolve to the private IP.
  4. Secure Access – Only resources in your VNet (or peered VNets) can connect to the service.
  5. Isolation – You can disable all public access to the service and allow only private endpoint traffic.

✅ Example Scenarios

  • Azure Storage Account: Instead of accessing a blob container over the internet, a private endpoint gives your VM a private IP connection.
  • Azure SQL Database: Applications inside your VNet can connect privately without opening public firewall rules.
  • Azure Key Vault: Secrets can be retrieved over a private IP, protecting against data exfiltration.

📊 How it works

  1. You create a Private Endpoint in your VNet.
  2. Azure assigns a private IP from your VNet to that endpoint.
  3. When your application resolves the service’s FQDN, it gets the private IP (via DNS configuration).
  4. The traffic routes securely through Azure Private Link (Microsoft backbone).

👉 Think of it like this: Instead of going out to the internet and back into Azure services, Private Endpoints bring the service into your VNet using a private IP.


Private Endpoints vs Service Endpoints

Perfect question πŸ‘ β€” this comes up a lot in interviews. Let’s break it down:


🔹 Private Endpoint vs. Service Endpoint

Connectivity
  • Private Endpoint: Connects to the service using a private IP inside your VNet.
  • Service Endpoint: Extends your VNet identity to the service’s public IP. Traffic still flows to the service’s public endpoint.

Security
  • Private Endpoint: The service can be locked down to only allow private endpoints → no public exposure.
  • Service Endpoint: The service is still reachable on the public internet, but limited to specific VNet/subnet(s).

Traffic Path
  • Private Endpoint: Goes through the Azure backbone via Private Link → never leaves the Microsoft network.
  • Service Endpoint: Still reaches the service’s public endpoint, but Azure keeps it on the backbone (it doesn’t traverse the open internet).

DNS Requirement
  • Private Endpoint: Needs DNS zone integration so the service FQDN resolves to the private IP.
  • Service Endpoint: No DNS changes needed (uses the public IP).

Granularity
  • Private Endpoint: Works at the instance level (e.g., a specific storage account, SQL DB, Key Vault).
  • Service Endpoint: Works at the service level (all storage accounts in a region, etc.).

Access Control
  • Private Endpoint: You can disable public access completely and force all traffic through the private endpoint.
  • Service Endpoint: Public access is still available unless explicitly restricted.

Cost
  • Private Endpoint: Additional cost for Private Link/Private Endpoint.
  • Service Endpoint: No extra cost (free).

Use Cases
  • Private Endpoint: High-security workloads, regulatory compliance, zero-trust architectures.
  • Service Endpoint: Simpler setup when you just want secure connectivity without exposing the service to the entire internet.

📌 Example

  • If you have an Azure SQL Database:
     • Private Endpoint → Your app in the VNet connects to SQL over a private IP. You can block all public access.
     • Service Endpoint → Your app connects over SQL’s public IP, but Azure recognizes it’s coming from your VNet and allows it.

👉 In short:

  • Private Endpoint = Private IP, highest security, service instance–level.
  • Service Endpoint = Public IP, simpler, service-level restriction.

Analogy

Great — let’s make this real-world and easy to remember 👇


🏠 Analogy: Private Endpoint vs Service Endpoint

Private Endpoint (VIP Door Inside Your House)

  • Imagine you hire a bank (Azure service) to keep your valuables.
  • Instead of visiting their public branch office (internet), the bank builds a special private door inside your house that directly connects to your locker.
  • Only you (inside your house / VNet) can use it.
  • Outsiders can’t even see the locker’s public branch anymore (because you can disable public access).
  • More secure, but costs extra (you’re paying for that VIP private door).

Service Endpoint (Fast Lane to the Bank Branch)

  • You still go to the public branch office (public IP of service).
  • But the bank recognizes you as a VIP customer from your gated community (VNet/subnet).
  • They let you skip the long queue and give you a secure corridor directly into the branch.
  • Others can still access the branch (public access remains).
  • Free and simpler, but less private than the “door inside your house.”

🎯 Quick Mnemonic

  • Private Endpoint = Private Door (service inside your VNet)
  • Service Endpoint = VIP Lane (still public, just secured to your VNet)

Example

Great question — let’s go through an Azure Private Link example step by step.


🔹 What is Azure Private Link?

Azure Private Link lets you access Azure services over a private IP address inside your Virtual Network (VNet).

  • Without Private Link → your app connects to a public endpoint (internet-exposed).
  • With Private Link → your app connects to a private endpoint (private IP in your VNet), and traffic still reaches the Azure service securely over Microsoft’s backbone network.

🔹 Example Scenario

You have:

  • An App VM in a Virtual Network.
  • An Azure Storage Account.

👉 You want the VM to connect to the storage account securely without going over the public internet.


🔹 Step-by-Step Setup

1. Create a VNet + VM

# Create resource group
az group create -n myRG -l eastus

# Create VNet + subnet
az network vnet create \
  --name myVNet \
  --resource-group myRG \
  --address-prefix 10.0.0.0/16 \
  --subnet-name mySubnet \
  --subnet-prefix 10.0.1.0/24

# Create VM in VNet (Linux example)
# The old "UbuntuLTS" image alias has been retired from the Azure CLI; "Ubuntu2204" is a current alias.
az vm create \
  --resource-group myRG \
  --name myVM \
  --image Ubuntu2204 \
  --admin-username azureuser \
  --generate-ssh-keys \
  --vnet-name myVNet \
  --subnet mySubnet

2. Create a Storage Account

az storage account create \
  --name mystoragepldemo \
  --resource-group myRG \
  --location eastus \
  --sku Standard_LRS \
  --kind StorageV2

3. Create a Private Endpoint

This links the storage account to your VNet with a private IP.

az network private-endpoint create \
  --resource-group myRG \
  --name myPrivateEndpoint \
  --vnet-name myVNet \
  --subnet mySubnet \
  --private-connection-resource-id $(az storage account show \
        --name mystoragepldemo \
        --resource-group myRG \
        --query "id" -o tsv) \
  --group-id blob \
  --connection-name myConnection

  • --group-id blob → connects specifically to the Blob service.
  • A private IP (like 10.0.1.4) is assigned inside mySubnet.

4. Configure Private DNS

Private endpoints require DNS to resolve the storage account name to the private IP.

az network private-dns zone create \
  --resource-group myRG \
  --name "privatelink.blob.core.windows.net"

az network private-dns link vnet create \
  --resource-group myRG \
  --zone-name "privatelink.blob.core.windows.net" \
  --name MyDNSLink \
  --virtual-network myVNet \
  --registration-enabled false

az network private-endpoint dns-zone-group create \
  --resource-group myRG \
  --endpoint-name myPrivateEndpoint \
  --name MyZoneGroup \
  --private-dns-zone "privatelink.blob.core.windows.net" \
  --zone-name "privatelink.blob.core.windows.net"

Now, mystoragepldemo.blob.core.windows.net resolves to the private IP (10.0.x.x) inside your VNet.

An A record mystoragepldemo → 10.0.1.4 is created in the privatelink.blob.core.windows.net zone, and the public name mystoragepldemo.blob.core.windows.net reaches it through a CNAME.


5. Test from VM

SSH into the VM:

ssh azureuser@<public-ip-of-vm>

Test DNS resolution:

nslookup mystoragepldemo.blob.core.windows.net

✅ Should resolve to 10.0.1.x (private IP).

Test connectivity:

curl https://mystoragepldemo.blob.core.windows.net/

Traffic goes through the private endpoint, not the public internet.
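A check for this test step, added here and not part of the original page or of Azure’s tooling: it parses captured Linux nslookup output and flags the common misconfiguration where the VM still resolves the public path, so traffic silently bypasses the private endpoint. The two sample outputs, the public CNAME target and the 203.0.113.10 address are constructed.

```python
import ipaddress

PRIVATELINK_SUFFIX = ".privatelink.blob.core.windows.net"
# VNet address spaces are normally RFC 1918; anything else is treated as public here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: nslookup on a VM whose VNet is linked to the privatelink zone.
SAMPLE_PRIVATE = """Server:\t\t127.0.0.53
Address:\t127.0.0.53#53

Non-authoritative answer:
mystoragepldemo.blob.core.windows.net\tcanonical name = mystoragepldemo.privatelink.blob.core.windows.net.
Name:\tmystoragepldemo.privatelink.blob.core.windows.net
Address: 10.0.1.4
"""

# Constructed sample: same lookup from a VM that still follows the public path
# (zone not linked); the CNAME target and the address are made up.
SAMPLE_PUBLIC = """Non-authoritative answer:
mystoragepldemo.blob.core.windows.net\tcanonical name = blob.example-cluster.store.core.windows.net.
Name:\tblob.example-cluster.store.core.windows.net
Address: 203.0.113.10
"""


def parse_nslookup(output):
    """Return (cname_targets, answer_ips) from Linux nslookup output."""
    cnames, ips = [], []
    for line in output.splitlines():
        if "canonical name = " in line:
            cnames.append(line.split("canonical name = ", 1)[1].strip().rstrip("."))
        elif line.startswith("Address:") and "#" not in line:  # "#53" marks the resolver line
            ips.append(line.split(":", 1)[1].strip())
    return cnames, ips


def check_private_endpoint_dns(fqdn, cnames, ips, subnet_cidr):
    """Return findings; an empty list means resolution goes through the private endpoint."""
    findings = []
    expected_alias = fqdn.split(".", 1)[0] + PRIVATELINK_SUFFIX
    if expected_alias not in cnames:
        findings.append(f"no CNAME to {expected_alias}: privatelink zone is not in effect")
    subnet = ipaddress.ip_network(subnet_cidr)
    for ip_str in ips:
        ip = ipaddress.ip_address(ip_str)
        if not any(ip in net for net in RFC1918):
            findings.append(f"{ip_str} is public: traffic is bypassing the private endpoint")
        elif ip not in subnet:
            findings.append(f"{ip_str} is private but outside the endpoint subnet {subnet_cidr}")
    return findings
```

Feed it the real output of `nslookup mystoragepldemo.blob.core.windows.net` from the VM and the private endpoint’s subnet prefix; any finding means the nslookup/curl test above is not actually exercising the private endpoint.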


🔹 Real-World Uses

  • Databricks accessing ADLS Gen2 over private link.
  • SQL Database private endpoint to keep DB off the public internet.
  • Key Vault private endpoint so secrets are only accessible in-VNet.
  • App Service → Storage Account private integration.

🔹 Key Benefits

  • Removes exposure to public internet.
  • Simplifies network security (no IP whitelisting).
  • Uses Microsoft’s backbone network for traffic.
  • Works with Azure Monitor logs to track connections.