Azure Private Link and Private Endpoints
In GCP, VPC Endpoints and Private Google Access are closely related, as described here. In Azure, likewise, Private Link and Private Endpoints are part of the same 'privatizing PaaS' offering. Keep in mind that an App Service Environment (ASE) is another option on Azure for running a private version of Azure App Service: an ASE is a fully isolated environment for running App Service apps at scale, and may be a viable option if cost is not a factor.
This post will discuss Azure Private Link as the more commonly used approach for 'disabling' public access to PaaS services on Azure.
Private Link is a service that lets you create and manage private endpoints. This is best understood via an example.
Example - Set up a private endpoint for the Azure Storage blob service
- Navigate to the Private Link Center and select "Create private endpoint." (This is what I mean by "Private Link lets you create private endpoints.")
- Enter the subscription, resource group, and a name and region for the private endpoint.
- Select "Connect to an Azure resource in my directory," then select the subscription and "Microsoft.Storage/storageAccounts" as the resource type.
- Select the name of the target resource, and then specify the target sub-resource. For storage, this can be blob, blob_secondary, table, table_secondary, dfs, or dfs_secondary.
- Select the VNet and subnet the endpoint should be deployed to.
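The same procedure as Azure CLI, added here as an example (it is not code from the original post). It assumes a logged-in az CLI, an existing VNet/subnet and storage account, and uses placeholder names; it also adds the private DNS zone and zone group that the portal wizard creates for you, since without them clients in the VNet keep resolving the storage hostname to its public address. The sub-resource-to-zone mapping covers all six storage sub-resources listed above.

```shell
#!/bin/sh
# Added example (not from the original post): the portal steps as Azure CLI, plus the
# private DNS zone that makes <storage>.blob.core.windows.net resolve to the endpoint.
# Assumes: az CLI logged in; VNet/subnet and storage account already exist.
# All names below are placeholders, overridable via the environment.
set -eu

RG="${RG:-rg-privatelink-demo}"
LOCATION="${LOCATION:-eastus}"
VNET="${VNET:-vnet-demo}"
SUBNET="${SUBNET:-snet-endpoints}"
STORAGE="${STORAGE:-stdemo123}"
GROUP_ID="${GROUP_ID:-blob}"   # blob | blob_secondary | table | table_secondary | dfs | dfs_secondary
PE_NAME="pe-${STORAGE}-${GROUP_ID}"

# Map a storage sub-resource (the "group id") to the private DNS zone Azure expects.
# The *_secondary sub-resources share the primary's zone.
private_dns_zone_for() {
  case "$1" in
    blob|blob_secondary)   echo "privatelink.blob.core.windows.net" ;;
    table|table_secondary) echo "privatelink.table.core.windows.net" ;;
    dfs|dfs_secondary)     echo "privatelink.dfs.core.windows.net" ;;
    *) echo "unsupported sub-resource: $1" >&2; return 1 ;;
  esac
}

create_storage_private_endpoint() {
  storage_id=$(az storage account show -g "$RG" -n "$STORAGE" --query id -o tsv)

  # Portal steps 1-5: the private endpoint, targeting one sub-resource of the account.
  az network private-endpoint create \
    --resource-group "$RG" --name "$PE_NAME" --location "$LOCATION" \
    --vnet-name "$VNET" --subnet "$SUBNET" \
    --private-connection-resource-id "$storage_id" \
    --group-id "$GROUP_ID" \
    --connection-name "${PE_NAME}-conn"

  # DNS: a private zone linked to the VNet (registration off: only the endpoint's
  # record belongs here) and a zone group so the endpoint's private IP is published
  # as <storage>.<zone>. The --zone-name value is just a label for the config entry.
  zone=$(private_dns_zone_for "$GROUP_ID")
  az network private-dns zone create -g "$RG" -n "$zone"
  az network private-dns link vnet create -g "$RG" --zone-name "$zone" \
    --name "${VNET}-link" --virtual-network "$VNET" --registration-enabled false
  az network private-endpoint dns-zone-group create -g "$RG" \
    --endpoint-name "$PE_NAME" --name default \
    --private-dns-zone "$zone" --zone-name "$GROUP_ID"

  # Show the private IP that was taken from the subnet.
  az network private-endpoint show -g "$RG" -n "$PE_NAME" \
    --query "customDnsConfigs[].ipAddresses[]" -o tsv
}

if command -v az >/dev/null 2>&1; then
  create_storage_private_endpoint
else
  echo "az CLI not found; functions defined but nothing created" >&2
fi
```

The endpoint is only as private as the subnet it lands in: an NSG on that subnet should still restrict which source subnets may talk to the endpoint's IP.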
Overview of Azure Private Link and Private Endpoints (for PaaS services)
Azure Private Link Service also goes hand in hand with Private Endpoints.
- The Private Link Service is defined at the VNET level.
- The endpoints are defined for each Azure PaaS Service.
- Defining an endpoint requires using the Private Link Service.
Additional Use Case - Partner Users that want to use YOUR service (e.g. your Azure Storage)
- By placing your service behind a standard Azure Load Balancer, you can enable it for Private Link.
- The consumer can then connect directly to your service using a private endpoint in their own virtual network.
- You can manage the connection requests using an approval call flow.
- Azure Private Link works for consumers and services belonging to different Azure Active Directory tenants.
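The provider side of this use case (your own service behind a Standard load balancer, exposed as a Private Link service, with the approval call flow), added here as an Azure CLI example that is not from the original post. It assumes a logged-in az CLI and an existing Standard load balancer; every name and subscription ID is a placeholder. The visibility and auto-approval lists are the least-privilege knobs: consumers outside the visibility list cannot even discover the service.

```shell
#!/bin/sh
# Added example (not from the original post): publish a service already fronted by a
# Standard Azure Load Balancer as a Private Link service, restrict which consumer
# subscriptions may see or auto-connect to it, and approve the rest by hand.
# Assumes az CLI is logged in; all names and subscription IDs are placeholders.
set -eu

RG="${RG:-rg-provider-demo}"
PLS_NAME="${PLS_NAME:-pls-myservice}"
LB_NAME="${LB_NAME:-lb-myservice}"                 # existing Standard load balancer
LB_FRONTEND="${LB_FRONTEND:-LoadBalancerFrontEnd}"
VNET="${VNET:-vnet-provider}"
NAT_SUBNET="${NAT_SUBNET:-snet-pls-nat}"           # subnet whose IPs are used to NAT toward the backend

# Consumer subscriptions allowed to discover the service (space-separated placeholders),
# and the subset that may connect without manual approval.
VISIBLE_SUBS="${VISIBLE_SUBS:-00000000-0000-0000-0000-000000000001 00000000-0000-0000-0000-000000000002}"
AUTO_APPROVE_SUBS="${AUTO_APPROVE_SUBS:-00000000-0000-0000-0000-000000000001}"

# Is the requesting subscription one we agreed to serve at all?
subscription_allowed() {
  for s in $VISIBLE_SUBS; do
    [ "$s" = "$1" ] && return 0
  done
  return 1
}

# /subscriptions/<id>/resourceGroups/... -> <id>
subscription_id_from_resource_id() {
  echo "$1" | cut -d/ -f3
}

create_private_link_service() {
  # Lists are intentionally unquoted so each ID becomes its own argument.
  az network private-link-service create -g "$RG" -n "$PLS_NAME" \
    --vnet-name "$VNET" --subnet "$NAT_SUBNET" \
    --lb-name "$LB_NAME" --lb-frontend-ip-configs "$LB_FRONTEND" \
    --visibility $VISIBLE_SUBS \
    --auto-approval $AUTO_APPROVE_SUBS
}

# Approval call flow: approve pending consumer connections only from allowed subscriptions.
review_pending_connections() {
  az network private-link-service show -g "$RG" -n "$PLS_NAME" \
    --query "privateEndpointConnections[?privateLinkServiceConnectionState.status=='Pending'].[name, privateEndpoint.id]" \
    -o tsv |
  while IFS="$(printf '\t')" read -r conn pe_id; do
    sub=$(subscription_id_from_resource_id "$pe_id")
    if subscription_allowed "$sub"; then
      az network private-link-service connection update -g "$RG" \
        --service-name "$PLS_NAME" -n "$conn" --connection-status Approved
    else
      echo "leaving $conn pending: subscription $sub is not on the allowlist" >&2
    fi
  done
}

if command -v az >/dev/null 2>&1; then
  create_private_link_service
  review_pending_connections
else
  echo "az CLI not found; functions defined but nothing created" >&2
fi
```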
What is a Private Endpoint? (Bringing your PaaS Service inside your VNET)
For instance, every storage account has a public endpoint that by default is open to clients on any network. With a private endpoint, you can assign the storage account a private IP address from a VNet, and a virtual machine (VM) in that VNet can access the storage account without going over the internet. This is powerful because it means you don't need to use public IP addresses, either at the traffic source or destination. It's as if you're bringing the storage account inside the VNet.
What is the difference between Azure Private Link and Private Endpoints?
They are similar but different. One is a SERVICE (PaaS); the other is an actual network interface (think IaaS).
Azure VNet Service Endpoints and Azure Private Endpoints (powered by Azure Private Link) both promote network security by allowing VNet traffic to communicate with service resources without going over the internet, but there are some differences.
Azure Private Link
Azure Private Link is a service that allows virtual network resources to privately connect to other resources as if they were part of the same network, carrying traffic across the Microsoft Azure backbone instead of the internet.
To take advantage of this service, you create a Private Link private endpoint.
Azure Private Endpoint
A private endpoint is a network interface that provides a private IP address to a service that would normally only be accessible to a VNet via public IP address.
What happens to the Public Endpoint for the Service?
The storage account still has a public endpoint, of course -- it doesn't go away just because you're not using it.
So if desired, you can block all traffic to its public endpoint, further reducing the account's exposure to the internet.
Use Cases for Private Endpoints
Private endpoints can be enabled for two different categories of service:
- Azure PaaS services such as Azure Storage, Azure SQL Database, Azure Key Vault, and more. See the full list here. For example, you can create an endpoint to securely connect a VM in a private subnet to a storage account. After creating a private IP address for the storage account, you can choose to block access to its public endpoint, so the only traffic that can reach it comes from the sanctioned subnet via the private endpoint.
Without a private endpoint, the VM would need to be assigned a public IP address, exposing it to the internet and all the threats that go along with it; the subnet would need a NAT or gateway device, requiring an extra step of configuration and potentially slowing traffic; the storage account would need to be open to clients on any network, so if credentials are leaked, anyone on the internet can access it. Not good!
- Your own service, if it's running behind a standard load balancer. This is called a private link service, and you'll want to create one if you have customers who need to privately connect to your service from within their own VNet. After you've enabled your private link service, consumers create a private endpoint in their virtual network and send a request to connect to your service.
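The "block the public endpoint" step from the first use case, together with the check a defender wants afterwards (does the blob hostname actually resolve to the private endpoint from inside the VNet?), added here as an example that is not from the original post. It assumes a logged-in az CLI on a Linux VM in the VNet (the resolver uses getent), and placeholder names.

```shell
#!/bin/sh
# Added example (not from the original post): close the storage account's public endpoint
# once the private endpoint exists, then confirm from a VM in the VNet that the blob
# hostname resolves to a private address. Assumes az CLI is logged in; names are placeholders.
set -eu

RG="${RG:-rg-privatelink-demo}"
STORAGE="${STORAGE:-stdemo123}"

# RFC 1918 test for a dotted-quad IPv4 address: 10/8, 172.16/12, 192.168/16.
ip_is_private() {
  case "$1" in
    10.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    192.168.*) return 0 ;;
    *) return 1 ;;
  esac
}

# First IPv4 answer for a hostname (assumption: Linux glibc VM, so getent is present).
resolve_ipv4() {
  getent ahostsv4 "$1" | awk 'NR==1 {print $1}'
}

# 0 if the hostname resolves to a private address, 1 if public or unresolvable.
check_private_path() {
  host="$1"
  ip=$(resolve_ipv4 "$host" || true)
  if [ -z "$ip" ]; then
    echo "$host: no IPv4 answer" >&2
    return 1
  fi
  if ip_is_private "$ip"; then
    echo "$host -> $ip (private endpoint in use)"
    return 0
  fi
  echo "$host -> $ip (PUBLIC address: private DNS zone not linked, or client outside the VNet)" >&2
  return 1
}

# "Disabled" refuses every request arriving at the public endpoint. The commented
# alternative keeps the firewall model instead: deny by default but let trusted
# Azure services (e.g. backup) through, which is the softer choice.
block_public_endpoint() {
  az storage account update -g "$RG" -n "$STORAGE" --public-network-access Disabled
  # az storage account update -g "$RG" -n "$STORAGE" --default-action Deny --bypass AzureServices
}

if command -v az >/dev/null 2>&1; then
  block_public_endpoint
  az storage account show -g "$RG" -n "$STORAGE" \
    --query "{publicNetworkAccess:publicNetworkAccess, defaultAction:networkRuleSet.defaultAction}" -o table
  check_private_path "${STORAGE}.blob.core.windows.net"
else
  echo "az CLI not found; functions defined but nothing changed" >&2
fi
```

If the check reports a public address from a VM inside the VNet, the private endpoint exists but is not being used; the usual cause is a private DNS zone that is not linked to that VNet, or a custom DNS server that does not forward the privatelink zone.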
Need an experienced Cloud Security Expert?
Anuj has successfully delivered over a dozen deployments on each of the public clouds (AWS/GCP/Azure) including several DevSecOps engagements. Set up a time with Anuj Varma.