Azure Private Link – Step by step guide

In our previous article, we saw how we can implement best practices using Azure Advisor. Check it out in case you have not read the post. In this post, we will learn something about Azure Private Link and how to create it step-by-step.

If your business needs to access data and services privately and securely over Microsoft's own cloud network, Azure Private Link is the feature to look out for. The service has just been released and is in beta (preview) right now. Using Azure Private Link, businesses on Microsoft's cloud infrastructure can consume services such as Azure SQL, Azure Storage or even their own services privately from an Azure virtual network, in a way that is scalable and secure. The underlying technology is based on a consumer-provider model in which both the consumer and the provider are deployed on Azure.

Below are the key highlights of Azure Private Link:

  • Protection of Azure resources against data exfiltration
  • Seamless integration with peered virtual networks and on-premises resources
  • Traffic remains on the Microsoft backbone network with no exposure to the public internet, providing private connectivity to Azure services

How Azure Private Link works

No NAT devices, public IP addresses or gateways are needed to communicate with the service. First, an approval-based workflow between the provider and the consumer establishes the connection. Once the connection exists, all data flowing between consumer and provider travels over the Microsoft network rather than the internet. The connection between the endpoints is secured by removing any exposure to the public internet. For example, from a VM, Azure Private Link can provide private connectivity to PaaS services.

Creating a Private Link

Here we will look at an example of creating a private link between a VM and a SQL Server database.

NOTE: The steps below assume working knowledge of the Azure portal, of creating resources such as VMs, and of all the steps involved. The names that have to be reused in later steps are highlighted below.

In this step-by-step guide, we will

  • Create a VM
  • Create a SQL Server Database
  • Create a Private End Point
  • Connect to the VM using Remote Desktop
  • Access the SQL Database privately from the VM via the Private End Point

Create a VM

We first create a VM, which will then connect to a SQL database via the private link.

  • Log in to the Azure portal using your Azure credentials
[Image: Azure portal. Image source: https://docs.microsoft.com/]
  • Create a Virtual Network
  • From the Azure portal left navigation:
    Create a resource > Networking > Virtual network

Name                     testVirtualNetwork
Address space            10.1.0.0/16
Subscription             Select your subscription
Resource group           Create new > enter testResourceGroup > OK
Location                 WestCentralUS
Subnet – Name            testSubnet
Subnet – Address range   10.1.0.0/24

  • Click Create, leaving the remaining defaults unchanged.
  • Create a VM
  • From the Azure portal left navigation:
    Create a resource > Compute > Virtual machine
  • Create Virtual Machine > Basics

Project details – Select your subscription and the Resource group testResourceGroup which was created earlier

Instance details
Virtual machine name     Enter testVm
Region                   WestCentralUS
Availability options     Leave the default values
Image                    Windows Server 2019 Datacenter
Size                     Leave the default value (Standard DS1 v2)

Administrator account
Username                 <<user name>>
Password                 <<password>> (must meet the defined complexity requirements)
Confirm password         Re-enter the password entered above

Inbound port rules
Public inbound ports     None

Next > Disks

Create Disks

Leave the defaults and click Next > Networking

Create Network

Virtual network          Default testVirtualNetwork
Address space            Default 10.1.0.0/24
Subnet                   Default testSubnet (10.1.0.0/24)
Public IP                Default (new) myVm-ip
Public inbound ports     Choose Allow selected ports
Select inbound ports     Choose HTTP and RDP

RDP is opened here only so that the Remote Desktop step later in this guide works; since it is exposed on the VM's public IP, restrict the source to your own address range in the network security group where possible.

  • Choose Review + create; the portal redirects you to a summary page and validates your configuration details

Create a SQL Server Database

Here we create the SQL server which will be accessed by the VM created in the previous step.

  1. Log in to the Azure portal using your Azure credentials
  2. Create a SQL Database
  3. From the Azure portal left navigation:
     Create a resource > Databases > SQL database > Create SQL database – Basics

Database details – Select your subscription and the Resource group testResourceGroup which was created earlier

Instance details
Database name            Enter testdatabase (if the name is not available, choose another one that is unique)

  • Server > Create new

Server name              Enter testserver (if the name is not available, choose another one that is unique)
Server admin login       <<user name>>
Password                 <<password>> (must meet the defined complexity requirements)
Location                 Choose the region where you want the SQL server

  • Choose OK > Review + create; the portal redirects you to a summary page and validates your configuration details
  • Choose Create once validation succeeds

Create a Private End Point

Here we create the private endpoint through which the VM above will connect to the SQL database.

  1. Log in to the Azure portal using your Azure credentials
  2. From the Azure portal left navigation:
     Create a resource > Networking > Private Link Center (Preview)
  3. Under Private Link Center – Overview, choose Build a private connection to a service > Start
  4. Under Create a private endpoint (Preview) – Basics

Project details – Select your subscription and the Resource group testResourceGroup which was created earlier

Instance details
Name                     Enter testPrivateEndpoint (if the name is not available, choose another one that is unique)
Region                   Choose WestCentralUS

  • Next > Resource
  • Under Create a private endpoint – Resource

Connection method        Select Connect to an Azure resource in my directory
Subscription             Select your subscription
Resource type            Select Microsoft.Sql/servers
Resource                 Select testserver
Target sub-resource      Select sqlServer

  • Next > Configuration
  • Under Create a private endpoint (Preview) – Configuration

Networking
Virtual network          Select testVirtualNetwork
Subnet                   Select testSubnet

Private DNS integration
Integrate with private DNS zone    Select Yes
Private DNS zone                   Select (New) privatelink.database.windows.net

  • Choose Review + create; the portal redirects you to a summary page and validates your configuration details
  • Choose Create once validation succeeds

Connect to the VM using Remote Desktop

Now we connect to the VM which we created earlier.

  • In the Azure portal's search bar, enter testVm
  • Select Connect, which opens Connect to virtual machine
  • Select Download RDP File to download the .rdp file, then double-click it
  • If prompted, select Connect and then enter the credentials created with the VM in the earlier steps
  • Select OK; you might receive a certificate warning, select Yes or Continue.
  • The VM desktop appears.

Access the SQL Database privately from the VM via the Private End Point

This is the last step, where we actually access the SQL database from the VM privately using the Azure Private Link.

In the testVm remote desktop session, open PowerShell.
Enter nslookup myserver.database.windows.net (substituting the server name you chose, testserver in this guide).
You will receive a response similar to this:

    Server:  UnKnown
    Address:  <<some I.P>>

    Non-authoritative answer:
    Name:    myserver.privatelink.database.windows.net
    Address:  <<some I.P>>
    Aliases:   myserver.database.windows.net

The name resolves through the privatelink.database.windows.net zone to the private endpoint's address inside testSubnet rather than to the SQL service's public IP address, which confirms that the private DNS integration is working.
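The private endpoint and private DNS zone created through the portal above, together with the name-resolution check just described, can also be scripted. The following Az PowerShell script is an added example, not part of the original post or of Microsoft's documentation; it assumes the Az.Network, Az.PrivateDns and Az.Sql modules, an existing Connect-AzAccount session, and the resource names used in this guide, and the Test-PrivateSqlResolution function and the connection, link and zone-group names are the example's own.

```powershell
# Added example: scripts the "Create a Private End Point" section with Az PowerShell.
# Names below are the guide's own (assumption: you used the same names).
$rg            = 'testResourceGroup'
$region        = 'WestCentralUS'
$vnetName      = 'testVirtualNetwork'
$subnetName    = 'testSubnet'
$sqlServerName = 'testserver'
$peName        = 'testPrivateEndpoint'
$zoneName      = 'privatelink.database.windows.net'

# 1. A subnet hosting a private endpoint must have endpoint network policies disabled.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet
$subnet.PrivateEndpointNetworkPolicies = 'Disabled'
$vnet   = $vnet | Set-AzVirtualNetwork
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet

# 2. Connect the endpoint to the SQL logical server (target sub-resource 'sqlServer',
#    matching the portal's "Target sub-resource" field).
$sql  = Get-AzSqlServer -ResourceGroupName $rg -ServerName $sqlServerName
$conn = New-AzPrivateLinkServiceConnection -Name "$peName-conn" `
            -PrivateLinkServiceId $sql.ResourceId -GroupId 'sqlServer'
New-AzPrivateEndpoint -ResourceGroupName $rg -Name $peName -Location $region `
            -Subnet $subnet -PrivateLinkServiceConnection $conn | Out-Null

# 3. Private DNS zone, VNet link and zone group: this is what the portal's
#    "Integrate with private DNS zone: Yes" does, so the VM resolves the private IP.
$zone = New-AzPrivateDnsZone -ResourceGroupName $rg -Name $zoneName
New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zoneName `
            -Name "$vnetName-link" -VirtualNetworkId $vnet.Id | Out-Null
$cfg = New-AzPrivateDnsZoneConfig -Name 'sqlzone' -PrivateDnsZoneId $zone.ResourceId
New-AzPrivateDnsZoneGroup -ResourceGroupName $rg -PrivateEndpointName $peName `
            -Name 'default' -PrivateDnsZoneConfig $cfg | Out-Null

# 4. Run inside the VM (Windows PowerShell): the server FQDN must resolve to an
#    address in testSubnet (10.1.0.0/24), not to the SQL service's public IP.
#    Resolve-DnsName follows the CNAME to privatelink.database.windows.net.
function Test-PrivateSqlResolution {
    param([string]$Fqdn = "$sqlServerName.database.windows.net",
          [string]$SubnetPrefix = '10.1.0.')
    $a = Resolve-DnsName -Name $Fqdn -Type A -ErrorAction Stop |
         Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
    if ($null -eq $a) { return $false }
    return $a.IPAddress.StartsWith($SubnetPrefix)
}
```

Steps 1 to 3 run from any machine with the Az modules; step 4 is meant to be pasted into the VM's PowerShell session, where `Test-PrivateSqlResolution` returning `$false` means traffic would still leave via the public endpoint.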

  • Install SQL Server Management Studio.
  • In Connect to server, enter or select this information:

Server type              Database Engine
Server name              myserver.database.windows.net
User name                <<username created during SQL creation>>
Password                 <<password created during SQL creation>>
Remember password        Yes

  • Click Connect. Expand the databases in the Object Explorer pane on the left and run a query against testdatabase.
  • Close the remote desktop connection to testVm.
  • Completing these steps shows that you have accessed the SQL database from the VM through the Azure Private Link and not over the public internet.
  • Optional step – clean up the resources created here so that they do not incur unexpected charges.

Summary

In this article, we saw how Azure Private Link lets us securely connect Azure resources and services. Note that this feature is still in preview and should not be used for production workloads.

Hope you enjoyed reading this post on Azure Private Link. Thanks for reading and do keep visiting this blog.

Hitesh Boricha

I have a little over a decade experience in the IT industry. Having worked in various roles in this industry, I am passionate about technology.
