Private Link and Private Endpoints
Secure access to Azure PaaS services through private endpoints — how they work, planning considerations, configuring access, and Private Link service for custom services.
Private Link and Private Endpoints
By default, Azure PaaS services (SQL Database, Storage, Key Vault) are accessed over the internet using public endpoints. Private endpoints bring those services into your VNet with a private IP address — traffic never leaves Microsoft’s network.
🎬 Video coming soon
Private Link and Private Endpoints
Private Link and Private Endpoints
~13:00Private Link brings Azure services inside your VNet — instead of connecting to Azure SQL over the internet, you connect over a private IP in your own network. Azure builds a private tunnel directly into your building. You never leave your network.
How Private Endpoints Work
🔒 Aisha’s scenario: Sentinel Banking’s compliance team says Azure SQL Database must not be accessible from the internet — only from within the corporate VNet.
Aisha creates a private endpoint for her SQL Database:
- A network interface (NIC) is created in her subnet with a private IP (e.g., 10.20.5.4)
- This NIC is mapped to a specific resource (her SQL Database instance)
- When applications connect to
sentinel-db.database.windows.net, DNS resolves to 10.20.5.4 instead of the public IP - Traffic stays on Microsoft’s backbone — never touches the internet
What a private endpoint creates:
- A NIC with a private IP in your chosen subnet
- A network-level mapping to a specific Azure resource (or sub-resource type like blob, file, queue, or table for Storage)
- The private endpoint NIC gets a private IP — the PaaS resource itself does not move into your VNet
Planning Considerations
| Factor | Detail |
|---|---|
| Subnet sharing | Private endpoints can share a subnet with other resources (VMs, other PEs). No dedicated subnet required. |
| NSG support | NSG rules now apply to private endpoint traffic (this was not always the case — exam may reference it). |
| One resource per PE | Each private endpoint maps to one specific resource or sub-resource. |
| Cross-region | You can create a PE in a different region than the target resource. |
| Cross-subscription | PE can be in a different subscription than the target resource (with approval). |
| Approval | Auto-approved if you own the resource. Manual approval required if created by a different tenant. |
| DNS | Critical — without proper DNS, the FQDN resolves to the public IP, bypassing the PE. |
Exam Tip: Private endpoints now support NSG rules — you can control traffic to private endpoints with network security groups. This is a feature that was added later and the exam tests that you know it’s supported.
Configuring Access
After creating a private endpoint, you should also restrict the public endpoint:
| Configuration | Effect |
|---|---|
| Disable public access | Only private endpoint connections are accepted. No internet access at all. |
| Restrict public access | Allow only specific IPs or VNets via service firewall, plus private endpoints. |
| Keep both | Public and private endpoints both work. Not recommended for sensitive resources. |
🔒 Aisha’s approach: She creates the private endpoint for SQL Database, verifies connectivity from her VNet works, then disables public access on the SQL Server. Now the database is only reachable through the private endpoint.
Private Link Service
Private Link service is the provider side — it lets you expose your own service (behind a Standard Load Balancer) to other subscriptions or tenants through Private Link.
How it works:
- Provider (you) deploys a service behind a Standard Internal Load Balancer
- Provider creates a Private Link service resource linked to the LB
- Consumer (another team, subscription, or tenant) creates a private endpoint pointing to your Private Link service
- Traffic flows: Consumer’s VNet → Private Endpoint → Microsoft backbone → Private Link service → Your Load Balancer → Your backend
Use cases:
- SaaS providers offering services to customers’ VNets
- Internal shared services exposed to other business units’ subscriptions
- Partner integrations without public internet exposure
🏢 Ravi’s scenario: Pinnacle Financial’s shared services team runs an internal API behind a Standard Internal Load Balancer. They create a Private Link service so the Finance and HR teams (in different subscriptions) can create private endpoints to access the API without any public internet exposure.
Private Endpoint vs Private Link Service
These are two sides of the same coin:
| Aspect | Private Endpoint | Private Link Service |
|---|---|---|
| Who creates it | The consumer (accessing the service) | The provider (exposing the service) |
| What it does | Creates a private IP to reach a service | Exposes a service for PE consumption |
| Works with | Azure PaaS services AND custom Private Link services | Your own services behind Standard Internal LB |
| Direction | Consumer creates PE to access provider | Provider creates PLS to be accessed |
For Azure PaaS (SQL, Storage, Key Vault), you only need a private endpoint — Microsoft has already created the Private Link service on their side.
For your own custom services, you create both: the Private Link service (provider side) and consumers create private endpoints (consumer side).
| Feature | Private Endpoint | Service Endpoint |
|---|---|---|
| IP type | Private IP in your VNet (NIC created in subnet) | Service keeps its public IP (optimised route) |
| DNS changes | Required — must configure private DNS zone for resolution | None — same FQDN resolves to same public IP |
| On-premises access | Yes — reachable over VPN or ExpressRoute with DNS | No — only works from within VNet subnets |
| Cost | Per-hour charge plus per-GB data processed | Free |
| Data exfiltration protection | Strong — PE maps to a specific resource instance | Limited — service endpoint policies for Azure Storage only |
| Cross-region support | Yes — PE can be in a different region than the service | No — same region as the VNet only |
| Setup complexity | Medium — PE resource, DNS zone, VNet links | Simple — enable on subnet, add VNet rule on service firewall |
Key Takeaways
- Private endpoints bring Azure services into your VNet with a private IP
- NSG rules are supported on private endpoints
- Always configure DNS correctly — without it, the PE is bypassed
- Disable public access after verifying PE connectivity
- Private Link service lets you expose your own services for PE consumption
Test Your Knowledge
Aisha creates a private endpoint for Azure SQL Database but doesn't configure DNS. What happens when she connects to sentinel-db.database.windows.net?
Ravi wants to expose his internal API (behind a Standard Internal LB) to other subscriptions via Private Link. What does he need to create?
Next up: Private Endpoint DNS — The critical DNS configuration that makes private endpoints actually work.