Configure private endpoints for Azure services
Private endpoints take the concept of service endpoints one step further. In the same scenario of a VM in subnet0 trying to communicate with a storage account, in addition to using a private IP address as the source IP address, the destination IP address will also be private. Private endpoints create a dedicated network interface for the specific PaaS service resource that you create it for and make that interface accessible from the subnet that you configure.
In this example, suppose you create a private endpoint for blob storage in the storage account. You could create that private endpoint in the same subnet, subnet0, that the VM is associated with. The VM NIC might have an IP address of 10.0.0.4/24, and the private endpoint for blob storage could be 10.0.0.5/24. When the VM connects to the endpoint of the blob storage, the DNS name resolves from the VNet to the private IP address of the private endpoint.
Therefore, all communication uses private IP addresses as both the source and the destination.
You can typically create a private endpoint directly from the resource you want to configure it on, or from the Private Link Center. To create a private endpoint for blob storage, follow these steps:
- From the Azure portal, search for Private endpoints.
- On the Private Endpoints blade, click Create.
- On the Basics tab of the Create A Private Endpoint blade, select your subscription, resource group, and region. Then provide a name for the endpoint, such as “pe-blobstorage1.” The network interface should autopopulate with a name based on the resource name. Figure 4-40 displays the Basics tab.
- Click Next: Resource.
- On the Resource tab, select the Azure PaaS resource that you want to create the private endpoint for. In this example, select Microsoft.Storage/storageAccounts as the resource type, a storage account as the resource, and blob as the target subresource, as shown in Figure 4-41.
FIGURE 4-40 The Basics tab of the Create A Private Endpoint blade
FIGURE 4-41 The Resource tab of the Create A Private Endpoint blade
- Click Next: Virtual network.
- On the Virtual Network tab, select the VNet and subnet that you want the private endpoint to be associated with. In the example shown here, vnet-hub is selected for the VNet and subnet0 as the subnet. By default, an IP address will be allocated to the private endpoint dynamically, as shown in Figure 4-42.
FIGURE 4-42 The Virtual Network tab of the Create A Private Endpoint blade
- Click Next: DNS.
- On the DNS tab, choose whether to integrate the private endpoint network interface with a DNS zone. This is recommended so that the private IP address is resolved when accessing the storage account, as shown in Figure 4-43.
FIGURE 4-43 The DNS tab of the Create A Private Endpoint blade
- Accept the remaining defaults on the Tags and Review + Create tabs to create the private endpoint. After the private endpoint is created, you can view the private IP address that was associated with the private endpoint network interface, as shown in Figure 4-44.
FIGURE 4-44 Private endpoint resource
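Once the private endpoint exists, the check worth running from a VM in the VNet is whether the storage account's blob FQDN actually resolves to the private endpoint's address; if it still resolves to a public IP, the DNS integration from the DNS tab is missing and traffic leaves through the public endpoint. The script below is an added example, not from the book: the DNS records are constructed to simulate both outcomes, and `stor1`, 10.0.0.5 and the public address are placeholders. It assumes the private DNS zone for blob is `privatelink.blob.core.windows.net`, which is what the DNS tab integrates with.

```python
"""Post-deployment check: does a storage account's blob FQDN resolve to the
private endpoint's IP from inside the VNet?  Resolver data is simulated so
the script runs offline; swap in a real lookup for live use."""
import ipaddress

# Constructed DNS answers (placeholders).  Azure publishes a CNAME from the
# public name to the privatelink name; the private DNS zone then supplies the A.
PRIVATE_ZONE_OK = {
    "stor1.blob.core.windows.net": ("CNAME", "stor1.privatelink.blob.core.windows.net"),
    "stor1.privatelink.blob.core.windows.net": ("A", "10.0.0.5"),
}
# Same CNAME, but no private zone linked to the VNet: the privatelink name
# falls through to public DNS and yields a public address (constructed).
NO_PRIVATE_ZONE = {
    "stor1.blob.core.windows.net": ("CNAME", "stor1.privatelink.blob.core.windows.net"),
    "stor1.privatelink.blob.core.windows.net": ("A", "20.60.1.2"),
}


def resolve(name, records, max_hops=5):
    """Follow CNAMEs until an A record is reached; return (ip or None, chain)."""
    chain = [name]
    for _ in range(max_hops):
        rtype, value = records.get(name, (None, None))
        if rtype == "A":
            return value, chain
        if rtype != "CNAME":
            return None, chain
        name = value
        chain.append(name)
    return None, chain  # CNAME loop or too many hops


def check_private_endpoint(fqdn, subnet, records):
    """Classify where traffic to fqdn will go, given the subnet that should
    contain the private endpoint NIC (e.g. subnet0 = 10.0.0.0/24)."""
    ip, chain = resolve(fqdn, records)
    if ip is None:
        return "unresolved", chain
    addr = ipaddress.ip_address(ip)
    if addr in ipaddress.ip_network(subnet):
        return "private-endpoint", chain      # expected outcome
    if addr.is_private:
        return "private-but-wrong-subnet", chain  # endpoint in another subnet/VNet
    return "public-endpoint", chain           # DNS integration missing


if __name__ == "__main__":
    for label, recs in (("with private zone", PRIVATE_ZONE_OK), ("no private zone", NO_PRIVATE_ZONE)):
        verdict, chain = check_private_endpoint("stor1.blob.core.windows.net", "10.0.0.0/24", recs)
        print(f"{label}: {verdict}  via {' -> '.join(chain)}")
```

For a live check, replace the `records` dictionary with the answers from `nslookup stor1.blob.core.windows.net` run on the VM; the verdict logic is unchanged.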