Azure Private Endpoints


Go back to AZ-304 Tutorials

Azure Private Endpoints provide secure connectivity to Azure services over a private endpoint in a Virtual Network (VNet). They allow you to access Azure services such as Azure Storage, Azure Cosmos DB, Azure SQL Database, and others, from your VNet, without the need for public internet connectivity.

When you create a private endpoint for an Azure service, a private IP address is assigned to it in the VNet. This private IP address is then used to connect to the Azure service. All traffic between the private endpoint and the Azure service travels over the Microsoft backbone network, which helps to ensure that traffic stays within the Microsoft network and is not exposed to the public internet.

Azure Private Endpoints also provide additional security features such as network security groups (NSGs), which allow you to restrict traffic to and from the private endpoint. Additionally, you can use Azure Private DNS Zones to resolve the Azure service’s FQDNs to their private IP addresses, which provides an extra layer of security and ensures that traffic is not accidentally routed through the public internet.

Private Endpoint properties

Private Endpoints in Azure have the following properties:

  • Name: A user-defined name for the private endpoint.
  • Resource ID: The unique identifier for the Azure service that the private endpoint is being created for.
  • Group ID: The unique identifier for the resource group that contains the Azure service that the private endpoint is being created for.
  • Virtual Network (VNet): The VNet that the private endpoint is associated with.
  • Subnet: The subnet within the VNet that the private endpoint is associated with.
  • Private IP Address: The private IP address assigned to the private endpoint within the VNet.
  • Network Security Group (NSG): The NSG associated with the private endpoint, which can be used to control traffic to and from the endpoint.
  • DNS Name: The DNS name associated with the private endpoint.
  • Resource Type: The type of Azure service that the private endpoint is being created for, such as Azure Storage or Azure SQL Database.
  • Status: The current status of the private endpoint, which can be “Pending,” “Approved,” or “Rejected.”
  • Provisioning State: The current state of the private endpoint’s provisioning process, which can be “Creating,” “Updating,” or “Deleting.”
  • Private Link Service Connection State: The connection state of the private endpoint to the Private Link service, which can be “Pending,” “Approved,” “Rejected,” or “Disconnected.”

These properties can be managed and configured through the Azure portal, Azure PowerShell, Azure CLI, or Azure REST API.


Network security of private endpoints

Network security is a key aspect of Azure Private Endpoints, as they provide a secure way to access Azure services from your VNet, without the need for public internet connectivity. Here are some of the ways in which Azure Private Endpoints help to enhance the network security of your applications:

  • Private IP Addressing: Azure Private Endpoints are associated with private IP addresses in your VNet, which are not routable over the public internet. This ensures that your traffic stays within the Microsoft network and is not exposed to the public internet.
  • Network Security Groups: You can use Network Security Groups (NSGs) to control traffic to and from your private endpoint. NSGs allow you to define inbound and outbound security rules to restrict traffic to specific ports and protocols.
  • Private Link: Azure Private Link is a technology that allows you to access Azure services over a private endpoint, without requiring a public IP address. Private Link provides an additional layer of security by enabling you to use your own DNS name and SSL/TLS certificate for the private endpoint.
  • Service Endpoints: Azure Service Endpoints enable you to secure your Azure services by restricting access to a specific VNet. This ensures that traffic from your VNet to the Azure service stays within the Microsoft network and is not exposed to the public internet.
  • Private DNS Zones: Azure Private DNS Zones allow you to map a custom DNS name to a private IP address. This provides an extra layer of security by ensuring that your traffic stays within the Microsoft network and is not accidentally routed through the public internet.
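The paragraph above on Private DNS Zones, and the earlier one on resolving the service's FQDN to its private IP address, both come down to one check a practitioner should run from inside the VNet: does the service name resolve to an address in the VNet's address space, or did the lookup fall through to public DNS? The following Python is an added example, not code from the original page or from Microsoft; the VNet address space, the storage account names and the resolved addresses are all constructed for the example.

```python
"""
Verify that an Azure service FQDN resolves to a private endpoint address.

Added example (not from the original page or from Microsoft). It takes the
addresses a client resolved for a service FQDN and checks that every one of
them falls inside the VNet address space where the private endpoint lives.
A public address means the private DNS zone is missing or not linked to the
VNet, so the client would reach the service over its public endpoint.
"""
import ipaddress
import socket
from typing import Dict, Iterable, List

# Hypothetical VNet address space; constructed for the example.
VNET_ADDRESS_SPACE = ["10.1.0.0/16"]

# Constructed resolution results, as a resolver might return them.
# The storage account names and addresses are made up.
SAMPLE_RESOLUTIONS: Dict[str, List[str]] = {
    # Private DNS zone in effect: the privatelink CNAME was answered with a VNet address.
    "contoso001.blob.core.windows.net": ["10.1.2.5"],
    # Zone missing or not linked: public DNS answered with a public address.
    "contoso002.blob.core.windows.net": ["20.60.12.34"],
    # Two answers, one private and one public, e.g. a split-horizon mistake.
    "contoso003.blob.core.windows.net": ["10.1.2.6", "20.60.12.35"],
    # Private address, but from a different network, not this VNet.
    "contoso004.blob.core.windows.net": ["192.168.50.9"],
}


def is_in_vnet(address: str, vnet_cidrs: Iterable[str]) -> bool:
    """True if the address belongs to one of the VNet's address prefixes."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(cidr) for cidr in vnet_cidrs)


def classify_address(address: str, vnet_cidrs: Iterable[str]) -> str:
    """
    'vnet'    : inside the VNet, consistent with a private endpoint NIC
    'private' : RFC 1918 / ULA space but outside this VNet (peered network,
                on-premises range, or a stale record); needs a closer look
    'public'  : globally routable; traffic would leave via the public endpoint
    """
    ip = ipaddress.ip_address(address)
    if is_in_vnet(address, vnet_cidrs):
        return "vnet"
    if ip.is_private:
        return "private"
    return "public"


def check_resolution(fqdn: str, addresses: List[str], vnet_cidrs: Iterable[str]) -> str:
    """
    Overall verdict for one FQDN:
      'ok'              every answer is inside the VNet
      'mixed'           some answers are public, some private (clients will disagree)
      'public'          only public answers; the private DNS zone is not in effect
      'foreign-private' no public answer, but at least one private address is
                        outside this VNet
      'unresolved'      empty answer
    """
    if not addresses:
        return "unresolved"
    kinds = {classify_address(a, vnet_cidrs) for a in addresses}
    if kinds == {"vnet"}:
        return "ok"
    if "public" in kinds and len(kinds) > 1:
        return "mixed"
    if kinds == {"public"}:
        return "public"
    return "foreign-private"


def resolve_live(fqdn: str) -> List[str]:
    """Resolve with the host's resolver, i.e. what a client in the VNet sees."""
    try:
        infos = socket.getaddrinfo(fqdn, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def audit(resolutions: Dict[str, List[str]], vnet_cidrs: Iterable[str]) -> Dict[str, str]:
    """Apply the check to every FQDN and return fqdn -> verdict."""
    return {fqdn: check_resolution(fqdn, addrs, vnet_cidrs)
            for fqdn, addrs in resolutions.items()}


if __name__ == "__main__":
    # Run against the constructed sample; swap in resolve_live(fqdn) on a VM
    # inside the VNet to check real names.
    for fqdn, verdict in audit(SAMPLE_RESOLUTIONS, VNET_ADDRESS_SPACE).items():
        print(f"{verdict:16s} {fqdn}")
```

The check deliberately compares against the VNet's own address space rather than just testing for RFC 1918 space: a private address that is not in this VNet still means the client is not talking to this private endpoint, which is the "foreign-private" verdict. On a VM in the VNet, replace the constructed sample with `resolve_live(fqdn)` to test the names you actually use.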

Accessing a private link resource using the approval workflow

You can connect to a private link resource using one of two connection approval methods:

  • Automatic approval: when you own the private link resource, or hold the required permission on it, the connection is approved automatically. The permission required depends on the private link resource type and has the format Microsoft.<Provider>/<resource_type>/privateEndpointConnectionApproval/action.
  • Manual request: when you do not have that permission and want to request access. The private endpoint and its private endpoint connection are created in a “Pending” state; once the resource owner approves the connection, the private endpoint can send traffic normally.

The private link resource owner can perform the following actions on a private endpoint connection:

  • Review the details of all private endpoint connections.
  • Approve a private endpoint connection; the corresponding private endpoint can then send traffic to the private link resource.
  • Reject a private endpoint connection; the corresponding private endpoint is updated to reflect the rejected status.
  • Delete a private endpoint connection in any state; the corresponding private endpoint is updated to a disconnected state to reflect the action.
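
The owner-side review step above is where manual requests are triaged, and it is also where approved connections from unexpected subscriptions are caught. The following Python is an added example, not code from the original page or from Microsoft: it derives the approval permission string in the format given above from a resource ID, and sorts connection records into approve / investigate / revoke buckets. The records are constructed inline in the shape of the ARM privateEndpointConnections representation (field names are an assumption); in practice they would come from the Azure CLI or REST API, and the subscription IDs, resource names and allow-list are made up.

```python
"""
Triage the private endpoint connections on a private link resource.

Added example (not from the original page or from Microsoft). Connection
records are constructed in the shape of the ARM privateEndpointConnections
representation; the exact field names are an assumption.
"""
import re
from typing import Dict, List, Set

# Constructed private link resource ID (subscription and names are made up).
RESOURCE_ID = ("/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-data"
               "/providers/Microsoft.Storage/storageAccounts/contosodata001")

# Subscriptions whose private endpoints are expected to connect to this resource.
ALLOWED_SUBSCRIPTIONS: Set[str] = {
    "11111111-1111-1111-1111-111111111111",
    "22222222-2222-2222-2222-222222222222",
}

SUB_OWN = "11111111-1111-1111-1111-111111111111"
SUB_PARTNER = "22222222-2222-2222-2222-222222222222"
SUB_UNKNOWN = "99999999-9999-9999-9999-999999999999"


def _pe_id(sub: str, name: str) -> str:
    """Build a constructed private endpoint resource ID."""
    return (f"/subscriptions/{sub}/resourceGroups/rg-app/providers"
            f"/Microsoft.Network/privateEndpoints/{name}")


def _record(name: str, sub: str, status: str, description: str = "") -> Dict:
    return {"name": name, "properties": {
        "privateEndpoint": {"id": _pe_id(sub, name.split(".")[0])},
        "privateLinkServiceConnectionState": {"status": status, "description": description}}}


# Constructed connection records as the owner would list them.
SAMPLE_CONNECTIONS: List[Dict] = [
    _record("pe-web-prod.abc", SUB_OWN, "Approved", "Auto-approved"),
    _record("pe-batch-dev.def", SUB_PARTNER, "Pending", "Please approve"),
    _record("pe-unknown.ghi", SUB_UNKNOWN, "Pending", "request"),
    _record("pe-old.jkl", SUB_UNKNOWN, "Approved"),
    _record("pe-retired.mno", SUB_OWN, "Disconnected"),
]

_SUB_RE = re.compile(r"^/subscriptions/([^/]+)/", re.IGNORECASE)
_TYPE_RE = re.compile(r"/providers/(Microsoft\.[^/]+)/([^/]+)/", re.IGNORECASE)


def subscription_of(resource_id: str) -> str:
    """Subscription ID segment of an ARM resource ID, lower-cased."""
    m = _SUB_RE.match(resource_id)
    if not m:
        raise ValueError(f"not an ARM resource ID: {resource_id}")
    return m.group(1).lower()


def approval_action(resource_id: str) -> str:
    """
    Permission needed for automatic approval, in the format the page gives:
    Microsoft.<Provider>/<resource_type>/privateEndpointConnectionApproval/action
    (top-level resource type; nested types are not handled here).
    """
    m = _TYPE_RE.search(resource_id)
    if not m:
        raise ValueError(f"no provider/type in resource ID: {resource_id}")
    return f"{m.group(1)}/{m.group(2)}/privateEndpointConnectionApproval/action"


def triage(connections: List[Dict], allowed_subscriptions: Set[str]) -> Dict[str, List[str]]:
    """
    Sort connections by the action the owner should take:
      approve      Pending, from an allow-listed subscription
      investigate  Pending, from a subscription not on the allow-list
      revoke       already Approved but from a subscription not on the allow-list
      housekeeping Rejected or Disconnected records that can be deleted
    """
    allowed = {s.lower() for s in allowed_subscriptions}
    buckets: Dict[str, List[str]] = {"approve": [], "investigate": [], "revoke": [], "housekeeping": []}
    for conn in connections:
        props = conn["properties"]
        status = props["privateLinkServiceConnectionState"]["status"]
        trusted = subscription_of(props["privateEndpoint"]["id"]) in allowed
        if status == "Pending":
            buckets["approve" if trusted else "investigate"].append(conn["name"])
        elif status == "Approved" and not trusted:
            buckets["revoke"].append(conn["name"])
        elif status in ("Rejected", "Disconnected"):
            buckets["housekeeping"].append(conn["name"])
    return buckets


if __name__ == "__main__":
    print("approval permission:", approval_action(RESOURCE_ID))
    for bucket, names in triage(SAMPLE_CONNECTIONS, ALLOWED_SUBSCRIPTIONS).items():
        print(f"{bucket:13s} {names}")
```

The allow-list is the security-relevant part: a manual request can arrive from any subscription that knows the resource ID, so a "Pending" connection is only routinely approvable when its private endpoint lives somewhere you expect, and an "Approved" connection from elsewhere is a finding, not a steady state.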

AZ-304 Exam Practice Questions

Question: You have an Azure SQL database that you need to access from a VNet. You want to ensure that traffic stays within the Microsoft network and is not exposed to the public internet. Which Azure feature should you use?

A) Azure Virtual Network (VNet)

B) Azure Private Endpoint

C) Azure ExpressRoute

D) Azure Service Endpoint

Answer: B) Azure Private Endpoint.

Explanation: Azure Private Endpoint provides a secure and private way to access Azure services from your VNet, without the need for public internet connectivity.

Question: You have created a private endpoint for an Azure Storage account in your VNet. You want to restrict traffic to and from the private endpoint using NSGs. Which of the following should you configure?

A) The Azure Storage account firewall settings

B) The NSGs associated with the VNet

C) The NSGs associated with the private endpoint

D) The NSGs associated with the Azure Storage account

Answer: C) The NSGs associated with the private endpoint.

Explanation: The NSG rules that control traffic to and from a private endpoint are the ones associated with the private endpoint itself.

Question: You have created a private endpoint for an Azure Cosmos DB account in your VNet. You want to ensure that traffic to the private endpoint uses your own DNS name and SSL/TLS certificate. Which Azure feature should you use?

A) Azure Private DNS Zones

B) Azure Private Link

C) Azure Service Endpoints

D) Azure Virtual Network (VNet)

Answer: B) Azure Private Link.

Explanation: Azure Private Link is a technology that allows you to access Azure services over a private endpoint, without requiring a public IP address. Private Link provides an additional layer of security by enabling you to use your own DNS name and SSL/TLS certificate for the private endpoint.

Question: You want to access an Azure SQL database from a VNet using a private endpoint. However, the private endpoint status is “Rejected.” What could be the reason for this?

A) The private endpoint has not been created correctly.

B) The Azure SQL database is not supported for private endpoints.

C) The Azure SQL database firewall settings are not configured correctly.

D) The NSGs associated with the private endpoint are not configured correctly.

Answer: C) The Azure SQL database firewall settings are not configured correctly.

Explanation: When you create a private endpoint for an Azure SQL database, you need to ensure that the firewall settings are configured correctly to allow traffic from the VNet to the private endpoint.

Question: You have a web application running in a VNet that needs to access an Azure Storage account. You want to ensure that traffic stays within the Microsoft network and is not exposed to the public internet. Which Azure feature should you use?

A) Azure Virtual Network (VNet)

B) Azure Private Endpoint

C) Azure ExpressRoute

D) Azure Service Endpoint

Answer: D) Azure Service Endpoint.

Explanation: Azure Service Endpoints enable you to secure your Azure services by restricting access to a specific VNet. This ensures that traffic from your VNet to the Azure service stays within the Microsoft network and is not exposed to the public internet.

Reference: Microsoft Documentation
