Private Link

Question

Part of my Azure Architecture I am implementing Hub and Spoke Topology. I am somewhat confused on certain element of Private Link.

I have 2 Resource Groups and I intend to have a Hub and Spoke topology with 1 Resource Group with 3 VNETs (1 Hub and 2 Spokes) and another Resource Group will have 1 VNET (Spoke) and I intend to have Private Link for all Azure Resources such as Azure SQL Database and Blob Storage.

The Hub VNET contains Application Gateway and Azure Firewall.
The Spokes will contain Azure Resources such as Azure SQL Database and Blob Storage.
Do I need to configure the Private DNS.

1) Does the Azure Resources such as Azure SQL and Azure Blob Storage need to be in the VNET for the Azure Private Link to work.
2) How do you connect to Azure SQL or Blob Storage if they have private link do you need a Client VM in the Hub.
3) I have Azure Firewall in my Hub is my understanding correct I wouldn't need Azure Firewall if I am using Private Link?

Answer 1

Hello @KaisMalique-9406 ,

You can use the following options to configure your DNS settings for private endpoints:

1. Use the host file (only recommended for testing)
2. Use a private DNS zone.
3. Use your DNS forwarder (optional).

Please refer the below article for more information:
https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns#azure-services-dns-zone-configuration

1) Does the Azure Resources such as Azure SQL and Azure Blob Storage need to be in the VNET for the Azure Private Link to work.
A) No, Azure Resources such as Azure SQL and Azure Blob Storage doesn't need to be in the VNET for the Azure Private Link to work. Private endpoint enables connectivity between the consumers from the same VNet, regionally peered VNets, globally peered VNets and on premises using VPN or Express Route and services powered by Private Link.
Please refer : https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview

2) How do you connect to Azure SQL or Blob Storage if they have private link do you need a Client VM in the Hub.
A) Yes, you will need a client VM to test connectivity to Azure SQL or Blob Storage via Private link.
Please refer : https://learn.microsoft.com/en-us/azure/private-link/tutorial-private-endpoint-sql-portal
https://learn.microsoft.com/en-us/azure/private-link/tutorial-private-endpoint-storage-portal

3) I have Azure Firewall in my Hub is my understanding correct I wouldn't need Azure Firewall if I am using Private Link?
A) Private endpoints enable Azure resources deployed in a virtual network to communicate privately with private link resources. It also extend the connectivity by allowing access to the private endpoint through virtual network peering and on-premises network connections. So, in general Azure Firewall is not needed but if you need to inspect or block traffic from clients to the services exposed via private endpoints, then you can complete this inspection by using Azure Firewall. It is upto your requirement.
Please refer : https://learn.microsoft.com/en-us/azure/private-link/inspect-traffic-with-azure-firewall

Kindly let us know if the above helps or you need further assistance on this issue.

----------------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Answer 2

Hi seems too obvious but did you have a look to this page ? https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke