Integrate Azure Relay with Azure Private Link

Azure Private Link Service enables you to access Azure services (for example, Azure Relay, Azure Service Bus, Azure Event Hubs, Azure Storage, and Azure Cosmos DB) and Azure hosted customer/partner services over a private endpoint in your virtual network. For more information, see What is Azure Private Link?

A private endpoint is a network interface that allows your workloads running in a virtual network to connect privately and securely to a service that has a private link resource (for example, a Relay namespace). The private endpoint uses a private IP address from your VNet, effectively bringing the service into your VNet. All traffic to the service can be routed through the private endpoint, so no gateways, NAT devices, ExpressRoute, VPN connections, or public IP addresses are needed. Traffic between your virtual network and the service traverses over the Microsoft backbone network, eliminating exposure from the public Internet. You can provide a level of granularity in access control by allowing connections to specific Azure Relay namespaces.

Note

If you use the relay listener over a private link, open ports 9400-9599 for outgoing communication along with the standard relay ports. Note that you need to do this step only for the relay listener.

Add a private endpoint using Azure portal

Prerequisites

To integrate an Azure Relay namespace with Azure Private Link, you need the following entities or permissions:

  • An Azure Relay namespace.
  • An Azure virtual network.
  • A subnet in the virtual network.
  • Owner or contributor permissions on the virtual network.

Your private endpoint and virtual network must be in the same region. When you select a region for the private endpoint using the portal, it will automatically filter only virtual networks that are in that region. Your namespace can be in a different region.

Your private endpoint uses a private IP address in your virtual network.

Steps

For step-by-step instructions on creating a new Azure Relay namespace and entities in it, see Create an Azure Relay namespace using the Azure portal.

  1. Sign in to the Azure portal.

  2. In the search bar, type in Relays.

  3. Select the namespace from the list to which you want to add a private endpoint.

  4. On the left menu, select the Networking tab under Settings.

  5. Select the Private endpoint connections tab at the top of the page.

  6. Select the + Private Endpoint button at the top of the page.

    Screenshot showing the selection of the Add private endpoint button on the Private endpoint connections tab of the Networking page.

  7. On the Basics page, follow these steps:

    1. Select the Azure subscription in which you want to create the private endpoint.

    2. Select the resource group for the private endpoint resource.

    3. Enter a name for the private endpoint.

    4. Enter a name for the network interface.

    5. Select a region for the private endpoint. Your private endpoint must be in the same region as your virtual network, but can be in a different region from the Azure Relay namespace that you're connecting to.

    6. Select Next: Resource > button at the bottom of the page.

      Screenshot showing the Basics page of the Create a private endpoint wizard.

  8. Review settings on the Resource page, and select Next: Virtual Network.

    Screenshot showing the Resource page of the Create a private endpoint wizard.

  9. On the Virtual Network page, select the virtual network and the subnet where you want to deploy the private endpoint. Only virtual networks in the currently selected subscription and location are listed in the drop-down list.

    Screenshot showing the Virtual Network page of the Create a private endpoint wizard.

    You can configure whether you want to dynamically allocate an IP address or statically allocate an IP address to the private endpoint.

    You can also associate a new or existing application security group to the private endpoint.

  10. Select Next: DNS to navigate to the DNS page of the wizard. On the DNS page, the Integrate with private DNS zone setting is enabled by default (recommended). You have an option to disable it.

    Screenshot showing the DNS page of the Create a private endpoint wizard.

    To connect privately with your private endpoint, you need a DNS record. We recommend that you integrate your private endpoint with a private DNS zone. You can also utilize your own DNS servers or create DNS records using the host files on your virtual machines. For more information, see Azure Private Endpoint DNS Configuration.

  11. Select Next: Tags > button at the bottom of the page.

  12. On the Tags page, create any tags (names and values) that you want to associate with the private endpoint and the private DNS zone (if you had enabled the option). Then, select Review + create button at the bottom of the page.

  13. On the Review + create page, review all the settings, and select Create to create the private endpoint.

  14. On the Private endpoint page, you can see the status of the private endpoint connection. If you're the owner of the Relay namespace or have manage access over it, and you selected the Connect to an Azure resource in my directory option for the Connection method, the endpoint connection should be auto-approved. If it's in the pending state, see the Manage private endpoints using Azure portal section.

    Screenshot showing the Private endpoint page in the Azure portal.

  15. Navigate back to the Networking page of the namespace, and switch to the Private endpoint connections tab. You should see the private endpoint that you created.

    Screenshot showing the Private endpoint connections tab of the Networking page with the private endpoint you just created.

Add a private endpoint using PowerShell

The following example shows you how to use Azure PowerShell to create a private endpoint connection to an Azure Relay namespace.

Your private endpoint and virtual network must be in the same region. Your Azure Relay namespace can be in a different region. Your private endpoint uses a private IP address in your virtual network.


$rgName = "<RESOURCE GROUP NAME>"
$vnetLocation = "<VNET LOCATION>"
$vnetName = "<VIRTUAL NETWORK NAME>"
$subnetName = "<SUBNET NAME>"
$namespaceLocation = "<NAMESPACE LOCATION>"
$namespaceName = "<NAMESPACE NAME>"
$peConnectionName = "<PRIVATE ENDPOINT CONNECTION NAME>"
$privateEndpointName = "<PRIVATE ENDPOINT NAME>"

# create resource group (in the virtual network's region)
New-AzResourceGroup -Name $rgName -Location $vnetLocation

# create virtual network
$virtualNetwork = New-AzVirtualNetwork `
                    -ResourceGroupName $rgName `
                    -Location $vnetLocation `
                    -Name $vnetName `
                    -AddressPrefix 10.0.0.0/16

# create subnet with private endpoint network policies disabled
$subnetConfig = Add-AzVirtualNetworkSubnetConfig `
                    -Name $subnetName `
                    -AddressPrefix 10.0.0.0/24 `
                    -PrivateEndpointNetworkPoliciesFlag "Disabled" `
                    -VirtualNetwork $virtualNetwork

# update virtual network
$virtualNetwork | Set-AzVirtualNetwork

# create a relay namespace (it may be in a different region from the virtual network)
$namespaceResource = New-AzResource -Location $namespaceLocation -ResourceName $namespaceName -ResourceGroupName $rgName -Properties @{} -ResourceType "Microsoft.Relay/namespaces"

# create a private link service connection; "namespace" is the group ID (sub-resource) for Azure Relay
$privateEndpointConnection = New-AzPrivateLinkServiceConnection `
                                -Name $peConnectionName `
                                -PrivateLinkServiceId $namespaceResource.ResourceId `
                                -GroupId "namespace"

# get the subnet object that you'll use in the next step
$virtualNetwork = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name $vnetName
$subnet = $virtualNetwork | Select-Object -ExpandProperty Subnets `
                          | Where-Object { $_.Name -eq $subnetName }

# now, create the private endpoint in the same region as the virtual network
$privateEndpoint = New-AzPrivateEndpoint -ResourceGroupName $rgName `
                                -Name $privateEndpointName `
                                -Location $vnetLocation `
                                -Subnet $subnet `
                                -PrivateLinkServiceConnection $privateEndpointConnection

# show the namespace properties, including its private endpoint connections
(Get-AzResource -ResourceId $namespaceResource.ResourceId -ExpandProperties).Properties


Manage private endpoints using Azure portal

When you create a private endpoint, the connection must be approved. If the resource (Relay namespace) for which you're creating a private endpoint is in your directory, you can approve the connection request provided you have manage privileges over the Relay namespace. If you're connecting to a Relay namespace for which you don't have manage access, you must wait for the owner of that resource to approve your connection request.

There are four provisioning states:

Service action | Service consumer private endpoint state | Description
None           | Pending      | Connection is created manually and is pending approval from the Azure Relay namespace owner.
Approve        | Approved     | Connection was automatically or manually approved and is ready to be used.
Reject         | Rejected     | Connection was rejected by the Azure Relay namespace owner.
Remove         | Disconnected | Connection was removed by the Azure Relay namespace owner; the private endpoint becomes informative and should be deleted for cleanup.

Approve, reject, or remove a private endpoint connection

  1. Sign in to the Azure portal.
  2. In the search bar, type in Relay.
  3. Select the namespace that you want to manage.
  4. Select the Networking tab.
  5. Go to the appropriate section below based on the operation you want to perform: approve, reject, or remove.

Approve a private endpoint connection

  1. If there are any connections that are pending, you see a connection listed with Pending in the provisioning state.

  2. Select the private endpoint you wish to approve.

  3. Select the Approve button.

    Screenshot showing the Approve button on the command bar for the selected private endpoint.

  4. On the Approve connection page, enter an optional comment, and select Yes. If you select No, nothing happens.

    Screenshot showing the Approve connection page asking for your confirmation.

  5. You should see the status of the connection in the list changed to Approved.

Reject a private endpoint connection

  1. If there are any private endpoint connections you want to reject, whether it's a pending request or existing connection that was approved earlier, select the endpoint connection and select the Reject button.

    Screenshot showing the Reject button on the command bar for the selected private endpoint.

  2. On the Reject connection page, enter an optional comment, and select Yes. If you select No, nothing happens.

    Screenshot showing the Reject connection page asking for your confirmation.

  3. You should see the status of the connection in the list changed to Rejected.

Remove a private endpoint connection

  1. To remove a private endpoint connection, select it in the list, and select Remove on the toolbar.

    Screenshot showing the Remove button on the command bar for the selected private endpoint.

  2. On the Delete connection page, select Yes to confirm the deletion of the private endpoint. If you select No, nothing happens.

    Screenshot showing the Delete connection page asking you for the confirmation.

  3. You should see the status changed to Disconnected. Then, you won't see the endpoint in the list.
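The same approve, reject, and remove operations can be driven from Azure PowerShell, which is useful when you want a repeatable rule for which requesters get approved instead of clicking through pending requests. The script below is an added example, not part of the original article; it assumes the Az.Network and Az.Resources modules, and the subscription list and placeholder names in angle brackets are constructed values you replace with your own.

```powershell
# Added example: review private endpoint connections to a Relay namespace and act on them
# from PowerShell. Assumes Az.Network / Az.Resources; placeholders are constructed.
$rgName        = "<RESOURCE GROUP NAME>"
$namespaceName = "<NAMESPACE NAME>"
# Assumption: you only want to approve requests raised from subscriptions you recognise
$trustedSubs   = @("<SUBSCRIPTION ID YOU EXPECT REQUESTS FROM>")

$namespaceId = (Get-AzResource -ResourceGroupName $rgName -ResourceName $namespaceName `
                  -ResourceType "Microsoft.Relay/namespaces").ResourceId

# List every connection with its state (Pending / Approved / Rejected / Disconnected)
$connections = Get-AzPrivateEndpointConnection -PrivateLinkResourceId $namespaceId
$connections | Select-Object Name,
    @{ n = 'Status';    e = { $_.PrivateLinkServiceConnectionState.Status } },
    @{ n = 'Requester'; e = { $_.PrivateEndpoint.Id } } | Format-Table -AutoSize

# Approve pending requests from trusted subscriptions, reject the rest
foreach ($c in ($connections | Where-Object { $_.PrivateLinkServiceConnectionState.Status -eq 'Pending' })) {
    # The private endpoint resource ID embeds the subscription that raised the request:
    # /subscriptions/<sub id>/resourceGroups/... so element 2 of the split is the subscription
    $requesterSub = ($c.PrivateEndpoint.Id -split '/')[2]
    if ($trustedSubs -contains $requesterSub) {
        Approve-AzPrivateEndpointConnection -ResourceId $c.Id -Description "Approved: known subscription $requesterSub"
    } else {
        Deny-AzPrivateEndpointConnection -ResourceId $c.Id -Description "Rejected: unknown subscription $requesterSub"
    }
}

# To remove an already approved connection (it moves to Disconnected, as in the portal):
# Remove-AzPrivateEndpointConnection -ResourceId $c.Id
```

Rejecting a connection that is already Approved works the same way as in the portal: the consumer's endpoint stops working immediately, so coordinate with the requester before running this against existing connections.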

You should validate that resources within the virtual network of the private endpoint are connecting to your Azure Relay namespace over its private IP address.

For this test, create a virtual machine by following the steps in Create a Windows virtual machine in the Azure portal.

In the Networking tab:

  1. Specify Virtual network and Subnet. Select the Virtual Network on which you deployed the private endpoint.
  2. Specify a public IP resource.
  3. For NIC network security group, select None.
  4. For Load balancing, select No.

Connect to the VM, open a command prompt, and run the following command:

nslookup <your-relay-namespace-name>.servicebus.windows.net

You should see a result that looks like the following.

Non-authoritative answer:
Name:    <namespace-name>.privatelink.servicebus.windows.net
Address:  10.0.0.4 (private IP address associated with the private endpoint)
Aliases:  <namespace-name>.servicebus.windows.net
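The nslookup output above has to be read by eye. The script below is an added example, not part of the original article: run on the test VM, it checks the same two things automatically, that the alias chain goes through privatelink.servicebus.windows.net (the private DNS zone is linked) and that the returned address lies inside the VNet (the private endpoint NIC, not the public IP), then confirms the private IP accepts TCP 443. It assumes Windows PowerShell with Resolve-DnsName and Test-NetConnection, and the VNet prefix is the 10.0.0.0/16 used in the PowerShell deployment above; adjust it to yours.

```powershell
# Added validation script (not from the original article). Assumes Windows PowerShell with the
# DnsClient and NetTCPIP modules on a VM inside the private endpoint's virtual network.
$namespaceName = "<NAMESPACE NAME>"     # constructed placeholder, replace with your namespace
$vnetPrefix    = "10.0.0.0/16"          # address space from the deployment script above

function Test-IpInPrefix {
    param([string]$Ip, [string]$Cidr)
    $network, $bits = $Cidr.Split('/')
    # Dotted quad -> 32-bit integer (uint64 arithmetic avoids signed overflow in PowerShell)
    $toInt = { param($b) [uint64]$b[0] * 16777216 + [uint64]$b[1] * 65536 + [uint64]$b[2] * 256 + [uint64]$b[3] }
    $ipInt  = & $toInt ([IPAddress]::Parse($Ip).GetAddressBytes())
    $netInt = & $toInt ([IPAddress]::Parse($network).GetAddressBytes())
    $mask   = [uint64](4294967296 - [math]::Pow(2, 32 - [int]$bits))
    return (($ipInt -band $mask) -eq ($netInt -band $mask))
}

$fqdn    = "$namespaceName.servicebus.windows.net"
$records = Resolve-DnsName -Name $fqdn -Type A
$cnames  = @($records | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -ExpandProperty NameHost)
$addrs   = @($records | Where-Object { $_.Type -eq 'A' }     | Select-Object -ExpandProperty IPAddress)

# Check 1: the alias chain must pass through the privatelink zone; if it does not, the
# private DNS zone is not linked to this VNet and clients resolve the public endpoint
if (-not ($cnames | Where-Object { $_ -like '*.privatelink.servicebus.windows.net' })) {
    Write-Warning "$fqdn did not resolve via privatelink.servicebus.windows.net; check the private DNS zone link"
}

# Check 2: every returned address must sit inside the VNet, i.e. be the private endpoint NIC
foreach ($a in $addrs) {
    if (Test-IpInPrefix -Ip $a -Cidr $vnetPrefix) {
        Write-Output "OK: $fqdn -> $a is inside $vnetPrefix (traffic stays on the private endpoint)"
    } else {
        Write-Warning "$fqdn -> $a is outside $vnetPrefix; clients on this VM would use the public endpoint"
    }
}

# Check 3: the private IP must accept TCP 443, the standard relay port for client connections
foreach ($a in $addrs) {
    Test-NetConnection -ComputerName $a -Port 443 | Select-Object ComputerName, RemotePort, TcpTestSucceeded
}
```

If you run a relay listener on the VM, remember the note at the top of the article: outbound ports 9400-9599 must also be open in addition to the standard relay ports.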

Limitations and Design Considerations

Design considerations

Limitations

  • Maximum number of private endpoints per Azure Relay namespace: 64.
  • Maximum number of Azure Relay namespaces with private endpoints per subscription: 64.
  • Network Security Group (NSG) rules and User-Defined Routes don't apply to Private Endpoint. For more information, see Azure Private Link service: Limitations

Next Steps