Use APIs to create a private link for managing Azure resources

This article explains how you can use Azure Private Link to restrict access for managing resources in your subscriptions.

Private links enable you to access Azure services over a private endpoint in your virtual network. When you combine private links with Azure Resource Manager's operations, you block users who aren't at the specific endpoint from managing resources. If a malicious user gets credentials to an account in your subscription, that user can't manage the resources without being at the specific endpoint.

Private link provides the following security benefits:

  • Private Access - users can manage resources from a private network via a private endpoint.

Note

Azure Kubernetes Service (AKS) currently doesn't support the ARM private endpoint implementation.

Azure Bastion doesn't support private links. A private DNS zone is recommended for the private endpoint configuration of your resource management private link, but because that zone overlaps with the management.azure.com name, your Bastion instance will stop working. For more information, see the Azure Bastion FAQ.

Understand architecture

Important

For this release, you can only apply private link management access at the level of the root management group. This limitation means private link access is applied across your tenant.

There are two resource types you'll use when implementing management through a private link.

  • Resource management private link (Microsoft.Authorization/resourceManagementPrivateLinks)
  • Private link association (Microsoft.Authorization/privateLinkAssociations)

The following image shows how to construct a solution that restricts access for managing resources.

Resource management private link diagram

The private link association extends the root management group. The private link association and the private endpoints reference the resource management private link.

Important

Multi-tenant accounts aren't currently supported for managing resources through a private link. You can't connect private link associations on different tenants to a single resource management private link.

If your account accesses more than one tenant, define a private link for only one of them.

Workflow

To set up a private link for resources, use the following steps. The steps are described in greater detail later in this article.

  1. Create the resource management private link.
  2. Create a private link association. The private link association extends the root management group. It also references the resource ID for the resource management private link.
  3. Add a private endpoint that references the resource management private link.

After completing those steps, you can manage Azure resources that are within the hierarchy of the scope. You use a private endpoint that is connected to the subnet.

You can monitor access to the private link. For more information, see Logging and monitoring.

Required permissions

Important

For this release, you can only apply private link management access at the level of the root management group. This limitation means private link access is applied across your tenant.

To set up the private link for resource management, you need the following access:

  • Owner on the subscription. This access is needed to create the resource management private link resource.
  • Owner or Contributor at the root management group. This access is needed to create the private link association resource.
  • The Global Administrator for the Microsoft Entra ID doesn't automatically have permission to assign roles at the root management group. To enable creating resource management private links, the Global Administrator must have permission to read root management group and elevate access to have User Access Administrator permission on all subscriptions and management groups in the tenant. After you get the User Access Administrator permission, the Global Administrator must grant Owner or Contributor permission at the root management group to the user creating the private link association.

To create the resource management private link, send the following request:

Example

# Login first with az login if not using Cloud Shell
az resourcemanagement private-link create --location WestUS --resource-group PrivateLinkTestRG --name NewRMPL

Note the ID that is returned for the new resource management private link. You'll use it for creating the private link association.

The resource name of a private link association resource must be a GUID. Disabling the publicNetworkAccess field isn't yet supported.

To create the private link association, use:

Example

# Login first with az login if not using Cloud Shell
az private-link association create --management-group-id fc096d27-0434-4460-a3ea-110df0422a2d --name 1d7942d1-288b-48de-8d0f-2d2aa8e03ad4 --privatelink "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/PrivateLinkTestRG/providers/Microsoft.Authorization/resourceManagementPrivateLinks/newRMPL"

Add private endpoint

This article assumes you already have a virtual network. In the subnet that will be used for the private endpoint, you must turn off private endpoint network policies. If you haven't turned off private endpoint network policies, see Disable network policies for private endpoints.

To create a private endpoint, see Private Endpoint documentation for creating via Portal, PowerShell, CLI, Bicep, or template.

In the request body, set privateLinkServiceId to the ID of your resource management private link. The groupIds array must contain ResourceManagement. The location of the private endpoint must be the same as the location of the subnet.

{
  "location": "westus2",
  "properties": {
    "privateLinkServiceConnections": [
      {
        "name": "{connection-name}",
        "properties": {
          "privateLinkServiceId": "/subscriptions/{subID}/resourceGroups/{rgName}/providers/Microsoft.Authorization/resourceManagementPrivateLinks/{name}",
          "groupIds": [
            "ResourceManagement"
          ]
        }
      }
    ],
    "subnet": {
      "id": "/subscriptions/{subID}/resourceGroups/{rgName}/providers/Microsoft.Network/virtualNetworks/{vnet-name}/subnets/{subnet-name}"
    }
  }
}

The next step varies depending on whether you're using automatic or manual approval. For more information about approval, see Access to a private link resource using approval workflow.

The response includes the approval state:

"privateLinkServiceConnectionState": {
    "actionsRequired": "None",
    "description": "",
    "status": "Approved"
},

If your request is automatically approved, you can continue to the next section. If your request requires manual approval, wait for the network admin to approve your private endpoint connection.
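The following Python script is an added example, not code from this article or from Azure; it composes the private endpoint request body under the constraints stated above (a resourceManagementPrivateLinks ID, groupIds containing ResourceManagement, endpoint location matching the subnet) and reads the approval state out of a response. The resource IDs, the subnet location and the sample response are constructed values, not real resources.

```python
import re
import uuid

# Constructed sample IDs (placeholder subscription, not a real tenant).
RMPL_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
           "PrivateLinkTestRG/providers/Microsoft.Authorization/"
           "resourceManagementPrivateLinks/NewRMPL")
SUBNET_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
             "PrivateLinkTestRG/providers/Microsoft.Network/virtualNetworks/"
             "PlVnet/subnets/PlSubnet")

# Only a resource management private link may be the target of this endpoint.
RMPL_PATTERN = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/"
    r"Microsoft\.Authorization/resourceManagementPrivateLinks/[^/]+$", re.IGNORECASE)


def is_guid(name):
    """Private link association names must be canonical GUIDs."""
    try:
        return str(uuid.UUID(name)) == name.lower()
    except ValueError:
        return False


def build_private_endpoint_body(rmpl_id, subnet_id, subnet_location, connection_name):
    """Compose the endpoint body; the endpoint location must equal the subnet's."""
    if not RMPL_PATTERN.match(rmpl_id):
        raise ValueError("privateLinkServiceId is not a resourceManagementPrivateLinks ID")
    return {
        "location": subnet_location,
        "properties": {
            "privateLinkServiceConnections": [{
                "name": connection_name,
                "properties": {"privateLinkServiceId": rmpl_id,
                               "groupIds": ["ResourceManagement"]},
            }],
            "subnet": {"id": subnet_id},
        },
    }


def connection_approved(response):
    """True only when every connection in the endpoint response is Approved."""
    conns = response.get("properties", {}).get("privateLinkServiceConnections", [])
    return bool(conns) and all(
        c.get("properties", {}).get("privateLinkServiceConnectionState", {})
         .get("status") == "Approved" for c in conns)


# Constructed response shaped like the approval fragment shown above.
SAMPLE_RESPONSE = {"properties": {"privateLinkServiceConnections": [{"properties": {
    "privateLinkServiceConnectionState": {"actionsRequired": "None",
                                          "description": "", "status": "Approved"}}}]}}
```

Run connection_approved against the JSON returned by the private endpoint GET before relying on the endpoint; a "Pending" status means the network admin has not approved the connection yet.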

Next steps

To learn more about private links, see Azure Private Link.