Using Private Link with IoT Edge

Applies to: IoT Edge 1.5, IoT Edge 1.4

Important

IoT Edge 1.5 LTS and IoT Edge 1.4 LTS are supported releases. IoT Edge 1.4 LTS is end of life on November 12, 2024. If you are on an earlier release, see Update IoT Edge.

In Industrial IoT (IIoT) scenarios, you may want to use IoT Edge and completely isolate your network from the internet traffic. You can achieve this requirement by using various services in Azure. The following diagram is an example reference architecture for a factory network scenario.

Diagram of how to use Azure Private Link and Private Endpoints to secure Azure IoT traffic.

In the preceding diagram, the network for the IoT Edge device and the PaaS services is isolated from internet traffic. ExpressRoute or a Site-to-Site VPN provides an encrypted tunnel for the traffic between the on-premises network and Azure, and the Azure services are reached through the Azure Private Link service. Azure IoT services such as IoT Hub, Device Provisioning Service (DPS), Container Registry, and Blob Storage all support Private Link.

ExpressRoute

ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over a private connection with the help of a connectivity provider. In IIoT, reliable connectivity from the devices at the edge to the cloud can be a significant requirement, and ExpressRoute meets this requirement with a Connection Uptime SLA (Service Level Agreement). To learn more about how Azure ExpressRoute helps provide secure connectivity for edge devices in a private network, see What is Azure ExpressRoute?.

Azure Private Link

Azure Private Link enables you to access Azure PaaS services and Azure-hosted customer-owned or partner services over a private endpoint in your virtual network. You can access your services running in Azure over ExpressRoute private peering, Site-to-Site (S2S) VPN, and peered virtual networks. In IIoT, private links give you the flexibility to connect devices located in different regions. With a private endpoint, you can also disable public access to the PaaS resource and route your traffic through the firewall. To learn more about Azure Private Link, see What is Azure Private Link?.

Azure DNS Private Resolver

Azure DNS Private Resolver lets you query Azure DNS private zones from an on-premises environment and vice versa without deploying VM-based DNS servers. Azure DNS Private Resolver reduces the complexity of managing both private and public IPs. The DNS forwarding ruleset feature in Azure DNS Private Resolver lets an IoT admin configure rules that control which address a given endpoint resolves to for on-premises clients. To learn more about Azure DNS Private Resolver, see What is Azure DNS Private Resolver?.
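The private endpoint and DNS Private Resolver sections above share one operational point: traffic only stays on the isolated network if the hostnames the IoT Edge device uses (IoT Hub, DPS, Container Registry, Blob Storage) resolve to the private endpoint's address rather than the public PaaS address. The following script is an added example, not code from this page or from Microsoft; it audits a set of hostname resolutions and flags any service name that still resolves to a public address or does not resolve at all. The hostnames and the sample resolution results are constructed placeholders, and `resolve_live` is an assumed helper that uses the device's configured resolver when network access is available.

```python
"""Audit whether Azure IoT service hostnames resolve to private addresses.

Added example (not from the page): with Private Link in place, every
hostname the IoT Edge device contacts should resolve to the private
endpoint (an RFC 1918 or otherwise private address). A public answer
means DNS is not pointing at the private endpoint and traffic would
leave the isolated network even though the endpoint exists.
"""
import ipaddress
import socket
from typing import Dict, List

# Constructed placeholder hostnames for the four services named on the page.
EXPECTED_PRIVATE_HOSTS = [
    "example-hub.azure-devices.net",               # IoT Hub (placeholder)
    "example-dps.azure-devices-provisioning.net",  # DPS (placeholder)
    "exampleacr.azurecr.io",                       # Container Registry (placeholder)
    "examplestore.blob.core.windows.net",          # Blob Storage (placeholder)
]


def is_private_address(addr: str) -> bool:
    """True for RFC 1918, link-local and ULA addresses; False for public ones."""
    return ipaddress.ip_address(addr).is_private


def classify(hostname: str, addresses: List[str]) -> Dict[str, object]:
    """Classify one hostname's resolution results.

    'private'    - every resolved address is private (expected state)
    'public'     - at least one address is public (traffic would leave the network)
    'unresolved' - the lookup returned nothing (private zone not reachable)
    """
    if not addresses:
        return {"host": hostname, "status": "unresolved", "addresses": [], "public": []}
    public = [a for a in addresses if not is_private_address(a)]
    status = "public" if public else "private"
    return {"host": hostname, "status": status, "addresses": addresses, "public": public}


def audit(resolutions: Dict[str, List[str]]) -> List[Dict[str, object]]:
    """Return a finding for every host that is not privately resolved."""
    findings = []
    for host, addrs in resolutions.items():
        result = classify(host, addrs)
        if result["status"] != "private":
            findings.append(result)
    return findings


def resolve_live(hosts: List[str]) -> Dict[str, List[str]]:
    """Resolve hostnames with the device's configured resolver (needs network access).

    Assumed helper: run this on the IoT Edge device so the answers reflect
    the DNS forwarding rules the device actually uses.
    """
    out: Dict[str, List[str]] = {}
    for host in hosts:
        try:
            infos = socket.getaddrinfo(host, None)
            out[host] = sorted({info[4][0] for info in infos})
        except socket.gaierror:
            out[host] = []
    return out


# Constructed offline sample: hub and DPS resolve to private endpoint
# addresses, the registry still resolves to a public address, and the
# storage account does not resolve at all.
SAMPLE_RESOLUTIONS = {
    "example-hub.azure-devices.net": ["10.20.1.4"],
    "example-dps.azure-devices-provisioning.net": ["10.20.1.5"],
    "exampleacr.azurecr.io": ["20.0.0.1"],  # public: DNS not pointing at the private endpoint
    "examplestore.blob.core.windows.net": [],
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_RESOLUTIONS):
        print(f"{finding['host']}: {finding['status']} {finding['public']}")
```

Run it on the device itself (`audit(resolve_live(EXPECTED_PRIVATE_HOSTS))`) rather than from an admin workstation, because the point of the check is the resolver configuration the edge device sees; a public answer for any of these names is the condition the DNS forwarding ruleset is meant to prevent.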

For a walk-through example scenario, see Using Azure Private Link and Private Endpoints to secure Azure IoT traffic. This example illustrates a possible configuration for a factory network and is not intended as a production-ready reference.