Azure Private Link Service enables you to access Azure services (for example, Managed HSM, Azure Storage, and Azure Cosmos DB) and Azure-hosted customer or partner services over a private endpoint in your virtual network.
An Azure Private Endpoint is a network interface that connects you privately and securely to a service powered by Azure Private Link. The private endpoint uses a private IP address from your VNet, effectively bringing the service into your VNet. All traffic to the service can be routed through the private endpoint, so no gateways, NAT devices, ExpressRoute or VPN connections, or public IP addresses are needed. Traffic between your virtual network and the service traverses the Microsoft backbone network, eliminating exposure to the public Internet. You can connect to a single instance of an Azure resource, which gives you the highest level of granularity in access control.
Owner or contributor permissions for both the managed HSM and the virtual network.
The Azure CLI version 2.25.0 or later. Run az --version to find the version. If you need to install or upgrade, see Install the Azure CLI.
Your private endpoint and virtual network must be in the same region. When you select a region for the private endpoint in the portal, the portal automatically lists only virtual networks in that region. Your HSM can be in a different region.
Your private endpoint uses a private IP address in your virtual network.
Establish a private link connection to Managed HSM using CLI (Initial Setup)
Azure CLI

```azurecli
az login # Login to Azure CLI
az account set --subscription {SUBSCRIPTION ID} # Select your Azure Subscription
az group create -n {RESOURCE GROUP} -l {REGION} # Create a new Resource Group
az provider register -n Microsoft.KeyVault # Register KeyVault as a provider
az keyvault update-hsm --hsm-name {HSM NAME} -g {RG} --default-action deny # Turn on firewall
az network vnet create -g {RG} -n {vNet NAME} --location {REGION} # Create a Virtual Network

# Create a Subnet
az network vnet subnet create -g {RG} --vnet-name {vNet NAME} --name {subnet NAME} --address-prefixes {addressPrefix}

# Disable Virtual Network Policies
az network vnet subnet update --name {subnet NAME} --resource-group {RG} --vnet-name {vNet NAME} --disable-private-endpoint-network-policies true

# Create a Private DNS Zone
az network private-dns zone create --resource-group {RG} --name privatelink.managedhsm.azure.net

# Link the Private DNS Zone to the Virtual Network
az network private-dns link vnet create --resource-group {RG} --virtual-network {vNet NAME} --zone-name privatelink.managedhsm.azure.net --name {dnsZoneLinkName} --registration-enabled true
```
Allow trusted services to access Managed HSM
When the firewall is turned on, all access to the HSM from any location that is not using a private endpoint connection is denied, including the public Internet and Azure services. Use the `--bypass AzureServices` option if you want to allow Microsoft services to access the keys in your Managed HSM. The individual entities (such as an Azure Storage account or an Azure SQL Server) still need specific role assignments in place to be able to access a key.

```azurecli
# Show Connection Status
az network private-endpoint show --resource-group {RG} --name {Private Endpoint Name}

# Approve a Private Link Connection Request
az keyvault private-endpoint-connection approve --description {"OPTIONAL DESCRIPTION"} --resource-group {RG} --hsm-name {HSM NAME} --name {PRIVATE LINK CONNECTION NAME}

# Deny a Private Link Connection Request
az keyvault private-endpoint-connection reject --description {"OPTIONAL DESCRIPTION"} --resource-group {RG} --hsm-name {HSM NAME} --name {PRIVATE LINK CONNECTION NAME}

# Delete a Private Link Connection Request
az keyvault private-endpoint-connection delete --resource-group {RG} --hsm-name {HSM NAME} --name {PRIVATE LINK CONNECTION NAME}
```
Add Private DNS Records
Azure CLI

```azurecli
# Determine the Private Endpoint IP address
az network private-endpoint show -g {RG} -n {PE NAME} # look for the property networkInterfaces, then id; the value must be placed in {PE NIC} below.
az network nic show --ids {PE NIC} # look for the property ipConfigurations, then privateIpAddress; the value must be placed in {NIC IP} below.

# https://learn.microsoft.com/azure/dns/private-dns-getstarted-cli#create-an-additional-dns-record
az network private-dns zone list -g {RG}
az network private-dns record-set a add-record -g {RG} -z "privatelink.managedhsm.azure.net" -n {HSM NAME} -a {NIC IP}
az network private-dns record-set list -g {RG} -z "privatelink.managedhsm.azure.net"

# From a home/public network, you will get a public IP. From inside a vnet linked to the private zone, nslookup will resolve to the private IP.
nslookup {HSM NAME}.managedhsm.azure.net
nslookup {HSM NAME}.privatelink.managedhsm.azure.net
```
Validate that the private link connection works
You should validate that the resources within the same subnet of the private endpoint resource are connecting to your HSM over a private IP address, and that they have the correct private DNS zone integration.
Specify Virtual network and Subnet. You can create a new virtual network or select an existing one. If selecting an existing one, make sure the region matches.
Specify a Public IP resource.
In the "NIC network security group", select "None".
In the "Load balancing", select "No".
Open the command line and run the following command:
Console

```console
nslookup <your-HSM-name>.managedhsm.azure.net
```

If you run the nslookup command to resolve the IP address of a managed HSM over a public endpoint, you will see a result that looks like this:
Check to make sure the private endpoint is in the approved state.
Use the `az keyvault private-endpoint-connection show` subcommand to see the status of a private endpoint connection.
Make sure connection state is Approved and provisioning state is Succeeded.
Make sure the virtual network matches the one you are using.
Check to make sure you have a Private DNS Zone resource.
You must have a Private DNS Zone resource with the exact name: privatelink.managedhsm.azure.net.
To learn how to set this up, see Private DNS Zones.
Check to make sure the Private DNS Zone is linked to the Virtual Network. This may be the issue if you are still getting the public IP address returned.
If the Private DNS Zone is not linked to the virtual network, a DNS query originating from the virtual network will return the public IP address of the HSM.
Navigate to the Private DNS Zone resource in the Azure portal and click the virtual network links option.
The virtual network that will perform calls to the HSM must be listed.
Check to make sure the Private DNS Zone is not missing an A record for the HSM.
Navigate to the Private DNS Zone page.
Click Overview and check if there is an A record with the simple name of your HSM. Do not specify any suffix.
Make sure you check the spelling, and either create or fix the A record. You can use a TTL of 3600 (1 hour).
Make sure you specify the correct private IP address.
Check to make sure the A record has the correct IP Address.
You can confirm the IP address by opening the Private Endpoint resource in Azure portal.
Navigate to the Microsoft.Network/privateEndpoints resource, in the Azure portal
In the overview page look for Network interface and click that link.
The link will show the Overview of the NIC resource, which contains the property Private IP address.
Verify that this is the correct IP address that is specified in the A record.
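The checks above can be scripted. The following is an added example, not part of the Microsoft Learn article: it takes nslookup output, extracts the answer address, and reports whether the HSM name resolved to the private endpoint NIC (expected), to a public address (zone not linked or A record missing), or to some other private address (stale A record). The hostname `contoso-hsm`, the addresses in the sample output, and `PE_NIC_IP` are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the Microsoft Learn article): decide whether a Managed
# HSM hostname resolved to the private endpoint or to the public endpoint.

# Return 0 if the dotted-quad IPv4 address is in an RFC 1918 private range.
is_private_ipv4() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the answer address from nslookup output on stdin. nslookup lists the
# resolver first ("Server:"/"Address:"), so the answer is the last "Address:" line.
answer_ip() {
  awk '/^Address:/ { ip = $2 } END { print ip }'
}

# Compare the resolved address with the private endpoint NIC address and print
# "private-link" (expected), "public" (zone not linked or A record missing), or
# "mismatch" (a private address that is not this endpoint's NIC: stale A record).
classify() {
  if ! is_private_ipv4 "$1"; then
    echo public
  elif [ "$1" = "$2" ]; then
    echo private-link
  else
    echo mismatch
  fi
}

# Constructed sample nslookup output; hostname and addresses are placeholders.
INSIDE_VNET='Server:  168.63.129.16
Address:  168.63.129.16#53
Name:    contoso-hsm.privatelink.managedhsm.azure.net
Address:  10.1.0.4'
OUTSIDE_VNET='Server:  192.168.1.1
Address:  192.168.1.1#53
Name:    contoso-hsm.managedhsm.azure.net
Address:  203.0.113.25'

# Placeholder for the {NIC IP} value obtained from `az network nic show` above.
PE_NIC_IP="10.1.0.4"
echo "inside VNet:  $(classify "$(printf '%s\n' "$INSIDE_VNET" | answer_ip)" "$PE_NIC_IP")"
echo "outside VNet: $(classify "$(printf '%s\n' "$OUTSIDE_VNET" | answer_ip)" "$PE_NIC_IP")"
```

On a VM in the linked VNet, pipe the real `nslookup {HSM NAME}.managedhsm.azure.net` output into `answer_ip` and pass the result to `classify` with the NIC address from the private endpoint's overview page.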
Limitations and Design Considerations
Note
The number of managed HSMs with private endpoints enabled per subscription is an adjustable limit. The limit shown below is the default limit. If you would like to request a limit increase for your subscription, create an Azure support ticket. Requests are approved on a case-by-case basis.