Configure an application security group with a private endpoint
Azure Private Link private endpoints support application security groups (ASGs) for network security. You can associate private endpoints with an existing ASG in your current infrastructure alongside virtual machines and other network resources.
Prerequisites
- An Azure account with an active subscription. If you don't already have an Azure account, create an account for free.
- An Azure web app with a Premium V2 tier or higher app service plan deployed in your Azure subscription.
- The example virtual network used in this article is named myVNet. Replace the example with your virtual network.
- The latest version of the Azure CLI, installed.
  - Check your version of the Azure CLI in a terminal or command window by running az --version. For the latest version, see the most recent release notes.
- If you choose to install and use PowerShell locally, this article requires Azure PowerShell module version 5.4.1 or later. To find the installed version, run Get-Module -ListAvailable Az. If you need to upgrade, see Install the Azure PowerShell module. If you're running PowerShell locally, you also need to run Connect-AzAccount to create a connection with Azure.
Create a private endpoint with an ASG
You can associate an ASG with a private endpoint at the time the endpoint is created. The following procedures show how to do this in the Azure portal and in Azure PowerShell.
Azure portal
1. In the search box at the top of the portal, enter Private endpoint. Select Private endpoints in the search results.
2. Select + Create in Private endpoints.
3. On the Basics tab of Create a private endpoint, enter or select the following information:

| Setting | Value |
|---|---|
| Project details | |
| Subscription | Select your subscription. |
| Resource group | Select your resource group. In this example, it's myResourceGroup. |
| Instance details | |
| Name | Enter myPrivateEndpoint. |
| Region | Select East US. |

4. Select Next: Resource at the bottom of the page.
5. On the Resource tab, enter or select the following information:

| Setting | Value |
|---|---|
| Connection method | Select Connect to an Azure resource in my directory. |
| Subscription | Select your subscription. |
| Resource type | Select Microsoft.Web/sites. |
| Resource | Select mywebapp1979. |
| Target subresource | Select sites. |

6. Select Next: Virtual Network at the bottom of the page.
7. On the Virtual Network tab, enter or select the following information:

| Setting | Value |
|---|---|
| Networking | |
| Virtual network | Select myVNet. |
| Subnet | Select your subnet. In this example, it's myVNet/myBackendSubnet (10.0.0.0/24). |
| Enable network policies for all private endpoints in this subnet | Leave the default selected. |
| Application security group | |
| Application security group | Select myASG. |

8. Select Next: DNS at the bottom of the page.
9. Select Next: Tags at the bottom of the page.
10. Select Next: Review + create.
11. Select Create.
Azure PowerShell
```powershell
## Place the previously created webapp into a variable. ##
$webapp = Get-AzWebApp -ResourceGroupName 'myResourceGroup' -Name 'myWebApp1979'

## Create the private endpoint connection. ##
$pec = @{
    Name = 'myConnection'
    PrivateLinkServiceId = $webapp.Id
    GroupId = 'sites'
}
$privateEndpointConnection = New-AzPrivateLinkServiceConnection @pec

## Place the virtual network you created previously into a variable. ##
$vnet = Get-AzVirtualNetwork -ResourceGroupName 'myResourceGroup' -Name 'myVNet'

## Place the application security group you created previously into a variable. ##
$asg = Get-AzApplicationSecurityGroup -ResourceGroupName 'myResourceGroup' -Name 'myASG'

## Create the private endpoint. ##
## Subnets[0] is the first subnet in the virtual network; pick the subnet you intend to use. ##
$pe = @{
    ResourceGroupName = 'myResourceGroup'
    Name = 'myPrivateEndpoint'
    Location = 'eastus'
    Subnet = $vnet.Subnets[0]
    PrivateLinkServiceConnection = $privateEndpointConnection
    ApplicationSecurityGroup = $asg
}
New-AzPrivateEndpoint @pe
```
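An ASG association only has a security effect if the subnet keeps private endpoint network policies enabled and the subnet's NSG actually has a rule that targets the ASG. The following post-deployment check is an added example, not code from the article; it uses the article's example names and assumes the private endpoint object exposes an ApplicationSecurityGroups list property mirroring the -ApplicationSecurityGroup parameter used above.

```powershell
# Added verification script (not from the article). Confirms that (1) the private
# endpoint is a member of the ASG, (2) the subnet has private endpoint network
# policies enabled, and (3) the subnet's NSG has a rule that targets the ASG.
param(
    [string]$ResourceGroup = 'myResourceGroup',
    [string]$EndpointName  = 'myPrivateEndpoint',
    [string]$VnetName      = 'myVNet',
    [string]$SubnetName    = 'myBackendSubnet',
    [string]$AsgName       = 'myASG'
)

$asg    = Get-AzApplicationSecurityGroup -ResourceGroupName $ResourceGroup -Name $AsgName
$pe     = Get-AzPrivateEndpoint -ResourceGroupName $ResourceGroup -Name $EndpointName
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroup -Name $VnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName

# 1. ASG membership (ApplicationSecurityGroups is the assumed property name).
$member = $pe.ApplicationSecurityGroups | Where-Object { $_.Id -eq $asg.Id }
if ($member) { Write-Host "OK: $EndpointName is a member of ASG $AsgName" }
else         { Write-Warning "$EndpointName is NOT associated with ASG $AsgName" }

# 2. Network policies: unless enabled, NSG rules are not applied to the endpoint's NIC.
$policy = $subnet.PrivateEndpointNetworkPolicies
if ($policy -in 'Enabled', 'NetworkSecurityGroupEnabled') {
    Write-Host "OK: private endpoint network policies = $policy"
} else {
    Write-Warning "Network policies are '$policy' on $SubnetName; NSG/ASG rules will not filter endpoint traffic"
}

# 3. NSG rules that use the ASG as a destination.
if (-not $subnet.NetworkSecurityGroup) {
    Write-Warning "No NSG is attached to $SubnetName; the ASG membership has no effect here"
    return
}
# NSG resource ID: /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/networkSecurityGroups/<name>
$parts = $subnet.NetworkSecurityGroup.Id -split '/'
$nsg   = Get-AzNetworkSecurityGroup -ResourceGroupName $parts[4] -Name $parts[-1]
$rules = $nsg.SecurityRules | Where-Object {
    $_.DestinationApplicationSecurityGroups.Id -contains $asg.Id
}
if ($rules) {
    $rules | Select-Object Name, Priority, Direction, Access, SourceAddressPrefix, DestinationPortRange | Format-Table
} else {
    Write-Warning "No rule on NSG $($nsg.Name) targets $AsgName; the ASG association is currently a no-op"
}
```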
Associate an ASG with an existing private endpoint
You can also associate an ASG with a private endpoint that already exists. The following procedures show how.
Important
You must have a previously deployed private endpoint to proceed with the steps in this section. The example endpoint used in this section is named myPrivateEndpoint. Replace the example with your private endpoint.