Quickstart: Create a private endpoint by using the Azure portal

Get started with Azure Private Link by creating and using a private endpoint to connect securely to an Azure web app.

In this quickstart, create a private endpoint for an Azure App Services web app and then create and deploy a virtual machine (VM) to test the private connection.

You can create private endpoints for various Azure services, such as Azure SQL and Azure Storage.

Diagram of resources created in private endpoint quickstart.

Prerequisites

  • An Azure account with an active subscription. If you don't already have an Azure account, create an account for free.

  • An Azure App Services web app with a Basic, Standard, PremiumV2, PremiumV3, IsolatedV2, Functions Premium (sometimes referred to as the Elastic Premium plan) app service plan, deployed in your Azure subscription.

Sign in to Azure

Sign in to the Azure portal.

Create a virtual network and bastion host

The following procedure creates a virtual network with a resource subnet, an Azure Bastion subnet, and an Azure Bastion host.

  1. In the portal, search for and select Virtual networks.

  2. On the Virtual networks page, select + Create.

  3. On the Basics tab of Create virtual network, enter or select the following information:

    Setting Value
    Project details
    Subscription Select your subscription.
    Resource group Select Create new.
    Enter test-rg in Name.
    Select OK.
    Instance details
    Name Enter vnet-1.
    Region Select East US 2.

    Screenshot of Basics tab of Create virtual network in the Azure portal

  4. Select Next to proceed to the Security tab.

  5. Select Enable Bastion in the Azure Bastion section of the Security tab.

    Azure Bastion uses your browser to connect to VMs in your virtual network over secure shell (SSH) or remote desktop protocol (RDP) by using their private IP addresses. The VMs don't need public IP addresses, client software, or special configuration. For more information about Azure Bastion, see Azure Bastion

    Note

    Hourly pricing starts from the moment that Bastion is deployed, regardless of outbound data usage. For more information, see Pricing and SKUs.

    If you're deploying Bastion as part of a tutorial or test, we recommend that you delete this resource after you finish using it.

  6. Enter or select the following information in Azure Bastion:

    Setting Value
    Azure Bastion host name Enter bastion.
    Azure Bastion public IP address Select Create a public IP address.
    Enter public-ip in Name.
    Select OK.

    Screenshot of enable bastion host in Create virtual network in the Azure portal.

  7. Select Next to proceed to the IP Addresses tab.

  8. In the address space box in Subnets, select the default subnet.

  9. In Edit subnet, enter or select the following information:

    Setting Value
    Subnet details
    Subnet template Leave the default Default.
    Name Enter subnet-1.
    Starting address Leave the default of 10.0.0.0.
    Subnet size Leave the default of /24(256 addresses).

    Screenshot of default subnet rename and configuration.

  10. Select Save.

  11. Select Review + create at the bottom of the screen, and when validation passes, select Create.

Create a private endpoint

Next, you create a private endpoint for the web app that you created in the Prerequisites section.

Important

You must have a previously deployed Azure App Services web app to proceed with the steps in this article. For more information, see Prerequisites .

  1. In the search box at the top of the portal, enter Private endpoint. Select Private endpoints.

  2. Select + Create in Private endpoints.

  3. In the Basics tab of Create a private endpoint, enter or select the following information.

    Setting Value
    Project details
    Subscription Select your subscription.
    Resource group Select test-rg
    Instance details
    Name Enter private-endpoint.
    Network Interface Name Leave the default of private-endpoint-nic.
    Region Select East US 2.
  4. Select Next: Resource.

  5. In the Resource pane, enter or select the following information.

    Setting Value
    Connection method Leave the default of Connect to an Azure resource in my directory.
    Subscription Select your subscription.
    Resource type Select Microsoft.Web/sites.
    Resource Select webapp-1.
    Target subresource Select sites.
  6. Select Next: Virtual Network.

  7. In Virtual Network, enter or select the following information.

    Setting Value
    Networking
    Virtual network Select vnet-1 (test-rg).
    Subnet Select subnet-1.
    Network policy for private endpoints Select edit to apply Network policy for private endpoints.
    In Edit subnet network policy, select the checkbox next to Network security groups and Route Tables in the Network policies setting for all private endpoints in this subnet pull-down.
    Select Save.

    For more information, see Manage network policies for private endpoints
    Setting Value
    Private IP configuration Select Dynamically allocate IP address.

    Screenshot of dynamic IP address selection.

  8. Select Next: DNS.

  9. Leave the defaults in DNS. Select Next: Tags, then Next: Review + create.

  10. Select Create.

Create test virtual machine

The following procedure creates a test virtual machine (VM) named vm-1 in the virtual network.

  1. In the portal, search for and select Virtual machines.

  2. In Virtual machines, select + Create, then Azure virtual machine.

  3. On the Basics tab of Create a virtual machine, enter or select the following information:

    Setting Value
    Project details
    Subscription Select your subscription.
    Resource group Select test-rg.
    Instance details
    Virtual machine name Enter vm-1.
    Region Select East US 2.
    Availability options Select No infrastructure redundancy required.
    Security type Leave the default of Standard.
    Image Select Windows Server 2022 Datacenter - x64 Gen2.
    VM architecture Leave the default of x64.
    Size Select a size.
    Administrator account
    Authentication type Select Password.
    Username Enter azureuser.
    Password Enter a password.
    Confirm password Reenter the password.
    Inbound port rules
    Public inbound ports Select None.
  4. Select the Networking tab at the top of the page.

  5. Enter or select the following information in the Networking tab:

    Setting Value
    Network interface
    Virtual network Select vnet-1.
    Subnet Select subnet-1 (10.0.0.0/24).
    Public IP Select None.
    NIC network security group Select Advanced.
    Configure network security group Select Create new.
    Enter nsg-1 for the name.
    Leave the rest at the defaults and select OK.
  6. Leave the rest of the settings at the defaults and select Review + create.

  7. Review the settings and select Create.

Note

Virtual machines in a virtual network with a bastion host don't need public IP addresses. Bastion provides the public IP, and the VMs use private IPs to communicate within the network. You can remove the public IPs from any VMs in bastion hosted virtual networks. For more information, see Dissociate a public IP address from an Azure VM.

Note

Azure provides a default outbound access IP for VMs that either aren't assigned a public IP address or are in the backend pool of an internal basic Azure load balancer. The default outbound access IP mechanism provides an outbound IP address that isn't configurable.

The default outbound access IP is disabled when one of the following events happens:

  • A public IP address is assigned to the VM.
  • The VM is placed in the backend pool of a standard load balancer, with or without outbound rules.
  • An Azure Virtual Network NAT gateway resource is assigned to the subnet of the VM.

VMs that you create by using virtual machine scale sets in flexible orchestration mode don't have default outbound access.

For more information about outbound connections in Azure, see Default outbound access in Azure and Use Source Network Address Translation (SNAT) for outbound connections.

Test connectivity to the private endpoint

Use the virtual machine that you created earlier to connect to the web app across the private endpoint.

  1. In the search box at the top of the portal, enter Virtual machine. Select Virtual machines.

  2. Select vm-1.

  3. On the overview page for vm-1, select Connect, and then select the Bastion tab.

  4. Select Use Bastion.

  5. Enter the username and password that you used when you created the VM.

  6. Select Connect.

  7. After you've connected, open PowerShell on the server.

  8. Enter nslookup webapp-1.azurewebsites.net. You receive a message that's similar to the following example:

    Server:  UnKnown
    Address:  168.63.129.16
    
    Non-authoritative answer:
    Name:    webapp-1.privatelink.azurewebsites.net
    Address:  10.0.0.10
    Aliases:  webapp-1.azurewebsites.net
    

    A private IP address of 10.0.0.10 is returned for the web app name if you chose static IP address in the previous steps. This address is in the subnet of the virtual network you created earlier.

  9. In the bastion connection to vm-1, open the web browser.

  10. Enter the URL of your web app, https://webapp-1.azurewebsites.net.

    If your web app hasn't been deployed, you get the following default web app page:

    Screenshot of the default web app page on a browser.

  11. Close the connection to vm-1.

Clean up resources

When you're done using the resources created, you can delete the resource group and all its resources.

  1. In the Azure portal, search for and select Resource groups.

  2. On the Resource groups page, select the test-rg resource group.

  3. On the test-rg page, select Delete resource group.

  4. Enter test-rg in Enter resource group name to confirm deletion and select Delete.

Next steps

In this quickstart, you created:

  • A virtual network and bastion host

  • A virtual machine

  • A private endpoint for an Azure web app

You used the VM to test connectivity to the web app across the private endpoint.

For more information about the services that support private endpoints, see: