Quickstart: Create a private endpoint by using the Azure portal
Get started with Azure Private Link by creating and using a private endpoint to connect securely to an Azure web app.
In this quickstart, you'll create a private endpoint for an Azure web app and then create and deploy a virtual machine (VM) to test the private connection.
You can create private endpoints for various Azure services, such as Azure SQL and Azure Storage.
Prerequisites
An Azure account with an active subscription. If you don't already have an Azure account, create an account for free.
An Azure web app with a PremiumV2-tier or higher app service plan, deployed in your Azure subscription.
For more information and an example, see Quickstart: Create an ASP.NET Core web app in Azure.
The example web app in this article is named myWebApp1979. Replace it with the name of your web app.
Create a virtual network and bastion host
Create a virtual network, subnet, and bastion host.
You use the bastion host to connect securely to the VM for testing the private endpoint.
Sign in to the Azure portal.
In the search box at the top of the portal, enter Virtual network. In the search results, select Virtual networks.
Select + Create in Virtual networks.
In the Basics tab of Create virtual network, enter or select the following information.
Setting | Value |
---|---|
Project details | |
Subscription | Select your subscription. |
Resource group | Select Create new. Enter CreatePrivateEndpointQS-rg in Name and select OK. |
Instance details | |
Name | Enter myVNet. |
Region | Select West Europe. |

Select the IP Addresses tab or select Next: IP Addresses at the bottom of the page.
In the IP Addresses tab, enter the following information:
Setting | Value |
---|---|
IPv4 address space | Enter 10.1.0.0/16. |

Under Subnet name, select the word default. If a subnet isn't present, select + Add subnet.
In Edit subnet, enter the following information:
Setting | Value |
---|---|
Subnet name | Enter mySubnet. |
Subnet address range | Enter 10.1.0.0/24. |

Select Save or Add.
Select Next: Security, or the Security tab.
Under BastionHost, select Enable. Enter the following information:
Setting | Value |
---|---|
Bastion name | Enter myBastionHost. |
AzureBastionSubnet address space | Enter 10.1.1.0/26. |
Public IP Address | Select Create new. For Name, enter myBastionIP. Select OK. |

Select the Review + create tab or select the Review + create button.
Select Create.
Note
The virtual network and subnet are created immediately. The Bastion host creation is submitted as a job and will complete within 10 minutes. You can proceed to the next steps while the Bastion host is created.
Create a test virtual machine
Next, create a VM that you can use to test the private endpoint.
Sign in to the Azure portal.
In the search box at the top of the portal, enter Virtual machine. Select Virtual machines.
Select + Create then Azure virtual machine in Virtual machines.
In the Basics tab of Create a virtual machine, enter or select the following information.
Setting | Value |
---|---|
Project details | |
Subscription | Select your Azure subscription. |
Resource group | Select CreatePrivateEndpointQS-rg. |
Instance details | |
Virtual machine name | Enter myVM. |
Region | Select West Europe. |
Availability options | Select No infrastructure redundancy required. |
Security type | Select Standard. |
Image | Select Windows Server 2022 Datacenter - Gen2. |
Size | Select the VM size or use the default setting. |
Administrator account | |
Username | Enter a username. |
Password | Enter a password. |
Confirm password | Reenter the password. |
Inbound port rules | |
Public inbound ports | Select None. |

Select the Networking tab.
In the Networking tab, enter or select the following information.
Setting | Value |
---|---|
Network interface | |
Virtual network | Select myVNet. |
Subnet | Select mySubnet (10.1.0.0/24). |
Public IP | Select None. |
NIC network security group | Select Basic. |
Public inbound ports | Select None. |

Select Review + create.
Review the settings, and then select Create.
Note
Azure provides a default outbound access IP for VMs that either aren't assigned a public IP address or are in the back-end pool of an internal basic Azure load balancer. The default outbound access IP mechanism provides an outbound IP address that isn't configurable.
The default outbound access IP is disabled when a public IP address is assigned to the VM, the VM is placed in the back-end pool of a standard load balancer, with or without outbound rules, or if an Azure Virtual Network NAT gateway resource is assigned to the subnet of the VM.
VMs that are created by virtual machine scale sets in flexible orchestration mode don't have default outbound access.
For more information about outbound connections in Azure, see Default outbound access in Azure and Use source network address translation (SNAT) for outbound connections.
Create a private endpoint
Next, you create a private endpoint for the web app that you created in the "Prerequisites" section.
Important
You must have a previously deployed Azure web app to proceed with the steps in this article. For more information, see Prerequisites.
In the search box at the top of the portal, enter Private endpoint. Select Private endpoints.
Select + Create in Private endpoints.
In the Basics tab of Create a private endpoint, enter or select the following information.
Setting | Value |
---|---|
Project details | |
Subscription | Select your subscription. |
Resource group | Select CreatePrivateEndpointQS-rg. |
Instance details | |
Name | Enter myPrivateEndpoint. |
Network Interface Name | Leave the default of myPrivateEndpoint-nic. |
Region | Select West Europe. |

Select Next: Resource.
In the Resource pane, enter or select the following information.
Setting | Value |
---|---|
Connection method | Leave the default of Connect to an Azure resource in my directory. |
Subscription | Select your subscription. |
Resource type | Select Microsoft.Web/sites. |
Resource | Select mywebapp1979. |
Target subresource | Select sites. |

Select Next: Virtual Network.
In Virtual Network, enter or select the following information.
Setting | Value |
---|---|
Networking | |
Virtual network | Select myVNet. |
Subnet | Select myVNet/mySubnet (10.1.0.0/24). |
Network policy for private endpoints | Select edit to apply Network security groups and/or Route tables to the subnet that contains the private endpoint. In Edit subnet network policy, select the checkbox next to Network security groups and Route Tables. Select Save. For more information, see Manage network policies for private endpoints. |
Private IP configuration | Select Dynamically allocate IP address. |
Select Next: DNS.
Leave the defaults in DNS. Select Next: Tags, then Next: Review + create.
Select Create.
Test connectivity to the private endpoint
Use the virtual machine that you created earlier to connect to the web app across the private endpoint.
In the search box at the top of the portal, enter Virtual machine. Select Virtual machines.
Select myVM.
On the overview page for myVM, select Connect, and then select Bastion.
Enter the username and password that you used when you created the VM.
Select Connect.
After you've connected, open PowerShell on the server.
Enter `nslookup mywebapp1979.azurewebsites.net`. You'll receive a message that's similar to the following example:

```
Server:  UnKnown
Address:  168.63.129.16

Non-authoritative answer:
Name:    mywebapp1979.privatelink.azurewebsites.net
Address:  10.1.0.5
Aliases:  mywebapp1979.azurewebsites.net
```
A private IP address of 10.1.0.5 is returned for the web app name if you chose dynamic IP address in the previous steps. This address is in the subnet of the virtual network you created earlier.
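The nslookup result is the check that matters: if the name still resolves to a public front-end address, the VM reaches the web app over the public path and the private endpoint is bypassed. The following Python script is an added example, not part of the Microsoft quickstart; it parses Windows nslookup output of the form shown above and verifies both that the privatelink name is in the resolution chain and that the returned address lies inside the private endpoint subnet (10.1.0.0/24 in this quickstart). The two nslookup outputs embedded in it are constructed samples, one healthy and one showing the public-resolution failure mode; the 203.0.113.10 address is a documentation placeholder.

```python
"""Verify that a web app name resolves through a private endpoint.

Added example (not Microsoft's code). It parses the kind of Windows
nslookup output the quickstart's test step shows and checks two things:
  1. the resolution path went through the privatelink zone, and
  2. the returned address is inside the private endpoint subnet,
     not a public Azure front-end IP.
The sample outputs below are constructed for this example.
"""
import ipaddress
import re

# Subnet that holds the private endpoint in this quickstart (mySubnet).
PRIVATE_ENDPOINT_SUBNET = ipaddress.ip_network("10.1.0.0/24")
PRIVATELINK_SUFFIX = ".privatelink.azurewebsites.net"

# Constructed sample: the healthy answer the quickstart says myVM should see.
NSLOOKUP_PRIVATE = """\
Server:  UnKnown
Address:  168.63.129.16

Non-authoritative answer:
Name:    mywebapp1979.privatelink.azurewebsites.net
Address:  10.1.0.5
Aliases:  mywebapp1979.azurewebsites.net
"""

# Constructed sample of the failure mode: the privatelink CNAME is followed,
# but no private DNS zone answers for it, so a public front-end address comes
# back (203.0.113.10 is a documentation placeholder) and traffic would leave
# the virtual network.
NSLOOKUP_PUBLIC = """\
Server:  UnKnown
Address:  168.63.129.16

Non-authoritative answer:
Name:    waws-prod-example.cloudapp.net
Address:  203.0.113.10
Aliases:  mywebapp1979.azurewebsites.net
          mywebapp1979.privatelink.azurewebsites.net
"""


def parse_nslookup(output: str) -> dict:
    """Extract name, addresses and aliases from the 'Non-authoritative answer'
    part of Windows nslookup output. Indented continuation lines (extra
    aliases or addresses) are attached to the preceding field."""
    answer = output.split("Non-authoritative answer:", 1)[-1]
    result = {"name": None, "addresses": [], "aliases": []}
    current = None
    for raw in answer.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^(Name|Address|Addresses|Aliases):\s*(.*)$", line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            if key == "Name":
                result["name"] = value
                current = None
                continue
            current = "addresses" if key.startswith("Address") else "aliases"
            if value:
                result[current].append(value)
        elif current:
            result[current].append(line)
    return result


def check_private_resolution(output: str, subnet=PRIVATE_ENDPOINT_SUBNET) -> tuple:
    """Return (ok, reason). ok is True only when the privatelink name is in the
    chain and every returned address is inside the private endpoint subnet."""
    parsed = parse_nslookup(output)
    names = [parsed["name"] or ""] + parsed["aliases"]
    if not any(n.lower().endswith(PRIVATELINK_SUFFIX) for n in names):
        return False, "no privatelink name in the resolution chain"
    if not parsed["addresses"]:
        return False, "no address returned"
    for addr in parsed["addresses"]:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False, f"unparseable address {addr!r}"
        if ip not in subnet:
            return False, f"{addr} is outside private endpoint subnet {subnet}"
    return True, f"resolved via privatelink to {parsed['addresses']} inside {subnet}"


if __name__ == "__main__":
    for label, sample in (("private", NSLOOKUP_PRIVATE), ("public", NSLOOKUP_PUBLIC)):
        ok, reason = check_private_resolution(sample)
        print(f"{label}: {'OK' if ok else 'FAIL'} - {reason}")
```

Run it on the VM by pasting real nslookup output into a file and passing that text to `check_private_resolution`; a FAIL with "outside private endpoint subnet" usually means the private DNS zone for privatelink.azurewebsites.net is missing or not linked to myVNet, which is what leaving the DNS defaults in the private endpoint wizard is meant to set up.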
In the bastion connection to myVM, open the web browser.
Enter the URL of your web app, `https://mywebapp1979.azurewebsites.net`. If your web app hasn't been deployed, you'll get the default web app page.
Close the connection to myVM.
Clean up resources
If you're not going to continue to use this web app, delete the virtual network, virtual machine, and web app by doing the following steps:
On the left pane, select Resource groups.
Select CreatePrivateEndpointQS-rg.
Select Delete resource group.
Under Type the resource group name, enter CreatePrivateEndpointQS-rg.
Select Delete.
Next steps
In this quickstart, you created:
A virtual network and bastion host
A virtual machine
A private endpoint for an Azure web app
You used the VM to test connectivity to the web app across the private endpoint.
For more information about the services that support private endpoints, see: