Quickstart: Create a Private Link service using Azure CLI
Get started creating a Private Link service that refers to your service. Give Private Link access to your service or resource deployed behind an Azure Standard Load Balancer. Users of your service have private access from their virtual network.
If you don't have an Azure subscription, create an Azure free account before you begin.
Prerequisites
Use the Bash environment in Azure Cloud Shell. For more information, see Quickstart for Bash in Azure Cloud Shell.
If you prefer to run CLI reference commands locally, install the Azure CLI. If you're running on Windows or macOS, consider running Azure CLI in a Docker container. For more information, see How to run the Azure CLI in a Docker container.
If you're using a local installation, sign in to the Azure CLI by using the az login command. To finish the authentication process, follow the steps displayed in your terminal. For other sign-in options, see Sign in with the Azure CLI.
When you're prompted, install the Azure CLI extension on first use. For more information about extensions, see Use extensions with the Azure CLI.
Run az version to find the version and dependent libraries that are installed. To upgrade to the latest version, run az upgrade.
- This quickstart requires version 2.0.28 or later of the Azure CLI. If using Azure Cloud Shell, the latest version is already installed.
Create a resource group
An Azure resource group is a logical container into which Azure resources are deployed and managed.
Create a resource group with az group create:
- Named CreatePrivLinkService-rg.
- In the eastus location.
az group create \
--name CreatePrivLinkService-rg \
--location eastus2
Create an internal load balancer
In this section, you'll create a virtual network and an internal Azure Load Balancer.
Virtual network
In this section, you create a virtual network and subnet to host the load balancer that accesses your Private Link service.
Create a virtual network using az network vnet create:
- Named myVNet.
- Address prefix of 10.1.0.0/16.
- Subnet named mySubnet.
- Subnet prefix of 10.1.0.0/24.
- In the CreatePrivLinkService-rg resource group.
- Location of eastus2.
- Disable the network policy for private link service on the subnet.
az network vnet create \
--resource-group CreatePrivLinkService-rg \
--location eastus2 \
--name myVNet \
--address-prefixes 10.1.0.0/16 \
--subnet-name mySubnet \
--subnet-prefixes 10.1.0.0/24
Create standard load balancer
This section details how you can create and configure the following components of the load balancer:
- A frontend IP pool that receives the incoming network traffic on the load balancer.
- A backend IP pool where the frontend pool sends the load balanced network traffic.
- A health probe that determines health of the backend VM instances.
- A load balancer rule that defines how traffic is distributed to the VMs.
Create the load balancer resource
Create a public load balancer with az network lb create:
- Named myLoadBalancer.
- A frontend pool named myFrontEnd.
- A backend pool named myBackEndPool.
- Associated with the virtual network myVNet.
- Associated with the backend subnet mySubnet.
az network lb create \
--resource-group CreatePrivLinkService-rg \
--name myLoadBalancer \
--sku Standard \
--vnet-name myVnet \
--subnet mySubnet \
--frontend-ip-name myFrontEnd \
--backend-pool-name myBackEndPool
Create the health probe
A health probe checks all virtual machine instances to ensure they can send network traffic.
A virtual machine with a failed probe check is removed from the load balancer. The virtual machine is added back into the load balancer when the failure is resolved.
Create a health probe with az network lb probe create:
- Monitors the health of the virtual machines.
- Named myHealthProbe.
- Protocol TCP.
- Monitoring Port 80.
az network lb probe create \
--resource-group CreatePrivLinkService-rg \
--lb-name myLoadBalancer \
--name myHealthProbe \
--protocol tcp \
--port 80
Create the load balancer rule
A load balancer rule defines:
- Frontend IP configuration for the incoming traffic.
- The backend IP pool to receive the traffic.
- The required source and destination port.
Create a load balancer rule with az network lb rule create:
- Named myHTTPRule
- Listening on Port 80 in the frontend pool myFrontEnd.
- Sending load-balanced network traffic to the backend address pool myBackEndPool using Port 80.
- Using health probe myHealthProbe.
- Protocol TCP.
- Idle timeout of 15 minutes.
- Enable TCP reset.
az network lb rule create \
--resource-group CreatePrivLinkService-rg \
--lb-name myLoadBalancer \
--name myHTTPRule \
--protocol tcp \
--frontend-port 80 \
--backend-port 80 \
--frontend-ip-name myFrontEnd \
--backend-pool-name myBackEndPool \
--probe-name myHealthProbe \
--idle-timeout 15 \
--enable-tcp-reset true
Disable network policy
Before a private link service can be created in the virtual network, the setting privateLinkServiceNetworkPolicies must be disabled.
- Disable the network policy with az network vnet subnet update.
az network vnet subnet update \
--name mySubnet \
--vnet-name MyVnet \
--resource-group CreatePrivLinkService-rg \
--disable-private-link-service-network-policies yes
Create a private link service
In this section, create a private link service that uses the Azure Load Balancer created in the previous step.
Create a private link service using a standard load balancer frontend IP configuration with az network private-link-service create:
- Named myPrivateLinkService.
- In virtual network myVNet.
- Associated with standard load balancer myLoadBalancer and frontend configuration myFrontEnd.
- In the eastus2 location.
az network private-link-service create \
--resource-group CreatePrivLinkService-rg \
--name myPrivateLinkService \
--vnet-name myVNet \
--subnet mySubnet \
--lb-name myLoadBalancer \
--lb-frontend-ip-configs myFrontEnd \
--location eastus2
Your private link service is created and can receive traffic. If you want to see traffic flows, configure your application behind your standard load balancer.
Create private endpoint
In this section, you'll map the private link service to a private endpoint. A virtual network contains the private endpoint for the private link service. This virtual network contains the resources that will access your private link service.
Create private endpoint virtual network
Create a virtual network using az network vnet create:
- Named myVNetPE.
- Address prefix of 11.1.0.0/16.
- Subnet named mySubnetPE.
- Subnet prefix of 11.1.0.0/24.
- In the CreatePrivLinkService-rg resource group.
- Location of eastus2.
az network vnet create \
--resource-group CreatePrivLinkService-rg \
--location eastus2 \
--name myVNetPE \
--address-prefixes 11.1.0.0/16 \
--subnet-name mySubnetPE \
--subnet-prefixes 11.1.0.0/24
Create endpoint and connection
Use az network private-link-service show to get the resource ID of the private link service. The command places the resource ID into a variable for later use.
Use az network private-endpoint create to create the private endpoint in the virtual network you created previously.
Named MyPrivateEndpoint.
In the CreatePrivLinkService-rg resource group.
Connection name myPEconnectiontoPLS.
Location of eastus2.
In virtual network myVNetPE and subnet mySubnetPE.
export resourceid=$(az network private-link-service show \
--name myPrivateLinkService \
--resource-group CreatePrivLinkService-rg \
--query id \
--output tsv)
az network private-endpoint create \
--connection-name myPEconnectiontoPLS \
--name myPrivateEndpoint \
--private-connection-resource-id $resourceid \
--resource-group CreatePrivLinkService-rg \
--subnet mySubnetPE \
--manual-request false \
--vnet-name myVNetPE
Clean up resources
When no longer needed, use the az group delete command to remove the resource group, private link service, load balancer, and all related resources.
az group delete \
--name CreatePrivLinkService-rg
Next steps
In this quickstart, you:
Created a virtual network and internal Azure Load Balancer.
Created a private link service
To learn more about Azure Private endpoint, continue to:
Feedback
Submit and view feedback for