Quickstart: Create a private link service using an ARM template
In this quickstart, you use an Azure Resource Manager template (ARM template) to create a private link service.
An Azure Resource Manager template is a JavaScript Object Notation (JSON) file that defines the infrastructure and configuration for your project. The template uses declarative syntax. You describe your intended deployment without writing the sequence of programming commands to create the deployment.
You can also complete this quickstart by using the Azure portal, Azure PowerShell, or the Azure CLI.
If your environment meets the prerequisites and you're familiar with using ARM templates, select the Deploy to Azure button. The template opens in the Azure portal.
Prerequisites
You need an Azure account with an active subscription. Create an account for free.
Review the template
This template creates a private link service.
The template used in this quickstart is from Azure Quickstart Templates.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.5.6.12127",
"templateHash": "4187161334981532249"
}
},
"parameters": {
"vmAdminUsername": {
"type": "string",
"metadata": {
"description": "Username for the Virtual Machine."
}
},
"vmAdminPassword": {
"type": "secureString",
"metadata": {
"description": "Password for the Virtual Machine. The password must be at least 12 characters long and have lower case, upper characters, digit and a special character (Regex match)"
}
},
"vmSize": {
"type": "string",
"defaultValue": "Standard_D2_v3",
"metadata": {
"description": "The size of the VM"
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for all resources."
}
}
},
"variables": {
"vnetName": "myVirtualNetwork",
"vnetConsumerName": "myPEVnet",
"vnetAddressPrefix": "10.0.0.0/16",
"frontendSubnetPrefix": "10.0.1.0/24",
"frontendSubnetName": "frontendSubnet",
"backendSubnetPrefix": "10.0.2.0/24",
"backendSubnetName": "backendSubnet",
"consumerSubnetPrefix": "10.0.0.0/24",
"consumerSubnetName": "myPESubnet",
"loadbalancerName": "myILB",
"backendPoolName": "myBackEndPool",
"loadBalancerFrontEndIpConfigurationName": "myFrontEnd",
"healthProbeName": "myHealthProbe",
"privateEndpointName": "myPrivateEndpoint",
"vmName": "[take(format('myVm{0}', uniqueString(resourceGroup().id)), 15)]",
"networkInterfaceName": "[format('{0}NetInt', variables('vmName'))]",
"vmConsumerName": "[take(format('myConsumerVm{0}', uniqueString(resourceGroup().id)), 15)]",
"publicIpAddressConsumerName": "[format('{0}PublicIP', variables('vmConsumerName'))]",
"networkInterfaceConsumerName": "[format('{0}NetInt', variables('vmConsumerName'))]",
"osDiskType": "StandardSSD_LRS",
"privatelinkServiceName": "myPLS",
"loadbalancerId": "[resourceId('Microsoft.Network/loadBalancers', variables('loadbalancerName'))]"
},
"resources": [
{
"type": "Microsoft.Network/virtualNetworks",
"apiVersion": "2021-05-01",
"name": "[variables('vnetName')]",
"location": "[parameters('location')]",
"properties": {
"addressSpace": {
"addressPrefixes": [
"[variables('vnetAddressPrefix')]"
]
},
"subnets": [
{
"name": "[variables('frontendSubnetName')]",
"properties": {
"addressPrefix": "[variables('frontendSubnetPrefix')]",
"privateLinkServiceNetworkPolicies": "Disabled"
}
},
{
"name": "[variables('backendSubnetName')]",
"properties": {
"addressPrefix": "[variables('backendSubnetPrefix')]"
}
}
]
}
},
{
"type": "Microsoft.Network/loadBalancers",
"apiVersion": "2021-05-01",
"name": "[variables('loadbalancerName')]",
"location": "[parameters('location')]",
"sku": {
"name": "Standard"
},
"properties": {
"frontendIPConfigurations": [
{
"name": "[variables('loadBalancerFrontEndIpConfigurationName')]",
"properties": {
"privateIPAllocationMethod": "Dynamic",
"subnet": {
"id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('vnetName'), variables('frontendSubnetName'))]"
}
}
}
],
"backendAddressPools": [
{
"name": "[variables('backendPoolName')]"
}
],
"inboundNatRules": [
{
"name": "RDP-VM0",
"properties": {
"frontendIPConfiguration": {
"id": "[resourceId('Microsoft.Network/loadBalancers/frontendIpConfigurations', variables('loadbalancerName'), variables('loadBalancerFrontEndIpConfigurationName'))]"
},
"protocol": "Tcp",
"frontendPort": 3389,
"backendPort": 3389,
"enableFloatingIP": false
}
}
],
"loadBalancingRules": [
{
"name": "myHTTPRule",
"properties": {
"frontendIPConfiguration": {
"id": "[resourceId('Microsoft.Network/loadBalancers/frontendIpConfigurations', variables('loadbalancerName'), variables('loadBalancerFrontEndIpConfigurationName'))]"
},
"backendAddressPool": {
"id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', variables('loadbalancerName'), variables('backendPoolName'))]"
},
"probe": {
"id": "[resourceId('Microsoft.Network/loadBalancers/probes', variables('loadbalancerName'), variables('healthProbeName'))]"
},
"protocol": "Tcp",
"frontendPort": 80,
"backendPort": 80,
"idleTimeoutInMinutes": 15
}
}
],
"probes": [
{
"properties": {
"protocol": "Tcp",
"port": 80,
"intervalInSeconds": 15,
"numberOfProbes": 2
},
"name": "[variables('healthProbeName')]"
}
]
},
"dependsOn": [
"[resourceId('Microsoft.Network/virtualNetworks', variables('vnetName'))]"
]
},
{
"type": "Microsoft.Network/networkInterfaces",
"apiVersion": "2021-05-01",
"name": "[variables('networkInterfaceName')]",
"location": "[parameters('location')]",
"tags": {
"displayName": "[variables('networkInterfaceName')]"
},
"properties": {
"ipConfigurations": [
{
"name": "ipConfig1",
"properties": {
"privateIPAllocationMethod": "Dynamic",
"subnet": {
"id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('vnetName'), variables('backendSubnetName'))]"
},
"loadBalancerBackendAddressPools": [
{
"id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', variables('loadbalancerName'), variables('backendPoolName'))]"
}
],
"loadBalancerInboundNatRules": [
{
"id": "[resourceId('Microsoft.Network/loadBalancers/inboundNatRules/', variables('loadbalancerName'), 'RDP-VM0')]"
}
]
}
}
]
},
"dependsOn": [
"[resourceId('Microsoft.Network/loadBalancers', variables('loadbalancerName'))]"
]
},
{
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2021-11-01",
"name": "[variables('vmName')]",
"location": "[parameters('location')]",
"tags": {
"displayName": "[variables('vmName')]"
},
"properties": {
"hardwareProfile": {
"vmSize": "[parameters('vmSize')]"
},
"osProfile": {
"computerName": "[variables('vmName')]",
"adminUsername": "[parameters('vmAdminUsername')]",
"adminPassword": "[parameters('vmAdminPassword')]"
},
"storageProfile": {
"imageReference": {
"publisher": "MicrosoftWindowsServer",
"offer": "WindowsServer",
"sku": "2019-Datacenter",
"version": "latest"
},
"osDisk": {
"name": "[format('{0}OsDisk', variables('vmName'))]",
"caching": "ReadWrite",
"createOption": "FromImage",
"managedDisk": {
"storageAccountType": "[variables('osDiskType')]"
},
"diskSizeGB": 128
}
},
"networkProfile": {
"networkInterfaces": [
{
"id": "[resourceId('Microsoft.Network/networkInterfaces', variables('networkInterfaceName'))]"
}
]
}
},
"dependsOn": [
"[resourceId('Microsoft.Network/networkInterfaces', variables('networkInterfaceName'))]"
]
},
{
"type": "Microsoft.Compute/virtualMachines/extensions",
"apiVersion": "2021-11-01",
"name": "[format('{0}/{1}', variables('vmName'), 'installcustomscript')]",
"location": "[parameters('location')]",
"tags": {
"displayName": "install software for Windows VM"
},
"properties": {
"publisher": "Microsoft.Compute",
"type": "CustomScriptExtension",
"typeHandlerVersion": "1.9",
"autoUpgradeMinorVersion": true,
"protectedSettings": {
"commandToExecute": "powershell -ExecutionPolicy Unrestricted Install-WindowsFeature -Name Web-Server"
}
},
"dependsOn": [
"[resourceId('Microsoft.Compute/virtualMachines', variables('vmName'))]"
]
},
{
"type": "Microsoft.Network/privateLinkServices",
"apiVersion": "2021-05-01",
"name": "[variables('privatelinkServiceName')]",
"location": "[parameters('location')]",
"properties": {
"enableProxyProtocol": false,
"loadBalancerFrontendIpConfigurations": [
{
"id": "[resourceId('Microsoft.Network/loadBalancers/frontendIpConfigurations', variables('loadbalancerName'), variables('loadBalancerFrontEndIpConfigurationName'))]"
}
],
"ipConfigurations": [
{
"name": "snet-provider-default-1",
"properties": {
"privateIPAllocationMethod": "Dynamic",
"privateIPAddressVersion": "IPv4",
"subnet": {
"id": "[reference(variables('loadbalancerId'), '2019-06-01').frontendIPConfigurations[0].properties.subnet.id]"
},
"primary": false
}
}
]
},
"dependsOn": [
"[resourceId('Microsoft.Network/loadBalancers', variables('loadbalancerName'))]"
]
},
{
"type": "Microsoft.Network/virtualNetworks",
"apiVersion": "2021-05-01",
"name": "[variables('vnetConsumerName')]",
"location": "[parameters('location')]",
"properties": {
"addressSpace": {
"addressPrefixes": [
"[variables('vnetAddressPrefix')]"
]
},
"subnets": [
{
"name": "[variables('consumerSubnetName')]",
"properties": {
"addressPrefix": "[variables('consumerSubnetPrefix')]",
"privateEndpointNetworkPolicies": "Disabled"
}
},
{
"name": "[variables('backendSubnetName')]",
"properties": {
"addressPrefix": "[variables('backendSubnetPrefix')]"
}
}
]
}
},
{
"type": "Microsoft.Network/publicIPAddresses",
"apiVersion": "2021-05-01",
"name": "[variables('publicIpAddressConsumerName')]",
"location": "[parameters('location')]",
"tags": {
"displayName": "[variables('publicIpAddressConsumerName')]"
},
"properties": {
"publicIPAllocationMethod": "Dynamic",
"dnsSettings": {
"domainNameLabel": "[toLower(variables('vmConsumerName'))]"
}
}
},
{
"type": "Microsoft.Network/networkInterfaces",
"apiVersion": "2021-05-01",
"name": "[variables('networkInterfaceConsumerName')]",
"location": "[parameters('location')]",
"tags": {
"displayName": "[variables('networkInterfaceConsumerName')]"
},
"properties": {
"ipConfigurations": [
{
"name": "ipConfig1",
"properties": {
"privateIPAllocationMethod": "Dynamic",
"publicIPAddress": {
"id": "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIpAddressConsumerName'))]"
},
"subnet": {
"id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('vnetConsumerName'), variables('consumerSubnetName'))]"
}
}
}
]
},
"dependsOn": [
"[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIpAddressConsumerName'))]",
"[resourceId('Microsoft.Network/virtualNetworks', variables('vnetConsumerName'))]"
]
},
{
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2021-11-01",
"name": "[variables('vmConsumerName')]",
"location": "[parameters('location')]",
"tags": {
"displayName": "[variables('vmConsumerName')]"
},
"properties": {
"hardwareProfile": {
"vmSize": "[parameters('vmSize')]"
},
"osProfile": {
"computerName": "[variables('vmConsumerName')]",
"adminUsername": "[parameters('vmAdminUsername')]",
"adminPassword": "[parameters('vmAdminPassword')]"
},
"storageProfile": {
"imageReference": {
"publisher": "MicrosoftWindowsServer",
"offer": "WindowsServer",
"sku": "2019-Datacenter",
"version": "latest"
},
"osDisk": {
"name": "[format('{0}OsDisk', variables('vmConsumerName'))]",
"caching": "ReadWrite",
"createOption": "FromImage",
"managedDisk": {
"storageAccountType": "[variables('osDiskType')]"
},
"diskSizeGB": 128
}
},
"networkProfile": {
"networkInterfaces": [
{
"id": "[resourceId('Microsoft.Network/networkInterfaces', variables('networkInterfaceConsumerName'))]"
}
]
}
},
"dependsOn": [
"[resourceId('Microsoft.Network/networkInterfaces', variables('networkInterfaceConsumerName'))]"
]
},
{
"type": "Microsoft.Network/privateEndpoints",
"apiVersion": "2021-05-01",
"name": "[variables('privateEndpointName')]",
"location": "[parameters('location')]",
"properties": {
"subnet": {
"id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('vnetConsumerName'), variables('consumerSubnetName'))]"
},
"privateLinkServiceConnections": [
{
"name": "[variables('privateEndpointName')]",
"properties": {
"privateLinkServiceId": "[resourceId('Microsoft.Network/privateLinkServices', variables('privatelinkServiceName'))]"
}
}
]
},
"dependsOn": [
"[resourceId('Microsoft.Network/privateLinkServices', variables('privatelinkServiceName'))]",
"[resourceId('Microsoft.Network/virtualNetworks', variables('vnetConsumerName'))]"
]
}
]
}
Multiple Azure resources are defined in the template:
Microsoft.Network/virtualNetworks: There's one virtual network for each virtual machine.
Microsoft.Network/loadBalancers: The load balancer that exposes the virtual machines that host the service.
Microsoft.Network/networkInterfaces: There are two network interfaces, one for each virtual machine.
Microsoft.Compute/virtualMachines: There are two virtual machines, one that hosts the service and one that tests the connection to the private endpoint.
Microsoft.Compute/virtualMachines/extensions: The extension that installs a web server.
Microsoft.Network/privateLinkServices: The private link service to expose the service.
Microsoft.Network/publicIpAddresses: There are two public IP addresses, one for each virtual machine.
Microsoft.Network/privateendpoints: The private endpoint to access the service.
Deploy the template
Here's how to deploy the ARM template to Azure:
To sign in to Azure and open the template, select Deploy to Azure. The template creates a virtual machine, standard load balancer, private link service, private endpoint, networking, and a virtual machine to validate.
Select or create your resource group.
Enter the virtual machine administrator username and password.
Select Review + create.
Select Create.
The deployment takes a few minutes to complete.
Validate the deployment
Note
The ARM template generates a unique name for the virtual machine myConsumerVm{uniqueid} resource. Substitute your generated value for {uniqueid}.
Connect to a VM from the internet
Connect to the VM myConsumerVm{uniqueid} from the internet as follows:
In the portal's search bar, enter myConsumerVm{uniqueid}.
Select Connect. Connect to virtual machine opens.
Select Download RDP File. Azure creates a Remote Desktop Protocol (.rdp) file and downloads it to your computer.
Open the RDP file that was downloaded to your computer.
a. If prompted, select Connect.
b. Enter the username and password you specified when you created the VM.
Note
You might need to select More choices > Use a different account, to specify the credentials you entered when you created the VM.
Select OK.
You might receive a certificate warning during the sign-in process. If you receive a certificate warning, select Yes or Continue.
After the VM desktop appears, minimize it to go back to your local desktop.
Access the http service privately from the VM
Here's how to connect to the http service from the VM by using the private endpoint.
Go to the Remote Desktop of myConsumerVm{uniqueid}.
Open a browser, and enter the private endpoint address:
http://10.0.0.5/.The default IIS page appears.
Clean up resources
When you no longer need the resources that you created with the private link service, delete the resource group. This operation removes the private link service and all the related resources.
To delete the resource group, call the Remove-AzResourceGroup cmdlet:
Remove-AzResourceGroup -Name <your resource group name>
Next steps
For more information on the services that support a private endpoint, see:
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for