Manage Azure Private Endpoints
Azure Private Endpoints have several options when managing the configuration and their deployment.
GroupId and MemberName can be determined by querying the Private Link resource. The GroupId and MemberName values are needed to configure a static IP address for a private endpoint during creation.
A private endpoint has two custom properties: a static IP address and the network interface name. Both properties must be set when the private endpoint is created; they can't be changed afterwards.
With a service provider and consumer deployment of a Private Link Service, an approval process is in place to make the connection.
Determine GroupID and MemberName
During the creation of a private endpoint with Azure PowerShell and Azure CLI, the GroupId and MemberName of the private endpoint resource might be needed.
GroupId is the subresource of the private endpoint.
MemberName is the unique stamp for the private IP address of the endpoint.
For more information about Private Endpoint subresources and their values, see Private-link resource.
To determine the values of GroupID and MemberName for your private endpoint resource, use the following commands. MemberName is contained within the RequiredMembers property.
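The query described above, as an added Azure PowerShell example that is not part of the original page. It assumes the Az module is installed and Connect-AzAccount has been run; the resource group and web app names are hypothetical placeholders, and the 'sites' value they produce is specific to App Service.

```powershell
# Added example: read GroupId and MemberName from the private-link resource
# of an existing PaaS resource (here an App Service web app).
# Assumes Az PowerShell module + Connect-AzAccount; names are hypothetical.

$resourceGroup = 'myResourceGroup'   # hypothetical
$webAppName    = 'myWebApp1979'      # hypothetical

# The PaaS resource that will sit behind the private endpoint.
$webapp = Get-AzWebApp -ResourceGroupName $resourceGroup -Name $webAppName

# Each private-link resource exposes one GroupId (the subresource, e.g. 'sites')
# and a RequiredMembers list that carries the MemberName values.
$plr = Get-AzPrivateLinkResource -PrivateLinkResourceId $webapp.Id

foreach ($r in $plr) {
    [pscustomobject]@{
        GroupId         = $r.GroupId
        MemberNames     = ($r.RequiredMembers -join ', ')
        RequiredZones   = ($r.RequiredZoneNames -join ', ')
    }
}
```

RequiredZoneNames is printed alongside the two values because it names the private DNS zone (for example privatelink.azurewebsites.net) you'll need if the endpoint is to resolve by name; one resource type can expose several GroupId rows, so pick the row for the subresource you intend to expose.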
Network interface rename and static IP address assignment are custom properties that can be set on a private endpoint when it's created.
Network interface rename
By default, when a private endpoint is created, the network interface associated with it is given a random name. A custom name for the network interface must be supplied when the private endpoint is created; renaming the network interface of an existing private endpoint is unsupported.
Use the following commands when creating a private endpoint to rename the network interface.
Static IP address
By default, when a private endpoint is created the IP address for the endpoint is automatically assigned. The IP is assigned from the IP range of the virtual network configured for the private endpoint. A situation may arise when a static IP address for the private endpoint is required. The static IP address must be assigned when the private endpoint is created. The configuration of a static IP address for an existing private endpoint is currently unsupported.
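Both custom properties (the network interface name and the static IP address) are set in the same New-AzPrivateEndpoint call, so the following added Azure PowerShell example, which is not part of the original page, covers the network interface rename above and the static IP address together. It assumes the Az module with Connect-AzAccount done, a subnet whose private endpoint network policies allow the deployment, and that the address chosen is free inside that subnet; every name, the region and the 10.0.0.10 address are hypothetical placeholders.

```powershell
# Added example: create a private endpoint with a custom NIC name and a
# static IP address. Both must be set at creation; neither can be changed later.
# Assumes Az PowerShell module + Connect-AzAccount; all values are hypothetical.

$resourceGroup = 'myResourceGroup'    # hypothetical
$location      = 'eastus'             # hypothetical
$vnetName      = 'myVNet'             # hypothetical
$webAppName    = 'myWebApp1979'       # hypothetical
$staticIp      = '10.0.0.10'          # hypothetical; must be unused and inside the subnet range

$webapp = Get-AzWebApp -ResourceGroupName $resourceGroup -Name $webAppName
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $resourceGroup -Name $vnetName
$subnet = $vnet.Subnets[0]            # assumes the first subnet is the endpoint subnet

# GroupId and MemberName come from the private-link resource (both 'sites' for a web app).
$plr        = Get-AzPrivateLinkResource -PrivateLinkResourceId $webapp.Id | Select-Object -First 1
$groupId    = $plr.GroupId
$memberName = $plr.RequiredMembers[0]

# Connection to the PaaS resource; this is the object the provider side approves.
$pec = @{
    Name                 = 'myConnection'   # hypothetical
    PrivateLinkServiceId = $webapp.Id
    GroupId              = $groupId
}
$connection = New-AzPrivateLinkServiceConnection @pec

# Static IP configuration: binds the address to the GroupId/MemberName pair.
$ipcfg = @{
    Name             = 'myIPconfig'        # hypothetical
    GroupId          = $groupId
    MemberName       = $memberName
    PrivateIPAddress = $staticIp
}
$ipConfiguration = New-AzPrivateEndpointIpConfiguration @ipcfg

# The private endpoint itself, with the custom NIC name and static IP attached.
$pe = @{
    ResourceGroupName            = $resourceGroup
    Name                         = 'myPrivateEndpoint'      # hypothetical
    Location                     = $location
    Subnet                       = $subnet
    PrivateLinkServiceConnection = $connection
    CustomNetworkInterfaceName   = 'myPrivateEndpointNIC'   # hypothetical
    IpConfiguration              = $ipConfiguration
}
$endpoint = New-AzPrivateEndpoint @pe

# Verify that both custom properties were applied.
$endpoint.CustomNetworkInterfaceName
$endpoint.IpConfigurations | Select-Object Name, GroupId, MemberName, PrivateIPAddress
```

If either value is wrong, delete the endpoint and recreate it rather than trying to edit it in place, since the page notes that both properties are fixed at creation time; the final two lines give you the evidence to check before anything depends on the address.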
Private endpoint connections
Azure Private Link works on an approval model where the Private Link service consumer can request a connection to the service provider for consuming the service.
The service provider can then decide whether to allow the consumer to connect or not. Azure Private Link enables service providers to manage the private endpoint connection on their resources.
There are two connection approval methods that a Private Link service consumer can choose from:
Automatic: If the service consumer has Azure role-based access control (RBAC) permissions on the service provider resource, the consumer can choose the automatic approval method. When the request reaches the service provider resource, no action is required from the service provider and the connection is automatically approved.
Manual: If the service consumer doesn't have Azure RBAC permissions on the service provider resource, the consumer can choose the manual approval method. The connection request appears on the service resource as Pending. The service provider has to manually approve the request before connections can be established. In manual cases, the service consumer can also specify a message with the request to provide more context to the service provider. For every private endpoint connection, the service provider can choose one of the following actions: Approve, Reject, Remove.
The following table shows the service provider actions and the resulting connection states for private endpoints. The service provider can change the connection state at a later time without consumer intervention; the action updates the state of the endpoint on the consumer side.
| Service provider action | Service consumer private endpoint state | Description |
|---|---|---|
| None | Pending | Connection is created manually and is pending approval by the Private Link resource owner. |
| Approve | Approved | Connection was automatically or manually approved and is ready to be used. |
| Reject | Rejected | Connection was rejected by the Private Link resource owner. |
| Remove | Disconnected | Connection was removed by the Private Link resource owner; the private endpoint becomes informative only and should be deleted for clean-up. |
Manage private endpoint connections on Azure PaaS resources
Use the following steps to manage a private endpoint connection in the Azure portal.
Sign in to the Azure portal.
In the search box at the top of the portal, enter Private link. In the search results, select Private link.
In the Private link center, select Private endpoints or Private link services.
For each of your endpoints, you can view the number of private endpoint connections associated with it. You can filter the resources as needed.
Select the private endpoint. Under the connections listed, select the connection that you want to manage.
You can change the state of the connection by selecting from the options at the top.
Manage Private Endpoint connections on a customer/partner owned Private Link service
Use the following PowerShell and Azure CLI commands to manage private endpoint connections on Microsoft partner services or customer-owned services.
Connections that have been previously denied can't be approved. You must remove the connection and create a new one.
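The provider-side workflow above, as an added Azure PowerShell example that is not part of the original page: list the connections on a customer-owned Private Link service, act only on those still Pending, and approve or reject them against an allowlist of consumer subscriptions. It assumes the Az module with Connect-AzAccount done; the service name, resource group, connection names and the allowlist are hypothetical placeholders.

```powershell
# Added example: review and act on private endpoint connection requests
# against a customer-owned Private Link service.
# Assumes Az PowerShell module + Connect-AzAccount; all values are hypothetical.

$resourceGroup = 'myResourceGroup'        # hypothetical
$serviceName   = 'myPrivateLinkService'   # hypothetical

# Consumer subscriptions that are allowed to connect (hypothetical allowlist).
$allowedSubscriptions = @(
    '00000000-0000-0000-0000-000000000001'
)

# Every private endpoint that has requested a connection, with its current state
# and the free-text message the consumer attached to the request.
$connections = Get-AzPrivateEndpointConnection -ResourceGroupName $resourceGroup -ServiceName $serviceName

$connections | Select-Object Name,
    @{ n = 'Status';      e = { $_.PrivateLinkServiceConnectionState.Status } },
    @{ n = 'Message';     e = { $_.PrivateLinkServiceConnectionState.Description } },
    @{ n = 'EndpointId';  e = { $_.PrivateEndpoint.Id } }

# Only Pending requests need a decision. The consumer's subscription is the third
# segment of the private endpoint resource ID (/subscriptions/<id>/...), so the
# decision is based on who is asking, not on the message text they supplied.
$pending = $connections | Where-Object { $_.PrivateLinkServiceConnectionState.Status -eq 'Pending' }

foreach ($c in $pending) {
    $consumerSub = ($c.PrivateEndpoint.Id -split '/')[2]

    if ($consumerSub -in $allowedSubscriptions) {
        Approve-AzPrivateEndpointConnection -ResourceGroupName $resourceGroup `
            -ServiceName $serviceName -Name $c.Name `
            -Description "Approved: consumer subscription $consumerSub is allowlisted"
    }
    else {
        # A rejected connection can't be approved later; the consumer must
        # remove it and create a new one (see the note above).
        Deny-AzPrivateEndpointConnection -ResourceGroupName $resourceGroup `
            -ServiceName $serviceName -Name $c.Name `
            -Description "Rejected: consumer subscription $consumerSub is not allowlisted"
    }
}

# Rejected entries only add noise to the list; remove them once the consumer
# has been told to recreate the endpoint.
$connections |
    Where-Object { $_.PrivateLinkServiceConnectionState.Status -eq 'Rejected' } |
    ForEach-Object {
        Remove-AzPrivateEndpointConnection -ResourceGroupName $resourceGroup `
            -ServiceName $serviceName -Name $_.Name -Force
    }
```

The allowlist is keyed on the subscription ID carried in the endpoint's resource ID rather than on the request message, because the message is consumer-supplied text and proves nothing about who sent it; the Description passed to Approve and Deny is what the consumer sees on their side, so keep it informative but free of internal detail.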