Tutorial: Connect to a web app using an Azure Private Endpoint
Azure Private endpoint is the fundamental building block for Private Link in Azure. It enables Azure resources, like virtual machines (VMs), to privately and securely communicate with Private Link resources such as a web app.
In this tutorial, you learn how to:
- Create a virtual network and bastion host.
- Create a virtual machine.
- Create a web app.
- Create a private endpoint.
- Test connectivity to the web app private endpoint.
If you don't have an Azure subscription, create a free account before you begin.
Private Endpoint is available in public regions for PremiumV2-tier, PremiumV3-tier Windows web apps, Linux web apps, and the Azure Functions Premium plan (sometimes referred to as the Elastic Premium plan).
- An Azure subscription
Sign in to Azure
Sign in to the Azure portal.
Create a virtual network and bastion host
In this section, you'll create a virtual network, subnet, and bastion host.
The bastion host will be used to connect securely to the virtual machine for testing the private endpoint.
On the upper-left side of the screen, select Create a resource > Networking > Virtual network or search for Virtual network in the search box.
In Create virtual network, enter or select this information in the Basics tab:
Setting Value Project Details Subscription Select your Azure subscription. Resource Group Select Create new. Enter myResourceGroup in Name. Select OK. Instance details Name Enter myVNet. Region Select East US.
Select the IP Addresses tab or select the Next: IP Addresses button at the bottom of the page.
In the IP Addresses tab, enter this information:
Setting Value IPv4 address space Enter 10.1.0.0/16.
Under Subnet name, select the word default.
In Edit subnet, enter this information:
Setting Value Subnet name Enter mySubnet. Subnet address range Enter 10.1.0.0/24.
Select the Security tab.
Under BastionHost, select Enable. Enter this information:
Setting Value Bastion name Enter myBastionHost. AzureBastionSubnet address space Enter 10.1.1.0/24. Public IP Address Select Create new. For Name, enter myBastionIP. Select OK.
Select the Review + create tab or select the Review + create button.
Create a virtual machine
In this section, you'll create a virtual machine that will be used to test the private endpoint.
On the upper-left side of the portal, select Create a resource > Compute > Virtual machine or search for Virtual machine in the search box.
In Create a virtual machine, type or select the values in the Basics tab:
Setting Value Project Details Subscription Select your Azure subscription. Resource Group Select myResourceGroup. Instance details Virtual machine name Enter myVM. Region Select (US) East US. Availability Options Select No infrastructure redundancy required. Security type Select Standard. Image Select Windows Server 2019 Datacenter - Gen2. Azure Spot instance Select No. Size Choose VM size or take default setting. Administrator account Username Enter a username. Password Enter a password. Confirm password Reenter password.
Select the Networking tab, or select Next: Disks, then Next: Networking.
In the Networking tab, select this information:
Setting Value Network interface Virtual network Select myVNet. Subnet Select mySubnet. Public IP Select None. NIC network security group Select Basic. Public inbound ports Select None.
Select Review + create.
Review the settings, and then select Create.
Azure provides a default outbound access IP for VMs that either aren't assigned a public IP address or are in the back-end pool of an internal basic Azure load balancer. The default outbound access IP mechanism provides an outbound IP address that isn't configurable.
The default outbound access IP is disabled when a public IP address is assigned to the VM, the VM is placed in the back-end pool of a standard load balancer, with or without outbound rules, or if an Azure Virtual Network NAT gateway resource is assigned to the subnet of the VM.
VMs that are created by virtual machine scale sets in flexible orchestration mode don't have default outbound access.
For more information about outbound connections in Azure, see Default outbound access in Azure and Use source network address translation (SNAT) for outbound connections.
Create a web app
In this section, you'll create a web app.
In the left-hand menu, select Create a resource > Web > Web App, or search for Web App in the search box.
In the Basics tab of Create Web App enter or select the following information:
Setting Value Project Details Subscription Select your Azure subscription. Resource Group Select myResourceGroup. Instance details Name Enter mywebapp. If the name is unavailable, enter a unique name. Publish Select Code. Runtime stack Select .NET Core 3.1 (LTS). Operating System Select Windows. Region Select East US. App Service Plan Windows Plan (East US) Select Create new. Enter myServicePlan in Name. Select OK. Sku and size Select Change size. Select P2V2 in the Spec Picker page. Select Apply. Zone redundancy Zone redundancy Select Disabled.
Select Review + create.
Create private endpoint
In the left-hand menu, select All Resources > mywebapp or the name you chose during web app creation.
In the web app overview, select Settings > Networking.
In Networking, select Private endpoints.
Select + Add in the Private Endpoint connections page.
Enter or select the following information in the Add Private Endpoint page:
Setting Value Name Enter mywebappendpoint. Subscription Select your Azure subscription. Virtual network Select myVNet. Subnet Select mySubnet. Integrate with private DNS zone Select Yes.
Test connectivity to private endpoint
In this section, you'll use the virtual machine you created in the previous step to connect to the web app across the private endpoint.
Select Resource groups in the left-hand navigation pane.
On the overview page for myVM, select Connect then Bastion.
Enter the username and password that you entered during the virtual machine creation.
Select Connect button.
Open Windows PowerShell on the server after you connect.
nslookup <webapp-name>.azurewebsites.net. Replace <webapp-name> with the name of the web app you created in the previous steps. You'll receive a message similar to what is displayed below:
Server: UnKnown Address: 126.96.36.199 Non-authoritative answer: Name: mywebapp.privatelink.azurewebsites.net Address: 10.1.0.5 Aliases: mywebapp.azurewebsites.net
A private IP address of 10.1.0.5 is returned for the web app name. This address is in mySubnet subnet of myVNet virtual network you created previously.
Open Internet Explorer, and enter the URL of your web app,
Verify you receive the default web app page.
Close the connection to myVM.
Open a web browser on your local computer and enter the URL of your web app,
Verify that you receive a 403 page. This page indicates that the web app isn't accessible externally.
Clean up resources
If you're not going to continue to use this application, delete the virtual network, virtual machine, and web app with the following steps:
From the left-hand menu, select Resource groups.
Select Delete resource group.
Enter myResourceGroup in TYPE THE RESOURCE GROUP NAME.
Learn how to connect to an Azure SQL server using an Azure Private Endpoint: