Private Link
What is Azure Private Endpoint and Azure Private Link Service?
- Azure Private Endpoint: Azure Private Endpoint is a network interface that connects you privately and securely to a service powered by Azure Private Link. You can use Private Endpoints to connect to an Azure PaaS service that supports Private Link or to your own Private Link Service.
- Azure Private Link Service: Azure Private Link service is a service created by a service provider. Currently, a Private Link service can be attached to the frontend IP configuration of a Standard Load Balancer.
How is traffic being sent when using Private Link?
Traffic is sent privately using Microsoft backbone. It doesn’t traverse the internet. Azure Private Link doesn't store customer data.
What is the difference between Service Endpoints and Private Endpoints?
- Private Endpoints grant network access to specific resources behind a given service providing granular segmentation. Traffic can reach the service resource from on premises without using public endpoints.
- A Service Endpoint remains a publicly routable IP address. A Private Endpoint is a private IP in the address space of the virtual network where the private endpoint is configured.
What is the relationship between Private Link Service and Private Endpoint?
Multiple private link resource types support access via Private Endpoints. Resources include Azure PaaS services and your own Private Link Service. It's a one-to-many relationship.
A Private Link service receives connections from multiple Private Endpoints. A private endpoint connects to one Private Link Service.
Do I need to disable network policies for Private Link?
Yes. Private Link Service need to disable network policies to function properly.
Can I use for User-Defined Routes only, Network Security Groups only, or for both for Private EndPoint?
Yes. To utilize policies like User-Defined Routes and Network Security Groups, you need to enable Network policies for a subnet in a virtual network for the Private Endpoint. This setting affects all the private endpoints within the subnet.
Private Endpoint
Can I create multiple Private Endpoints in same VNet? Can they connect to different services?
Yes. You can have multiple Private Endpoints in same VNet or subnet. They can connect to different services.
Can we link multiple private DNS zones with the same name?
No, creating multiple zones with the same name for a single virtual network is not supported.
Do I require a dedicated subnet for Private Endpoints?
No. You don't require a dedicated subnet for Private Endpoints. You can choose a Private Endpoint IP from any subnet from the VNet where your service is deployed.
Can a private endpoint connect to Private Link services across Microsoft Entra tenants?
Yes. Private endpoints can connect to Private Link services or to an Azure PaaS across Microsoft Entra tenants. Private Endpoints across tenants require a manual request approval.
Can Private Endpoint connect to Azure PaaS resources across Azure regions?
Yes. Private Endpoints can connect to Azure PaaS resources across Azure regions.
Can I modify my Private Endpoint Network Interface Card (NIC)?
When a private endpoint is created, a read-only NIC is assigned. The NIC can't be modified and will remain for the life cycle of the Private endpoint.
How do I achieve availability while using Private Endpoint if there are regional failures?
Private Endpoints are highly available resources with an SLA as per SLA for Azure Private Link. However, since they're regional resources, any Azure region outage can affect the availability. To achieve availability if there are regional failures, multiple PEs connected to same destination resource could be deployed in different regions. This way if one region goes down, you can still route the traffic for your recovery scenarios through PE in different region to access the destination resource. For info on how the regional failures are handled on destination service side, review the service documentation on failover and recovery. Private Link traffic follows the Azure DNS resolution for the destination endpoint.
How do I achieve availability while using private endpoints if there's Availability Zone failures?
Private Endpoints are highly available resources with an SLA as per SLA for Azure Private Link. Private Endpoints are zone-agnostic: an availability zone failure in the region of the Private Endpoint won't affect the availability of the Private Endpoint.
Do private endpoints support ICMP traffic?
TCP and UDP traffic are only supported for a private endpoint. For more information, see Private Link limitations.
Private Link Service
What are the pre-requisites for creating a Private Link Service?
Your service backends should be in a Virtual Network and behind a Standard Load Balancer.
How can I scale my Private Link service?
You can scale your Private Link Service in a few different ways:
- Add Backend VMs to the pool behind your Standard Load Balancer
- Add an IP to the Private Link Service. We allow up to 8 IPs per Private Link Service.
- Add new Private Link Service to Standard Load Balancer. We allow up to eight Private Link Services per Standard Load Balancer.
What is the NAT (Network Address Translation) IP Configuration used in Private Link Service? How can I scale in terms of available ports and connections?
- The NAT IP configuration ensures the source (consumer) and destination (service provider) address space don't have IP conflicts. The configuration provides source NAT for the private link traffic for the destination. The NAT IP address will show up as source IP for all packets received by your service and destination IP for all packets sent by your service. NAT IP can be chosen from any subnet in a service provider's Virtual Network.
- Each NAT IP provides 64k TCP connections (64k ports) per VM behind the Standard Load Balancer. In order to scale and add more connections, you can either add new NAT IPs or add more VMs behind the Standard Load Balancer. Doing so will scale the port availability and allow for more connections. Connections will be distributed across NAT IPs and VMs behind the Standard Load Balancer.
Can I connect my service to multiple Private Endpoints?
Yes. One Private Link Service can receive connections from multiple Private Endpoints. However one Private Endpoint can only connect to one Private Link Service.
How should I control the exposure of my Private Link Service?
You can control the exposure using the visibility configuration on Private Link service. Visibility supports three settings:
- None - Only subscriptions with role based access can locate the service.
- Restrictive - Only subscriptions that are approved and with role based access can locate the service.
- All - Everyone can locate the service.
Can I create a Private Link service with Basic Load Balancer?
No. Private Link Service over a Basic Load Balancer isn't supported.
Is a dedicated subnet required for Private Link Service?
No. A dedicated subnet isn't required for the Private Link Service. You can choose any subnet in your VNet where your service is deployed.
I'm a service provider using Azure Private Link. Do I need to make sure all my customers have unique IP space and don’t overlap with my IP space?
No. Azure Private Link provides this functionality for you. You aren't required to have non-overlapping address space with your customer's address space.
Next steps
- Learn about Azure Private Link