Muokkaa

Jaa


Quickstart: Create a private endpoint by using an ARM template

In this quickstart, you'll use an Azure Resource Manager template (ARM template) to create a private endpoint.

An Azure Resource Manager template is a JavaScript Object Notation (JSON) file that defines the infrastructure and configuration for your project. The template uses declarative syntax. You describe your intended deployment without writing the sequence of programming commands to create the deployment.

You can also create a private endpoint by using the Azure portal, Azure PowerShell, or the Azure CLI.

If your environment meets the prerequisites and you're familiar with using ARM templates, select the Deploy to Azure button here. The ARM template will open in the Azure portal.

Button to deploy the Resource Manager template to Azure.

Diagram of resources created in private endpoint quickstart.

Prerequisites

You need an Azure account with an active subscription. If you don't already have an Azure account, create an account for free.

Review the template

This template creates a private endpoint for an instance of Azure SQL Database.

The template that this quickstart uses is from Azure Quickstart Templates.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "metadata": {
    "_generator": {
      "name": "bicep",
      "version": "0.5.6.12127",
      "templateHash": "14846974543330599630"
    }
  },
  "parameters": {
    "sqlAdministratorLogin": {
      "type": "string",
      "metadata": {
        "description": "The administrator username of the SQL logical server"
      }
    },
    "sqlAdministratorLoginPassword": {
      "type": "secureString",
      "metadata": {
        "description": "The administrator password of the SQL logical server."
      }
    },
    "vmAdminUsername": {
      "type": "string",
      "metadata": {
        "description": "Username for the Virtual Machine."
      }
    },
    "vmAdminPassword": {
      "type": "secureString",
      "metadata": {
        "description": "Password for the Virtual Machine. The password must be at least 12 characters long and have lower case, upper characters, digit and a special character (Regex match)"
      }
    },
    "VmSize": {
      "type": "string",
      "defaultValue": "Standard_D2_v3",
      "metadata": {
        "description": "The size of the VM"
      }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": {
        "description": "Location for all resources."
      }
    }
  },
  "variables": {
    "vnetName": "myVirtualNetwork",
    "vnetAddressPrefix": "10.0.0.0/16",
    "subnet1Prefix": "10.0.0.0/24",
    "subnet1Name": "mySubnet",
    "sqlServerName": "[format('sqlserver{0}', uniqueString(resourceGroup().id))]",
    "databaseName": "[format('{0}/sample-db', variables('sqlServerName'))]",
    "privateEndpointName": "myPrivateEndpoint",
    "privateDnsZoneName": "[format('privatelink{0}', environment().suffixes.sqlServerHostname)]",
    "pvtEndpointDnsGroupName": "[format('{0}/mydnsgroupname', variables('privateEndpointName'))]",
    "vmName": "[take(format('myVm{0}', uniqueString(resourceGroup().id)), 15)]",
    "publicIpAddressName": "[format('{0}PublicIP', variables('vmName'))]",
    "networkInterfaceName": "[format('{0}NetInt', variables('vmName'))]",
    "osDiskType": "StandardSSD_LRS"
  },
  "resources": [
    {
      "type": "Microsoft.Sql/servers",
      "apiVersion": "2021-11-01-preview",
      "name": "[variables('sqlServerName')]",
      "location": "[parameters('location')]",
      "tags": {
        "displayName": "[variables('sqlServerName')]"
      },
      "properties": {
        "administratorLogin": "[parameters('sqlAdministratorLogin')]",
        "administratorLoginPassword": "[parameters('sqlAdministratorLoginPassword')]",
        "version": "12.0",
        "publicNetworkAccess": "Disabled"
      }
    },
    {
      "type": "Microsoft.Sql/servers/databases",
      "apiVersion": "2021-11-01-preview",
      "name": "[variables('databaseName')]",
      "location": "[parameters('location')]",
      "sku": {
        "name": "Basic",
        "tier": "Basic",
        "capacity": 5
      },
      "tags": {
        "displayName": "[variables('databaseName')]"
      },
      "properties": {
        "collation": "SQL_Latin1_General_CP1_CI_AS",
        "maxSizeBytes": 104857600,
        "sampleName": "AdventureWorksLT"
      },
      "dependsOn": [
        "[resourceId('Microsoft.Sql/servers', variables('sqlServerName'))]"
      ]
    },
    {
      "type": "Microsoft.Network/virtualNetworks",
      "apiVersion": "2021-05-01",
      "name": "[variables('vnetName')]",
      "location": "[parameters('location')]",
      "properties": {
        "addressSpace": {
          "addressPrefixes": [
            "[variables('vnetAddressPrefix')]"
          ]
        }
      }
    },
    {
      "type": "Microsoft.Network/virtualNetworks/subnets",
      "apiVersion": "2021-05-01",
      "name": "[format('{0}/{1}', variables('vnetName'), variables('subnet1Name'))]",
      "properties": {
        "addressPrefix": "[variables('subnet1Prefix')]",
        "privateEndpointNetworkPolicies": "Disabled"
      },
      "dependsOn": [
        "[resourceId('Microsoft.Network/virtualNetworks', variables('vnetName'))]"
      ]
    },
    {
      "type": "Microsoft.Network/privateEndpoints",
      "apiVersion": "2021-05-01",
      "name": "[variables('privateEndpointName')]",
      "location": "[parameters('location')]",
      "properties": {
        "subnet": {
          "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('vnetName'), variables('subnet1Name'))]"
        },
        "privateLinkServiceConnections": [
          {
            "name": "[variables('privateEndpointName')]",
            "properties": {
              "privateLinkServiceId": "[resourceId('Microsoft.Sql/servers', variables('sqlServerName'))]",
              "groupIds": [
                "sqlServer"
              ]
            }
          }
        ]
      },
      "dependsOn": [
        "[resourceId('Microsoft.Sql/servers', variables('sqlServerName'))]",
        "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('vnetName'), variables('subnet1Name'))]",
        "[resourceId('Microsoft.Network/virtualNetworks', variables('vnetName'))]"
      ]
    },
    {
      "type": "Microsoft.Network/privateDnsZones",
      "apiVersion": "2020-06-01",
      "name": "[variables('privateDnsZoneName')]",
      "location": "global",
      "properties": {},
      "dependsOn": [
        "[resourceId('Microsoft.Network/virtualNetworks', variables('vnetName'))]"
      ]
    },
    {
      "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks",
      "apiVersion": "2020-06-01",
      "name": "[format('{0}/{1}', variables('privateDnsZoneName'), format('{0}-link', variables('privateDnsZoneName')))]",
      "location": "global",
      "properties": {
        "registrationEnabled": false,
        "virtualNetwork": {
          "id": "[resourceId('Microsoft.Network/virtualNetworks', variables('vnetName'))]"
        }
      },
      "dependsOn": [
        "[resourceId('Microsoft.Network/privateDnsZones', variables('privateDnsZoneName'))]",
        "[resourceId('Microsoft.Network/virtualNetworks', variables('vnetName'))]"
      ]
    },
    {
      "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
      "apiVersion": "2021-05-01",
      "name": "[variables('pvtEndpointDnsGroupName')]",
      "properties": {
        "privateDnsZoneConfigs": [
          {
            "name": "config1",
            "properties": {
              "privateDnsZoneId": "[resourceId('Microsoft.Network/privateDnsZones', variables('privateDnsZoneName'))]"
            }
          }
        ]
      },
      "dependsOn": [
        "[resourceId('Microsoft.Network/privateDnsZones', variables('privateDnsZoneName'))]",
        "[resourceId('Microsoft.Network/privateEndpoints', variables('privateEndpointName'))]"
      ]
    },
    {
      "type": "Microsoft.Network/publicIPAddresses",
      "apiVersion": "2021-05-01",
      "name": "[variables('publicIpAddressName')]",
      "location": "[parameters('location')]",
      "tags": {
        "displayName": "[variables('publicIpAddressName')]"
      },
      "properties": {
        "publicIPAllocationMethod": "Dynamic"
      }
    },
    {
      "type": "Microsoft.Network/networkInterfaces",
      "apiVersion": "2021-05-01",
      "name": "[variables('networkInterfaceName')]",
      "location": "[parameters('location')]",
      "tags": {
        "displayName": "[variables('networkInterfaceName')]"
      },
      "properties": {
        "ipConfigurations": [
          {
            "name": "ipConfig1",
            "properties": {
              "privateIPAllocationMethod": "Dynamic",
              "publicIPAddress": {
                "id": "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIpAddressName'))]"
              },
              "subnet": {
                "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('vnetName'), variables('subnet1Name'))]"
              }
            }
          }
        ]
      },
      "dependsOn": [
        "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIpAddressName'))]",
        "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('vnetName'), variables('subnet1Name'))]",
        "[resourceId('Microsoft.Network/virtualNetworks', variables('vnetName'))]"
      ]
    },
    {
      "type": "Microsoft.Compute/virtualMachines",
      "apiVersion": "2021-11-01",
      "name": "[variables('vmName')]",
      "location": "[parameters('location')]",
      "tags": {
        "displayName": "[variables('vmName')]"
      },
      "properties": {
        "hardwareProfile": {
          "vmSize": "[parameters('VmSize')]"
        },
        "osProfile": {
          "computerName": "[variables('vmName')]",
          "adminUsername": "[parameters('vmAdminUsername')]",
          "adminPassword": "[parameters('vmAdminPassword')]"
        },
        "storageProfile": {
          "imageReference": {
            "publisher": "MicrosoftWindowsServer",
            "offer": "WindowsServer",
            "sku": "2019-Datacenter",
            "version": "latest"
          },
          "osDisk": {
            "name": "[format('{0}OsDisk', variables('vmName'))]",
            "caching": "ReadWrite",
            "createOption": "FromImage",
            "managedDisk": {
              "storageAccountType": "[variables('osDiskType')]"
            },
            "diskSizeGB": 128
          }
        },
        "networkProfile": {
          "networkInterfaces": [
            {
              "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('networkInterfaceName'))]"
            }
          ]
        }
      },
      "dependsOn": [
        "[resourceId('Microsoft.Network/networkInterfaces', variables('networkInterfaceName'))]"
      ]
    }
  ]
}

The template defines multiple Azure resources:

Deploy the template

Deploy the ARM template to Azure by doing the following:

  1. Sign in to Azure and open the ARM template by selecting the Deploy to Azure button here. The template creates the private endpoint, the instance of SQL Database, the network infrastructure, and a virtual machine to be validated.

    Button to deploy the Resource Manager template to Azure.

  2. Select your resource group or create a new one.

  3. Enter the SQL administrator sign-in name and password.

  4. Enter the virtual machine administrator username and password.

  5. Read the terms and conditions statement. If you agree, select I agree to the terms and conditions stated above, and then select Purchase. The deployment can take 20 minutes or longer to complete.

Validate the deployment

Note

The ARM template generates a unique name for the virtual machine myVm{uniqueid} resource, and for the SQL Database sqlserver{uniqueid} resource. Substitute your generated value for {uniqueid}.

Connect to a VM from the internet

Connect to the VM myVm{uniqueid} from the internet by doing the following:

  1. In the portal's search bar, enter myVm{uniqueid}.

  2. Select Connect. Connect to virtual machine opens.

  3. Select Download RDP File. Azure creates a Remote Desktop Protocol (RDP) file and downloads it to your computer.

  4. Open the downloaded RDP file.

    a. If you're prompted, select Connect.
    b. Enter the username and password that you specified when you created the VM.

    Note

    You might need to select More choices > Use a different account to specify the credentials you entered when you created the VM.

  5. Select OK.

    You might receive a certificate warning during the sign-in process. If you do, select Yes or Continue.

  6. After the VM desktop appears, minimize it to go back to your local desktop.

Access the SQL Database server privately from the VM

To connect to the SQL Database server from the VM by using the private endpoint, do the following:

  1. On the Remote Desktop of myVM{uniqueid}, open PowerShell.

  2. Run the following command:

    nslookup sqlserver{uniqueid}.database.windows.net

    You'll receive a message that's similar to this one:

      Server:  UnKnown
      Address:  168.63.129.16
      Non-authoritative answer:
      Name:    sqlserver.privatelink.database.windows.net
      Address:  10.0.0.5
      Aliases:  sqlserver.database.windows.net
    
  3. Install SQL Server Management Studio.

  4. On the Connect to server pane, do the following:

    • For Server type, select Database Engine.
    • For Server name, select sqlserver{uniqueid}.database.windows.net.
    • For Username, enter the username that was provided earlier.
    • For Password, enter the password that was provided earlier.
    • For Remember password, select Yes.
  5. Select Connect.

  6. On the left pane, select Databases. Optionally, you can create or query information from sample-db.

  7. Close the Remote Desktop connection to myVm{uniqueid}.

Clean up resources

When you no longer need the resources that you created with the private endpoint, delete the resource group. Doing so removes the private endpoint and all the related resources.

To delete the resource group, run the Remove-AzResourceGroup cmdlet:

Remove-AzResourceGroup -Name <your resource group name>

Next steps

For more information about the services that support private endpoints, see: