Quickstart: Create a Private Endpoint using Azure PowerShell
Get started with Azure Private Link by using a private endpoint to connect securely to Azure Attestation.
In this quickstart, you'll create a private endpoint for Azure Attestation and deploy a virtual machine to test the private connection.
Note
The current implementation only includes the automatic approval option. The subscription must be added to an allow list before a private endpoint can be created. Reach out to the service team or submit an Azure support request on the Azure support page before proceeding with the steps below.
Prerequisites
Create a resource group
An Azure resource group is a logical container into which Azure resources are deployed and managed.
Create a resource group with New-AzResourceGroup:
## Connect to your Azure account, select the subscription, and create a resource group in the desired location. ##
Connect-AzAccount
Set-AzContext -Subscription "mySubscription"
$rg = "CreateAttestationPrivateLinkTutorial-rg"
$loc= "eastus"
New-AzResourceGroup -Name $rg -Location $loc
Create a virtual network and bastion host
In this section, you'll create a virtual network, subnet, and bastion host.
The bastion host will be used to connect securely to the virtual machine for testing the private endpoint.
Create the virtual network and bastion host with the following commands:
## Create backend subnet config. ##
$subnetConfig = New-AzVirtualNetworkSubnetConfig -Name myBackendSubnet -AddressPrefix 10.0.0.0/24
## Create Azure Bastion subnet. ##
$bastsubnetConfig = New-AzVirtualNetworkSubnetConfig -Name AzureBastionSubnet -AddressPrefix 10.0.1.0/24
## Create the virtual network. ##
$vnet = New-AzVirtualNetwork -Name "myAttestationTutorialVNet" -ResourceGroupName $rg -Location $loc -AddressPrefix "10.0.0.0/16" -Subnet $subnetConfig, $bastsubnetConfig
## Create public IP address for bastion host. ##
$publicip = New-AzPublicIpAddress -Name "myBastionIP" -ResourceGroupName $rg -Location $loc -Sku "Standard" -AllocationMethod "Static"
## Create bastion host ##
New-AzBastion -ResourceGroupName $rg -Name "myBastion" -PublicIpAddress $publicip -VirtualNetwork $vnet
It can take a few minutes for the Azure Bastion host to deploy.
Create test virtual machine
In this section, you'll create a virtual machine that will be used to test the private endpoint.
Create the virtual machine with:
- Get-Credential
- New-AzNetworkInterface
- New-AzVM
- New-AzVMConfig
- Set-AzVMOperatingSystem
- Set-AzVMSourceImage
- Add-AzVMNetworkInterface
## Set credentials for server admin and password. ##
$cred = Get-Credential
## Command to create network interface for VM ##
$nicVM = New-AzNetworkInterface -Name "myNicVM" -ResourceGroupName $rg -Location $loc -Subnet $vnet.Subnets[0]
## Create a virtual machine configuration.##
$vmConfig = New-AzVMConfig -VMName "myVM" -VMSize "Standard_DS1_v2" | Set-AzVMOperatingSystem -Windows -ComputerName "myVM" -Credential $cred | Set-AzVMSourceImage -PublisherName "MicrosoftWindowsServer" -Offer "WindowsServer" -Skus "2019-Datacenter" -Version "latest" | Add-AzVMNetworkInterface -Id $nicVM.Id
## Create the virtual machine ##
New-AzVM -ResourceGroupName $rg -Location $loc -VM $vmConfig
Create an attestation provider
## Create an attestation provider ##
$attestationProviderName = "myattestationprovider"
$attestationProvider = New-AzAttestation -Name $attestationProviderName -ResourceGroupName $rg -Location $loc
$attestationProviderId = $attestationProvider.Id
Access the attestation provider from local machine
Enter nslookup <provider-name>.attest.azure.net. Replace <provider-name> with the name of the attestation provider instance you created in the previous steps.
## Access the attestation provider from local machine ##
nslookup myattestationprovider.eus.attest.azure.net
<# You'll receive a message similar to what is displayed below:
Server: cdns01.comcast.net
Address: 2001:558:feed::1
Non-authoritative answer:
Name: eus.service.attest.azure.net
Address: 20.62.219.160
Aliases: myattestationprovider.eus.attest.azure.net
attesteusatm.trafficmanager.net
#>
Create private endpoint
In this section, you'll create the private endpoint and its connection using the following commands:
## Create private endpoint connection. ##
$privateEndpointConnection = New-AzPrivateLinkServiceConnection -Name "myConnection" -PrivateLinkServiceId $attestationProviderId -GroupID "Standard"
## Disable private endpoint network policy ##
$vnet.Subnets[0].PrivateEndpointNetworkPolicies = "Disabled"
$vnet | Set-AzVirtualNetwork
## Create private endpoint. ##
New-AzPrivateEndpoint -ResourceGroupName $rg -Name "myPrivateEndpoint" -Location $loc -Subnet $vnet.Subnets[0] -PrivateLinkServiceConnection $privateEndpointConnection
Configure the private DNS zone
In this section, you'll create and configure the private DNS zone using:
- New-AzPrivateDnsZone
- New-AzPrivateDnsVirtualNetworkLink
- New-AzPrivateDnsZoneConfig
- New-AzPrivateDnsZoneGroup
## Create private dns zone. ##
$zone = New-AzPrivateDnsZone -ResourceGroupName $rg -Name "privatelink.attest.azure.net"
## Create dns network link. ##
$link = New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName "privatelink.attest.azure.net" -Name "myLink" -VirtualNetworkId $vnet.Id
## Create DNS configuration ##
$config = New-AzPrivateDnsZoneConfig -Name "privatelink.attest.azure.net" -PrivateDnsZoneId $zone.ResourceId
## Create DNS zone group. ##
New-AzPrivateDnsZoneGroup -ResourceGroupName $rg -PrivateEndpointName "myPrivateEndpoint" -Name "myZoneGroup" -PrivateDnsZoneConfig $config
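Before testing from the VM, it is worth confirming from your workstation that the control-plane pieces fit together: the connection is approved, the subnet still has endpoint network policies disabled, and the A record written into the privatelink zone points at the IP actually assigned to the endpoint's NIC (a mismatch here is what sends clients back to the public endpoint). The following verification script is an added example, not part of the original quickstart; it assumes the resource names used above and an existing Connect-AzAccount session.

```powershell
## Added verification script (not from the original quickstart). Assumes the
## names used in the steps above and that Connect-AzAccount has already run.
$rg       = "CreateAttestationPrivateLinkTutorial-rg"
$peName   = "myPrivateEndpoint"
$vnetName = "myAttestationTutorialVNet"
$zoneName = "privatelink.attest.azure.net"
$provider = "myattestationprovider"

$problems = @()

# 1. Connection state. Attestation only supports auto-approval, so anything
#    other than Approved means the endpoint is not usable yet.
$pe = Get-AzPrivateEndpoint -Name $peName -ResourceGroupName $rg
foreach ($conn in $pe.PrivateLinkServiceConnections) {
    $status = $conn.PrivateLinkServiceConnectionState.Status
    if ($status -ne "Approved") {
        $problems += "Connection '$($conn.Name)' is in state '$status'"
    }
}

# 2. Private IP actually assigned to the endpoint's network interface.
$nic  = Get-AzNetworkInterface -ResourceId $pe.NetworkInterfaces[0].Id
$peIp = $nic.IpConfigurations[0].PrivateIpAddress

# 3. The endpoint's subnet must still have network policies disabled.
$vnet   = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$subnet = $vnet.Subnets | Where-Object { $_.Id -eq $pe.Subnet.Id }
if ($subnet.PrivateEndpointNetworkPolicies -ne "Disabled") {
    $problems += "PrivateEndpointNetworkPolicies on '$($subnet.Name)' is '$($subnet.PrivateEndpointNetworkPolicies)'"
}

# 4. The A record created by the zone group must resolve to exactly that IP.
$records = Get-AzPrivateDnsRecordSet -ResourceGroupName $rg -ZoneName $zoneName -RecordType A |
           Where-Object { $_.Name -like "$provider*" }
if (-not $records) {
    $problems += "No A record for '$provider' found in zone '$zoneName'"
} else {
    $ips = @($records.Records.Ipv4Address)
    if ($ips -notcontains $peIp) {
        $problems += "Zone A record(s) [$($ips -join ', ')] do not match endpoint IP $peIp"
    }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output "Private endpoint '$peName' OK: $provider -> $peIp via $zoneName"
}
```

Any warning printed here should be resolved before the nslookup test on the VM; a correct setup prints a single OK line with the endpoint's 10.0.0.x address.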
Test connectivity to private endpoint
In this section, you'll use the virtual machine you created in the previous step to connect to the attestation provider across the private endpoint.
Sign in to the Azure portal.
Select Resource groups in the left-hand navigation pane.
Select CreateAttestationPrivateLinkTutorial-rg.
Select myVM.
On the overview page for myVM, select Connect then Bastion.
Select the blue Use Bastion button.
Enter the username and password that you entered during the virtual machine creation.
Open Windows PowerShell on the server after you connect.
Enter nslookup <provider-name>.attest.azure.net. Replace <provider-name> with the name of the attestation provider instance you created in the previous steps:
## Access the attestation provider from local machine ##
nslookup myattestationprovider.eus.attest.azure.net
<# You'll receive a message similar to what is displayed below:
Server: cdns01.comcast.net
Address: 2001:558:feed::1
cdns01.comcast.net can't find myattestationprovider.eus.attest.azure.net: Non-existent domain
#>
## Access the attestation provider from the VM created in the same virtual network as the private endpoint. ##
nslookup myattestationprovider.eus.attest.azure.net
<# You'll receive a message similar to what is displayed below:
Server: UnKnown
Address: 168.63.129.16
Non-authoritative answer:
Name: myattestationprovider.eastus.test.attest.azure.net
#>