Wednesday, August 18, 2021

 

Azure Private Link and Azure Private Endpoint

Introduction:  

This article continues the series that began with a description of the SignalR service. It follows up on the discussion of the Azure Gateway service with the feature that lets the gateway span private IP addresses, public IP addresses and availability zones: Azure Private Link and its use together with an Azure Private Endpoint.

 

Description and comparison: 

Azure Private Link enables access to Azure services over a virtual network, so that they are reached over the Azure backbone network rather than the public internet. An Azure service such as a cache provisioning service, a database provisioning service or a service bus broker makes the resources it provisions reachable at private endpoints inside a virtual network that the user has set up for their application. Traffic between the virtual network and the services never traverses the internet, which brings benefits such as security, low latency, the ability to build private connections between resources, and the option to add private endpoints to an application gateway backend pool.

The private link service is more than just an endpoint and its use by one resource. It seamlessly connects customers to Microsoft Azure resources, and their clients' applications to them, over a private network where connectivity would otherwise have required the internet and a Virtual Private Network (VPN). This provides a low-cost, highly secure and scalable environment that is a win-win for the application, the Microsoft cloud resources and the consumers that interact with them.

The benefits of Azure Private Link extend to services written by Azure customers: such a service can be placed behind a load balancer to give it a private IP address and then published through Private Link, so that consumers communicate with it over the private network. Connectivity between the customer's virtual network and another service is established one-to-one by this service. All the customer needs to do is expose a private endpoint for the service; the Private Link platform handles the connectivity over the Azure backbone network.

This differs from network peering, which allows many-to-many connectivity between the resources of either private network. Peered virtual networks appear as one to their clients, and resources on either network can reach each other. Peering is used to connect separate virtual networks in the same Azure region, or globally across regions, even when they are provisioned under different subscriptions and resource groups. Peering makes both networks appear as one, so that many resources in one network can reach those in the other, whereas a private link is cheap and efficient because it performs only one mapping.

Azure Private Link can be set up for on-premises networks as well as peered virtual networks, without the overhead of ExpressRoute or a Virtual Private Network (VPN). The link is always between the private endpoint in the customer's virtual network and the Azure Private Link Service object provisioned by this service.

The link gives better protection against data exposure because traffic never transits the public internet. Traffic over the link can reach only the destination it is mapped to; it cannot be routed to any other resource. The overhead otherwise associated with restricting access to service endpoints is eliminated.

Yet reachability is unchanged: the resource can still be reached from anywhere in the world. Public endpoints were accessible over the internet and, even when provisioned in a particular geography, could be reached from anywhere, which made them hugely popular. Virtual networks always required additional setup and configuration to be reachable universally. That is not the case with a private link: it has global reach, and yet the data never goes over the internet.

The Azure private endpoint is merely a network interface with a designated private IP address that can be reached over the virtual network. The endpoint can be accessed from the same virtual network, a regionally peered virtual network, a globally peered virtual network, on-premises over ExpressRoute or VPN, and from services using Azure Private Link. The connection to the private endpoint is always one-directional: it can only be initiated by the client. Some restrictions apply to the Azure private endpoint. For example, there is a limit on the number of private endpoints that can be created per subscription. The resource and the virtual network must be in the same region; otherwise the deployment fails with an error such as:

“Resource /subscriptions/<hidden>/resourceGroups/RAVIRAJAMANI_TEST_RG/providers/Microsoft.Network/virtualNetworks/RAVIRAJAMANI-VNET-1 referenced by resource /subscriptions/<hidden>/resourceGroups/ravirajamani_test_rg/providers/Microsoft.Network/privateEndpoints/ravirajamani-redis-3-ep was not found. Please make sure that the referenced resource exists, and that both resources are in the same region.”
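As an added example (not code from the original post), the following Python pre-flight check parses ARM resource IDs of the form shown in the error message and refuses a private endpoint request whose subnet's virtual network and target resource are in different regions, before anything is submitted to Azure. The inventory, subscription GUID and resource names are constructed placeholders standing in for what `az resource show` would return.

```python
import re
from dataclasses import dataclass

# ARM resource ID layout, as in the error quoted above:
# /subscriptions/<sub>/resourceGroups/<rg>/providers/<ns>/<type>/<name>[/<childType>/<childName>]
_ID_RE = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)/providers/"
    r"(?P<ns>[^/]+)/(?P<type>[^/]+)/(?P<name>[^/]+)(?:/[^/]+/[^/]+)?$", re.IGNORECASE)


@dataclass(frozen=True)
class ResourceId:
    sub: str
    rg: str
    ns: str
    rtype: str
    name: str

    def key(self) -> str:
        # Lowercased lookup key: ARM treats resource group and type names case-insensitively.
        return (f"/subscriptions/{self.sub}/resourceGroups/{self.rg}"
                f"/providers/{self.ns}/{self.rtype}/{self.name}").lower()


def parse_resource_id(rid: str) -> ResourceId:
    """Parse a full ARM ID; for a child resource such as a subnet, return its parent (the VNet)."""
    m = _ID_RE.match(rid)
    if not m:
        raise ValueError(f"not an ARM resource ID: {rid}")
    return ResourceId(m["sub"], m["rg"], m["ns"], m["type"], m["name"])


def check_private_endpoint(subnet_id: str, target_id: str, inventory: dict) -> str:
    """Refuse an endpoint whose VNet and target resource are in different regions; return the shared region.
    `inventory` maps canonical resource IDs to locations (constructed stand-in for `az resource show`)."""
    vnet = parse_resource_id(subnet_id)  # the subnet's parent VNet
    target = parse_resource_id(target_id)
    for res in (vnet, target):
        if res.key() not in inventory:
            raise LookupError(f"Resource {res.key()} was not found")
    if inventory[vnet.key()] != inventory[target.key()]:
        raise ValueError(f"{vnet.name} is in {inventory[vnet.key()]} but {target.name} is in "
                         f"{inventory[target.key()]}; both resources must be in the same region")
    return inventory[vnet.key()]


# Constructed inventory: placeholder subscription GUID and fictitious resource names.
SUB = "00000000-0000-0000-0000-000000000000"
_RG = f"/subscriptions/{SUB}/resourceGroups/demo-rg/providers"
INVENTORY = {
    f"{_RG}/Microsoft.Network/virtualNetworks/demo-vnet-west".lower(): "westus2",
    f"{_RG}/Microsoft.Network/virtualNetworks/demo-vnet-east".lower(): "eastus",
    f"{_RG}/Microsoft.Cache/Redis/demo-redis".lower(): "westus2",
}
```

Running the check against a real subscription would mean filling `INVENTORY` from `az resource show --query location` for the VNet and the target resource.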

 

Conclusion:

The use of private endpoints and Private Link from Azure is beneficial to the topology used in a service architecture. Its applicability is justified by the relevance of its benefits, and it almost wins hands-down in terms of keeping traffic off the internet. This provides a low-cost, highly secure and scalable environment that is a win-win for the application, the Microsoft cloud resources and the consumers that interact with them.
