Azure Private Link
Introduction:
This article continues the series that began with the description of the SignalR service. It follows the discussion of the Azure Gateway service with the service that lets a gateway reach backends across private IP addresses, public IP addresses and availability zones: Azure Private Link, which is described in this document.
Description and comparison:
Azure Private Link brings Azure services into a virtual network so that they are reached over the Microsoft backbone network rather than over the public internet. A service such as a cache, a database or a Service Bus namespace is exposed through a private endpoint: a network interface with a private IP address in a subnet of the virtual network that the user has set up for their application. Traffic between the virtual network and the service never enters the internet. This brings security (the service's public endpoint can then be closed off, leaving the private endpoint as the only way in), low latency, private connections between resources, and the ability to add private endpoints to an application gateway backend pool.
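As an added example (not code from the original post), the following Bicep template builds what the paragraph above describes for a blob storage account: a private endpoint in the application's subnet and the private DNS zone that makes the account's name resolve to that endpoint's private address. It also switches off public network access on the account, because a private endpoint adds a private path but does not remove the public one. The resource names, the subnet and virtual network IDs and the API versions are placeholders or assumptions.

```bicep
// Added example, not from the original post. Names and the subnet/VNet IDs
// are placeholders; the API versions are assumptions.
param location string = resourceGroup().location
param storageAccountName string   // 3-24 lowercase alphanumerics, placeholder
param peSubnetId string           // subnet of the app's VNet that hosts the private endpoint NIC
param vnetId string               // the app's VNet, linked to the private DNS zone below

// The PaaS resource. The private endpoint adds a private path; it does not
// remove the public one, so public network access is disabled here.
resource sa 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: {
    name: 'Standard_LRS'
  }
  properties: {
    publicNetworkAccess: 'Disabled'
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'None'
    }
    allowBlobPublicAccess: false
    minimumTlsVersion: 'TLS1_2'
  }
}

// The private endpoint: a NIC with a private IP in peSubnetId that fronts
// the 'blob' sub-resource of the account over the Microsoft backbone.
resource pe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-${storageAccountName}-blob'
  location: location
  properties: {
    subnet: {
      id: peSubnetId
    }
    privateLinkServiceConnections: [
      {
        name: 'blob'
        properties: {
          privateLinkServiceId: sa.id   // Microsoft runs the provider side for PaaS services
          groupIds: [
            'blob'
          ]
        }
      }
    ]
  }
}

// Name resolution: <account>.blob.core.windows.net is a CNAME to
// <account>.privatelink.blob.core.windows.net, and this zone answers that
// name with the private endpoint's IP for clients inside the linked VNet.
resource zone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.blob.${environment().suffixes.storage}'
  location: 'global'
}

resource zoneLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: zone
  name: 'link-app-vnet'
  location: 'global'
  properties: {
    registrationEnabled: false
    virtualNetwork: {
      id: vnetId
    }
  }
}

// Writes the endpoint's A record into the zone automatically.
resource peDns 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: pe
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'blob'
        properties: {
          privateDnsZoneId: zone.id
        }
      }
    ]
  }
}

output privateEndpointNicId string = pe.properties.networkInterfaces[0].id
```

The check that the private path is actually in use is name resolution: from a machine inside the linked virtual network, resolving the account's public name should return the privatelink CNAME and a private address from the endpoint's subnet. From outside, the name still resolves to the public address, but with public network access disabled the account refuses that traffic.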
The Private Link service is more than an endpoint for a single resource. It connects customers to Azure resources, and to their own clients' applications, over a private network where the connection would otherwise have needed the internet or a virtual private network (VPN). The result is a low-cost, secure and scalable environment that benefits the application, the Azure resources and the consumers that interact with them.
The client's network need not be in Azure. An on-premises network that is connected to the virtual network over ExpressRoute private peering or a site-to-site VPN reaches the private endpoint through that connection, so the service is consumed without its public endpoint and without ExpressRoute Microsoft peering. Peered virtual networks work the same way. Peering joins separate virtual networks in the same Azure region, or globally across regions, even when they are provisioned under different subscriptions and resource groups; the peered networks appear as one to their clients, resources on either side can reach each other, and the private endpoint needs to exist only once. Both the on-premises network and the peered virtual networks can therefore use a single private endpoint in the virtual network where it was created, and that endpoint is linked to the Azure resource. The private endpoint behaves like a proxy: it is a network interface with a private IP address from the customer's subnet, not the service instance itself, and it forwards the connection to the service that would otherwise have been reached over the public internet. On the provider side the mapping is an Azure resource called the private link service, which sits in front of the standard load balancer of the service being published; for Azure services Microsoft provisions this object, for a customer-owned service the customer creates it. The link is always between the private endpoint in the customer's virtual network and the private link service object provisioned for the service.
Private connectivity through this service is preferred over public connectivity for data protection, simpler network configuration, low latency within a region, global reach for cross-region access, and for bringing applications and services together on one private network. The last benefit applies to the customer's own services too: a service written by an Azure customer can be put behind a standard load balancer and published through a private link service, and consumers map a private endpoint to it in exactly the same way. Azure Private Link works with such a load balancer regardless of whether the service behind it is an Azure service or the customer's own.
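The provider-side arrangement described above, as an added example that is not from the original post: the customer's own service runs behind an internal Standard Load Balancer, a private link service publishes that load balancer's frontend, and a consumer maps a private endpoint to the private link service. The names, subnet IDs, the consumer subscription ID and the API versions are placeholders or assumptions; the consumer endpoint would normally live in the consumer's own subscription and is only in the same template to show the linkage.

```bicep
// Added example, not from the original post. Names, subnet IDs and the
// consumer subscription ID are placeholders; API versions are assumptions.
param location string = resourceGroup().location
param providerSubnetId string        // provider VNet; privateLinkServiceNetworkPolicies must be Disabled on it
param consumerSubnetId string        // consumer VNet; hosts the private endpoint NIC
param consumerSubscriptionId string  // only this subscription may discover and connect to the service
param lbName string = 'lb-myservice'

// Internal Standard Load Balancer in front of the service. Backend pool
// membership, probes and rules belong to the service deployment itself.
resource lb 'Microsoft.Network/loadBalancers@2023-05-01' = {
  name: lbName
  location: location
  sku: {
    name: 'Standard'
  }
  properties: {
    frontendIPConfigurations: [
      {
        name: 'fe-internal'
        properties: {
          subnet: {
            id: providerSubnetId
          }
          privateIPAllocationMethod: 'Dynamic'
        }
      }
    ]
    backendAddressPools: [
      {
        name: 'be-myservice'
      }
    ]
  }
}

// The private link service: the provider-side object that private endpoints
// connect to. Its ipConfigurations are the NAT addresses the service sees as
// the source of consumer traffic, so the service never learns the consumer's
// address space.
resource pls 'Microsoft.Network/privateLinkServices@2023-05-01' = {
  name: 'pls-myservice'
  location: location
  properties: {
    loadBalancerFrontendIpConfigurations: [
      {
        id: resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', lb.name, 'fe-internal')
      }
    ]
    ipConfigurations: [
      {
        name: 'pls-nat-1'
        properties: {
          primary: true
          privateIPAllocationMethod: 'Dynamic'
          privateIPAddressVersion: 'IPv4'
          subnet: {
            id: providerSubnetId
          }
        }
      }
    ]
    visibility: {
      subscriptions: [
        consumerSubscriptionId
      ]
    }
    autoApproval: {
      subscriptions: []   // empty: every connection stays Pending until the provider approves it
    }
  }
}

// Consumer side: the private endpoint in the consumer VNet, linked to the
// private link service rather than to any public address.
resource pe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-myservice'
  location: location
  properties: {
    subnet: {
      id: consumerSubnetId
    }
    privateLinkServiceConnections: [
      {
        name: 'conn-myservice'
        properties: {
          privateLinkServiceId: pls.id
          requestMessage: 'Connection request from the application team'
        }
      }
    ]
  }
}

output plsAlias string = pls.properties.alias
```

Two settings carry the access control here. The visibility list decides who can even see the service and request a connection, and the empty auto-approval list means the provider must approve each private endpoint connection before traffic flows, which is the place to review who is connecting. With auto-approval populated, any private endpoint from a listed subscription is connected without review.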
Conclusion:
Azure Private Link improves the Azure customer's ability to connect their applications, and those of their own customers, directly to Azure services on a private network.