Azure Private Link provides secure access to certain Azure PaaS services, such as Azure SQL Database, Azure Storage, Azure Key Vault, Azure Database for MySQL and Azure Cosmos DB, over the Microsoft backbone network. This prevents sensitive data from being transferred over the public internet. There are mainly two components in Azure Private Link.
Azure Private Endpoint – An Azure private endpoint is a network interface with a private IP address from a VNET. It allows us to connect to Azure services such as Azure Key Vault, Azure Cosmos DB, Azure SQL Database, Azure Storage etc. via Azure Private Link.
Azure Private Link Service – Azure Private Link Service allows us to enable private access to our own services placed behind an Azure Standard Load Balancer. Customers/consumers can connect to these services via private endpoints placed in their own VNETs.
In this demo, I am going to demonstrate how to create an Azure private endpoint and how we can access an Azure SQL database through it.
For the configuration process, I will be using PowerShell. Therefore, please make sure you have the Azure PowerShell (Az) module installed. More information about it can be found at https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-2.6.0
Let’s go ahead and start the configuration process by creating a new resource group.
1. Launch the PowerShell console and connect to Azure using Connect-AzAccount
2. Then create a new resource group using:
New-AzResourceGroup -Name REBELRG -Location "East US"
In the above, REBELRG is the resource group name and East US is the resource group location.
3. The next step is to create a new virtual network.
$vmsubnet = New-AzVirtualNetworkSubnetConfig -Name vmsubnet -AddressPrefix "10.0.2.0/24" -PrivateEndpointNetworkPoliciesFlag "Disabled"
New-AzVirtualNetwork -Name REBELVN1 -ResourceGroupName REBELRG -Location "East US" -AddressPrefix "10.0.0.0/16" -Subnet $vmsubnet
In the above, REBELVN1 is the new virtual network name. It has the 10.0.0.0/16 address space. It also has a new subnet, 10.0.2.0/24 (vmsubnet), for the virtual machine and the private endpoint. In the above, -PrivateEndpointNetworkPoliciesFlag is set to Disabled. This disables the application of network policies (such as NSG rules) to private endpoints in the subnet, which is required before a private endpoint can be created there.
4. We now have the virtual network ready. The next step is to create a new virtual machine for testing.
$mylogin = Get-Credential
New-AzVm -ResourceGroupName REBELRG -Name "REBELTVM01" -Location "East US" -VirtualNetworkName "REBELVN1" -SubnetName "vmsubnet" -AddressPrefix 10.0.2.0/24 -PublicIpAddressName "REBELVM01IP1" -OpenPorts 3389 -Image win2019datacenter -Size Standard_D2s_v3 -Credential $mylogin
In the above, I am creating a virtual machine called REBELTVM01. It is running Windows Server 2019 Datacenter edition, which I have specified using the -Image parameter. It also uses the Standard_D2s_v3 VM size.
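The following script is an added example and not part of the original post. It repeats steps 2 to 4 in an idempotent form (each resource is only created if it does not already exist, using the same names as the post: REBELRG, REBELVN1, vmsubnet, REBELTVM01) and then verifies the one setting the later private endpoint depends on, namely that PrivateEndpointNetworkPolicies on vmsubnet is Disabled. It assumes the Az module is installed and Connect-AzAccount has already been run. Because the VM is created with -OpenPorts 3389, it finishes by listing the inbound allow rules of the NSGs in the resource group so that the RDP exposure on the public IP is visible and can be tightened once testing is done.

```powershell
# Added example (not the author's code). Assumes the Az module and an existing
# Connect-AzAccount session. Names match the post so it can be run alongside it.

$rgName     = 'REBELRG'
$location   = 'East US'
$vnetName   = 'REBELVN1'
$subnetName = 'vmsubnet'
$vmName     = 'REBELTVM01'

# Step 2: resource group, skipped if it already exists.
if (-not (Get-AzResourceGroup -Name $rgName -ErrorAction SilentlyContinue)) {
    New-AzResourceGroup -Name $rgName -Location $location | Out-Null
}

# Step 3: virtual network with a subnet that permits private endpoints.
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rgName -ErrorAction SilentlyContinue
if (-not $vnet) {
    $vmsubnet = New-AzVirtualNetworkSubnetConfig -Name $subnetName `
        -AddressPrefix '10.0.2.0/24' -PrivateEndpointNetworkPoliciesFlag 'Disabled'
    $vnet = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rgName `
        -Location $location -AddressPrefix '10.0.0.0/16' -Subnet $vmsubnet
}

# Step 4: test VM, skipped if it already exists.
if (-not (Get-AzVM -ResourceGroupName $rgName -Name $vmName -ErrorAction SilentlyContinue)) {
    $mylogin = Get-Credential -Message "Local administrator credentials for $vmName"
    New-AzVm -ResourceGroupName $rgName -Name $vmName -Location $location `
        -VirtualNetworkName $vnetName -SubnetName $subnetName -AddressPrefix '10.0.2.0/24' `
        -PublicIpAddressName 'REBELVM01IP1' -OpenPorts 3389 `
        -Image win2019datacenter -Size Standard_D2s_v3 -Credential $mylogin | Out-Null
}

# Verification: a private endpoint can only be placed in a subnet whose
# network policies are disabled, so fail loudly here rather than at the
# New-AzPrivateEndpoint step later.
$vnet   = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rgName
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet
if ($subnet.PrivateEndpointNetworkPolicies -ne 'Disabled') {
    throw "Subnet $subnetName has PrivateEndpointNetworkPolicies = '$($subnet.PrivateEndpointNetworkPolicies)'; private endpoint creation will fail."
}
Write-Host "Subnet $subnetName ($($subnet.AddressPrefix)) is ready for a private endpoint."

# Visibility check: New-AzVM -OpenPorts 3389 creates an NSG rule that allows RDP
# from any source to the VM's public IP. List the inbound allow rules so the
# exposure is recorded and can be restricted to a known source range later.
Get-AzNetworkSecurityGroup -ResourceGroupName $rgName |
    ForEach-Object { $_.SecurityRules } |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' } |
    Select-Object Name, Priority, SourceAddressPrefix, DestinationPortRange |
    Format-Table -AutoSize
```

Run the script after Connect-AzAccount; rerunning it is safe because each step checks for the resource first. If the subnet check throws, the subnet was created without -PrivateEndpointNetworkPoliciesFlag "Disabled" and must be updated before continuing with the private endpoint.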