The need to be able to access data and services in Azure in a totally private and secure way, in particular from on-premises environment, it's definitely very much felt and more and more widespread. For this reason, Microsoft has announced the availability of Azure Private Link, this simplifies the network architecture by establishing a private connection to services in Azure, without the need for exposure to Internet. This article describes the characteristics of this type of connectivity and how you can enable it.
Thanks to Azure Private Link you can bring Azure services to a virtual network and map them with a private endpoint. In this way, all traffic is routed through the private endpoint, keeping it on the Microsoft global network. The data does not pass ever on the Internet, this reduces exposure to threats and helps to meet the compliance standards.
Figure 1 - Overview of Azure Private Link
The concept that underlies Azure Private Link is already partly known under the Azure networking and invokes the Virtual Network Service Endpoints. Before the introduction of Azure Private Link the only available way to increase the level of security when accessing Azure services, such as Azure Storage and SQL Azure Database, was given by the VNet Service Endpoints. The difference is substantial, as using VNet Service Endpoints traffic remains in the Microsoft backbone network, allowing access to PaaS resources only from its own VNet, but the PaaS endpoint is still accessed via the public IP of the service. Consequently, the operating principle of the VNet Service Endpoints does not extend to on-premises world even in the presence of connectivity with Azure (VPN or ExpressRoute). In fact,, to provide access from on-premises systems you must continue to use the firewall rules to limit the connectivity only to your public IP.
Thanks to Azure Private Link you can instead access the PaaS resources via a private IP address of your VNet, which it is potentially also accessible from:
- On-premises systems via Azure ExpressRoute private peering andor Azure VPN gateways.
- Systems on VNet in peering.
All traffic resides within the Microsoft network and you do not need to configure access through public IPs of the PaaS Service.
Figure 2 – Access from on-premises and peered networks
Azure Private Link greatly simplifies the way you can access Azure services (Azure PaaS, Azure, Microsoft partners and private services) as they support cross configurations for Azure Active Directory (Azure AD) tenants.
Figure 3 – Private Link cross Azure Active Directory (Azure AD) tenants
Activating Azure Private link it's simple and requires a limited number of Azure networking-side configurations. Connectivity occurs based on a call approval flow and when a PaaS resource is mapped to a private endpoint, route table and Network Security Groups configuration is not required (NSG).
Since Private link center you can create new services and manage the configuration or configure existing services to take advantage of Private link.
Figure 4 - Starting Configuration from Private link center
Figure 5 - Creating an Azure Storage Account to make it privately accessible
Figure 6 - Classical parameters for the creation of an storage account
Figure 7 - Private endpoint configuration
Figure 8 - Private endpoint connection present in the created storage accounts
At this point the storage account will be available in totally private way. To test the connectivity access a virtual machine was created and verified through "Connection troubleshoot":
Figure 9 – Test performed by "Connection troubleshoot" that demonstrates private connectivity
To connect with each other more Azure Virtual Network are typically used VNet peering, that require there are no overlaps in VNets address spaces. If this condition occurs it is possible to adopt the Azure Private Link as an alternative way to privately connect applications that reside in different VNets with an overlapping address space.
Figure 10 – Azure Private Link in the presence of overlapping address space
Azure Private Link features allow you to have specific access only to explicitly mapped resources. In the event of a security incident within your VNet, this mechanism eliminates the threat of extracting data from other resources using the same endpoint.
Figure 11 - Targeted access only to explicitly mapped resources
The Azure Private Link also opens new scenarios for exposure of service in Azure provided by the service provider. In order to allow access to the services provided to its customers, one of these methods was typically carried out in one of these ways.:
- They made themselves directly accessible via Public IPs.
- To make them private, VNet peerings were created, but with scalability issues and potential IP conflicts.
Figure 12 - How Azure Private Links changing scenarios "Consumer Service" - "Service Provider".
The new possibilities that are offered in these scenarios, requiring a totally private access to the service provided, is the following:
- Service Provider: set up an Azure Standard Load Balancer, creates a Azure Private Link and allows access to the Service Consumer coming from a different VNet, subscription, or Azure Active Directory tenant (AD).
- Service consumer: create a Private Endpoint in the specific VNet and request access to the service.
Figure 13 – Azure Private Link workflow in “Service Consumer”-“Service Provider” scenario
For more details please visit the Microsoft's official documentation.
Conclusions
This new method allows you to privately consume Azure-delivered solutions within your network infrastructure. This is an important change that you should definitely consider when designing network architectures in Azure, particularly for hybrid scenarios. At the moment the service is in preview, therefore not yet usable for production environments and available for a limited set of Azure services. In the coming months, however, Microsoft has announced that it will also make this feature available to other Azure services and partners, allowing you to have a private connectivity experience, key to having more adoption and dissemination of these services.
