AZ-305 – Microsoft Azure Solutions Architect Expert – Design a Networking Strategy Part 3

February 10, 2023

6. Private Endpoints

So in this video we’re going to be talking about private endpoints, and that’s going to lead us to private links as well. Now, for many services in Azure, when you go to create the service and you go to the networking tab, you have the choice between public endpoints or private endpoints. And so far we typically choose public endpoints. What does this result in? In the case of a storage account, this is an endpoint, a public REST API endpoint that anyone can access. So the service itself is running publicly. Now, they can access it, but they don’t have the access keys, and so they won’t be able to successfully get inside of your storage account. So it’s like the door is there, but the door is locked.

Okay? Now the other thing you can do, of course, is tie your public endpoint to a virtual network. And when you tie it to a virtual network, let’s in this case tie it to one of the spokes, what you end up doing is allowing traffic to travel over your network, and then you can protect that traffic, right? So you’re basically putting yourself in a position where you can have firewalls, network security groups. You can basically do the usual virtual networking protection against this. It’s still a public endpoint, but you can have the firewall standing in between, or the route table and things like that.

The final selection is this private endpoint, which is what I wanted to talk to you about in this video. Now, the private endpoint basically means there’s no door. There is no way for anyone outside of Azure to connect to your storage account. Not even you could connect to your storage account, only from this private endpoint, unless you have another way of connecting into Azure, for instance a VPN or something. So a private endpoint is basically just a network device, much like a network interface card, that allows the Microsoft network to connect to this as opposed to the public network. So Microsoft’s backbone connects to the storage instead of the public network. So in order to do this we have to create what’s called a private endpoint.

So as we saw, we create a storage account in the normal way. We go check private endpoint under the connectivity method, and we get down here to where it says private endpoint and we can say add. Now, a private endpoint is its own thing. Like I said, it’s best thought of as a network device or a network interface card. I’m going to place this private endpoint into my test resource group here. I’m going to give it a name. Now, it is trying to access a blob. Now, I could say I want to access a table, queue, static website, et cetera. Let’s make the blob the thing that it’s trying to access. Now, the other thing is, what do we want to attach this to? So in this case… this virtual network obviously doesn’t have… no, not that virtual network. We want to do it to one of the spokes.

So, attaching to the spoke. Basically it’s going to attach to the only VNet subnet that has to do with the spoke. Notice the warning here that says if you have an NSG enabled for the subnet, it will be disabled for private endpoints on this subnet only. So as soon as you attach a private endpoint, your network security group, which is perhaps protecting your network’s incoming and outgoing traffic, doesn’t apply. Effectively, the NSG does not apply to this private network. But you’re opening up basically a door onto Microsoft’s internal network and not onto the public network. So this does tie into the private DNS zone. We are going to need to create a private DNS zone or already have one. And so I’m going to say yes, allow it to create the private DNS zone. It’s going to attempt to create a DNS zone using this name. I wonder if that is even going to… oh, it’s the Microsoft private DNS zone. So that’s okay. All right, I’m going to say okay.

Now notice that I’m allowing Microsoft network routing because we’re using the private endpoint. That is the preferred way. So I’m going to skip right to the end here, and if I click create here, I’m basically going to be creating a storage account that can only be accessed from a very specific network. We linked it to spoke one of our hub-and-spoke demo, and it’s not even going to be accessible. There won’t even be a public URL to access the storage account.

Now, storage accounts are not the only service that supports this. So I’ve been showing you a storage account as a demo, but many different services support it. So let’s look at… I’m going to pull in the Microsoft documentation here, and we can see that anything behind a load balancer. So that could be virtual machines that have public connectivity turned off. You could have what’s called Azure Private Link, and we can show you about that in a second. I just demonstrated Azure Blob storage. Queue, SQL Database, Synapse Analytics, Cosmos DB, other kinds of database services, MySQL, PostgreSQL; you can put your key vault behind such a private link.

Kubernetes, of course; Container Registry, if you don’t want your images to be accessible on the Internet or even discoverable; Service Bus; Relay; Web Apps, even. So for years people have been asking for a way to have web apps that are not publicly accessible, and this private endpoint is one way. Notice though that you have to be on a Premium V2, effectively a premium plan for web apps, in order to have this access. Machine Learning, Automation. So tons and tons and tons of Azure public services are now available, generally available, using this type of private link. So that means only applications that connect to the private link service can get access to them, and they’re not publicly available.
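As an added example (this is not code from the course or the video), here is what the portal steps above produce when written as Bicep: a storage account with its public endpoint switched off, a private endpoint for the blob sub-resource placed in the spoke subnet, the privatelink DNS zone linked to that spoke, and the zone group that writes the A record pointing at the endpoint NIC's private IP. All names, the subnet, and the resource group are assumptions for illustration; the VNet and subnet are assumed to exist already.

```bicep
// Added example, not from the course: storage account reachable only through a
// private endpoint in the spoke subnet, with the matching private DNS zone.
// Names, the resource group and the subnet are assumptions for illustration.
param location string = resourceGroup().location
param storageAccountName string = 'stprivatedemo001' // assumed; must be globally unique
param spokeVnetName string = 'vnet-spoke1'           // assumed existing spoke VNet
param spokeSubnetName string = 'snet-workload'       // assumed existing subnet in that spoke

resource spokeVnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: spokeVnetName
}

resource spokeSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' existing = {
  parent: spokeVnet
  name: spokeSubnetName
}

// The "no door" case: the public endpoint is disabled, so the only path in is the private endpoint.
resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    publicNetworkAccess: 'Disabled'
    allowBlobPublicAccess: false
    minimumTlsVersion: 'TLS1_2'
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'None'
    }
  }
}

// The private endpoint: a NIC in the spoke subnet that fronts the blob sub-resource.
resource blobPrivateEndpoint 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-${storageAccountName}-blob'
  location: location
  properties: {
    subnet: { id: spokeSubnet.id }
    privateLinkServiceConnections: [
      {
        name: 'plsc-blob'
        properties: {
          privateLinkServiceId: storage.id
          groupIds: [ 'blob' ] // the sub-resource picked in the portal (blob, table, queue, web, ...)
        }
      }
    ]
  }
}

// Private DNS zone for blob endpoints; the zone name is fixed by the service, not chosen by us.
resource blobDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.blob.${environment().suffixes.storage}'
  location: 'global'
}

// Link the zone to the spoke so VMs in that VNet resolve the account to the private address.
resource dnsZoneLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: blobDnsZone
  name: 'link-${spokeVnetName}'
  location: 'global'
  properties: {
    registrationEnabled: false
    virtualNetwork: { id: spokeVnet.id }
  }
}

// The zone group creates the A record <account>.privatelink.blob.<suffix> -> endpoint NIC private IP.
resource dnsZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: blobPrivateEndpoint
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'blob'
        properties: { privateDnsZoneId: blobDnsZone.id }
      }
    ]
  }
}

output privateEndpointNicId string = blobPrivateEndpoint.properties.networkInterfaces[0].id
```

Two things worth checking after a deployment like this. First, the portal warning about NSGs corresponds to the subnet's `privateEndpointNetworkPolicies` setting; when you audit a subnet that hosts private endpoints, look at that property to know whether NSG rules are being evaluated for endpoint traffic. Second, from a VM inside the linked spoke, resolving the account's normal public hostname should return the private IP from the zone group's A record; if it returns a public address instead, the VNet link or the zone group is missing and clients will either fail (public access disabled) or silently leave the private path.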

7. Private Link Service

So with the storage account, it might actually look like a normal storage account. It doesn’t scream at you that it’s private endpoint only. And in fact, if you go into the properties of the storage account, it even has the normal URL set up for contacting this. But if we go under the resource group and we go under the endpoint, we can see here, first of all, there’s a network interface card that’s been added to our resources. That is the NIC part of the endpoint. Then there’s the endpoint itself. The endpoint is attached to the subnet. It has that NIC card. And if we go under DNS configuration we can see that it’s basically pointing this endpoint, which is the private test blob, to a private IP address. So this should not be accessible from outside. This is what the IP needs to be.

So to be configured correctly, the following are required in your private DNS setup. We have our private DNS setup, and so we can see that the AZ SJD private test is in fact pointing to that IP address. So when we deployed it, it actually did get created properly. Again, this is a private DNS. So in order for any of our virtual machines to use the storage, it’s going to have to recognize this private link. Now, we did attach this to the virtual network, and so the virtual network VNet spoke one, if we created resources on that network, would have access to this storage account privately. Now, in a related service: we were talking about private endpoints, and we set up a private endpoint for our storage account. But if we wanted to set up a private endpoint for our own virtual machines, there is a way to do that. And so we could have this private endpoint that exists for our back end living inside of our front end, and have deny rules on the NSG. So deny outbound and deny inbound.

So theoretically there’s no traffic allowed between these particular virtual networks. But because you set up this private endpoint, it is again a private connection, and you get the endpoint on one side and you’ll have the private link service basically as the server on the other. And this becomes like a proxy, if you will. Azure Private Link actually has a dashboard, so I’m going to minimize that. And if we search for Private Link in the marketplace and we go inside of it, we’re taken to the Private Link Center, and so we can see the diagram, very similar to what we just saw, which was some sort of front end, some sort of back end, and a private link that manages the connection. In fact, if we go into the private endpoints of the Private Link Center, we can see the endpoint that we created for the storage account. If we wanted to create a private link for our… we don’t even have virtual machines, but if we created a load balancer onto one of those networks, we could create a private link that allowed the connection between the two. At least we can see the active connections, pending connections, the status of it. We can approve stuff and deny stuff, et cetera. So, connection state. It becomes a centralized way to look at how your private connections are talking to each other.
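As an added example (not code from the course or the video), this Bicep shows the front-end/back-end arrangement just described: the back end sits behind a Standard internal load balancer in its own VNet, a Private Link Service is attached to that load balancer's frontend IP configuration, and the front-end VNet reaches it through a private endpoint whose connection request stays Pending in the Private Link Center until someone approves it. The load balancer, both VNets, their subnets, and every name here are assumptions; the subnet hosting the Private Link Service is assumed to already have `privateLinkServiceNetworkPolicies` set to Disabled.

```bicep
// Added example, not from the course: a customer-owned service exposed through
// Azure Private Link Service, consumed from a separate front-end VNet.
// All names are assumptions; the load balancer, VNets and subnets are assumed to exist.
param location string = resourceGroup().location
param backendVnetName string = 'vnet-backend'       // assumed back-end VNet
param plsSubnetName string = 'snet-pls'             // assumed; privateLinkServiceNetworkPolicies must be Disabled
param frontendVnetName string = 'vnet-frontend'     // assumed front-end VNet (no peering needed)
param frontendSubnetName string = 'snet-frontend'   // assumed subnet that will host the private endpoint
param loadBalancerName string = 'lb-backend'        // assumed Standard SKU internal load balancer
param lbFrontendIpConfigName string = 'feip-internal' // assumed frontend IP configuration name

resource backendVnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: backendVnetName
}

resource plsSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' existing = {
  parent: backendVnet
  name: plsSubnetName
}

resource frontendVnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: frontendVnetName
}

resource frontendSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' existing = {
  parent: frontendVnet
  name: frontendSubnetName
}

// The "server" side: Private Link Service bound to the load balancer frontend.
// It gets a NAT IP in the PLS subnet; the back-end VMs only ever see that source address.
resource pls 'Microsoft.Network/privateLinkServices@2023-05-01' = {
  name: 'pls-backend'
  location: location
  properties: {
    loadBalancerFrontendIpConfigurations: [
      {
        id: resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', loadBalancerName, lbFrontendIpConfigName)
      }
    ]
    ipConfigurations: [
      {
        name: 'pls-ipconfig'
        properties: {
          subnet: { id: plsSubnet.id }
          privateIPAllocationMethod: 'Dynamic'
          primary: true
        }
      }
    ]
    // Only these subscriptions can see and request this service; everyone else is refused outright.
    visibility: { subscriptions: [ subscription().subscriptionId ] }
    // Empty auto-approval list: every request shows up as Pending and must be approved by hand.
    autoApproval: { subscriptions: [] }
    enableProxyProtocol: false
  }
}

// The "client" side: a private endpoint in the front-end VNet that asks for a connection.
// Using manualPrivateLinkServiceConnections makes the request land as Pending in the
// Private Link Center, where it is approved or rejected (the connection state in the video).
resource frontendEndpoint 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-backend'
  location: location
  properties: {
    subnet: { id: frontendSubnet.id }
    manualPrivateLinkServiceConnections: [
      {
        name: 'to-pls-backend'
        properties: {
          privateLinkServiceId: pls.id
          requestMessage: 'front-end tier requesting access to back-end service' // shown to the approver
        }
      }
    ]
  }
}

output privateLinkServiceAlias string = pls.properties.alias
```

The `visibility` and `autoApproval` lists are the access control that matters here: visibility decides who may even ask, auto-approval decides who gets in without a human looking. Keeping auto-approval empty, as above, is what makes the Pending state and the approve/deny buttons in the Private Link Center meaningful, and the Private Link Center's connection list is where you would review which endpoints currently hold an Approved connection to the service.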


