Azure Private Link: Secure Access to PaaS Services
Azure Private Link brings PaaS services into your VNet through a private IP address. No public internet exposure; traffic stays on Microsoft's backbone.
The Problem
By default, Azure PaaS services (Storage, SQL, Cosmos DB) have public endpoints. Even with firewall rules, data transits the public internet.
Private Endpoint Setup
```hcl
# Private endpoint for the blob sub-resource of the storage account,
# placed in a dedicated subnet of the VNet.
resource "azurerm_private_endpoint" "storage" {
  name                = "storage-private-endpoint"
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name
  subnet_id           = azurerm_subnet.endpoints.id

  private_service_connection {
    name                           = "storage-connection"
    private_connection_resource_id = azurerm_storage_account.main.id
    subresource_names              = ["blob"]
    is_manual_connection           = false
  }

  # Without this block the A record for the endpoint is not created in the
  # private zone, and clients keep resolving the public IP.
  private_dns_zone_group {
    name                 = "blob-dns-zone-group"
    private_dns_zone_ids = [azurerm_private_dns_zone.blob.id]
  }
}

# Private DNS zone that overrides the public blob.core.windows.net name.
resource "azurerm_private_dns_zone" "blob" {
  name                = "privatelink.blob.core.windows.net"
  resource_group_name = azurerm_resource_group.main.name
}

# Link the zone to the VNet so its resolver answers from the private zone.
resource "azurerm_private_dns_zone_virtual_network_link" "blob" {
  name                  = "blob-dns-link"
  resource_group_name   = azurerm_resource_group.main.name
  private_dns_zone_name = azurerm_private_dns_zone.blob.name
  virtual_network_id    = azurerm_virtual_network.main.id
}
```
How It Works
- Create a private endpoint in a subnet of your VNet
- Azure assigns the endpoint a private IP from that subnet
- Link a private DNS zone (privatelink.blob.core.windows.net for blob) to the VNet for name resolution
- Applications resolve the service name to the private IP instead of the public one
Supported Services
- Azure Storage (blob, file, table, queue)
- Azure SQL Database
- Azure Cosmos DB
- Azure Key Vault
- Azure Container Registry
- Azure Kubernetes Service
- And many more…
Disable Public Access
```bash
# Disable public access to storage
az storage account update \
  --name mystorageaccount \
  --resource-group myrg \
  --default-action Deny \
  --public-network-access Disabled
```
With public network access disabled, the storage account answers only through the private endpoint in your VNet. Zero exposure to the internet.
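To confirm that clients really take the private path, the check below resolves the blob FQDN and verifies every answer falls inside the private endpoint's subnet; it is an added example, not code from the original post, and the account name, subnet 10.0.1.0/24 and the DNS answers in the tables are constructed for illustration.

```python
import ipaddress
import socket
from typing import Callable, Dict, List

Resolver = Callable[[str], List[str]]

# Public DNS suffix -> Private Link zone, as used in the Terraform above.
PRIVATELINK_ZONES = {"blob.core.windows.net": "privatelink.blob.core.windows.net"}

def privatelink_name(hostname: str) -> str:
    """Name the public FQDN CNAMEs to once a private endpoint exists, e.g.
    acct.blob.core.windows.net -> acct.privatelink.blob.core.windows.net."""
    label, _, suffix = hostname.partition(".")
    if suffix not in PRIVATELINK_ZONES:
        raise ValueError(f"no Private Link zone known for {suffix}")
    return f"{label}.{PRIVATELINK_ZONES[suffix]}"

def system_resolver(hostname: str) -> List[str]:
    # OS resolver: inside the VNet that is Azure DNS plus the linked private zone.
    return sorted({ai[4][0] for ai in socket.getaddrinfo(hostname, 443, socket.AF_INET)})

def check_private_resolution(hostname: str, endpoint_subnet: str,
                             resolver: Resolver = system_resolver) -> Dict[str, object]:
    """Resolve hostname and require every answer to sit inside the subnet that
    holds the private endpoint. Any other answer (or no answer) means the client
    is on the public path: zone not linked to its VNet, or a forwarder bypassing it."""
    subnet = ipaddress.ip_network(endpoint_subnet, strict=False)
    addrs = [ipaddress.ip_address(a) for a in resolver(hostname)]
    return {
        "hostname": hostname,
        "expected_cname": privatelink_name(hostname),
        "addresses": [str(a) for a in addrs],
        "ok": bool(addrs) and all(a in subnet for a in addrs),
    }

# Constructed DNS answers (not real Azure data): inside the VNet the linked
# private zone returns the endpoint IP; elsewhere the public IP comes back.
INSIDE_VNET = {"mystorageaccount.blob.core.windows.net": ["10.0.1.4"]}
OUTSIDE_VNET = {"mystorageaccount.blob.core.windows.net": ["203.0.113.10"]}

def table_resolver(table: Dict[str, List[str]]) -> Resolver:
    # Offline stand-in for system_resolver, driven by the tables above.
    return lambda h: table.get(h, [])
```

Run it with `system_resolver` from a VM in the VNet and again from outside; only the first should report `ok`.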