Introduction

What is a Private Endpoint?
How Private Link works — high level
Key properties of a private endpoint
Benefits and common use cases
Next steps and references

Azure Private Link provides secure, private connectivity from your virtual network to Azure services — such as Storage Accounts, SQL Database, and Web Apps — by bringing the service into your virtual network via a private IP address. This lesson explains what Private Link is, how a private endpoint works, and the role of a Private Link service including approval and connection workflows. A private endpoint is a network interface (NIC) with a private IP address in your virtual network that is used to privately and securely connect to an Azure resource. Private Link services expose service resources over private endpoints so that traffic stays on the Microsoft backbone network instead of traversing the public internet.

A slide titled "Learning objectives" with a blue gradient panel on the left. On the right are three numbered objectives about Private Link: how it enables private access to Azure services, what a Private Endpoint is, and the purpose of Private Link Service.

Azure Private Link is ideal when you need private connectivity to platform services or partner/customer-hosted services without exposing endpoints to the public internet. It simplifies network architecture and improves security posture by keeping traffic on the Azure backbone.

What is a Private Endpoint?

A private endpoint is a virtual network interface (NIC) with a private IP address from your VNet address space.
It maps to a specific Azure resource (the associated resource) and may reference a specific sub-resource (for example, a blob or table in a storage account).
DNS resolves the service’s FQDN to the private IP assigned to the private endpoint when configured correctly.

If DNS is not configured for the private endpoint (or if clients use public DNS that resolves to the public IP), traffic may still go over the public internet. Ensure you update DNS records or use Azure Private DNS zones for correct name resolution.

How Private Link works — high level

Service owner exposes a Private Link service (PaaS resource or customer/partner service).
Consumer creates a private endpoint in their VNet that targets the Private Link resource.
A private IP is assigned to the private endpoint; network traffic to that service flows over the private IP across the Azure backbone.
Connection approval: depending on configuration, the service owner can require manual approval for connections to their Private Link service.
DNS must be updated so the target service FQDN resolves to the private endpoint IP — Azure Private DNS zones are commonly used.

Key properties of a private endpoint

Property	Purpose	Notes / Example
Associated resource	The Azure resource the private endpoint connects to	`mystorageaccount.blob.core.windows.net`
Sub-resource	Specific service interface on the resource (if applicable)	For Storage: `blob`, `file`, `table`, `queue`
Private IP	The IP address assigned from your VNet	Used for routing from clients in the VNet
Connection approval	Whether owner approval is required	Manual approval or auto-approve for same-subscription resources
DNS behavior	How the service FQDN resolves to the private IP	Use Azure Private DNS zones or custom DNS forwarding
Network policies	Whether NIC-level policies apply (NSG, routing)	Configure NSGs on subnet where private endpoint resides

Benefits and common use cases

Secure access to Azure PaaS services without public IP exposure.
Connect customer-managed or partner services privately across subscriptions or tenants.
Simplify network security by restricting access to resources via private IPs.
Reduce attack surface and meet compliance requirements for private connectivity.

Next steps and references

Read the official Azure Private Link overview and Private Endpoint concepts for deployment details:
- Azure Private Link overview
- Private Endpoint overview

Use these resources to plan DNS, approval workflows, and subnet configuration when implementing Private Link in production.

Watch Video

Using Network Watcher

Integrating with DNS

Configure Internet Access with Azure Virtual NAT

Configure Peering for an Express Route Deployment

Configure Public IP Addresses

Connect Devices to Networks with Point to Site VPN Connections

Connect Networks with Site to Site VPN Connections

Connect Remote Resources by using Azure Virtual WA Ns

Create a Network Virtual Appliance NVA in a Virtual Hub

Deploy Azure D Do S Protection

Deploy and configure Network Security Groups

Design Azure Application Gateway

Design Azure Front Door

Design Name Resolution for Azure Virtual Network

Design an Express Route deployment

Design and Implement Azure Firewall

Design and Implement Azure Load Balancer

Design and Implement Azure VPN Gateway

Design and implement Azure Bastion

Enable Cross V Net Connectivity

Explain Virtual Network Service Endpoints

Explore Azure Express Route

Explore Azure Traffic Manager

Explore Azure Virtual Networks

Explore Load Balancing Options in the Azure

Express Route Advanced Features

Get Network Security Recommendations with Microsoft Defender for Cloud

Implement Virtual Network Traffic Routing

Implement a Web Application Firewall

Monitor your networks using Azure Monitor

Monitor your networks using Azure Network Watcher

Private Link Services and Private Endpoints

Troubleshooting Express Route Connections

Working with Azure Firewall Manager

Introduction

What is a Private Endpoint?

How Private Link works — high level

Key properties of a private endpoint

Benefits and common use cases

Next steps and references

Watch Video

Introduction

Configure Internet Access with Azure Virtual NAT

Configure Peering for an Express Route Deployment

Configure Public IP Addresses

Connect Devices to Networks with Point to Site VPN Connections

Connect Networks with Site to Site VPN Connections

Connect Remote Resources by using Azure Virtual WA Ns

Create a Network Virtual Appliance NVA in a Virtual Hub

Deploy Azure D Do S Protection

Deploy and configure Network Security Groups

Design Azure Application Gateway

Design Azure Front Door

Design Name Resolution for Azure Virtual Network

Design an Express Route deployment

Design and Implement Azure Firewall

Design and Implement Azure Load Balancer

Design and Implement Azure VPN Gateway

Design and implement Azure Bastion

Enable Cross V Net Connectivity

Explain Virtual Network Service Endpoints

Explore Azure Express Route

Explore Azure Traffic Manager

Explore Azure Virtual Networks

Explore Load Balancing Options in the Azure

Express Route Advanced Features

Get Network Security Recommendations with Microsoft Defender for Cloud

Implement Virtual Network Traffic Routing

Implement a Web Application Firewall

Monitor your networks using Azure Monitor

Monitor your networks using Azure Network Watcher

Private Link Services and Private Endpoints

Troubleshooting Express Route Connections

Working with Azure Firewall Manager

​What is a Private Endpoint?

​How Private Link works — high level

​Key properties of a private endpoint

​Benefits and common use cases

​Next steps and references

Watch Video

What is a Private Endpoint?

How Private Link works — high level

Key properties of a private endpoint

Benefits and common use cases

Next steps and references