- What a Private Endpoint is and why you use it
- A Private Endpoint is a network interface (NIC) with a private IP address in your virtual network (
VNet) that privately and securely connects to an Azure service over the Microsoft backbone network.
- A Private Endpoint is a network interface (NIC) with a private IP address in your virtual network (
- What a Private Link Service is and how it’s used
- A Private Link Service is a service fronted by a NIC in a
VNetthat exposes a service privately to other VNets or tenants via Private Endpoints.
- A Private Link Service is a service fronted by a NIC in a
- How Private Link works end-to-end, including approval workflows
- Key properties of a Private Endpoint: target resource and subresource (group IDs), DNS behavior, connection state, and IP/subnet details
- Operational notes for creating, approving, and troubleshooting Private Endpoint connections
Private Endpoint traffic flows over the Azure backbone, providing private connectivity to platform or customer services without exposing traffic to the public internet.
Why use Azure Private Link?
Azure Private Link ensures that traffic between your virtual network and the target service remains on the Microsoft network. This reduces exposure to the public internet, helps meet compliance requirements, and improves security posture for services such as:- Azure Storage (Blobs, Files)
- Azure SQL
- Azure App Service
- Partner or customer-hosted services exposed via Private Link Service
Private Endpoint vs Private Link Service — Quick comparison
Key properties of a Private Endpoint
How Private Link works (end-to-end)
- Consumer creates a Private Endpoint in their
VNet, specifying:- The target resource (or the target Private Link Service)
- The subresource /
groupId(if applicable) - A subnet and private IP for the endpoint
- If the target requires approval, the owner receives a connection request and can approve or reject it (approval workflow)
- Once approved, Azure provisions the network connectivity: the Private Endpoint’s
NICis associated with the target resource via the Microsoft backbone - DNS must be configured so that the service’s FQDN resolves to the Private Endpoint’s private IP from the consumer
VNet - Client traffic flows over the Azure backbone to the service—no public internet traversal
Typical Private Link workflow (concise steps)
- Create Private Endpoint in consumer
VNet - If needed, submit connection request to service owner
- Service owner approves (or rejects) request
- Configure DNS (Azure Private DNS or custom DNS) so the service hostname resolves to the private IP
- Test and validate connectivity
DNS configuration is critical: without proper DNS mapping the service hostname will resolve to a public endpoint and traffic can fail to use the Private Endpoint. Configure Azure Private DNS Zones or your custom DNS to point the service FQDN to the Private Endpoint private IP.
DNS recommendations
- Use Azure Private DNS zones where possible (for example,
privatelink.blob.core.windows.net), and link the Private DNS zone to yourVNet. - If you run a custom DNS solution, create records so the service FQDN resolves to the Private Endpoint private IP.
- Verify resolution from resources in the
VNetwith standard tools (e.g.,nslookup,dig).
Troubleshooting checklist
- Verify the Private Endpoint’s
Connection State(approved/connected). - Confirm the endpoint’s private IP and subnet are correct and routeable.
- Ensure NSGs and UDRs do not block required traffic to the Private Endpoint.
- Check DNS resolution inside the
VNetto confirm the service FQDN resolves to the private IP. - Validate whether the target resource requires a specific
groupId(subresource) and that the Private Endpoint is configured accordingly.
Links and references
- Azure Private Link documentation
- Azure Private Endpoint overview
- Azure Private Link DNS configuration guidance