
What is a Private Endpoint?
A Private Endpoint projects an Azure service into your VNet by assigning a private IP address to that service inside a subnet. DNS resolves the service’s FQDN to the Private Endpoint’s private IP, so traffic between your compute resources and the service flows entirely over the Microsoft backbone.
- Access to the mapped resource is provided over a private IP.
- External internet requests cannot reach your SQL servers or other services.
- Exposure to brute-force or port-scan attacks is minimized while full functionality is preserved via private connectivity.
What is a Private Link service?
A Private Link service is how a provider privately publishes an application to consumers. Read the next diagram from left to right: the consumer network connects privately to the provider network over the Azure backbone (no public internet). The consumer creates a Private Endpoint (for example,10.0.1.5)—a NIC in the consumer VNet. DNS resolves the service name to that private IP. A dotted line represents the Private Link, bridging the consumer’s Private Endpoint to the provider’s Private Link service. On the provider side, the Private Link service typically fronts a Standard Load Balancer and fans out to VMs or instances. The provider controls and approves which consumers can connect.

Quick concept summary
Demonstration: Private Endpoint in the Azure portal
The following demo reuses a VM that currently resolves a storage account to a public IP. We’ll create a Private Endpoint and show DNS and connectivity changes. First, observe the storage account resolving from the VM (public IP):
Create a Private Endpoint
When creating a Private Endpoint for the storage account, use these typical settings:- Resource group: same RG as the VM (for demo convenience).
- Name: e.g.,
pest(Azure will append-nicto create the network interface). - Region: choose your region (e.g., East US).
- Resource: select the target storage account and the service (Blob).
- Virtual network/subnet: you can reuse the VM subnet for labs; in production use a dedicated subnet for Private Endpoints.
- IP allocation: dynamic is common for demos.
- Integrate with Azure Private DNS zones (easiest for Azure-provided DNS).
- Manage DNS yourself (custom DNS server, conditional forwarders, or a Private Resolver), which requires extra configuration for on-premises access.

For Azure VMs using Azure-provided DNS, integrating the Private Endpoint with an Azure Private DNS zone (for example,
privatelink.blob.core.windows.net) is the simplest approach. On-premises access requires DNS forwarding or a Private Resolver and additional configuration.Private Endpoints are implemented as NICs in your subnet and obey routing, NSGs, and UDRs. User-defined routes that force traffic to a firewall or on-premises (for example, forced tunneling) can break Private Endpoint connectivity. Ensure UDRs, firewalls/NVAs (including SNAT behavior), and NSGs permit traffic to and from the Private Endpoint and the Microsoft backbone.


privatelink.blob.core.windows.net). After DNS integration completes, name resolution from the VM (which uses Azure DNS) should return the private IP allocated to the endpoint (e.g., 10.0.1.5):

10.0.1.4) and the storage account flows from the VM to the Private Endpoint IP (10.0.1.5) over the Microsoft backbone—no public IP is involved.
Front Door + Private Link (brief)
If you use Azure Front Door (Premium) with backend origin groups, you can enable Private Link for origin groups so Front Door accesses your App Service via the Private Endpoint. This lets you disable public access to the App Service completely. Note: App Service Private Link is supported on Standard and higher SKUs (not on free tiers).References and further reading
- Azure Private Link overview
- Private Endpoint DNS integration
- Azure Front Door + Private Link (Premium)
- Azure networking concepts