Private Link Service Setup

Private Link Service requires completing the load balancer configuration with backend pools, health probes, and load balancing rules.

Backend pools define the target instances that will receive traffic from the load balancer.

Health probes monitor the availability of backend instances. Only healthy instances receive traffic.

Load balancing rules define how traffic flows from the frontend IP to the backend pool based on protocol and port configuration.

The Private Link Service references the load balancer frontend IP configuration and provides the private connectivity interface.

Private DNS Zone Configuration

Private DNS zones enable name resolution for private endpoints using service-specific naming conventions.

Each Azure service requires a specific private DNS zone name. Storage blob uses privatelink.blob.core.windows.net.

VNet links connect the private DNS zone to virtual networks, enabling DNS resolution within those VNets.

Auto-registration is disabled on the VNet link (registration-enabled false) so that records are managed manually, which gives tighter control over what the zone answers.

DNS A records map the service name to the private endpoint IP address. The record name must be the service instance name exactly (for example mystoragepe for the storage account), because clients query mystoragepe.blob.core.windows.net and the public CNAME points at mystoragepe.privatelink.blob.core.windows.net, which is what the private zone must answer.

Hybrid DNS Architecture

On-premises DNS integration requires conditional forwarding to resolve private endpoint names from on-premises networks.

The architecture uses conditional forwarders on on-premises DNS servers to forward Azure private DNS queries to Azure.

A DNS forwarder VM in Azure provides the forwarding target for on-premises conditional forwarders.

ExpressRoute or VPN provides the network connectivity between on-premises and Azure networks.

This enables seamless name resolution for on-premises clients accessing Azure services through private endpoints.

DNS Forwarder Implementation

The DNS forwarder VM runs BIND9 to forward DNS queries to Azure's internal DNS service at 168.63.129.16.

The VM requires a static IP address to provide a consistent target for on-premises conditional forwarders.

BIND9 configuration uses forward-only mode to forward all queries to Azure DNS without local resolution.

The forwarder enables resolution of both private DNS zones and public DNS names from on-premises networks.

Ubuntu provides a lightweight platform for the DNS forwarder with proven reliability for enterprise environments.

Traffic Flow Analysis

Understanding traffic flows helps with troubleshooting and network design validation.

On-premises traffic flow involves DNS resolution through conditional forwarding to Azure, followed by application traffic over ExpressRoute or VPN.

DNS queries go through on-premises DNS to the conditional forwarder, then to the Azure DNS forwarder VM, and finally to private DNS zones.

Application traffic flows directly from on-premises to the private endpoint IP address over the hybrid connection.

The private endpoint forwards traffic to the target Azure service over the Microsoft backbone network.

Multi-Service Architecture

Enterprise environments typically require private endpoints for multiple Azure services.

A centralized private endpoint subnet can host private endpoints for storage, SQL, Key Vault, and custom services.

Each service type requires its own private DNS zone with service-specific naming conventions.

Multiple private endpoints can coexist in the same subnet, each with unique private IP addresses.

This architecture scales linearly as additional services are added to the private network.

Security Implementation

Advanced security controls provide defense in depth beyond basic NSG rules.

Denying outbound internet access from private endpoint subnets removes a direct path for data exfiltration and lateral movement from that subnet.

Log Analytics workspace provides centralized logging and monitoring for security events.

Diagnostic settings capture detailed logs for private endpoint connections and activities.

Security monitoring enables detection of anomalous traffic patterns and potential security incidents.

Cost Analysis

Private Link services have specific pricing models that affect total cost of ownership.

Private endpoints charge hourly fees plus data processing costs. Each endpoint costs approximately $7.20 per month plus $0.01 per GB processed.

Private Link Service has similar pricing for the provider side with availability and data processing charges.

DNS forwarder VMs add compute costs but can serve multiple VNets to optimize expenses.

Cost optimization strategies include consolidating endpoints and sharing DNS infrastructure across environments.

Troubleshooting Common Issues

DNS resolution problems are the most common issues with private endpoints.

Connectivity issues typically involve NSG rules, routing problems, or private endpoint configuration errors.

Certificate problems are rare since private endpoints use the same certificates as public endpoints.

Performance issues may involve bandwidth limitations or suboptimal routing configurations.

Diagnostic commands include nslookup for DNS testing, telnet for connectivity verification, and Azure CLI for resource status checks.

Implementation Checklist

Successful implementation requires systematic planning and execution across multiple phases.

Planning includes network design, IP addressing, DNS strategy, and security requirements.

Infrastructure deployment covers resource groups, virtual networks, and target services.

Private endpoint creation establishes secure connectivity to Azure services.

DNS configuration enables name resolution from all client locations.

Testing verifies connectivity and security controls before production deployment.

Complete Private Link Service Setup

```bash
# Create Backend Pool
az network lb address-pool create \
  --resource-group rg-private-link-demo \
  --lb-name ilb-backend \
  --name backend-pool

# Create Health Probe
az network lb probe create \
  --resource-group rg-private-link-demo \
  --lb-name ilb-backend \
  --name health-probe \
  --protocol Http \
  --port 80 \
  --path /health

# Create Load Balancing Rule
az network lb rule create \
  --resource-group rg-private-link-demo \
  --lb-name ilb-backend \
  --name lb-rule \
  --protocol Tcp \
  --frontend-port 80 \
  --backend-port 80 \
  --frontend-ip-name frontend-ip \
  --backend-pool-name backend-pool \
  --probe-name health-probe

# Create Private Link Service
az network private-link-service create \
  --resource-group rg-private-link-demo \
  --name pls-backend-service \
  --vnet-name vnet-provider \
  --subnet subnet-private-link-service \
  --lb-frontend-ip-configs /subscriptions/$(az account show --query id -o tsv)/resourceGroups/rg-private-link-demo/providers/Microsoft.Network/loadBalancers/ilb-backend/frontendIPConfigurations/frontend-ip \
  --location eastus
```

Private DNS Zone Configuration

```bash
# Create Private DNS Zone
az network private-dns zone create \
  --resource-group rg-private-link-demo \
  --name privatelink.blob.core.windows.net

# Link DNS Zone to Virtual Network
az network private-dns link vnet create \
  --resource-group rg-private-link-demo \
  --zone-name privatelink.blob.core.windows.net \
  --name vnet-link \
  --virtual-network vnet-private-link \
  --registration-enabled false

# Get Private Endpoint IP Address
PE_IP=$(az network private-endpoint show \
  --resource-group rg-private-link-demo \
  --name pe-storage-blob \
  --query 'customDnsConfigs[0].ipAddresses[0]' \
  --output tsv)

# Create DNS A Record
az network private-dns record-set a add-record \
  --resource-group rg-private-link-demo \
  --zone-name privatelink.blob.core.windows.net \
  --record-set-name mystoragepe \
  --ipv4-address $PE_IP
```

DNS Zone Naming Conventions

  • Storage Blob: privatelink.blob.core.windows.net
  • SQL Database: privatelink.database.windows.net
  • Key Vault: privatelink.vaultcore.azure.net
  • Cosmos DB: privatelink.documents.azure.com

Hybrid DNS Architecture

```mermaid
graph TB
    subgraph "On-Premises Network"
        OnPremClient[On-Premises Client]
        OnPremDNS[On-Premises DNS Server]
        ConditionalForwarder[Conditional Forwarder]
    end
    subgraph "Azure Network"
        subgraph "Hub VNet"
            DNSForwarder[DNS Forwarder VM]
        end
        subgraph "Spoke VNet"
            PrivateEndpoint[Private Endpoint]
            PrivateDNSZone[Private DNS Zone]
        end
        ExpressRoute[ExpressRoute Connection]
    end
    OnPremClient --> OnPremDNS
    OnPremDNS --> ConditionalForwarder
    ConditionalForwarder --> ExpressRoute
    ExpressRoute --> DNSForwarder
    DNSForwarder --> PrivateDNSZone
    PrivateDNSZone --> PrivateEndpoint
```

Integration Components

  • Conditional Forwarder: Routes Azure DNS queries to Azure
  • DNS Forwarder VM: Forwards queries to private DNS zones
  • ExpressRoute: Provides hybrid connectivity

DNS Forwarder Implementation

```bash
# Create DNS Forwarder VM
az vm create \
  --resource-group rg-private-link-demo \
  --name vm-dns-forwarder \
  --image Ubuntu2204 \
  --vnet-name vnet-private-link \
  --subnet subnet-private-endpoints \
  --private-ip-address 10.0.1.100 \
  --admin-username azureuser \
  --authentication-type ssh \
  --ssh-key-values ~/.ssh/id_rsa.pub

# Configure BIND9 DNS Forwarder
# The heredoc (<<EOF) feeds the options file to tee; without it tee would wait on stdin.
# allow-query/allow-recursion { any; } keep the example short; in production restrict
# them to the on-premises and VNet address ranges so the VM is not an open resolver.
az vm run-command invoke \
  --resource-group rg-private-link-demo \
  --name vm-dns-forwarder \
  --command-id RunShellScript \
  --scripts "
sudo apt-get update
sudo apt-get install -y bind9 bind9utils
sudo tee /etc/bind/named.conf.options > /dev/null <<EOF
options {
    directory \"/var/cache/bind\";
    recursion yes;
    allow-recursion { any; };
    listen-on { any; };
    allow-query { any; };
    forwarders { 168.63.129.16; };
    forward only;
};
EOF
sudo systemctl restart bind9
"
```

Configuration Requirements

  • Static IP: 10.0.1.100 for consistent forwarding target
  • Azure DNS: 168.63.129.16 provides private DNS resolution
  • Forward Only: Prevents local resolution conflicts
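The on-premises half of the conditional forwarding described above, as an added example that is not part of the original page. It assumes the on-premises server is also BIND9 (the page does not say what it runs), derives the public zone from each privatelink zone in the naming convention list, and points every forwarder at the static 10.0.1.100 target.

```bash
# Added example (assumes BIND9 on premises). On-premises clients query the
# public name (mystoragepe.blob.core.windows.net), so the conditional
# forwarder is created for the public zone, not the privatelink zone, and
# sends it to the Azure DNS forwarder VM, which resolves the rest via
# 168.63.129.16 and the private DNS zone.

AZURE_DNS_FORWARDER=10.0.1.100

# Private DNS zones from the page's naming convention list.
PRIVATE_ZONES="privatelink.blob.core.windows.net
privatelink.database.windows.net
privatelink.vaultcore.azure.net
privatelink.documents.azure.com"

# public_zone_of privatelink.blob.core.windows.net -> blob.core.windows.net
# Fails on names without the privatelink. prefix rather than silently
# creating a forwarder for the wrong zone.
public_zone_of() {
  case $1 in
    privatelink.?*) printf '%s\n' "${1#privatelink.}" ;;
    *) echo "not a privatelink zone: $1" >&2; return 1 ;;
  esac
}

# conditional_forwarder_stanza <public zone> <forwarder ip>
# forward only: the on-premises server must never fall back to public
# recursion, which would hand clients the service's public IP instead.
conditional_forwarder_stanza() {
  printf 'zone "%s" {\n    type forward;\n    forward only;\n    forwarders { %s; };\n};\n' "$1" "$2"
}

# render_named_conf_local: one stanza per zone, in list order
render_named_conf_local() {
  printf '%s\n' "$PRIVATE_ZONES" | while read -r zone; do
    public=$(public_zone_of "$zone") || exit 1   # ends the loop subshell
    conditional_forwarder_stanza "$public" "$AZURE_DNS_FORWARDER"
  done
}

# Live use: render_named_conf_local | sudo tee -a /etc/bind/named.conf.local
# then named-checkconf and rndc reload on the on-premises server.
```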

On-Premises Traffic Flow

```mermaid
sequenceDiagram
    participant OnPrem as On-Premises Client
    participant OnPremDNS as On-Premises DNS
    participant ExpressRoute as ExpressRoute
    participant DNSForwarder as DNS Forwarder
    participant PrivateDNS as Private DNS Zone
    participant PE as Private Endpoint
    participant Storage as Storage Account
    OnPrem->>OnPremDNS: 1. Query mystoragepe.blob.core.windows.net
    OnPremDNS->>ExpressRoute: 2. Forward to 10.0.1.100
    ExpressRoute->>DNSForwarder: 3. Route to DNS Forwarder
    DNSForwarder->>PrivateDNS: 4. Query Private DNS Zone
    PrivateDNS->>DNSForwarder: 5. Return 10.0.1.4
    DNSForwarder->>OnPremDNS: 6. Return Private IP
    OnPremDNS->>OnPrem: 7. Return 10.0.1.4
    OnPrem->>ExpressRoute: 8. HTTPS to 10.0.1.4:443
    ExpressRoute->>PE: 9. Route to Private Endpoint
    PE->>Storage: 10. Forward to Storage Account
    Storage->>PE: 11. Return Response
    PE->>OnPrem: 12. Response via ExpressRoute
```

Multi-Service Architecture

```mermaid
graph TB
    subgraph "Client Virtual Network"
        ClientVM[Client VM]
    end
    subgraph "Private Endpoint Subnet 10.0.1.0/24"
        PEStorage[PE Storage 10.0.1.4]
        PESQL[PE SQL 10.0.1.5]
        PEKeyVault[PE Key Vault 10.0.1.6]
        PECustom[PE Custom Service 10.0.1.7]
    end
    subgraph "Private DNS Zones"
        DNSBlob[privatelink.blob.core.windows.net]
        DNSSQL[privatelink.database.windows.net]
        DNSKeyVault[privatelink.vaultcore.azure.net]
    end
    subgraph "Azure Services"
        StorageAccount[Storage Account]
        SQLDatabase[SQL Database]
        KeyVault[Key Vault]
        CustomService[Custom Service]
    end
    ClientVM --> PEStorage
    ClientVM --> PESQL
    ClientVM --> PEKeyVault
    ClientVM --> PECustom
    PEStorage --> StorageAccount
    PESQL --> SQLDatabase
    PEKeyVault --> KeyVault
    PECustom --> CustomService
```

Advanced Security Controls

```bash
# Block Internet Access from PE Subnet
az network nsg rule create \
  --resource-group rg-private-link-demo \
  --nsg-name nsg-private-endpoints \
  --name deny-internet-outbound \
  --protocol "*" \
  --direction Outbound \
  --priority 4000 \
  --source-address-prefix "*" \
  --source-port-range "*" \
  --destination-address-prefix Internet \
  --destination-port-range "*" \
  --access Deny

# Create Log Analytics Workspace
az monitor log-analytics workspace create \
  --resource-group rg-private-link-demo \
  --workspace-name law-private-link-monitoring \
  --location eastus

# Enable Diagnostic Settings
# "categoryGroup": "allLogs" selects every log category the resource exposes;
# "category" expects a single named category, so "AllLogs" is rejected there.
az monitor diagnostic-settings create \
  --resource-group rg-private-link-demo \
  --name pe-diagnostics \
  --resource /subscriptions/$(az account show --query id -o tsv)/resourceGroups/rg-private-link-demo/providers/Microsoft.Network/privateEndpoints/pe-storage-blob \
  --workspace /subscriptions/$(az account show --query id -o tsv)/resourceGroups/rg-private-link-demo/providers/Microsoft.OperationalInsights/workspaces/law-private-link-monitoring \
  --logs '[{"categoryGroup":"allLogs","enabled":true}]'
```

Security Monitoring

  • Outbound Deny: Prevents internet access from PE subnet
  • Centralized Logging: Log Analytics for security events
  • Diagnostic Logs: Detailed connection and activity logs

Cost Analysis

| Component | Pricing Model | Monthly Cost | Notes |
|---|---|---|---|
| Private Endpoint | Hourly + Data Processing | $7.20 + $0.01/GB | Per endpoint monthly |
| Private Link Service | Availability + Data Processing | $7.20 + $0.01/GB | Provider charges |
| DNS Forwarder VM | Compute + Storage | $30-50 | B1s or B2s VM size |
| Private DNS Zone | Hosted Zone + Queries | $0.50 + $0.40/M queries | Low cost component |

Optimization Strategies

  • Shared Infrastructure: One DNS forwarder for multiple VNets
  • Consolidation: Shared private endpoint subnets
  • Monitoring: Track data processing costs

Troubleshooting Guide

DNS Resolution

  • Verify private DNS zone configuration
  • Check VNet links exist
  • Validate A record entries
  • Test with nslookup command

Connectivity Issues

  • Review NSG rules and priorities
  • Check route table configuration
  • Verify private endpoint status
  • Use Network Watcher for tracing

Certificate Problems

  • Private endpoints use the same certificates as the public endpoints
  • Validate certificate trust chains
  • Check SAN entries match FQDNs
  • Test with curl or openssl

Performance Issues

  • Monitor bandwidth utilization
  • Check for routing loops
  • Review Azure Monitor metrics
  • Analyze connection patterns

Diagnostic Commands

```bash
# Test DNS Resolution
nslookup mystoragepe.blob.core.windows.net

# Test Connectivity
telnet 10.0.1.4 443

# Check Private Endpoint Status
az network private-endpoint show \
  --name pe-storage-blob \
  --resource-group rg-private-link-demo
```
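An added check for the DNS resolution issues in the troubleshooting guide and the "accessible only via private IPs" item of the success validation; it is not from the original page. It assumes dig is installed on the client, and the sample resolver answers below are constructed rather than captured.

```bash
# Added example: decide whether a resolver's answer for a private endpoint FQDN
# is the private endpoint address. With hybrid DNS working, the A record lies in
# the PE subnet (10.0.1.0/24 on this page); a public address means the
# conditional forwarder, VNet link or A record is wrong.

# ip_to_int 10.0.1.4 -> 167772420 (dotted quad as a 32-bit integer)
ip_to_int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# ip_in_cidr <ip> <cidr>: exit 0 when ip lies inside cidr, 1 otherwise
ip_in_cidr() {
  case $2 in */*) ;; *) return 1 ;; esac
  ip=$(ip_to_int "$1") || return 1
  net=$(ip_to_int "${2%/*}") || return 1
  mask=$(( (4294967295 << (32 - ${2#*/})) & 4294967295 ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# classify_answer <pe-subnet> reads 'dig +short' output on stdin (CNAME hops end
# with a dot, the last line is the A record). Prints "private <ip>" and exits 0
# when the A record is in the PE subnet; "public <ip>" or "nxdomain" with exit 1.
classify_answer() {
  addr=""
  while read -r line; do
    case $line in
      *.|'') ;;            # CNAME hop or blank line, keep reading
      *) addr=$line ;;     # A record
    esac
  done
  [ -n "$addr" ] || { echo nxdomain; return 1; }
  if ip_in_cidr "$addr" "$1"; then
    echo "private $addr"
  else
    echo "public $addr"; return 1
  fi
}

# Constructed sample answers (not captured from a real environment):
GOOD_ANSWER='mystoragepe.privatelink.blob.core.windows.net.
10.0.1.4'
BAD_ANSWER='mystoragepe.privatelink.blob.core.windows.net.
203.0.113.10'

# Live use: PE_CHECK_FQDN=mystoragepe.blob.core.windows.net sh check.sh
if [ -n "${PE_CHECK_FQDN:-}" ]; then
  dig +short "$PE_CHECK_FQDN" | classify_answer 10.0.1.0/24
fi
```

Run it from each client location (VNet and on-premises); a non-zero exit from any location points at the DNS path for that location rather than at the endpoint itself.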

Implementation Checklist

  1. Network Architecture Planning: Design VNet topology and IP addressing scheme
  2. Resource Group Creation: Organize resources for management and governance
  3. Virtual Network Deployment: Create VNets with appropriate address spaces
  4. Target Service Creation: Deploy storage accounts, databases, and other services
  5. Private Endpoint Configuration: Create private endpoints for each service
  6. Security Implementation: Configure NSGs, RBAC, and monitoring
  7. Private DNS Setup: Create zones and configure name resolution
  8. Hybrid DNS Configuration: Set up conditional forwarding for on-premises
  9. Connectivity Testing: Verify resolution and access from all locations
  10. Monitoring Deployment: Enable logging, alerts, and performance monitoring

Success Validation

  • ✅ Services accessible only via private IPs
  • ✅ DNS resolution working from all client locations
  • ✅ No public internet connectivity to services
  • ✅ Security controls properly configured and tested
  • ✅ Monitoring and alerting operational