A private endpoint in Azure is a network interface that connects you privately and securely to a service operated by Azure Private Link. The private endpoint uses a private IP address in your VNet and effectively integrates the service into your VNet. This can be an Azure service such as Azure Storage, Azure Cosmos DB, SQL etc. or your own Private Link service.
When you create a PaaS service in Azure, it is automatically assigned a public DNS name and a public IP address, which is generally reachable by anyone on the Internet.
With a private endpoint, the PaaS service additionally receives an internal IP address in the VNet alongside its external IP. The service's firewall rules can then be used to block access from the Internet, so that the service is reachable only via the internal, self-managed VNet. This increases security by significantly reducing the attack surface.
Private endpoints can currently be used for the following Azure PaaS services:
- Private link service (your own service)
- Azure Automation
- Azure SQL database
- Azure Synapse Analytics
- Azure Storage
- Azure Data Lake Storage Gen2
- Azure Cosmos DB
- Azure Database for PostgreSQL
- Azure Database for MySQL
- Azure Database for MariaDB
- Azure IoT Hub
- Azure Key Vault
- Azure Kubernetes Service
- Azure Search
- Azure Container Registry
- Azure App Configuration
- Azure Backup
- Azure Event Hub
- Azure Service Bus
- Azure Relay
- Azure Event Grid
- Azure App Service
- Azure Machine Learning
- SignalR
- Azure Monitor
- Cognitive Services
- Azure File Sync
Service endpoints, like private endpoints, allow PaaS resources to be accessed only from specific VNets. The difference is that with service endpoints the PaaS service does not receive an endpoint inside the VNet (it is still reached via its public IP), whereas a private endpoint gives the service an IP address within the VNet.
Existing PaaS service
A VNet and a subnet must already exist so that the existing PaaS resource can be integrated into a virtual network in Azure; if they do not, create them first.
The private endpoint can now be configured; the setting is found directly on the PaaS resource under Network.
New PaaS service
When creating a new PaaS service, you can also create the private endpoint in the wizard.
Configuring DNS
With the private endpoint configured, the PaaS resource has now been assigned a private IP address in the VNet or subnet. However, for the service to be reachable by name, DNS must be configured accordingly. There are two standard options for this; more complex DNS setups require an individual solution.
Azure private DNS zone
This is the default option: a private DNS zone is created in Azure when the private endpoint is deployed and is linked to the selected VNet, so that all hosts within that VNet can resolve the name via this zone.
DNS forwarder
If a DNS server has been set up in the VNet, a forwarder to Azure DNS at 168.63.129.16 can be entered on that server. All queries that the DNS server cannot answer itself are then forwarded to the Azure DNS server.

To ensure that public access to the PaaS resource is actually switched off, this must be configured on the resource itself, under its firewall settings.
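The whole procedure above (private endpoint on an existing PaaS resource, Azure private DNS zone linked to the VNet, public access switched off on the resource firewall) as an added Terraform example using the azurerm provider; it is not part of the original article. It uses Azure Storage (blob) as the PaaS service and assumes an existing resource group, VNet and subnet; all resource names are placeholders.

```hcl
# Existing resource group, VNet and subnet (assumed; names are placeholders)
data "azurerm_resource_group" "rg" { name = "rg-example" }
data "azurerm_virtual_network" "vnet" {
  name                = "vnet-example"
  resource_group_name = data.azurerm_resource_group.rg.name
}
data "azurerm_subnet" "pe" {
  name                 = "snet-private-endpoints"
  virtual_network_name = data.azurerm_virtual_network.vnet.name
  resource_group_name  = data.azurerm_resource_group.rg.name
}
# The PaaS resource with public network access switched off (the firewall step)
resource "azurerm_storage_account" "sa" {
  name                          = "stexample01"
  resource_group_name           = data.azurerm_resource_group.rg.name
  location                      = data.azurerm_resource_group.rg.location
  account_tier                  = "Standard"
  account_replication_type      = "LRS"
  public_network_access_enabled = false
}

# Private DNS zone for the blob sub-resource, linked to the VNet so that
# hosts inside it resolve the storage name to the private IP
resource "azurerm_private_dns_zone" "blob" {
  name                = "privatelink.blob.core.windows.net"
  resource_group_name = data.azurerm_resource_group.rg.name
}
resource "azurerm_private_dns_zone_virtual_network_link" "blob" {
  name                  = "link-vnet-example"
  resource_group_name   = data.azurerm_resource_group.rg.name
  private_dns_zone_name = azurerm_private_dns_zone.blob.name
  virtual_network_id    = data.azurerm_virtual_network.vnet.id
}

# The private endpoint in the subnet; the DNS zone group writes the A record
# for the storage account into the private zone automatically
resource "azurerm_private_endpoint" "blob" {
  name                = "pe-stexample01-blob"
  location            = data.azurerm_resource_group.rg.location
  resource_group_name = data.azurerm_resource_group.rg.name
  subnet_id           = data.azurerm_subnet.pe.id
  private_service_connection {
    name                           = "psc-stexample01-blob"
    private_connection_resource_id = azurerm_storage_account.sa.id
    subresource_names              = ["blob"]
    is_manual_connection           = false
  }
  private_dns_zone_group {
    name                 = "default"
    private_dns_zone_ids = [azurerm_private_dns_zone.blob.id]
  }
}
```

After `terraform apply`, resolving `stexample01.blob.core.windows.net` from a host inside the VNet should return an address from the subnet's range, while the same name resolves to a public IP from outside and the storage firewall rejects that path.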