Private endpoints in Azure
Private endpoints in Azure enable a secure connection to Azure services within a virtual network (VNet) via an internal IP address. This means that these services can only be accessed via the VNet, which increases security. They support numerous Azure services and can be configured via the network settings.
A private endpoint in Azure is a network interface that connects you privately and securely to a service powered by Azure Private Link. The private endpoint uses a private IP address from your VNet and effectively brings the service into your VNet. The service can be an Azure PaaS offering such as Azure Storage, Azure Cosmos DB or Azure SQL, or your own Private Link service.
Why use private endpoints?
When you deploy a PaaS service on Azure, it is automatically assigned a public DNS name and a public IP address that is, by default, reachable by anyone on the Internet.
With a private endpoint, the PaaS service additionally receives an internal IP address in the VNet alongside its external IP. Firewall rules on the resource can then be used to block access from the Internet, so the service is reachable only through the internal, self-managed VNet. This significantly reduces the attack surface.
For which services are private endpoints available?
Private endpoints can currently be used for the following Azure PaaS services:
Private link service (your own service)
Azure Automation
Azure SQL database
Azure Synapse Analytics
Azure Storage
Azure Data Lake Storage Gen2
Azure Cosmos DB
Azure Database for PostgreSQL
Azure Database for MySQL
Azure Database for MariaDB
Azure IoT Hub
Azure Key Vault
Azure Kubernetes Service
Azure Search
Azure Container Registry
Azure App Configuration
Azure Backup
Azure Event Hub
Azure Service Bus
Azure Relay
Azure Event Grid
Azure App Service
Azure Machine Learning
SignalR
Azure Monitor
Cognitive Services
Azure File Sync
What is the difference between private endpoints and service endpoints?
Like private endpoints, service endpoints also make it possible to allow access to PaaS resources only from certain VNets. The difference is that with service endpoints the PaaS service does not get an endpoint inside the VNet (traffic still goes to the service's public endpoint, with the source subnet identified and allowed in the resource firewall), whereas with a private endpoint the service receives an IP address inside the VNet.
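The service-endpoint variant just described, as an added Bicep example that is not part of the original article: the subnet is tagged with the Microsoft.Storage service endpoint and the storage account firewall allows only that subnet. The VNet name, subnet name, address prefix and storage account name are assumptions; the VNet is assumed to already exist in the target resource group.

```bicep
// Added example (not from the original article): restricting a storage account
// with a service endpoint. The account keeps its public endpoint; the firewall
// allows only the tagged subnet. All names and prefixes below are assumptions.

param vnetName string = 'vnet-hub'            // assumed, must already exist
param subnetName string = 'snet-app'          // assumed
param subnetPrefix string = '10.0.1.0/24'     // assumed
param storageName string = 'st${uniqueString(resourceGroup().id)}'
param location string = resourceGroup().location

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: vnetName
}

// The service endpoint is a property of the subnet, so the subnet is declared
// here rather than referenced as 'existing'. Note: redeploying a subnet that
// already exists replaces its properties, so any NSG or route table association
// it already has must be included here too.
resource subnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: vnet
  name: subnetName
  properties: {
    addressPrefix: subnetPrefix
    serviceEndpoints: [
      { service: 'Microsoft.Storage' }   // traffic to Storage carries the subnet identity
    ]
  }
}

// Unlike a private endpoint, the storage account gets NO IP inside the VNet:
// its public endpoint stays, and the network ACL decides who may use it.
resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageName
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: {
    publicNetworkAccess: 'Enabled'     // public endpoint remains, filtered by networkAcls
    allowBlobPublicAccess: false
    minimumTlsVersion: 'TLS1_2'
    networkAcls: {
      defaultAction: 'Deny'            // deny everything not listed below
      bypass: 'None'
      virtualNetworkRules: [
        { id: subnet.id, action: 'Allow' }   // only the tagged subnet
      ]
    }
  }
}

output storageId string = storage.id
```

Deploy with `az deployment group create --resource-group <rg> --template-file main.bicep`. The check that distinguishes the two approaches: after this deployment the account name still resolves to a public IP everywhere, and only requests arriving from the allowed subnet pass the firewall; with a private endpoint (next sections) hosts in the VNet resolve the name to a private address instead.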
Configuration - Creating a private endpoint
Existing PaaS service
To integrate an existing PaaS resource into a virtual network in Azure, a VNet and a subnet must already exist. If they do not, create them first.
The private endpoint can then be configured directly on the PaaS resource, under Network.
New PaaS service
When creating a new PaaS service, you can also create the private endpoint in the wizard.
Configuring DNS
Once the private endpoint is configured, the PaaS resource has a private IP address in the VNet or subnet. For the service to be reachable by name, however, DNS must be configured accordingly. There are two standard options; more complex DNS setups require a custom solution.
Azure private DNS zone
This is the default option. When the private endpoint is deployed, a private DNS zone is created in Azure and linked to the selected VNet, so every host within that VNet can resolve the name through this zone.
DNS forwarder
If you run your own DNS server in the VNet, you can configure a forwarder on it to the Azure DNS IP 168.63.129.16. All queries that the DNS server cannot answer itself are then forwarded to the Azure DNS server, which resolves the private endpoint's name.
Setup Design
Switching off Internet access (firewall configuration)
To ensure that public access to the PaaS resource is actually switched off, this must be configured on the resource itself, under its firewall settings; creating the private endpoint alone does not remove the public endpoint.
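The whole procedure from the sections above (existing VNet and subnet, private endpoint on the resource, the "Azure private DNS zone" option linked to the VNet, and Internet access switched off in the resource firewall) as one added Bicep deployment. This is an added example, not part of the original article; it uses Azure Storage (blob) as the PaaS service, assumes the VNet and subnet named in the parameters already exist in the target resource group, and all resource names are placeholders.

```bicep
// Added example (not from the original article): integrate a storage account
// into an existing VNet via a private endpoint, register its name in a private
// DNS zone, and close the public firewall. Names below are assumptions.

@description('Existing VNet in the target resource group (assumed name).')
param vnetName string = 'vnet-hub'

@description('Existing subnet that will hold the private endpoint NIC (assumed name).')
param subnetName string = 'snet-private-endpoints'

@description('Globally unique, 3-24 lowercase alphanumerics.')
param storageName string = 'st${uniqueString(resourceGroup().id)}'

param location string = resourceGroup().location

// 1. "Existing PaaS service": the VNet and subnet must already exist.
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: vnetName
}

resource subnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' existing = {
  parent: vnet
  name: subnetName
}

// 2. "Switching off Internet access": the public endpoint is disabled and the
//    firewall denies by default, so only the private endpoint can reach the account.
resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageName
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: {
    publicNetworkAccess: 'Disabled'   // no public path at all
    allowBlobPublicAccess: false
    minimumTlsVersion: 'TLS1_2'
    networkAcls: {
      defaultAction: 'Deny'           // resource firewall: deny unless allowed
      bypass: 'None'
    }
  }
}

// 3. The private endpoint: a NIC in the subnet whose private IP fronts the
//    blob sub-resource of the account (one endpoint per sub-resource).
resource pe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-${storageName}-blob'
  location: location
  properties: {
    subnet: { id: subnet.id }
    privateLinkServiceConnections: [
      {
        name: 'blob'
        properties: {
          privateLinkServiceId: storage.id
          groupIds: [ 'blob' ]
        }
      }
    ]
  }
}

// 4. "Azure private DNS zone": the privatelink zone for blob storage, linked to
//    the VNet so hosts in it resolve <account>.blob.core.windows.net to the
//    private IP (the public name CNAMEs to the privatelink name).
resource dnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.blob.${environment().suffixes.storage}'
  location: 'global'
}

resource dnsLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: dnsZone
  name: '${vnetName}-link'
  location: 'global'
  properties: {
    virtualNetwork: { id: vnet.id }
    registrationEnabled: false      // we only need resolution, not auto-registration
  }
}

// The zone group makes Azure create and maintain the A record for the
// endpoint's private IP inside the zone above.
resource dnsZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: pe
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'blob'
        properties: { privateDnsZoneId: dnsZone.id }
      }
    ]
  }
}

output privateEndpointId string = pe.id
output privateDnsZoneId string = dnsZone.id
```

Deploy with `az deployment group create --resource-group <rg> --template-file main.bicep`. To verify the result, resolve the account name from a VM inside the VNet: it should return the endpoint's private address from the subnet range. From outside the VNet the name still resolves, but because publicNetworkAccess is disabled and the firewall defaults to Deny, the request is rejected by the service. If the name from inside the VNet still resolves to a public address, the VNet link or the zone group is missing, which is the most common reason a freshly created private endpoint "does not work".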