This document provides supplementary resources for the Azure Private Link session presented at the Microsoft Azure Community User Group on April 14, 2025.
- Mastering Azure Private Link: Secure and Private Access to Your Services
- Network Topology Reference
- Table of Contents
- Introduction to Azure Private Link
- Private Link vs. Service Endpoints
- Private Link Service Availability
- DNS Integration with Private Link
- Security, Compliance & Access Control
- Implementing Private Link: Architectures & Patterns
- Bicep Architecture for Private Link Demo
- Further Learning & Reference
- Optional Related Azure Networking Concepts
- Tim's Contact Information
Start here to grasp the fundamental concepts and components.
- What is Azure Private Link? - Core concepts and benefits.
- What is a private endpoint? - Understanding the client-side component.
- What is Azure Private Link service? - Understanding the service provider side.
- Azure Private Link Product Page - High-level features and use cases.
Understand the differences between the two primary methods for securing access to Azure services.
- Azure Private Endpoint vs. Service Endpoint: A Comprehensive Guide (Tech Community) - Detailed comparison of the two approaches.
- Service Endpoints vs Private Endpoints (Tech Community) - Discusses use cases and differences.
See which Azure services support Private Link.
- Azure Private Link Availability - Official list of Azure PaaS services and Marketplace services supporting Private Link.
DNS resolution is critical for Private Link to function correctly, especially in hybrid scenarios.
- Azure Private Endpoint DNS configuration - How Private Endpoints integrate with Azure Private DNS zones.
- What is an Azure Private DNS zone? - Understanding Private DNS Zones.
- What is Azure DNS Private Resolver? - Service for querying private zones from on-premises and vice-versa.
- Azure DNS Private Resolver endpoints and rulesets - Components of the Private Resolver.
- Private Link and DNS Integration at Scale (Cloud Adoption Framework) - Official guidance on integrating Private Link with DNS within CAF.
Understand the security model and compliance implications of Private Link.
- Private Link Security - Core security concepts and best practices.
- Private Link Service Provider - How to expose your service securely.
- Private Link Consumer - How to consume services securely.
- Private Link Approval Flow - Understanding the approval process between service providers and consumers.
- Compliance Documentation - How Private Link helps meet various compliance requirements.
- Network Security Groups with Private Link - How NSGs interact with Private Endpoints.
- Private Link Service Alerts - Monitoring and alerting for security events.
Explore how Private Link is used in common architectures and managed at scale.
- Cloud Adoption Framework (CAF):
- Effortless Private Endpoint Management in Azure Landing Zones (Tech Community) - Blog post discussing management approaches within CAF Landing Zones.
- Demo Architecture:
- Azure Sample: How to call a workload in AKS via Private Link, Application Gateway, and AGIC - GitHub repository with a reference architecture for AKS, App Gateway, and Private Link.
The demo uses a modular Bicep architecture to deploy a complete Private Link environment. Below is a diagram showing the relationships between the Bicep modules:
graph TD
%% Main entry point
A[private-link-demo.bicep] --> B[network.bicep]
A --> C[storage.bicep]
A --> D[keyvault.bicep]
A --> E[compute.bicep]
A --> F[monitoring.bicep]
A --> G[dns-zones.bicep]
A --> H[private-link-service.bicep]
A --> I[private-endpoint.bicep]
A --> J[diagnostics.bicep]
%% Dependencies between modules
H --> C
H --> B
I --> H
I --> G
I --> B
E --> B
E --> D
J --> F
%% Subgraph for network components
subgraph Network
B
end
%% Subgraph for storage components
subgraph Storage
C
H
end
%% Subgraph for key vault components
subgraph KeyVault
D
end
%% Subgraph for compute components
subgraph Compute
E
end
%% Subgraph for monitoring components
subgraph Monitoring
F
J
end
%% Subgraph for DNS components
subgraph DNS
G
end
%% Subgraph for private endpoint components
subgraph PrivateEndpoints
I
end
%% Styling
classDef entryPoint fill:#f9f,stroke:#333,stroke-width:2px;
class A entryPoint;
- Entry Point:
private-link-demo.biceporchestrates the deployment of all other modules. - Core Infrastructure: Network, storage, key vault, compute, and monitoring modules.
- Private Link Components: DNS zones, private link service, and private endpoints.
- Diagnostics: Configures diagnostic settings for all resources.
- Mermaid.js Documentation - Official documentation for creating diagrams with Mermaid.
- Mermaid Live Editor - Online editor for creating and testing Mermaid diagrams.
- MermaidChart - Cloud-based platform for creating, sharing, and collaborating on Mermaid diagrams.
- VS Code Mermaid Extension - Extension for previewing Mermaid diagrams in VS Code.
Dive deeper with official documentation, training, and FAQs.
- Private Link Documentation Hub - The main portal for documentation, quickstarts, how-to guides, and API references.
- MS Learn: Introduction to Azure Private Link - Foundational module covering Private Link, Endpoints, and Service.
- MS Learn: Design and implement private access to Azure Services - Broader module including Private Endpoints, Service Endpoints, and DNS integration.
- Azure Private Link Pricing
- Azure Private Link FAQ
Background context on underlying Azure network services and hybrid connectivity.
- Azure Platform Communication:
- What is IP address 168.63.129.16? - Explains the role of this virtual public IP for platform communication and DNS.
- Hybrid Connectivity:
- VPN Gateway Documentation Hub - Main portal for VPN Gateway documentation.
- About Azure VPN Gateway - Overview of capabilities (Site-to-Site, Point-to-Site, VNet-to-VNet).
- ExpressRoute Documentation Hub - Main portal for ExpressRoute documentation.
- ExpressRoute Overview - Technical introduction to dedicated private connections.