Azure Private Link

Azure Private Link is a new feature for PaaS services that allows you to create a private endpoint in your virtual network. Azure Private Link enables you to access Azure PaaS Services over a Private Endpoint in your virtual network. So, it means that the traffic between your virtual network and the service traverses over the Microsoft backbone network, eliminating exposure from the public Internet.


  • A private IP for your PaaS resources
  • Traffic to PaaS resources traverses the Microsoft network.
  • Users access is restricted to the specific resource
  • Private endpoints can be created to resources in different regions to the virtual network and even different tenants

Azure Private Link enables you to access Azure PaaS Services such as:

  • Azure Storage
  • Azure Cosmos DB
  • Azure SQL Database

How does Azure Private Link work?

Below is the diagram from Microsoft Documentation:

Azure Private Link work

Azure Private Link creates an endpoint with a private IP address, so your traffic is flowing inside your Virtual Network and does not require NSG rules allowing outbound traffic beyond your virtual network.

For those of you who are wondering the difference between Private Link and Service endpoint, here is the key:

Service endpoints provide a way to lock down access to PaaS resources to a virtual network. However, you are still accessing a public endpoint. With service endpoints, you are also only locking down access to a service, not to a specific resource.

Getting Started

To set up a Private Link, first, we will create a Storage Account. Open the Azure Portal, and click “Create a Resource”:

Create a Storage Account

Enter a name, select the resource group and the location for this storage account, then click “Next

Enter a name, select the resource group

In this tab, select “Private endpoint” and click “Add” in order to create a private endpoint:

Private endpoint

A new blade appears to create a private endpoint. Enter the following information:

  • Subscription
  • Resource Group
  • Location
  • Name
  • Storage sub-resource
  • Virtual Network and Subnet: Note that NSG will be disabled for this private endpoint.
  • Private DNS Zone: You can integrate with an Azure Private DNS zone. This will allow you to resolve the address of the resource (see below), to its private IP.

Сreate a private endpoint

Click “OK” and confirm that your private endpoint is visible:

Click “OK” and confirm

You can validate the wizard

Validate the wizard

In this guide, I created the private link from the storage account wizard, but you also can create the private link from the Azure Portal, especially if you want to create a private link for other PaaS resources:

Azure Portal

Now, we can test the private link. Copy the connection string for the storage account previously created:

Copy the connection string

Start a Virtual Machine located in the same Virtual Network and run the following command:

Start a Virtual Machine

The output should display a private IP Address for the storage account. Now, I will download Azure Storage Explorer in order to test the connection using the private IP address.

Azure Storage Explorer Setup Azure Explorer

Open Azure Storage Explorer from the Virtual Machine and paste the connection string that you copied previously:

Open Azure Storage Attach with Connection Stfing

VSAN from StarWind is software-defined storage (SDS) solution created with restricted budgets and maximum output in mind. It pulls close to 100% of IOPS from existing hardware, ensures high uptime and fault tolerance starting with just two nodes. StarWind VSAN is hypervisor and hardware agnostic, allowing you to forget about hardware restrictions and crazy expensive physical shared storage.

Build your infrastructure with off-the-shelf hardware, scale however you like, increase return on investment (ROI) and enjoy Enterprise-grade virtualization features and benefits at SMB price today!

The connection should be in success and you should see the content of your Azure Storage Account:

Azure Storage Account


Thanks to the Azure Private Link, we can easily reduce the exposure of your PaaS services to the internet and secure the traffic between your network and Azure.

Back to blog