Extend Azure PaaS Resources to Your Network Using Azure Private Link
Limited Time Offer!
For Less Than the Cost of a Starbucks Coffee, Access All DevOpsSchool Videos on YouTube Unlimitedly.
Master DevOps, SRE, DevSecOps Skills!
Source:-infoq.com
In a recent blog post, Microsoft announced a new preview service, called Azure Private Link, which provides organizations the ability to connect to Azure Platform as a Service (PaaS) offerings, or their own services, using a private IP address. Azure Private Link connections travel over Microsoft’s backbone network and avoid exposure from the public internet. In the current preview offering, customers can use Azure Private Link to connect to a subset of Microsoft PaaS offerings including Azure Storage and Azure SQL Database.
Yousef Khalidi, corporate vice president, Azure Networking, explains the benefits of using Azure Private Link:
Azure Private Link brings Azure services inside the customer’s private VNet. The service resources can be accessed using the private IP address just like any other resource in the VNet. This significantly simplifies the network configuration by keeping access rules private.
Azure Private Link uses a provider/consumer model where the provider and consumer endpoints are both hosted in Azure. Connections are established between the provider and consumer using a consent-based call flow. Once the connection is established, all traffic traverses Microsoft’s private network and is isolated from the public internet. Connections that are established over Azure Private Link do not require gateways, network address translation (NATs) or public IP addresses.
Customers and partners can also use Azure Private Link to connect their own services to Azure, eliminating the need to make connections over a public interface. Azure Private Link addresses concerns that organizations have with establishing fixed connections with trading partners and having them exposed over the internet. Alternatively, organizations can federate with each other using VNet peering, but that doesn’t scale well. Khalidi feels that Azure Private Link provides a better alternative:
Using Azure Private Link, you can run your service completely private in your own VNet behind an Azure Standard Load Balancer, enable it for Azure Private Link, and allow it to be accessed by consumers running in different VNet, subscription, or Azure Active Directory (AD) tenant all using simple clicks and approval call flow. As a service consumer all you will have to do is create a private endpoint in your own VNet and consume the Azure Private Link service completely private without opening your access control lists (ACLs) to any public IP address space.
Azure Private Link also provides protection for data exfiltration by mapping a PaaS resource to a private IP address. This is something that other public cloud providers do not do. Instead of outbound PaaS traffic moving through the public internet, it will be mapped to a private IP Address via Azure Private Link which allows organizations to apply network governance and prevent unauthorized access to external resources that conflict with an organization’s internal policies.
Another benefit that Azure Private Link provides is enabling organizations to use their network address space more effectively and avoiding IP address conflicts, since Azure Private Link can broker these connections across multiple VNets.
Image source
Since Azure Private Link is currently in preview, a limited number of regions and services are currently supported, including Azure SQL Database and Azure Storage. Microsoft has plans to support Azure Cosmos DB, Azure MySQL, Azure PostgreSQL, Azure MariaDB, Azure Application Service, Azure Key Vault and others in coming months.