Private Endpoints + Private Link: Locking Down PaaS

Private Endpoints, in one module

Private Endpoint anatomy

A Private Endpoint object has:

• A target resource — the specific Azure resource (storage account, Key Vault, etc.) being privately exposed
• A sub-resource — for services that have multiple data planes (storage: blob/file/queue/table/web/dfs; SQL: sqlServer for DB, managedInstance for MI)
• A NIC with a private IP in a customer subnet
• An approval state — Pending, Approved, Rejected — controlling whether the PE is live

The PE is functionally a NIC-level reverse-NAT to the Azure backbone target.

DNS — the half-step that breaks deployments

For Private Endpoints to work, DNS resolution of the public hostname must return the private IP. Standard pattern:

1. Create the private DNS zone matching the service (e.g. privatelink.blob.core.windows.net).
2. Link the zone to the consumer VNet (and any peered VNets that need to resolve).
3. The PE deployment auto-creates an A record in the zone for the resource’s hostname pointing to the PE’s private IP.

When this is missing, the consumer VNet resolves the hostname to the public IP and bypasses the PE — defeating the purpose. The SC-500 trap question pattern: “PE is created but traffic still goes to the public endpoint” → answer: missing or incorrect private DNS zone link.

Private Link Service (publisher side)

If your app is behind an internal Standard Load Balancer in YOUR VNet, you can publish it via a Private Link Service. Consumers (other Azure tenants, other VNets in your tenant) create Private Endpoints targeting your PLS, and connect privately over the backbone.

Approval workflow

When a consumer creates a PE targeting a PLS, the connection is Pending by default. The PLS owner:

• Manually Approves or Rejects the connection
• Or configures auto-approval by consumer subscription ID

Disconnection is bidirectional — either side can disconnect.

Service endpoints — the older sibling (briefly)

VNet Service endpoints (Microsoft.Storage, Microsoft.Sql, etc.) are the older mechanism — they route traffic from the subnet to the service over Microsoft’s network and let the service firewall allowlist the subnet. They’re simpler to set up but don’t give a private IP to the PaaS resource and don’t fully take the resource off the internet (the service’s public endpoint remains addressable from elsewhere). For SC-500, Private Endpoints are preferred over Service Endpoints for new deployments.

💡 When Private Endpoint vs Service Endpoint

Private Endpoint is the modern default — service is given a private IP in your VNet, public access can be disabled, traffic stays on the backbone, full network isolation possible.

Service Endpoint is older — service stays on its public endpoint; traffic from your VNet routes over the backbone via the service endpoint; the service firewall can allowlist your subnet. Service still publicly addressable, but your VNet’s egress is on the backbone.

SC-500 prefers Private Endpoint in nearly every modern scenario. Service Endpoint shows up in ‘legacy compatibility’ or ‘cost-sensitive simple lockdown’ answers.

Scenario: Ravi locks down Maple Genomics’ data services

Ravi’s data plane uses Storage (blob, file), Key Vault, Cosmos DB, and Azure SQL. He wants all of it off the internet.

1. Storage account — disable public network access; create PE for blob and file sub-resources in the data VNet; private DNS zone privatelink.blob.core.windows.net + privatelink.file.core.windows.net linked to the VNet.
2. Key Vault — disable public access; PE in the same VNet; privatelink.vaultcore.azure.net linked.
3. Cosmos DB — disable public access; PE for Sql API; privatelink.documents.azure.com linked.
4. Azure SQL Managed Instance — disable public access; PE for managedInstance sub-resource; privatelink.<dnssuffix>.database.windows.net linked.
5. VNet peering — peer the data VNet with the app VNet so App Services (which have VNet integration) can reach the PEs.
6. NSG outbound rules — restrict App Service outbound to the data VNet CIDR; deny Internet outbound by default for the application tier.

Result: every PaaS data service has zero public exposure; app talks to data over private IPs via private DNS; backbone-only traffic.

Key terms

Question

What is an Azure Private Endpoint?

Click or press Enter to reveal answer

Answer

A NIC with a private IP in a customer subnet, mapped to a specific Azure PaaS resource (storage account, Key Vault, SQL, etc.) and optional sub-resource (e.g. `blob` on a storage account). Traffic from the VNet to the PE travels Microsoft's backbone, not the internet. Requires private DNS so the resource's public hostname resolves to the PE's private IP.

Click to flip back

Question

What is a Private Link Service?

Click or press Enter to reveal answer

Answer

A way for you (the publisher) to expose your own service — behind a Standard Load Balancer — privately to consumer tenants or VNets. Consumers create Private Endpoints targeting your Private Link Service; you approve connections (or auto-approve by subscription). The publisher side of Azure Private Link, vs the consumer-side Private Endpoint.

Click to flip back

Question

Why is private DNS critical for Private Endpoints?

Click or press Enter to reveal answer

Answer

The consumer must resolve the service's public hostname (e.g. `mystorage.blob.core.windows.net`) to the Private Endpoint's PRIVATE IP — otherwise the consumer connects to the public endpoint, bypassing the PE. Standard pattern: Azure-managed private DNS zone (`privatelink.<service>.<suffix>`) linked to the consumer VNet; PE deployment auto-creates A records mapping the hostname to the PE's IP.

Click to flip back

Question

What's the difference between a Private Endpoint and a VNet Service Endpoint?

Click or press Enter to reveal answer

Answer

Private Endpoint: gives the PaaS service a private IP in your VNet; public endpoint can be disabled; traffic stays on the backbone; full network isolation. Service Endpoint: routes traffic from your subnet to the service over the backbone via `Microsoft.<service>` and lets the service firewall allowlist your subnet — but the service's public endpoint remains addressable. Private Endpoint is the SC-500 preferred default.

Click to flip back

Question

What does it look like when a Private Endpoint is created but private DNS isn't configured?

Click or press Enter to reveal answer

Answer

The consumer resolves the service's public hostname to the public IP and bypasses the PE entirely — defeating the purpose. Often manifests as 'PE shows Approved/Healthy but traffic still going to public endpoint'. Fix: create the matching `privatelink.<service>.<suffix>` private DNS zone, link to consumer VNets, ensure PE A records are present.

Click to flip back

Knowledge check

Knowledge Check

Esme at Northwind Bank disables public network access on the bank's Azure SQL Managed Instance and creates a Private Endpoint in the banking VNet. Applications in the VNet now report 'cannot connect — DNS resolution failure'. What's the most likely cause?

AThe Private Endpoint is in a different regionBThe matching `privatelink.<dnssuffix>.database.windows.net` private DNS zone is not linked to the consumer VNet, so resolution still returns the public IP (which now refuses connection)CThe PE NIC has no public IPDDefender for SQL is blocking the connection

Check Answer

Knowledge Check

Ravi at Maple Genomics is building a SaaS product that needs to be reachable by customer Azure tenants privately — no public internet exposure to those customers. Which capability fits?

ACustomer creates a Private Endpoint targeting Ravi's published Private Link Service (behind a Standard Load Balancer)BRavi configures Site-to-Site VPN with each customerCRavi publishes the service on Application Gateway with WAFDCustomer connects via ExpressRoute global reach

Check Answer

What’s next

Next module: Azure Firewall + Network Watcher — L4-L7 traffic inspection at the network boundary and effective security rule diagnostics.