Automate Azure Private Link using ARM Templates

Amine Charot
3 min read · Nov 5, 2019


Hello everyone, happy Halloween and happy MS Ignite! Today I will share with you a way to automate Azure Private Link using ARM templates.

Before talking about automation, let's talk about Azure Private Link and why so many companies have been waiting for it.

Until now, some Azure PaaS services (such as Azure Storage Account, Azure SQL DB, …) have exposed a public IP address, which is what customers connect to. The only way to secure these services was to enable a Service Endpoint to restrict access to them. However, these services remained reachable on a public IP address.

How? Azure uses Software-Defined Networking (SDN) for its internal operations, but communication from the outside mainly goes over the Internet. The idea is to put Virtual Networks in place so that we run on the Azure backbone. By enabling a Service Endpoint, your traffic passes over the Microsoft network backbone. This does not mean you bring your Azure PaaS services into a VNet; it only keeps the traffic on the Microsoft network backbone. And, as I said, the services still have a public IP address.

By enabling the service endpoint:

Only the subnet "default" inside the VNet "testVnet" and trusted Microsoft services will have access:

Wait, the "Enterprise Private Network" does not have access? Unfortunately not. As I said, the Azure PaaS services expose a public IP, so an internal private network won't have direct access over a private ExpressRoute or a Site-to-Site VPN.

How can we solve that? How can we give these Azure PaaS services a private endpoint so that the Enterprise Private Network has secure access?

Azure Private Link allows customers to reach Azure services over a private connection, with no Internet requirement. Your services get a private internal IP, so clients can access them over a Site-to-Site VPN or a private ExpressRoute.

Sam Cogan talks about Azure Private Link and covers everything you need to know about it.

Link: https://samcogan.com/wth-is-azure-private-link/

Now let's talk about the automation, and how we can create an Azure PaaS resource associated with Azure Private Link.

First of all, we need the Azure PaaS resource. I will deploy a Storage Account (which can be associated with a private link). The following ARM template creates a Storage Account:

Then, of course, we need a Virtual Network so that the private link can get an IP address.

Now we can talk Private Link :D Using the ARM template below, you will be able to create a private endpoint inside a referenced subnet, associated with an Azure PaaS resource:

Now, if you have your own DNS servers, you may integrate the Private Link endpoint with Azure DNS:
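The four steps above (storage account, virtual network, private endpoint, DNS integration) are shown as one complete ARM template in the added example below. It is not the author's own template, which was embedded in the original post and is not reproduced on this page. The VNet name "testVnet" and subnet name "default" come from the post; the storage account name is a parameter you must supply (placeholder), the address ranges are constructed for the example, and the `privateDnsZoneGroups` resource used for the DNS step is a later addition to the ARM surface than the post itself, used here because it removes the need to create the A record by hand.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storageAccountName": { "type": "string", "metadata": { "description": "Placeholder: a globally unique name, 3-24 lowercase letters and digits." } },
    "location": { "type": "string", "defaultValue": "[resourceGroup().location]" }
  },
  "variables": {
    "vnetName": "testVnet",
    "subnetName": "default",
    "privateEndpointName": "[concat(parameters('storageAccountName'), '-blob-pe')]",
    "privateDnsZoneName": "privatelink.blob.core.windows.net",
    "vnetId": "[resourceId('Microsoft.Network/virtualNetworks', variables('vnetName'))]",
    "subnetId": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('vnetName'), variables('subnetName'))]",
    "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]",
    "privateDnsZoneId": "[resourceId('Microsoft.Network/privateDnsZones', variables('privateDnsZoneName'))]"
  },
  "resources": [
    {
      "comments": "Step 1: the PaaS resource. The storage firewall denies all public traffic, so the private endpoint below is the only way in.",
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2019-06-01",
      "name": "[parameters('storageAccountName')]",
      "location": "[parameters('location')]",
      "sku": { "name": "Standard_LRS" },
      "kind": "StorageV2",
      "properties": {
        "supportsHttpsTrafficOnly": true,
        "networkAcls": { "bypass": "None", "defaultAction": "Deny" }
      }
    },
    {
      "comments": "Step 2: the VNet. Address ranges are constructed for this example; network policies must be disabled on the subnet that will host the endpoint.",
      "type": "Microsoft.Network/virtualNetworks",
      "apiVersion": "2019-09-01",
      "name": "[variables('vnetName')]",
      "location": "[parameters('location')]",
      "properties": {
        "addressSpace": { "addressPrefixes": [ "10.0.0.0/16" ] },
        "subnets": [ {
          "name": "[variables('subnetName')]",
          "properties": { "addressPrefix": "10.0.0.0/24", "privateEndpointNetworkPolicies": "Disabled" }
        } ]
      }
    },
    {
      "comments": "Step 3: the private endpoint, placed in the referenced subnet and bound to the blob sub-resource of the storage account.",
      "type": "Microsoft.Network/privateEndpoints",
      "apiVersion": "2019-09-01",
      "name": "[variables('privateEndpointName')]",
      "location": "[parameters('location')]",
      "dependsOn": [ "[variables('storageAccountId')]", "[variables('vnetId')]" ],
      "properties": {
        "subnet": { "id": "[variables('subnetId')]" },
        "privateLinkServiceConnections": [ {
          "name": "[variables('privateEndpointName')]",
          "properties": { "privateLinkServiceId": "[variables('storageAccountId')]", "groupIds": [ "blob" ] }
        } ]
      }
    },
    {
      "comments": "Step 4a: private DNS zone for the blob privatelink domain, linked to the VNet so clients inside it resolve the private IP.",
      "type": "Microsoft.Network/privateDnsZones",
      "apiVersion": "2018-09-01",
      "name": "[variables('privateDnsZoneName')]",
      "location": "global",
      "properties": {}
    },
    {
      "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks",
      "apiVersion": "2018-09-01",
      "name": "[concat(variables('privateDnsZoneName'), '/', variables('vnetName'), '-link')]",
      "location": "global",
      "dependsOn": [ "[variables('privateDnsZoneId')]", "[variables('vnetId')]" ],
      "properties": { "registrationEnabled": false, "virtualNetwork": { "id": "[variables('vnetId')]" } }
    },
    {
      "comments": "Step 4b: DNS zone group (a resource type that postdates the original post). It writes the endpoint's A record into the zone automatically.",
      "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
      "apiVersion": "2020-03-01",
      "name": "[concat(variables('privateEndpointName'), '/default')]",
      "dependsOn": [ "[resourceId('Microsoft.Network/privateEndpoints', variables('privateEndpointName'))]", "[variables('privateDnsZoneId')]" ],
      "properties": {
        "privateDnsZoneConfigs": [ { "name": "blob", "properties": { "privateDnsZoneId": "[variables('privateDnsZoneId')]" } } ]
      }
    }
  ]
}
```

Deploy it into a resource group with `az deployment group create --resource-group <rg> --template-file private-link.json --parameters storageAccountName=<name>`. Two points matter for the security outcome the post is after. First, creating a private endpoint does not by itself close the public endpoint; that is what `networkAcls.defaultAction: Deny` does, and without it the account stays reachable on its public IP exactly as in the Service Endpoint case. Second, clients only use the private path if DNS sends them there: from a VM inside the VNet, `<name>.blob.core.windows.net` should resolve through the `privatelink.blob.core.windows.net` zone to a 10.0.0.x address. If it still resolves to a public IP, the DNS integration step is missing or the zone is not linked to the VNet, and traffic will be blocked by the storage firewall rather than flowing privately.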

Then!

All the resources will be created and:

Bella Ciao!
