Azure Batch Security : Azure Private Link

Hello everyone, I hope you’re doing well. Azure has announced the release of the private link for Azure Batch in the West US 2, East US, South Central US, US Gov Virginia, and US Gov Arizona regions at the time of writing.

The private link for Azure will solve some security problems. The important one is the Public IP Address.

Actually, the Batch creates automatically public IP addresses (one for each 50 instances) so the Nodes (The Virtual Machines) may be accessed.

Once again, in a project where the security matters, security guys won’t appreciate the fact that we have a Public IP. Also, they won’t like the fact that the communication passes through this Public IP to schedule tasks or to communicate with the VMs (Compute nodes) !

Now that we have the Azure Private Link, we can create a Pool without Public IPs. Actually, instead of creating a public IP, Batch will create Private Links!

  • How it works with a Public IP Address :

When we create a Batch Account as we always did (before the release of the Private Link), if we scale the Pool, it will create a public IP as below :

This enables the access to the internet (as output), an example, by executing the command :

We got the following response :

  • How to create a pool without Public IPs using ARM Templates :

Since the 2020–03–01 API Version, we can specify if we want a batch pool with a Public IP or not.

The idea is to use the object publicIPAddressConfiguration as following :

I will provide an ARM template that will create :

The full ARM Template :

Note : You have to disable privateEndpointNetworkPolicies and privateLinkServiceNetworkPolicies on the subnet where the pool will be (the ARM Template above did it).

  • What does it mean :

Let’s see what it gives, let’s scale the pool :

Now let’s see the resources it creates :

Interesting … Instead of creating a public IP Address, the Batch creates a Private Link Service which contains a Private Endpoint :

In the Load Balancer, instead of referencing a public IP, it references the IP of the private Endpoint :

Since we don’t have a public IP, the compute nodes won’t have access to the internet :

We got this error :

So this is a good news to improve your Azure Batch security !