News

Microsoft Unveils Service To Keep Azure Connections Private

• By Kurt Mackie
• September 18, 2019

Azure Private Link, a new service designed to keep Azure service connections off the public Internet, is now available from Microsoft as a preview.

The service isolates connections to Azure platform-as-a-service (PaaS) products within Microsoft's private backbone network. The connection stays within an organization's virtual network, or "VNet" (see diagram):

It's true that organizations today can connect to Azure's multitenant services using VNet service endpoints, but the public Internet still gets used at some point. Microsoft's announcement explained that when an organization uses VNet service endpoints, "the PaaS endpoint is still served over a public IP address and therefore [is] not reachable from on-premises [environments] through Azure ExpressRoute private peering or VPN gateway."

The Azure ExpressRoute service is yet another way for organizations to have private Internet connections when connecting to Azure services, but it's typically billed as a solution for getting high-bandwidth connections. In contrast, Azure Private Link appears to be a solution for organizations that just don't want to touch the public Internet when accessing Azure services.

Partner Support
Microsoft is also touting Azure Private Link for use with "customer-owned services," as well as "partner services."  Service provider partners using Azure today can use VNet peering to establish a private connection to a customer's VNet, "but it is not scalable and will soon run into IP address conflicts," Microsoft's announcement explained. These service providers can instead run Azure Private Link behind an Azure Standard Load Balancer to create these private connections, Microsoft explained in this Azure article.

Microsoft sees Azure Private Link as something that its partners offering solutions through the Azure Marketplace likely will use in the near future. Here's how Microsoft's announcement expressed it:

The ability to consume the SaaS solutions privately within the customer's own network has been a common request. With Azure Private Link, we're extending the private connectivity experience to Microsoft partners. This is a very powerful mechanism for Microsoft partners to reach Azure customers. We're confident that a lot of future Azure Marketplace offerings will be made through Azure Private Link. 

Microsoft also is promising that Azure Private Link will simplify corporate firewall configurations. It won't require configuring "route tables and Azure Network Security Groups." It doesn't require the use of "gateways, NAT [Network Address Translation] devices, ExpressRoute or VPN connections gateways," according to an Azure product page description. It'll also work for organizations having multiple Active Directory tenancies.

Microsoft is also touting the benefit of "exfiltration protection" with Azure Private Link. For instance, Azure Private Link maps to particular PaaS resources instead of the whole service, and therefore malicious attempts to send data to a different account on the same private endpoint "will fail," Microsoft explained. Lastly, the use of "overlapping IP address space" in VNets is supported.

Preview Limitations
The preview of Azure Private Link currently just supports some Azure services right now, namely "Azure Storage, Azure Data Lake Storage Gen 2, Azure SQL Database, Azure SQL Data Warehouse and customer-owned services," according to this Azure article.

In "coming months," Microsoft plans to add Azure Private Link support for "Azure Cosmos DB, Azure MySQL, Azure PostgreSQL, Azure MariaDB, Azure Application Service, and Azure Key Vault, and Partner Services," Microsoft's announcement noted.

The preview lacks service-level agreement uptime guarantees, and shouldn't be used for production workloads, Microsoft warned in its overview document. It's also constrained right now for use in certain Azure U.S. regions, depending on whether it's used to access customer-owned resources or Azure PaaS services, as described in that document. Pricing is nonexistent right now.

If Microsoft's documentation isn't enough, Aidan Finn, a Microsoft Most Valuable Professional and Azure expert, talks about these connection options in this blog post.