Microsoft Unveils Service To Keep Azure Connections Private

Azure Private Link, a new service designed to keep Azure service connections off the public Internet, is now available from Microsoft as a preview.

The service isolates connections to Azure platform-as-a-service (PaaS) products within Microsoft's private backbone network. The connection stays within an organization's virtual network, or "VNet" (see diagram):

Figure: Private connection to Azure services using Azure Private Link. (Source: Microsoft's Azure product page)

It's true that organizations today can connect to Azure's multitenant services using VNet service endpoints, but the public Internet still gets used at some point. Microsoft's announcement explained that when an organization uses VNet service endpoints, "the PaaS endpoint is still served over a public IP address and therefore [is] not reachable from on-premises [environments] through Azure ExpressRoute private peering or VPN gateway."

The Azure ExpressRoute service is yet another way for organizations to reach Azure services over a private connection that bypasses the public Internet, but it's typically billed as a solution for getting high-bandwidth connections. In contrast, Azure Private Link appears to be a solution for organizations that just don't want to touch the public Internet when accessing Azure services.

Partner Support
Microsoft is also touting Azure Private Link for use with "customer-owned services," as well as "partner services." Service provider partners using Azure today can use VNet peering to establish a private connection to a customer's VNet, "but it is not scalable and will soon run into IP address conflicts," Microsoft's announcement explained. These service providers can instead run Azure Private Link behind an Azure Standard Load Balancer to create these private connections, Microsoft explained in this Azure article.

Microsoft sees Azure Private Link as something that its partners offering solutions through the Azure Marketplace likely will use in the near future. Here's how Microsoft's announcement expressed it:

The ability to consume the SaaS solutions privately within the customer's own network has been a common request. With Azure Private Link, we're extending the private connectivity experience to Microsoft partners. This is a very powerful mechanism for Microsoft partners to reach Azure customers. We're confident that a lot of future Azure Marketplace offerings will be made through Azure Private Link.

Microsoft also is promising that Azure Private Link will simplify corporate firewall configurations. It won't require configuring "route tables and Azure Network Security Groups." It doesn't require the use of "gateways, NAT [Network Address Translation] devices, ExpressRoute or VPN connections gateways," according to an Azure product page description. It also works for organizations with multiple Active Directory tenants.

Microsoft is also touting the benefit of "exfiltration protection" with Azure Private Link. For instance, Azure Private Link maps to particular PaaS resources instead of the whole service, and therefore malicious attempts to send data to a different account on the same private endpoint "will fail," Microsoft explained. Lastly, the use of "overlapping IP address space" in VNets is supported.
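The two properties described above, that the PaaS connection stays inside the VNet rather than going to a public IP, and that a private endpoint maps to one specific resource rather than the whole service, are both visible from DNS inside the VNet. The following is an added example, not code from the article or from Microsoft: it follows the CNAME chain that Private Link uses for Azure Storage (the account name resolves through a `privatelink.blob.core.windows.net` zone to the endpoint's private IP) and classifies each name as reached privately or publicly. The DNS answers, account names and VNet address range are constructed sample data; the classification logic is the check a practitioner would run from a VM in the VNet after creating the endpoint.

```python
"""Classify Azure PaaS FQDNs as reached over Private Link or over the public path.

Added example (not from the article or Microsoft). Models the DNS behaviour of a
private endpoint for a storage account: <acct>.blob.core.windows.net is CNAMEd to
<acct>.privatelink.blob.core.windows.net, which a private DNS zone linked to the
VNet answers with the endpoint's private IP. Any other account on the same service
has no such mapping and still resolves to a public address, so egress policy can
treat it differently (the "exfiltration protection" point).
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample answers, shaped like `dig +short` output from inside the VNet.
# Account names, the public cluster name and all addresses are hypothetical.
SAMPLE_DNS: Dict[str, List[str]] = {
    "contosodata.blob.core.windows.net": ["contosodata.privatelink.blob.core.windows.net."],
    "contosodata.privatelink.blob.core.windows.net": ["10.1.2.4"],
    # A different account on the same service: no private endpoint maps to it,
    # so the name still resolves through the public front end.
    "otheraccount.blob.core.windows.net": [
        "blob.sample01prdstr.store.core.windows.net.",
        "20.60.25.33",
    ],
}

VNET_ADDRESS_SPACE = ipaddress.ip_network("10.1.0.0/16")  # hypothetical VNet CIDR


def resolve(name: str, table: Dict[str, List[str]], max_hops: int = 5) -> Tuple[List[str], Optional[ipaddress.IPv4Address]]:
    """Follow CNAME-style answers until an address appears.

    Returns the chain of names visited (starting with `name`) and the final
    IPv4 address, or None if the chain ends without an address.
    """
    chain = [name.rstrip(".")]
    current = chain[0]
    for _ in range(max_hops):
        address = None
        next_name = None
        for answer in table.get(current, []):
            answer = answer.rstrip(".")
            try:
                address = ipaddress.IPv4Address(answer)
            except ValueError:
                next_name = answer  # not an address, so treat it as a CNAME target
        if address is not None:
            return chain, address
        if next_name is None:
            return chain, None  # dead end: no address and no further CNAME
        chain.append(next_name)
        current = next_name
    return chain, None


def classify(fqdn: str, table: Dict[str, List[str]], vnet: ipaddress.IPv4Network = VNET_ADDRESS_SPACE) -> str:
    """Return 'private-link', 'public', 'private-ip-not-in-vnet' or 'unresolved'."""
    chain, address = resolve(fqdn, table)
    if address is None:
        return "unresolved"
    # Private Link is in use only when the chain passed through a privatelink
    # zone AND the final address sits inside this VNet's address space.
    via_privatelink = any(".privatelink." in hop for hop in chain[1:])
    if via_privatelink and address in vnet:
        return "private-link"
    if address.is_global:
        return "public"
    return "private-ip-not-in-vnet"


def audit(fqdns: List[str], table: Dict[str, List[str]], vnet: ipaddress.IPv4Network = VNET_ADDRESS_SPACE) -> Dict[str, str]:
    """Classify every name; anything not 'private-link' is leaving the VNet."""
    return {fqdn: classify(fqdn, table, vnet) for fqdn in fqdns}


if __name__ == "__main__":
    for name, verdict in audit(list(SAMPLE_DNS), SAMPLE_DNS).items():
        print(f"{name:55s} {verdict}")
```

On a real VM the table would be filled from the VNet's resolver (for example by parsing `dig +short` output for each name) instead of the constructed dictionary; the classification stays the same. A name that comes back `public` from inside the VNet means that traffic is still taking the public path the article describes for VNet service endpoints, and a second storage account that resolves publicly while the mapped account resolves privately is the per-resource mapping Microsoft cites as exfiltration protection.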

Preview Limitations
The preview of Azure Private Link currently supports only some Azure services, namely "Azure Storage, Azure Data Lake Storage Gen 2, Azure SQL Database, Azure SQL Data Warehouse and customer-owned services," according to this Azure article.

In "coming months," Microsoft plans to add Azure Private Link support for "Azure Cosmos DB, Azure MySQL, Azure PostgreSQL, Azure MariaDB, Azure Application Service, and Azure Key Vault, and Partner Services," Microsoft's announcement noted.

The preview lacks service-level agreement uptime guarantees, and shouldn't be used for production workloads, Microsoft warned in its overview document. It's also currently limited to certain U.S. Azure regions, depending on whether it's used to access customer-owned resources or Azure PaaS services, as described in that document. No pricing has been announced yet.

If Microsoft's documentation isn't enough, Aidan Finn, a Microsoft Most Valuable Professional and Azure expert, talks about these connection options in this blog post.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
