Microsoft Unveils Service To Keep Azure Connections Private

Azure Private Link, a new service designed to keep Azure service connections off the public Internet, is now available from Microsoft as a preview.

The service isolates connections to Azure platform-as-a-service (PaaS) products within Microsoft's private backbone network. The connection stays within an organization's virtual network, or "VNet" (see diagram):

[Click on image for larger view.] Private connection to Azure services using Azure Private Link. (Source: Microsoft's Azure product page)

It's true that organizations today can connect to Azure's multitenant services using VNet service endpoints, but the public Internet still gets used at some point. Microsoft's announcement explained that when an organization uses VNet service endpoints, "the PaaS endpoint is still served over a public IP address and therefore [is] not reachable from on-premises [environments] through Azure ExpressRoute private peering or VPN gateway."

The Azure ExpressRoute service is yet another way for organizations to have private Internet connections when connecting to Azure services, but it's typically billed as a solution for getting high-bandwidth connections. In contrast, Azure Private Link appears to be a solution for organizations that just don't want to touch the public Internet when accessing Azure services.

Partner Support
Microsoft is also touting Azure Private Link for use with "customer-owned services," as well as "partner services."  Service provider partners using Azure today can use VNet peering to establish a private connection to a customer's VNet, "but it is not scalable and will soon run into IP address conflicts," Microsoft's announcement explained. These service providers can instead run Azure Private Link behind an Azure Standard Load Balancer to create these private connections, Microsoft explained in this Azure article.

Microsoft sees Azure Private Link as something that its partners offering solutions through the Azure Marketplace likely will use in the near future. Here's how Microsoft's announcement expressed it:

The ability to consume the SaaS solutions privately within the customer's own network has been a common request. With Azure Private Link, we're extending the private connectivity experience to Microsoft partners. This is a very powerful mechanism for Microsoft partners to reach Azure customers. We're confident that a lot of future Azure Marketplace offerings will be made through Azure Private Link. 

Microsoft also is promising that Azure Private Link will simplify corporate firewall configurations. It won't require configuring "route tables and Azure Network Security Groups." It doesn't require the use of "gateways, NAT [Network Address Translation] devices, ExpressRoute or VPN connections gateways," according to an Azure product page description. It'll also work for organizations having multiple Active Directory tenancies.

Microsoft is also touting the benefit of "exfiltration protection" with Azure Private Link. For instance, Azure Private Link maps to particular PaaS resources instead of the whole service, and therefore malicious attempts to send data to a different account on the same private endpoint "will fail," Microsoft explained. Lastly, the use of "overlapping IP address space" in VNets is supported.

Preview Limitations
The preview of Azure Private Link currently just supports some Azure services right now, namely "Azure Storage, Azure Data Lake Storage Gen 2, Azure SQL Database, Azure SQL Data Warehouse and customer-owned services," according to this Azure article.

In "coming months," Microsoft plans to add Azure Private Link support for "Azure Cosmos DB, Azure MySQL, Azure PostgreSQL, Azure MariaDB, Azure Application Service, and Azure Key Vault, and Partner Services," Microsoft's announcement noted.

The preview lacks service-level agreement uptime guarantees, and shouldn't be used for production workloads, Microsoft warned in its overview document. It's also constrained right now for use in certain Azure U.S. regions, depending on whether it's used to access customer-owned resources or Azure PaaS services, as described in that document. Pricing is nonexistent right now.

If Microsoft's documentation isn't enough, Aidan Finn, a Microsoft Most Valuable Professional and Azure expert, talks about these connection options in this blog post.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.


  • The 2020 Microsoft Product Roadmap

    From the next major update to Windows 10 to the next generations of .NET and PowerShell, here's what's on tap from Microsoft this year.

  • Touting Azure for Operators, Microsoft Joins SDN Standards Group

    As part of its Azure for Operators program, Microsoft this week joined a nonprofit standards association that focuses on SDN technologies used by enterprises and service providers.

  • 2020 Microsoft Conference Calendar: For Partners, IT Pros and Developers

    Here's your guide to all the IT training sessions, partner meet-ups and annual Microsoft conferences you won't want to miss. (Now updated with COVID-19-related event changes.)

  • Pilot Begins of Microsoft Teams-Salesforce CRM Integration

    A new capability that lets Microsoft Teams users access information from the customer relationship management (CRM) platform debuted this week.