News
Microsoft Unveils Service To Keep Azure Connections Private
By Kurt Mackie
September 18, 2019
Azure Private Link, a new service designed to keep connections to Azure services off the public Internet, is now available from Microsoft as a preview.
The service places an Azure platform-as-a-service (PaaS) resource inside an organization's virtual network ("VNet") as a private endpoint with a private IP address. Traffic between the VNet and the service then travels over Microsoft's private backbone network rather than the public Internet, and from the client's point of view it never leaves the VNet (see diagram):
Figure: Private connection to Azure services using Azure Private Link. (Source: Microsoft's Azure product page)
Organizations today can already reach Azure's multitenant services from a VNet using VNet service endpoints, but the service itself is still addressed by a public IP. Microsoft's announcement explained that when an organization uses VNet service endpoints, "the PaaS endpoint is still served over a public IP address and therefore [is] not reachable from on-premises [environments] through Azure ExpressRoute private peering or VPN gateway."
The Azure ExpressRoute service is another way for organizations to reach Azure over a private connection that bypasses the public Internet, but it's typically billed as a solution for getting high-bandwidth connections. In contrast, Azure Private Link appears to be a solution for organizations that simply don't want to touch the public Internet when accessing Azure services. Because a private endpoint has an address inside the VNet, it is also reachable from on-premises networks over ExpressRoute private peering or a VPN gateway, which is exactly what VNet service endpoints could not offer.
Partner Support
Microsoft is also touting Azure Private Link for use with "customer-owned services" and "partner services." Service providers running on Azure today can use VNet peering to establish a private connection to a customer's VNet, "but it is not scalable and will soon run into IP address conflicts," Microsoft's announcement explained. Instead, these service providers can expose their own service as a Private Link service by placing it behind an Azure Standard Load Balancer, so that customers consume it through a private endpoint in their own VNet, Microsoft explained in this Azure article.
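The provider side of that arrangement, as an added example that is not part of the article and is not Microsoft's own code: an Azure PowerShell script (Az.Network module) that turns a service already fronted by an internal Standard Load Balancer into a Private Link service, restricts which customer subscriptions can see it, and approves incoming connection requests one by one. Resource names, the region and the subscription ID are placeholders for this example.

```powershell
# Added example, not from the article or from Microsoft. Expose a service that sits
# behind an internal Azure Standard Load Balancer as a Private Link service, so
# customers reach it through a private endpoint in their own VNet instead of via
# VNet peering. Requires the Az.Network module, an existing internal Standard
# (not Basic) load balancer, and a spare subnet in the provider VNet for the
# Private Link NAT addresses. All names and IDs below are placeholders.
$rg            = "rg-pls-provider"
$loc           = "eastus"
$lbName        = "lb-internal-std"       # existing internal Standard Load Balancer
$vnetName      = "vnet-provider"
$natSubnetName = "snet-pls-nat"          # dedicated subnet for Private Link NAT IPs
$plsName       = "pls-partner-service"
# Only these customer subscriptions may discover the service (placeholder GUID).
$visibleToSubscriptions = @("00000000-0000-0000-0000-000000000001")

# 1. The NAT subnet must have Private Link service network policies disabled,
#    otherwise the service cannot be created.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnet = $vnet.Subnets | Where-Object { $_.Name -eq $natSubnetName }
$subnet.PrivateLinkServiceNetworkPolicies = "Disabled"
$vnet | Set-AzVirtualNetwork | Out-Null

# 2. Bind the Private Link service to the load balancer's frontend IP configuration.
#    That frontend stays a private address in the provider VNet; customers never
#    need it, because the service appears as an IP inside *their* VNet.
$lb       = Get-AzLoadBalancer -ResourceGroupName $rg -Name $lbName
$ipConfig = New-AzPrivateLinkServiceIpConfig -Name "pls-ipconfig" -Subnet $subnet

# No -AutoApproval list is given, so every connection request waits for approval.
$pls = New-AzPrivateLinkService -ResourceGroupName $rg -Name $plsName -Location $loc `
    -LoadBalancerFrontendIpConfiguration $lb.FrontendIpConfigurations[0] `
    -IpConfiguration $ipConfig `
    -Visibility $visibleToSubscriptions

# 3. Customers reference the service by its alias, not by resource ID, when they
#    create their private endpoint; the provider's subscription stays hidden.
"Give customers this alias: $($pls.Alias)"

# 4. Review pending requests and approve them individually, so each customer's
#    endpoint is an explicit, auditable decision rather than an open door.
Get-AzPrivateEndpointConnection -ResourceGroupName $rg -ServiceName $plsName |
    Where-Object { $_.PrivateLinkServiceConnectionState.Status -eq "Pending" } |
    ForEach-Object {
        "Pending request from endpoint: $($_.PrivateEndpoint.Id)"
        Approve-AzPrivateEndpointConnection -ResourceId $_.Id -Description "Approved by provider"
    }
```

Leaving out the `-Visibility` list makes the service discoverable from any subscription, and adding subscription IDs to `-AutoApproval` removes the manual approval step for those subscriptions; both are convenient for a marketplace offering but should be deliberate choices, since approval is the only gate between a customer VNet and the load-balanced backend.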
Microsoft sees Azure Private Link as something that its partners offering solutions through the Azure Marketplace likely will use in the near future. Here's how Microsoft's announcement expressed it:
  The ability to consume the SaaS solutions privately within the customer's own network has been a common request. With Azure Private Link, we're extending the private connectivity experience to Microsoft partners. This is a very powerful mechanism for Microsoft partners to reach Azure customers. We're confident that a lot of future Azure Marketplace offerings will be made through Azure Private Link.
Microsoft also is promising that Azure Private Link will simplify corporate firewall configurations. It won't require configuring "route tables and Azure Network Security Groups," and, according to an Azure product page description, it needs no gateways, NAT (Network Address Translation) devices, ExpressRoute circuits or VPN connections. The flip side for anyone auditing a subnet is that Network Security Group rules and user-defined routes are not applied to private endpoint traffic at all; the subnet's private endpoint network policies have to be disabled for an endpoint to be created there. Private Link also works across multiple Azure Active Directory tenants.
Microsoft is also touting the benefit of "exfiltration protection" with Azure Private Link. A private endpoint maps to one particular PaaS resource (a single storage account, for example) rather than to the whole service, so a malicious attempt to send data to a different account on the same private endpoint "will fail," Microsoft explained. Lastly, the use of "overlapping IP address space" in VNets is supported.
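The consumer side, as an added example that is not part of the article and is not Microsoft's own code: an Azure PowerShell script (Az.Network, Az.PrivateDns and Az.Storage modules) that maps one storage account's blob endpoint into a VNet, sets up the private DNS zone that makes the account's ordinary hostname resolve to the private address, closes the account's public endpoint, and then performs the check a practitioner wants: that the hostname really resolves to an RFC 1918 address from inside the VNet. Resource names and the region are placeholders; the final resolution check assumes it runs on a Windows VM inside the VNet, where `Resolve-DnsName` is available.

```powershell
# Added example, not from the article or from Microsoft. Give a single storage
# account a private endpoint in a VNet, wire up DNS so its normal hostname resolves
# to the private IP, shut the public endpoint, and verify. Requires the Az.Network,
# Az.PrivateDns and Az.Storage modules. Names and region are placeholders.
$rg          = "rg-privatelink-demo"
$loc         = "eastus"
$vnetName    = "vnet-app"
$subnetName  = "snet-endpoints"
$storageName = "stprivatelinkdemo01"    # the ONE account this endpoint maps to

# 1. Private endpoint network policies must be off on the subnet. NSG rules and
#    user-defined routes are not applied to private endpoint traffic, so do not
#    expect them to filter anything here.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnet = $vnet.Subnets | Where-Object { $_.Name -eq $subnetName }
$subnet.PrivateEndpointNetworkPolicies = "Disabled"
$vnet | Set-AzVirtualNetwork | Out-Null

# 2. Create the endpoint. It is bound to this account's resource ID and to one
#    sub-resource ("blob"). A different account needs its own endpoint, which is
#    what makes "send it to my other account" fail through this one.
$storage = Get-AzStorageAccount -ResourceGroupName $rg -Name $storageName
$conn = New-AzPrivateLinkServiceConnection -Name "conn-blob" `
    -PrivateLinkServiceId $storage.Id -GroupId "blob"
$pe = New-AzPrivateEndpoint -ResourceGroupName $rg -Name "pe-$storageName-blob" `
    -Location $loc -Subnet $subnet -PrivateLinkServiceConnection $conn

# 3. Read the private IP that Azure assigned to the endpoint's network interface.
$nic       = Get-AzNetworkInterface -ResourceId $pe.NetworkInterfaces[0].Id
$privateIp = $nic.IpConfigurations[0].PrivateIpAddress

# 4. DNS. Public DNS answers <account>.blob.core.windows.net with a CNAME to
#    <account>.privatelink.blob.core.windows.net. A private DNS zone of that name
#    linked to the VNet resolves the privatelink name to the private IP inside the
#    VNet; clients anywhere else still get the public IP.
$zoneName = "privatelink.blob.core.windows.net"
New-AzPrivateDnsZone -ResourceGroupName $rg -Name $zoneName | Out-Null
New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zoneName `
    -Name "link-$vnetName" -VirtualNetworkId $vnet.Id | Out-Null
New-AzPrivateDnsRecordSet -ResourceGroupName $rg -ZoneName $zoneName -Name $storageName `
    -RecordType A -Ttl 300 `
    -PrivateDnsRecords (New-AzPrivateDnsRecordConfig -IPv4Address $privateIp) | Out-Null

# 5. The private endpoint does not switch off the public endpoint. Deny public
#    network access so the private path is the only path; private endpoint
#    traffic is not subject to these storage firewall rules.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $storageName `
    -DefaultAction Deny | Out-Null

# 6. The check, run from a VM inside the VNet: the account's ordinary hostname
#    must end at an RFC 1918 address. A public address here means the DNS zone is
#    not linked to this VNet and traffic would still leave it.
$answer   = Resolve-DnsName "$storageName.blob.core.windows.net" -Type A
$resolved = ($answer | Where-Object { $_.Type -eq "A" } | Select-Object -First 1).IPAddress
$isPrivate = $resolved -match '^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.)'
if ($isPrivate) { "OK: $storageName resolves to $resolved via the private endpoint" }
else            { "WARNING: $storageName resolves to $resolved; traffic would leave the VNet" }
```

Step 6 is worth keeping as a recurring check rather than a one-off: a private endpoint with a missing or unlinked DNS zone silently falls back to the public IP, and nothing in the VNet will complain until step 5 starts returning 403s from the storage firewall.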
Preview Limitations
The preview of Azure Private Link currently supports only some Azure services, namely "Azure Storage, Azure Data Lake Storage Gen 2, Azure SQL Database, Azure SQL Data Warehouse and customer-owned services," according to this Azure article.
In "coming months," Microsoft plans to add Azure Private Link support for "Azure Cosmos DB, Azure MySQL, Azure PostgreSQL, Azure MariaDB, Azure Application Service, and Azure Key Vault, and Partner Services," Microsoft's announcement noted.
The preview carries no service-level agreement uptime guarantees and shouldn't be used for production workloads, Microsoft warned in its overview document. It's also limited right now to certain Azure U.S. regions, with the list depending on whether it's used to access customer-owned resources or Azure PaaS services, as described in that document. No pricing has been announced yet.
If Microsoft's documentation isn't enough, Aidan Finn, a  Microsoft Most Valuable Professional and Azure expert, talks about these  connection options in this blog post.
About the Author
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.