Quickstart: Create a private endpoint by using Azure PowerShell

Get started with Azure Private Link by using a private endpoint to connect securely to an Azure web app.

In this quickstart, you'll create a private endpoint for an Azure web app and then create and deploy a virtual machine (VM) to test the private connection.

You can create private endpoints for a variety of Azure services, such as Azure SQL and Azure Storage.

Prerequisites

If you choose to install and use PowerShell locally, this article requires the Azure PowerShell module version 5.4.1 or later. To find the installed version, run Get-Module -ListAvailable Az. If you need to upgrade, see Install the Azure PowerShell module. If you're running PowerShell locally, you also need to run Connect-AzAccount to create a connection with Azure.

Create a resource group

An Azure resource group is a logical container where Azure resources are deployed and managed.

Create a resource group with New-AzResourceGroup:

New-AzResourceGroup -Name 'CreatePrivateEndpointQS-rg' -Location 'eastus'

Create a virtual network and bastion host

First, you'll create a virtual network, subnet, and bastion host.

You'll use the bastion host to connect securely to the VM for testing the private endpoint.

  1. Create a virtual network and bastion host with New-AzVirtualNetworkSubnetConfig, New-AzVirtualNetwork, New-AzPublicIpAddress, and New-AzBastion:

  2. Configure the back-end subnet.

    $subnetConfig = New-AzVirtualNetworkSubnetConfig -Name myBackendSubnet -AddressPrefix 10.0.0.0/24
    
  3. Create the Azure Bastion subnet:

    $bastsubnetConfig = New-AzVirtualNetworkSubnetConfig -Name AzureBastionSubnet -AddressPrefix 10.0.1.0/24
    
  4. Create the virtual network:

    $parameters1 = @{
        Name = 'MyVNet'
        ResourceGroupName = 'CreatePrivateEndpointQS-rg'
        Location = 'eastus'
        AddressPrefix = '10.0.0.0/16'
        Subnet = $subnetConfig, $bastsubnetConfig
    }
    $vnet = New-AzVirtualNetwork @parameters1
    
  5. Create the public IP address for the bastion host:

    $parameters2 = @{
        Name = 'myBastionIP'
        ResourceGroupName = 'CreatePrivateEndpointQS-rg'
        Location = 'eastus'
        Sku = 'Standard'
        AllocationMethod = 'Static'
    }
    $publicip = New-AzPublicIpAddress @parameters2
    
  6. Create the bastion host:

    $parameters3 = @{
        ResourceGroupName = 'CreatePrivateEndpointQS-rg'
        Name = 'myBastion'
        PublicIpAddress = $publicip
        VirtualNetwork = $vnet
    }
    New-AzBastion @parameters3
    

It can take a few minutes for the Azure Bastion host to deploy.

Create a test virtual machine

Next, create a VM that you can use to test the private endpoint.

  1. Create the VM by using New-AzNetworkInterface, New-AzVMConfig, Set-AzVMOperatingSystem, Set-AzVMSourceImage, Add-AzVMNetworkInterface, and New-AzVM:

  2. Get the server admin credentials and password:

    $cred = Get-Credential
    
  3. Get the virtual network configuration:

    $vnet = Get-AzVirtualNetwork -Name myVNet -ResourceGroupName CreatePrivateEndpointQS-rg
    
  4. Create a network interface for the VM:

    $parameters1 = @{
        Name = 'myNicVM'
        ResourceGroupName = 'CreatePrivateEndpointQS-rg'
        Location = 'eastus'
        Subnet = $vnet.Subnets[0]
    }
    $nicVM = New-AzNetworkInterface @parameters1
    
  5. Configure the VM:

    $parameters2 = @{
        VMName = 'myVM'
        VMSize = 'Standard_DS1_v2'
    }
    $parameters3 = @{
        ComputerName = 'myVM'
        Credential = $cred
    }
    $parameters4 = @{
        PublisherName = 'MicrosoftWindowsServer'
        Offer = 'WindowsServer'
        Skus = '2019-Datacenter'
        Version = 'latest'
    }
    $vmConfig = New-AzVMConfig @parameters2 |
        Set-AzVMOperatingSystem -Windows @parameters3 |
        Set-AzVMSourceImage @parameters4 |
        Add-AzVMNetworkInterface -Id $nicVM.Id
    
  6. Create the VM:

    New-AzVM -ResourceGroupName 'CreatePrivateEndpointQS-rg' -Location 'eastus' -VM $vmConfig
    

Note

Azure provides a default outbound access IP for VMs that either aren't assigned a public IP address or are in the back-end pool of an internal basic Azure load balancer. The default outbound access IP mechanism provides an outbound IP address that isn't configurable.

For more information, see Default outbound access in Azure.

The default outbound access IP is disabled when either a public IP address is assigned to the VM or the VM is placed in the back-end pool of a standard load balancer, with or without outbound rules. If an Azure Virtual Network network address translation (NAT) gateway resource is assigned to the subnet of the virtual machine, the default outbound access IP is disabled.

VMs that are created by virtual machine scale sets in flexible orchestration mode don't have default outbound access.

For more information about outbound connections in Azure, see Use source network address translation (SNAT) for outbound connections.

Create a private endpoint

  1. Create a private endpoint and connection by using New-AzPrivateLinkServiceConnection and New-AzPrivateEndpoint:

  2. Place the web app into a variable. Replace <webapp-resource-group-name> with the resource group name of your web app, and replace <your-webapp-name> with your web app name.

    $webapp = Get-AzWebApp -ResourceGroupName <webapp-resource-group-name> -Name <your-webapp-name>
    
  3. Create the private endpoint connection:

    $parameters1 = @{
        Name = 'myConnection'
        PrivateLinkServiceId = $webapp.ID
        GroupID = 'sites'
    }
    $privateEndpointConnection = New-AzPrivateLinkServiceConnection @parameters1
    
  4. Place the virtual network into a variable:

    $vnet = Get-AzVirtualNetwork -ResourceGroupName 'CreatePrivateEndpointQS-rg' -Name 'myVNet'
    
  5. Disable the private endpoint network policy:

    $vnet.Subnets[0].PrivateEndpointNetworkPolicies = "Disabled"
    $vnet | Set-AzVirtualNetwork
    
  6. Create the private endpoint:

    $parameters2 = @{
        ResourceGroupName = 'CreatePrivateEndpointQS-rg'
        Name = 'myPrivateEndpoint'
        Location = 'eastus'
        Subnet = $vnet.Subnets[0]
        PrivateLinkServiceConnection = $privateEndpointConnection
    }
    New-AzPrivateEndpoint @parameters2
    

Configure the private DNS zone

  1. Create and configure the private DNS zone by using New-AzPrivateDnsZone, New-AzPrivateDnsVirtualNetworkLink, New-AzPrivateDnsZoneConfig, and New-AzPrivateDnsZoneGroup:

  2. Place the virtual network into a variable:

    $vnet = Get-AzVirtualNetwork -ResourceGroupName 'CreatePrivateEndpointQS-rg' -Name 'myVNet'
    
  3. Create the private DNS zone:

    $parameters1 = @{
        ResourceGroupName = 'CreatePrivateEndpointQS-rg'
        Name = 'privatelink.azurewebsites.net'
    }
    $zone = New-AzPrivateDnsZone @parameters1
    
  4. Create a DNS network link:

    $parameters2 = @{
        ResourceGroupName = 'CreatePrivateEndpointQS-rg'
        ZoneName = 'privatelink.azurewebsites.net'
        Name = 'myLink'
        VirtualNetworkId = $vnet.Id
    }
    $link = New-AzPrivateDnsVirtualNetworkLink @parameters2
    
  5. Configure the DNS zone:

    $parameters3 = @{
        Name = 'privatelink.azurewebsites.net'
        PrivateDnsZoneId = $zone.ResourceId
    }
    $config = New-AzPrivateDnsZoneConfig @parameters3
    
  6. Create the DNS zone group:

    $parameters4 = @{
        ResourceGroupName = 'CreatePrivateEndpointQS-rg'
        PrivateEndpointName = 'myPrivateEndpoint'
        Name = 'myZoneGroup'
        PrivateDnsZoneConfig = $config
    }
    New-AzPrivateDnsZoneGroup @parameters4
    
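Before moving to the VM test, the pieces created in the last two sections can be checked from the same Azure PowerShell session. The script below is an added example, not part of the quickstart; it assumes the names used above (CreatePrivateEndpointQS-rg, myVNet, myPrivateEndpoint, myLink, privatelink.azurewebsites.net) and confirms the connection is approved, the endpoint NIC sits in myBackendSubnet, and the zone group wrote an A record for that address.

```powershell
# Added verification script (not from the original quickstart). Names below are the
# ones used in this article; change them if you renamed resources.
$rg       = 'CreatePrivateEndpointQS-rg'
$zoneName = 'privatelink.azurewebsites.net'

# 1. The service-side connection must be Approved. Pending or Rejected means the private
#    IP exists in the subnet but the web app will not answer on it.
$pe    = Get-AzPrivateEndpoint -ResourceGroupName $rg -Name 'myPrivateEndpoint'
$state = $pe.PrivateLinkServiceConnections[0].PrivateLinkServiceConnectionState
if ($state.Status -ne 'Approved') {
    throw "Private endpoint connection is '$($state.Status)': $($state.Description)"
}

# 2. The endpoint NIC must be in myBackendSubnet (Subnets[0]). Because private endpoint
#    network policies were disabled on that subnet above, NSG rules do not apply to this
#    NIC, so the subnet placement and the connection state are what you verify here.
$subnet = (Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'myVNet').Subnets[0]
$nic    = Get-AzNetworkInterface -ResourceId $pe.NetworkInterfaces[0].Id
$ipcfg  = $nic.IpConfigurations[0]
if ($ipcfg.Subnet.Id -ne $subnet.Id) {
    throw "Endpoint NIC is in $($ipcfg.Subnet.Id), expected $($subnet.Id)"
}
$peIp = $ipcfg.PrivateIpAddress

# 3. The zone must be linked to myVNet, otherwise its records are never consulted.
$link = Get-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zoneName -Name 'myLink'
if ($link.ProvisioningState -ne 'Succeeded') {
    throw "Virtual network link 'myLink' is in state $($link.ProvisioningState)"
}

# 4. The zone group must have written an A record carrying the endpoint's private IP.
#    Without it, clients in the VNet resolve the web app to its public address instead.
$records = Get-AzPrivateDnsRecordSet -ResourceGroupName $rg -ZoneName $zoneName -RecordType A
$match   = $records | Where-Object { $_.Records.Ipv4Address -contains $peIp }
if (-not $match) {
    throw "No A record in $zoneName points at $peIp; the DNS zone group is missing or not yet synced"
}

Write-Host "Private endpoint OK: $($match.Name).$zoneName -> $peIp (connection $($state.Status))"
```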

Test connectivity with the private endpoint

Finally, use the VM you created in the previous step to connect to the web app across the private endpoint.

  1. Sign in to the Azure portal.

  2. On the left pane, select Resource groups.

  3. Select CreatePrivateEndpointQS-rg.

  4. Select myVM.

  5. On the overview page for myVM, select Connect, and then select Bastion.

  6. Select the blue Use Bastion button.

  7. Enter the username and password that you used when you created the VM.

  8. After you've connected, open PowerShell on the server.

  9. Enter nslookup <your-webapp-name>.azurewebsites.net. Replace <your-webapp-name> with the name of the web app that you created earlier. You'll receive a message that's similar to the following:

    Server:  UnKnown
    Address:  168.63.129.16
    
    Non-authoritative answer:
    Name:    mywebapp8675.privatelink.azurewebsites.net
    Address:  10.0.0.5
    Aliases:  mywebapp8675.azurewebsites.net
    

    A private IP address of 10.0.0.5 is returned for the web app name. This address is in the subnet of the virtual network that you created earlier.

  10. In the bastion connection to myVM, open your web browser.

  11. Enter the URL of your web app, https://<your-webapp-name>.azurewebsites.net.

    If your web app hasn't been deployed, you'll get the following default web app page:

    Screenshot of the default web app page on a browser.

  12. Close the connection to myVM.
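The nslookup in step 9 is a manual check. The script below is an added example, not part of the quickstart, to run in the PowerShell window inside the bastion session on myVM: it resolves the web app through the VNet resolver 168.63.129.16 (the server shown in the nslookup output), contrasts that with a public resolver (1.1.1.1, an assumption), and then confirms TCP/443 and HTTPS over the private address. Replace <your-webapp-name> as in step 9.

```powershell
# Added on-VM check script (not from the original quickstart). Run inside the bastion
# session on myVM, which sits in the 10.0.0.0/24 back-end subnet created above.
$webApp  = '<your-webapp-name>'              # replace with your web app name
$fqdn    = "$webApp.azurewebsites.net"
$vnetDns = '168.63.129.16'                   # Azure-provided VNet resolver (from the nslookup output)
$pubDns  = '1.1.1.1'                         # any public resolver; an assumption, used only for contrast

# 1. Through the VNet resolver the name must CNAME into the privatelink zone and end at an
#    A record from the 10.0.0.0/24 back-end subnet (the '10.0.0.*' pattern is exactly that /24).
$private = Resolve-DnsName -Name $fqdn -Type A -Server $vnetDns
$cnames  = ($private | Where-Object Type -eq 'CNAME').NameHost
$privIp  = ($private | Where-Object Type -eq 'A').IPAddress | Select-Object -First 1
if (-not ($cnames -like '*.privatelink.azurewebsites.net')) {
    throw "Expected a CNAME into privatelink.azurewebsites.net, got: $($cnames -join ', ')"
}
if ($privIp -notlike '10.0.0.*') {
    throw "Expected an address in 10.0.0.0/24, got $privIp; check the zone link and zone group"
}

# 2. Through a public resolver the same name resolves to the web app's public address. This is
#    what any client outside the VNet sees; the VM reaches the public resolver over the default
#    outbound access described in the note above.
$publicIp = (Resolve-DnsName -Name $fqdn -Type A -Server $pubDns | Where-Object Type -eq 'A').IPAddress
Write-Host "VNet resolver: $fqdn -> $privIp"
Write-Host "Public resolver: $fqdn -> $($publicIp -join ', ')"

# 3. TCP reachability to the private address on 443, then an HTTPS request by name so the
#    TLS SNI and Host header match the web app's certificate while DNS steers it to 10.0.0.x.
if (-not (Test-NetConnection -ComputerName $privIp -Port 443 -InformationLevel Quiet)) {
    throw "No TCP/443 reachability to $privIp from this VM"
}
$resp = Invoke-WebRequest -Uri "https://$fqdn" -UseBasicParsing -TimeoutSec 30
Write-Host "HTTPS via private endpoint returned status $($resp.StatusCode)"
```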

Clean up resources

When you're done using the private endpoint and the VM, use Remove-AzResourceGroup to remove the resource group and all the resources within it:

Remove-AzResourceGroup -Name CreatePrivateEndpointQS-rg -Force

What you've learned

In this quickstart, you created:

  • A virtual network and bastion host
  • A virtual machine
  • A private endpoint for an Azure web app

You used the VM to securely test connectivity to the web app across the private endpoint.

Next steps

For more information about the services that support private endpoints, see: