Use portal to create private link for managing Azure resources

This article explains how you can use Azure Private Link to restrict access for managing resources in your subscriptions. It shows using the Azure portal for setting up management of resources through private access.

Private links enable you to access Azure services over a private endpoint in your virtual network. When you combine private links with Azure Resource Manager's operations, you block users who aren't at the specific endpoint from managing resources. If a malicious user gets credentials to an account in your subscription, that user can't manage the resources without being at the specific endpoint.

Private link provides the following security benefits:

  • Private Access - users can manage resources from a private network via a private endpoint.
  • Data exfiltration - users are denied access to resources not included in the scope.

Note

Azure Kubernetes Service (AKS) currently doesn't support the ARM private endpoint implementation.

Azure Bastion doesn't support private DNS zones, which are a recommended configuration for your private endpoint. Enabling a private DNS zone will cause your Bastion instance to stop working.

Understand architecture

For this release, you can only apply private link management access at the level of the root management group. This limitation means private link access is applied across your tenant.

There are two resource types you'll use when implementing management through a private link.

  • Resource management private link (Microsoft.Authorization/resourceManagementPrivateLinks)
  • Private link association (Microsoft.Authorization/privateLinkAssociations)

The following image shows how to construct a solution that restricts access for managing resources.

Resource management private link diagram

The private link association extends the root management group. The private link association and the private endpoints reference the resource management private link.

Important

Multi-tenant accounts aren't currently supported for managing resources through a private link. You can't connect private link associations on different tenants to a single resource management private link.

If your account accesses more than one tenant, define a private link for only one of them.

Workflow

To set up a private link for resources, use the following steps. The steps are described in greater detail later in this article.

  1. Create the resource management private link.
  2. Create a private link association. The private link association extends the root management group. It also references the resource ID for the resource management private link.
  3. Add a private endpoint that references the resource management private link.

After completing those steps, you can manage Azure resources that are within the hierarchy of the scope. You use a private endpoint that is connected to the subnet.

You can monitor access to the private link. For more information, see Logging and monitoring.

Required permissions

To set up the private link for resource management, you need the following access:

  • Owner on the subscription. This access is needed to create resource management private link resource.
  • Owner or Contributor at the root management group. This access is needed to create the private link association resource.
  • The Global Administrator for the Azure Active Directory doesn't automatically have permission to assign roles at the root management group. To enable creating resource management private links, the Global Administrator must have permission to read root management group and elevate access to have User Access Administrator permission on all subscriptions and management groups in the tenant. After you get the User Access Administrator permission, the Global Administrator must grant Owner or Contributor permission at the root management group to the user creating the private link association.

When you create a resource management private link, the private link association is automatically created for you.

  1. In the portal, search for Resource management private links and select it from the available options.

    Search for resource management private links

  2. If your subscription doesn't already have resource management private links, you'll see a blank page. Select Create resource management private link.

    Select create for resource management private links

  3. Provide values for the new resource management private link. The root management group for the directory you selected is used for the new resource. Select Review + create.

    Specify values for resource management private links

  4. After validation passes, select Create.

Create private endpoint

Now, create a private endpoint that references the resource management private link.

  1. Navigate to the Private Link Center. Select Create private endpoint.

    Select private link center

  2. In the Basics tab, provide values for your private endpoint.

    Provide values for basics

  3. In the Resource tab, select Connect to an Azure resource in my directory. For resource type, select Microsoft.Authorization/resourceManagementPrivateLinks. For target subresource, select ResourceManagement.

    Provide values for resource

  4. In the Configuration tab, select your virtual network. We recommend integrating with a private DNS zone. Select Review + create.

  5. After validation passes, select Create.

Verify private DNS zone

To make sure your environment is properly configured, check the local IP address for the DNS zone.

  1. In the resource group where you deployed the private endpoint, select the private DNS zone resource named privatelink.azure.com.

  2. Verify that the record set named management has a valid local IP address.

    Verify local IP address

Next steps

To learn more about private links, see Azure Private Link.