Azure Private Link frequently asked questions (FAQ)

Private Link

  • Azure Private Endpoint: Azure Private Endpoint is a network interface that connects you privately and securely to a service powered by Azure Private Link. You can use Private Endpoints to connect to an Azure PaaS service that supports Private Link or to your own Private Link Service.
  • Azure Private Link Service: Azure Private Link service is a service created by a service provider. Currently, a Private Link service can be attached to the frontend IP configuration of a Standard Load Balancer.

Traffic is sent privately using Microsoft backbone. It doesn’t traverse the internet. Azure Private Link doesn't store customer data.

What is the difference between Service Endpoints and Private Endpoints?

  • Private Endpoints grant network access to specific resources behind a given service providing granular segmentation. Traffic can reach the service resource from on premises without using public endpoints.
  • A service endpoint remains a publicly routable IP address. A private endpoint is a private IP in the address space of the virtual network where the private endpoint is configured.

Multiple private link resource types support access via Private Endpoint. Resources include Azure PaaS services and your own Private Link Service. It's a one-to-many relationship.

A Private Link service receives connections from multiple private endpoints. A private endpoint connects to one Private Link service.

Yes. Both Private endpoint and Private Link Service need to disable Network policies to function properly. They both have properties independent of one another.

Private Endpoint

Can I create multiple Private Endpoints in same VNet? Can they connect to different Services?

Yes. You can have multiple private endpoints in same VNet or subnet. They can connect to different services.

Do I require a dedicated subnet for private endpoints?

No. You don't require a dedicated subnet for private endpoints. You can choose a private endpoint IP from any subnet from the VNet where your service is deployed.

Yes. Private endpoints can connect to Private Link services or to an Azure PaaS across Azure Active Directory tenants. Private endpoints that connect across tenants require a manual request approval.

Can private endpoint connect to Azure PaaS resources across Azure regions?

Yes. Private endpoints can connect to Azure PaaS resources across Azure regions.

Can I modify my Private Endpoint Network Interface (NIC) ?

When a private endpoint is created, a read-only NIC is assigned. This cannot be modified and will remain for the life cycle of the Private endpoint.

How do I achieve availability while using private endpoints in case of regional failures ?

Private Endpoints are highly available resources with 99.99% SLA [SLA for Azure Private Link]. However, since they are regional resources, any Azure region outage can impact the availability. To achieve availability in case of regional failures, multiple PEs connected to same destination resource could be deployed in different regions. This way if one region goes down, you can still route the traffic for your recovery scenarios through PE in different region to access the destination resource. For info on how the regional failures are handled on destination service side, please review the service documentation on failover and recovery. Private Link traffic follows the Azure DNS resolution for destination endpoint.

Private Link Service

Your service backends should be in a Virtual network and behind a Standard Load Balancer.

You can scale your Private Link service in a few different ways:

  • Add Backend VMs to the pool behind your Standard Load Balancer
  • Add an IP to the Private Link service. We allow up to 8 IPs per Private Link service.
  • Add new Private Link service to Standard Load Balancer. We allow up to eight Private Link services per load balancer.

The NAT IP configuration ensures that there is no IP conflict between source (consumer side) and destination (service provider) address space by providing source NAT on the Private Link traffic on the destination side (service provider side). The NAT IP address will show up as Source IP for all packets received by your service and destination IP for all packets sent by your service. NAT IP can be chosen from any subnet in a service provider's virtual network.

Each NAT IP provides 64k TCP connections (64k ports) per VM behind the Standard Load Balancer. In order to scale and add more connections, you can either add new NAT IPs or add more VMs behind the Standard Load Balancer. Doing so will scale the port availability and allow for more connections. Connections will be distributed across NAT IPs and VMs behind the Standard Load Balancer.

Can I connect my service to multiple Private Endpoints?

Yes. One Private Link service can receive connections from multiple Private Endpoints. However one Private Endpoint can only connect to one Private Link service.

You can control the exposure using the visibility configuration on Private Link service. Visibility supports three settings:

  • None - Only subscriptions with Azure RBAC access can locate the service.
  • Restrictive - Only subscriptions that are approved and with Azure RBAC access can locate the service.
  • All - Everyone can locate the service.

No. Private Link service over a basic load balancer isn't supported.

No. Private Link service doesn’t require a dedicated subnet. You can choose any subnet in your VNet where your service is deployed.

No. Azure Private Link provides this functionality for you. You aren't required to have non-overlapping address space with your customer's address space.

Next steps