Azure Load Balancer-Private Endpoint configuration questions.

selee 21 Reputation points
2022-04-26T14:00:11.1+00:00

Hello!

I'm selee.
I have a question while testing the configuration of LB-Private endpoint-PaaS DB.
Please add me!

architecture)
![196652-arch.png][1]
I cropped the picture. Please forgive me.

All vnets and resource groups have only 2 subnets.
It is a structure that communicates from another subnet to that subnet.
Of course, the PaaS DB is in the same vnet.
subnet1) lb - app server
subnet2) lb - private endpoint

Symptom)
When the VM (MSSQL manual installation) was connected to the backend LB (display part) backend pool, communication was confirmed, but after configuring the backend as a private endpoint resource, communication through the LB is not possible.
(I set the backend pool to a private endpoint ip when configuring lb)

However, when I directly stabbed the SQL server, the communication check is working normally.
I don't understand. Why can't I communicate through lb? What am I missing?

Configuration)

  1. I know that a standard LB is a prerequisite for a private endpoint, so I first configured it with a standard LB.
    (LB Probe: TCP/1433, LB rule: port, backend 1433 configuration)
  2. LB setting in the LB-Private Endpoint section: Configure the Backend Pool configuration as IP (Private Endpoint) instead of NIC.

Conclusion/Inquiry)

  1. If it is a VM that is not a private endpoint at the rear end of the LB, communication through the LB is possible. But if a Private Endpoint resource is connected, communication through the LB is not possible.
  2. When configuring Private Endpoint, communication is possible through server direct, but communication is not possible through VIP.

How can I configure LB in this configuration? Or do I need to configure additional settings related to private endpoints?

  • I know that a private link is used to connect a PaaS DB in Azure. Is it correct to use both a private link and a private endpoint?

I wonder if Private Endpoint and Private Link are resources that should always go together.
I'm not sure about the exact difference between private link and private endpoint.

I also tried configuring a private link, but the symptoms were the same.

I think that the architecture does not need a private link as the vnet is the same, did I misunderstand it?

Poor readability, verbose words, but please add!

Regards,
selee


Accepted answer
Oury Ba-MSFT 16,076 Reputation points Microsoft Employee
2022-04-29T15:36:29.6+00:00

    @selee Thank you for posting your query on Microsoft Q&A and for using Azure services.

    Let's break this down and try to answer question by question.
    You are trying to get a clear understanding of how private link and private endpoint work.

    > When configuring Private Endpoint, communication is possible through server direct, but communication is not possible through VIP.
    Private Link service can be accessed from approved private endpoints in the same region. The private endpoint can be reached from the same virtual network, regionally peered VNets, globally peered VNets and on premises using private VPN or ExpressRoute connections.
    When creating a Private Link Service, a network interface is created for the lifecycle of the resource. This interface is not manageable by the customer.

    A single Private Link Service can be accessed from multiple Private Endpoints belonging to different VNets, subscriptions and/or Active Directory tenants. The connection is established through a connection workflow.

    > I'm not sure about the exact difference between private link and private endpoint.

    Azure Private Endpoint: Azure Private Endpoint is a network interface that connects you privately and securely to a service powered by Azure Private Link. You can use Private Endpoints to connect to an Azure PaaS service that supports Private Link or to your own Private Link Service.
    Azure Private Link Service: Azure Private Link service is a service created by a service provider. Currently, a Private Link service can be attached to the frontend IP configuration of a Standard Load Balancer.

    Reference: Private link frequently asked questions

    Additional info: The Private Link Service must be deployed in the same region as the virtual network.
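The two pairings the answer describes, written out as an added Az PowerShell example (not code from the thread or from Microsoft): a private endpoint that consumes the PaaS SQL server directly, and a Private Link service attached to the Standard Load Balancer's frontend so that consumers reach the app tier through a private endpoint of their own. All resource names, the address prefix and the subscription id are placeholders; the subnet names follow the question's layout.

```powershell
# Added example. $rg, $vnetName, the resource names and "<consumer-subscription-id>" are placeholders.
$rg       = "rg-demo"
$location = "koreacentral"   # Private Link service must be in the same region as the VNet
$vnet     = Get-AzVirtualNetwork -Name "vnet-demo" -ResourceGroupName $rg

# --- Pattern 1: consume the PaaS DB through a private endpoint (no load balancer in the path) ---
# subnet2 in the question hosts the private endpoint; traffic to 1433 goes straight to it.
$peSubnet  = Get-AzVirtualNetworkSubnetConfig -Name "subnet2" -VirtualNetwork $vnet
$sqlServer = Get-AzSqlServer -ResourceGroupName $rg -ServerName "sql-demo"
$sqlConn   = New-AzPrivateLinkServiceConnection -Name "plsc-sql" `
    -PrivateLinkServiceId $sqlServer.ResourceId -GroupId "sqlServer"   # "sqlServer" = Azure SQL sub-resource
New-AzPrivateEndpoint -Name "pe-sql" -ResourceGroupName $rg -Location $location `
    -Subnet $peSubnet -PrivateLinkServiceConnection $sqlConn

# --- Pattern 2: expose your own app tier: Private Link service on the Standard LB frontend ---
# The subnet that sources the PLS NAT addresses must have PLS network policies disabled.
$vnet = Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "subnet1" `
    -AddressPrefix "10.0.1.0/24" -PrivateLinkServiceNetworkPoliciesFlag "Disabled" |
    Set-AzVirtualNetwork
$plsSubnet = Get-AzVirtualNetworkSubnetConfig -Name "subnet1" -VirtualNetwork $vnet

# Must be a Standard SKU load balancer; the PLS binds to its frontend IP configuration,
# not to a backend pool entry.
$lb    = Get-AzLoadBalancer -Name "lb-app" -ResourceGroupName $rg
$natIp = New-AzPrivateLinkServiceIpConfig -Name "pls-nat-ip" -Subnet $plsSubnet -Primary
New-AzPrivateLinkService -Name "pls-app" -ResourceGroupName $rg -Location $location `
    -LoadBalancerFrontendIpConfiguration $lb.FrontendIpConfigurations[0] `
    -IpConfiguration $natIp `
    -Visibility    @("<consumer-subscription-id>") `   # only this subscription can see/connect
    -AutoApproval  @("<consumer-subscription-id>")     # everyone else would need manual approval

# Consumer side: a private endpoint that targets the Private Link service above.
$pls     = Get-AzPrivateLinkService -Name "pls-app" -ResourceGroupName $rg
$appConn = New-AzPrivateLinkServiceConnection -Name "plsc-app" -PrivateLinkServiceId $pls.Id
New-AzPrivateEndpoint -Name "pe-app" -ResourceGroupName $rg -Location $location `
    -Subnet $peSubnet -PrivateLinkServiceConnection $appConn
```

Restricting `-Visibility` and `-AutoApproval` to known subscription ids keeps the exposed service from being discoverable by arbitrary tenants; connections from anyone else stay pending until approved.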

