Enable private access with Private Link (preview)

This article describes the different ways to enable Private Link with a private endpoint for an Azure Digital Twins instance (currently in preview). Configuring a private endpoint for your Azure Digital Twins instance enables you to secure your Azure Digital Twins instance and eliminate public exposure, as well as avoid data exfiltration from your Azure Virtual Network (VNet).

Here are the steps that are covered in this article:

  1. Turn on Private Link and configure a private endpoint for an Azure Digital Twins instance.
  2. View, edit, or delete a private endpoint from an instance.
  3. Disable or enable public network access flags, to restrict API access to Private Link connections only.

Prerequisites

Before you can set up a private endpoint, you'll need an Azure Virtual Network (VNet) where the endpoint can be deployed. If you don't have a VNet already, you can follow one of the Azure Virtual Network quickstarts to set this up.

Add a private endpoint to Azure Digital Twins

You can use either the Azure portal or the Azure CLI to turn on Private Link with a private endpoint for an Azure Digital Twins instance.

If you want to set up Private Link as part of the instance's initial setup, you'll need to use the Azure portal. If you want to enable Private Link on an instance after it's been created, you can use either the Azure portal or the Azure CLI. Any of these creation methods will give the same configuration options and the same end result for your instance.

Use the tabs in the sections below to select instructions for your preferred experience.

Tip

You can also set up a Private Link endpoint through the Private Link service, instead of through your Azure Digital Twins instance. This also gives the same configuration options and the same end result.

For more details about setting up Private Link resources, see Private Link documentation for the Azure portal, Azure CLI, Azure Resource Manager, or PowerShell.

Add a private endpoint during instance creation

In this section, you'll create a private endpoint with Private Link as part of the initial setup of an Azure Digital Twins instance. This action can only be done in the Azure portal, so the steps below describe how to turn on Private Link while setting up the instance there.

The Private Link options are located in the Networking tab of instance setup.

  1. Begin setting up an Azure Digital Twins instance in the Azure portal. For instructions, see Set up an instance and authentication.

  2. When you reach the Networking tab of instance setup, you can enable private endpoints by selecting the Private endpoint option for the Connectivity method.

    This will add a section called Private endpoint connections where you can configure the details of your private endpoint. Select the + Add button to continue.

    Screenshot of the Azure portal showing the Networking tab of a new Azure Digital Twins instance, highlighting how to create a private endpoint. The 'Add' button is highlighted.

  3. In the Create private endpoint page that opens, enter the details of a new private endpoint.

    Screenshot of the Azure portal showing the Create private endpoint page. It contains the fields described below.

    1. Fill in selections for your Subscription and Resource group. Set the Location to the same location as the VNet you'll be using. Choose a Name for the endpoint, and for Target sub-resources select API.

    2. Next, select the Virtual network and Subnet you want to use to deploy the endpoint.

    3. Lastly, select whether to Integrate with private DNS zone. You can use the default of Yes or, for help with this option, you can follow the link in the portal to learn more about private DNS integration.

    4. After filling out the configuration options, select OK to finish.

  4. This will return you to the Networking tab of the Azure Digital Twins instance setup. Verify that your new endpoint is visible under Private endpoint connections.

    Screenshot of the Azure portal showing the Networking tab of an Azure Digital Twins instance with a newly created private endpoint.

  5. Use the bottom navigation buttons to continue with the rest of instance setup.

Add a private endpoint to an existing instance

In this section, you'll enable Private Link with a private endpoint for an Azure Digital Twins instance that already exists.

  1. First, navigate to the Azure portal in a browser. Bring up your Azure Digital Twins instance by searching for its name in the portal search bar.

  2. Select Networking (preview) in the left-hand menu.

  3. Switch to the Private endpoint connections tab.

  4. Select + Private endpoint to open the Create a private endpoint setup.

    Screenshot of the Azure portal showing the Networking page for an existing Azure Digital Twins instance, highlighting how to create private endpoints.

  5. In the Basics tab, enter or select the Subscription and Resource group of your project, and a Name and Region for your endpoint. The region needs to be the same as the region for the VNet you're using.

    Screenshot of the Azure portal showing the first (Basics) tab of the Create a private endpoint dialog. It contains the fields described above.

    When you're finished, select the Next : Resource > button to go to the next tab.

  6. In the Resource tab, enter or select this information:

    • Connection method: Select Connect to an Azure resource in my directory to search for your Azure Digital Twins instance.
    • Subscription: Enter your subscription.
    • Resource type: Select Microsoft.DigitalTwins/digitalTwinsInstances
    • Resource: Select the name of your Azure Digital Twins instance.
    • Target sub-resource: Select API.

    Screenshot of the Azure portal showing the second (Resource) tab of the Create a private endpoint dialog. It contains the fields described above.

    When you're finished, select the Next : Configuration > button to go to the next tab.

  7. In the Configuration tab, enter or select this information:

    • Virtual network: Select your virtual network.
    • Subnet: Choose a subnet from your virtual network.
    • Integrate with private DNS zone: Choose whether to integrate the endpoint with a private DNS zone. You can keep the default of Yes or, for help with this option, follow the link in the portal to learn more about private DNS integration. If you select Yes, you can leave the default configuration information.

    Screenshot of the Azure portal showing the third (Configuration) tab of the Create a private endpoint dialog. It contains the fields described above.

    When you're finished, you can select the Review + create button to finish setup.

  8. In the Review + create tab, review your selections and select the Create button.

When the endpoint is finished deploying, it should show up in the private endpoint connections for your Azure Digital Twins instance.
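The article notes that an endpoint can also be added to an existing instance from the Azure CLI but shows only the portal steps; the script below is the CLI equivalent, added here as an example and not taken from the Azure docs. Resource names and the subscription ID are placeholders, and the private DNS zone name privatelink.digitaltwins.azure.net is an assumption to check against the current Azure private DNS zone table.

```shell
#!/usr/bin/env bash
# Added example, not from the Azure docs: Azure CLI equivalent of the portal steps
# above. Names are placeholders; the private DNS zone name is an assumption.
set -eu

ADT_SUBSCRIPTION_ID="${ADT_SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"
ADT_RG="${ADT_RG:-adt-rg}"; ADT_LOCATION="${ADT_LOCATION:-eastus}"
ADT_NAME="${ADT_NAME:-my-adt-instance}"
ADT_VNET="${ADT_VNET:-adt-vnet}"; ADT_SUBNET="${ADT_SUBNET:-pe-subnet}"
ADT_PE_NAME="${ADT_PE_NAME:-${ADT_NAME}-pe}"
ADT_DNS_ZONE="privatelink.digitaltwins.azure.net"   # assumed zone name

# With DRY_RUN=1 each command is printed instead of executed.
run() { if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# ARM ID of the instance (same Resource type as the portal's Resource tab).
adt_resource_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.DigitalTwins/digitalTwinsInstances/%s' \
    "$ADT_SUBSCRIPTION_ID" "$ADT_RG" "$ADT_NAME"
}

# Basics + Resource + Configuration tabs: endpoint in the VNet/subnet, in the
# VNet's region, targeting the instance's API sub-resource.
create_private_endpoint() {
  run az network private-endpoint create \
    --name "$ADT_PE_NAME" --resource-group "$ADT_RG" --location "$ADT_LOCATION" \
    --vnet-name "$ADT_VNET" --subnet "$ADT_SUBNET" \
    --private-connection-resource-id "$(adt_resource_id)" \
    --group-id API \
    --connection-name "${ADT_PE_NAME}-connection"
}

# "Integrate with private DNS zone": zone, VNet link, and a zone group so the
# instance hostname resolves to the endpoint's private IP inside the VNet.
integrate_private_dns() {
  run az network private-dns zone create --resource-group "$ADT_RG" --name "$ADT_DNS_ZONE"
  run az network private-dns link vnet create --resource-group "$ADT_RG" \
    --zone-name "$ADT_DNS_ZONE" --name "${ADT_VNET}-link" \
    --virtual-network "$ADT_VNET" --registration-enabled false
  run az network private-endpoint dns-zone-group create --resource-group "$ADT_RG" \
    --endpoint-name "$ADT_PE_NAME" --name default \
    --private-dns-zone "$ADT_DNS_ZONE" --zone-name digitaltwins
}

# Review with DRY_RUN=1 first; set ADT_APPLY=1 to run against the subscription.
if [ "${ADT_APPLY:-0}" = "1" ]; then
  create_private_endpoint
  integrate_private_dns
fi
```

After the run, the connection should appear under the instance's Private endpoint connections tab exactly as in the portal flow.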

Manage private endpoint connections

In this section, you'll see how to view, edit, and delete a private endpoint after it's been created.

Once a private endpoint has been created for your Azure Digital Twins instance, you can view it in the Networking (preview) tab for your Azure Digital Twins instance. This page will show all the private endpoint connections associated with the instance.

Screenshot of the Azure portal showing the Networking page for an existing Azure Digital Twins instance with one private endpoint.

Select the endpoint to view its information in detail, make changes to its configuration settings, or delete the connection.

Tip

The endpoint can also be viewed from the Private Link Center in the Azure portal.

Disable / enable public network access flags

You can configure your Azure Digital Twins instance to deny all public connections and allow only connections through private endpoints, to enhance network security. This is controlled with a public network access flag.

This policy allows you to restrict API access to Private Link connections only. When the public network access flag is set to disabled, all REST API calls to the Azure Digital Twins instance data plane from the public cloud will be rejected with HTTP 403. Conversely, when the flag is set to disabled and a request is made through a private endpoint, the API call will succeed.

You can update the value of the network flag using the Azure portal, the Azure CLI, or the ARMClient command-line tool.

To disable or enable public network access in the Azure portal, open the portal and navigate to your Azure Digital Twins instance.

  1. Select Networking (preview) in the left-hand menu.

  2. In the Public access tab, set Allow public network access to either Disabled or All networks.

    Select Save.
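Setting the same flag from the Azure CLI instead of the portal, and reading it back as a pipeline gate, as an added example that is not from the Azure docs. It assumes the azure-iot extension's az dt commands accept --public-network-access with Enabled/Disabled and that az dt show reports properties.publicNetworkAccess; resource names are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the Azure docs: set and verify the public network
# access flag from the Azure CLI. Assumes `az dt` (azure-iot extension) with a
# --public-network-access option taking Enabled/Disabled; names are placeholders.
set -eu

ADT_RG="${ADT_RG:-adt-rg}"
ADT_NAME="${ADT_NAME:-my-adt-instance}"

# With DRY_RUN=1 each command is printed instead of executed.
run() { if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Portal "Allow public network access": Disabled = Private Link only,
# Enabled = All networks. Any other value is rejected before calling Azure.
set_public_network_access() {
  mode="$1"
  case "$mode" in
    Disabled|Enabled) ;;
    *) echo "expected Disabled or Enabled, got: $mode" >&2; return 2 ;;
  esac
  # az dt create on an existing instance updates it in place (assumed).
  run az dt create --dt-name "$ADT_NAME" --resource-group "$ADT_RG" \
    --public-network-access "$mode"
}

# Read the effective value back rather than trusting that the write succeeded.
get_public_network_access() {
  run az dt show --dt-name "$ADT_NAME" --resource-group "$ADT_RG" \
    --query properties.publicNetworkAccess --output tsv
}

# Gate for a deployment pipeline: succeeds only when public access is off.
assert_private_only() {
  [ "$(get_public_network_access)" = "Disabled" ]
}
```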

Next steps

Learn more about Private Link for Azure: