Quickstart: Create a Private Endpoint using Azure CLI

Get started with Azure Private Link by using a Private Endpoint to connect securely to an Azure web app.

In this quickstart, you'll create a private endpoint for an Azure web app and deploy a virtual machine to test the private connection.

Private endpoints can be created for different kinds of Azure services, such as Azure SQL and Azure Storage.


Create a resource group

An Azure resource group is a logical container into which Azure resources are deployed and managed.

Create a resource group with az group create:

  • Named CreatePrivateEndpointQS-rg.
  • In the eastus location.
az group create \
    --name CreatePrivateEndpointQS-rg \
    --location eastus

Create a virtual network and bastion host

In this section, you'll create a virtual network, subnet, and bastion host.

The bastion host will be used to connect securely to the virtual machine for testing the private endpoint.

Create a virtual network with az network vnet create

  • Named myVNet.
  • Address prefix of
  • Subnet named myBackendSubnet.
  • Subnet prefix of
  • In the CreatePrivateEndpointQS-rg resource group.
  • Location of eastus.
az network vnet create \
    --resource-group CreatePrivateEndpointQS-rg\
    --location eastus \
    --name myVNet \
    --address-prefixes \
    --subnet-name myBackendSubnet \

Update the subnet to disable private endpoint network policies for the private endpoint with az network vnet subnet update:

az network vnet subnet update \
    --name myBackendSubnet \
    --resource-group CreatePrivateEndpointQS-rg \
    --vnet-name myVNet \
    --disable-private-endpoint-network-policies true

Use az network public-ip create to create a public ip address for the bastion host:

  • Create a standard zone redundant public IP address named myBastionIP.
  • In CreatePrivateEndpointQS-rg.
az network public-ip create \
    --resource-group CreatePrivateEndpointQS-rg \
    --name myBastionIP \
    --sku Standard

Use az network vnet subnet create to create a bastion subnet:

  • Named AzureBastionSubnet.
  • Address prefix of
  • In virtual network myVNet.
  • In resource group CreatePrivateEndpointQS-rg.
az network vnet subnet create \
    --resource-group CreatePrivateEndpointQS-rg \
    --name AzureBastionSubnet \
    --vnet-name myVNet \

Use az network bastion create to create a bastion host:

  • Named myBastionHost.
  • In CreatePrivateEndpointQS-rg.
  • Associated with public IP myBastionIP.
  • Associated with virtual network myVNet.
  • In eastus location.
az network bastion create \
    --resource-group CreatePrivateEndpointQS-rg \
    --name myBastionHost \
    --public-ip-address myBastionIP \
    --vnet-name myVNet \
    --location eastus

It can take a few minutes for the Azure Bastion host to deploy.

Create test virtual machine

In this section, you'll create a virtual machine that will be used to test the private endpoint.

Create a VM with az vm create. When prompted, provide a password to be used as the credentials for the VM:

  • Named myVM.
  • In CreatePrivateEndpointQS-rg.
  • In network myVNet.
  • In subnet myBackendSubnet.
  • Server image Win2019Datacenter.
az vm create \
    --resource-group CreatePrivateEndpointQS-rg \
    --name myVM \
    --image Win2019Datacenter \
    --public-ip-address "" \
    --vnet-name myVNet \
    --subnet myBackendSubnet \
    --admin-username azureuser


Azure provides an default outbound access IP for Azure Virtual Machines which aren't assigned a public IP address, or are in the backend pool of an internal Basic Azure Load Balancer. The default outbound access IP mechanism provides an outbound IP address that isn't configurable.

The default outbound access IP is disabled when a public IP address is assigned to the virtual machine or the virtual machine is placed in the backend pool of a Standard Load Balancer with or without outbound rules. If a Azure Virtual Network NAT gateway resource is assigned to the subnet of the virtual machine, the default outbound access IP is disabled.

For more information on outbound connections in Azure, see Using Source Network Address Translation (SNAT) for outbound connections.

Create private endpoint

In this section, you'll create the private endpoint.

Use az webapp list to place the resource ID of the Web app you previously created into a shell variable.

Use az network private-endpoint create to create the endpoint and connection:

  • Named myPrivateEndpoint.
  • In resource group CreatePrivateEndpointQS-rg.
  • In virtual network myVNet.
  • In subnet myBackendSubnet.
  • Connection named myConnection.
  • Your webapp <webapp-resource-group-name>.
id=$(az webapp list \
    --resource-group <webapp-resource-group-name> \
    --query '[].[id]' \
    --output tsv)

az network private-endpoint create \
    --name myPrivateEndpoint \
    --resource-group CreatePrivateEndpointQS-rg \
    --vnet-name myVNet --subnet myBackendSubnet \
    --private-connection-resource-id $id \
    --group-id sites \
    --connection-name myConnection  

Configure the private DNS zone

In this section, you'll create and configure the private DNS zone using az network private-dns zone create.

You'll use az network private-dns link vnet create to create the virtual network link to the dns zone.

You'll create a dns zone group with az network private-endpoint dns-zone-group create.

  • Zone named privatelink.azurewebsites.net
  • In virtual network myVNet.
  • In resource group CreatePrivateEndpointQS-rg.
  • DNS link named myDNSLink.
  • Associated with myPrivateEndpoint.
  • Zone group named MyZoneGroup.
az network private-dns zone create \
    --resource-group CreatePrivateEndpointQS-rg \
    --name "privatelink.azurewebsites.net"

az network private-dns link vnet create \
    --resource-group CreatePrivateEndpointQS-rg \
    --zone-name "privatelink.azurewebsites.net" \
    --name MyDNSLink \
    --virtual-network myVNet \
    --registration-enabled false

az network private-endpoint dns-zone-group create \
   --resource-group CreatePrivateEndpointQS-rg \
   --endpoint-name myPrivateEndpoint \
   --name MyZoneGroup \
   --private-dns-zone "privatelink.azurewebsites.net" \
   --zone-name webapp

Test connectivity to private endpoint

In this section, you'll use the virtual machine you created in the previous step to connect to the SQL server across the private endpoint.

  1. Sign in to the Azure portal

  2. Select Resource groups in the left-hand navigation pane.

  3. Select CreatePrivateEndpointQS-rg.

  4. Select myVM.

  5. On the overview page for myVM, select Connect then Bastion.

  6. Select the blue Use Bastion button.

  7. Enter the username and password that you entered during the virtual machine creation.

  8. Open Windows PowerShell on the server after you connect.

  9. Enter nslookup <your-webapp-name>.azurewebsites.net. Replace <your-webapp-name> with the name of the web app you created in the previous steps. You'll receive a message similar to what is displayed below:

    Server:  UnKnown
    Non-authoritative answer:
    Name:    mywebapp8675.privatelink.azurewebsites.net
    Aliases:  mywebapp8675.azurewebsites.net

    A private IP address of is returned for the web app name. This address is in the subnet of the virtual network you created previously.

  10. In the bastion connection to myVM, open Internet Explorer.

  11. Enter the url of your web app, https://<your-webapp-name>.azurewebsites.net.

  12. You'll receive the default web app page if your application hasn't been deployed:

    Default web app page.

  13. Close the connection to myVM.

Clean up resources

When you're done using the private endpoint and the VM, use az group delete to remove the resource group and all the resources it has:

az group delete \
    --name CreatePrivateEndpointQS-rg

Next steps

In this quickstart, you created a:

  • Virtual network and bastion host.
  • Virtual machine.
  • Private endpoint for an Azure Web App.

You used the virtual machine to test connectivity securely to the web app across the private endpoint.

For more information on the services that support a private endpoint, see: