Quickstart: Create a private endpoint using Azure CLI

Private Endpoint is the fundamental building block for Private Link in Azure. It enables Azure resources, like virtual machines (VMs), to communicate privately with Private Link Resources. In this Quickstart, you will learn how to create a VM on a virtual network, a SQL Database Server with a Private Endpoint using Azure CLI. Then, you can access the VM to and securely access the private link resource (a private Azure SQL Database server in this example).

Use Azure Cloud Shell

Azure hosts Azure Cloud Shell, an interactive shell environment that you can use through your browser. You can use either Bash or PowerShell with Cloud Shell to work with Azure services. You can use the Cloud Shell preinstalled commands to run the code in this article without having to install anything on your local environment.

To start Azure Cloud Shell:

Option Example/Link
Select Try It in the upper-right corner of a code block. Selecting Try It doesn't automatically copy the code to Cloud Shell. Example of Try It for Azure Cloud Shell
Go to https://shell.azure.com, or select the Launch Cloud Shell button to open Cloud Shell in your browser. Launch Cloud Shell in a new window
Select the Cloud Shell button on the menu bar at the upper right in the Azure portal. Cloud Shell button in the Azure portal

To run the code in this article in Azure Cloud Shell:

  1. Start Cloud Shell.

  2. Select the Copy button on a code block to copy the code.

  3. Paste the code into the Cloud Shell session by selecting Ctrl+Shift+V on Windows and Linux or by selecting Cmd+Shift+V on macOS.

  4. Select Enter to run the code.

If you decide to install and use Azure CLI locally instead, this quickstart requires you to use Azure CLI version 2.0.28 or later. To find your installed version, run az --version. See Install Azure CLI for install or upgrade info.

Create a resource group

Before you can create any resource, you have to create a resource group to host the Virtual Network. Create a resource group with az group create. This example creates a resource group named myResourceGroup in the westcentralus location:

az group create --name myResourceGroup --location westcentralus

Create a Virtual Network

Create a Virtual Network with az network vnet create. This example creates a default Virtual Network named myVirtualNetwork with one subnet named mySubnet:

az network vnet create \
 --name myVirtualNetwork \
 --resource-group myResourceGroup \
 --subnet-name mySubnet

Disable subnet private endpoint policies

Azure deploys resources to a subnet within a virtual network, so you need to create or update the subnet to disable private endpoint network policies. Update a subnet configuration named mySubnet with az network vnet subnet update:

az network vnet subnet update \
 --name mySubnet \
 --resource-group myResourceGroup \
 --vnet-name myVirtualNetwork \
 --disable-private-endpoint-network-policies true

Create the VM

Create a VM with az vm create. When prompted, provide a password to be used as the sign-in credentials for the VM. This example creates a VM named myVm:

az vm create \
  --resource-group myResourceGroup \
  --name myVm \
  --image Win2019Datacenter

Note the public IP address of the VM. You will use this address to connect to the VM from the internet in the next step.

Create a SQL Database Server

Create a SQL Database Server with the az sql server create command. Remember that the name of your SQL Server must be unique across Azure, so replace the placeholder value in brackets with your own unique value:

# Create a logical server in the resource group 
az sql server create \ 
    --name "myserver"\ 
    --resource-group myResourceGroup \ 
    --location WestUS \ 
    --admin-user "sqladmin" \ 
    --admin-password "CHANGE_PASSWORD_1" 
# Create a database in the server with zone redundancy as false 
az sql db create \ 
    --resource-group myResourceGroup  \ 
    --server myserver \ 
    --name mySampleDatabase \ 
    --sample-name AdventureWorksLT \ 
    --edition GeneralPurpose \ 
    --family Gen4 \ 
    --capacity 1 

Note the SQL Server ID is similar to /subscriptions/subscriptionId/resourceGroups/myResourceGroup/providers/Microsoft.Sql/servers/myserver. You will use the SQL Server ID in the next step.

Create the Private Endpoint

Create a private endpoint for the SQL Database server in your Virtual Network:

az network private-endpoint create \  
    --name myPrivateEndpoint \  
    --resource-group myResourceGroup \  
    --vnet-name myVirtualNetwork  \  
    --subnet mySubnet \  
    --private-connection-resource-id "<SQL Server ID>" \  
    --group-ids sqlServer \  
    --connection-name myConnection  

Configure the Private DNS Zone

Create a Private DNS Zone for SQL Database server domain and create an association link with the Virtual Network.

az network private-dns zone create --resource-group myResourceGroup \ 
   --name  "privatelink.database.windows.net" 
az network private-dns link vnet create --resource-group myResourceGroup \ 
   --zone-name  "privatelink.database.windows.net"\ 
   --name MyDNSLink \ 
   --virtual-network myVirtualNetwork \ 
   --registration-enabled false 

#Query for the network interface ID  
networkInterfaceId=$(az network private-endpoint show --name myPrivateEndpoint --resource-group myResourceGroup --query 'networkInterfaces[0].id' -o tsv)
az resource show --ids $networkInterfaceId --api-version 2019-04-01 -o json 
# Copy the content for privateIPAddress and FQDN matching the SQL server name 
#Create DNS records 
az network private-dns record-set a create --name myserver --zone-name privatelink.database.windows.net --resource-group myResourceGroup  
az network private-dns record-set a add-record --record-set-name myserver --zone-name privatelink.database.windows.net --resource-group myResourceGroup -a <Private IP Address>

Connect to a VM from the internet

Connect to the VM myVm from the internet as follows:

  1. In the portal's search bar, enter myVm.

  2. Select the Connect button. After selecting the Connect button, Connect to virtual machine opens.

  3. Select Download RDP File. Azure creates a Remote Desktop Protocol (.rdp) file and downloads it to your computer.

  4. Open the downloaded.rdp* file.

    1. If prompted, select Connect.

    2. Enter the username and password you specified when creating the VM.


      You may need to select More choices > Use a different account, to specify the credentials you entered when you created the VM.

  5. Select OK.

  6. You may receive a certificate warning during the sign-in process. If you receive a certificate warning, select Yes or Continue.

  7. Once the VM desktop appears, minimize it to go back to your local desktop.

Access SQL Database Server privately from the VM

In this section, you will connect to the SQL Database Server from the VM using the Private Endpoint.

  1. In the Remote Desktop of myVM, open PowerShell.
  2. Enter nslookup myserver.database.windows.net  You'll receive a message similar to this:
      Server:  UnKnown 
      Non-authoritative answer: 
      Name:    myserver.privatelink.database.windows.net 
      Aliases:  myserver.database.windows.net 
  1. Install SQL Server Management Studio

  2. In Connect to server, enter or select this information: Server type: Select Database Engine. Server name: Select myserver.database.windows.net Username: Enter a username provided during creation. Password: Enter a password provided during creation. Remember password: Select Yes.

  3. Select Connect.

  4. Browse Databases from left menu.

  5. (Optionally) Create or query information from mydatabase

  6. Close the remote desktop connection to myVm.

Clean up resources

When no longer needed, you can use az group delete to remove the resource group and all the resources it has:

az group delete --name myResourceGroup --yes 

Next steps