Create a private endpoint using Azure PowerShell

A Private Endpoint is the fundamental building block for private link in Azure. It enables Azure resources, like Virtual Machines (VMs), to communicate privately with private link resources.

In this Quickstart, you use Azure PowerShell to create a VM in an Azure Virtual Network and a SQL Database server that is reachable through an Azure private endpoint. You then connect to the SQL Database server from the VM over the private endpoint, so that the connection stays on the virtual network instead of going to the server's public endpoint.

Use Azure Cloud Shell

Azure hosts Azure Cloud Shell, an interactive shell environment that you can use through your browser. You can use either Bash or PowerShell with Cloud Shell to work with Azure services. You can use the Cloud Shell preinstalled commands to run the code in this article without having to install anything on your local environment.

To start Azure Cloud Shell:

  - Select Try It in the upper-right corner of a code block. Selecting Try It doesn't automatically copy the code to Cloud Shell.
  - Open Cloud Shell in its own browser tab, or select the Launch Cloud Shell button to open Cloud Shell in your browser.
  - Select the Cloud Shell button on the menu bar at the upper right in the Azure portal.

To run the code in this article in Azure Cloud Shell:

  1. Start Cloud Shell.

  2. Select the Copy button on a code block to copy the code.

  3. Paste the code into the Cloud Shell session by selecting Ctrl+Shift+V on Windows and Linux or by selecting Cmd+Shift+V on macOS.

  4. Select Enter to run the code.

Create a resource group

Before you can create your resources, you must create a resource group that hosts the Virtual Network and the private endpoint with New-AzResourceGroup. The following example creates a resource group named myResourceGroup in the West Central US location (westcentralus); the rest of this article uses the same location for every resource:

New-AzResourceGroup `
  -ResourceGroupName myResourceGroup `
  -Location westcentralus

Create a Virtual Network

In this section, you create a virtual network and a subnet. Next, you associate the subnet to your Virtual Network.

Create a Virtual Network

Create a Virtual Network for your private endpoint with New-AzVirtualNetwork. The following example creates a Virtual Network named myVirtualNetwork. The -AddressPrefix parameter is required; replace <vnetAddressPrefix> with the IPv4 address space you want the network to use (it must not overlap any network you plan to peer or route to):

$virtualNetwork = New-AzVirtualNetwork `
  -ResourceGroupName myResourceGroup `
  -Location westcentralus `
  -Name myVirtualNetwork `
  -AddressPrefix <vnetAddressPrefix>

Add a Subnet

Azure deploys resources to a subnet within a Virtual Network, so you need to create a subnet. Create a subnet configuration named mySubnet with Add-AzVirtualNetworkSubnetConfig. The following example creates a subnet named mySubnet with the private endpoint network policy flag set to Disabled. Replace <subnetAddressPrefix> with a range inside the Virtual Network's address space:

$subnetConfig = Add-AzVirtualNetworkSubnetConfig `
  -Name mySubnet `
  -AddressPrefix <subnetAddressPrefix> `
  -PrivateEndpointNetworkPoliciesFlag "Disabled" `
  -VirtualNetwork $virtualNetwork


It's easy to confuse the PrivateEndpointNetworkPoliciesFlag parameter with another available flag, PrivateLinkServiceNetworkPoliciesFlag, because both are long and look alike. Make sure you are using the right one, PrivateEndpointNetworkPoliciesFlag. Be aware of what disabling it means: with private endpoint network policies disabled, network security group rules and user-defined routes on the subnet are not applied to traffic destined for a private endpoint in that subnet. They still apply to the VM's network interface, which is the only other resource placed in mySubnet in this article.

Associate the Subnet to the Virtual Network

You can write the subnet configuration to the Virtual Network with Set-AzVirtualNetwork. This command creates the subnet:

$virtualNetwork | Set-AzVirtualNetwork

Create a Virtual Machine

Create a VM in the Virtual Network with New-AzVM. When you run the next command, you're prompted for credentials. Enter a user name and password for the VM. Note that -PublicIpAddressName gives the VM a public IP and -OpenPorts 80,3389 adds inbound rules allowing HTTP and RDP from any source to the new network security group; that is convenient for a quickstart, but it exposes RDP to the internet, so restrict the source address (or remove the public IP and use a bastion host) before keeping the VM for longer than this exercise:

New-AzVm `
    -ResourceGroupName "myResourceGroup" `
    -Name "myVm" `
    -Location "westcentralus" `
    -VirtualNetworkName "myVirtualNetwork" `
    -SubnetName "mySubnet" `
    -SecurityGroupName "myNetworkSecurityGroup" `
    -PublicIpAddressName "myPublicIpAddress" `
    -OpenPorts 80,3389 `
    -AsJob

The -AsJob option creates the VM in the background. You can continue to the next step.

When Azure starts creating the VM in the background, you'll get something like this back:

Id     Name            PSJobTypeName   State         HasMoreData     Location             Command
--     ----            -------------   -----         -----------     --------             -------
1      Long Running... AzureLongRun... Running       True            localhost            New-AzVM
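The following is an added example, not part of the original quickstart, showing how to tighten the network security group that New-AzVM created with -OpenPorts 80,3389 once the VM job has finished. It assumes the resource names used above; the administrator source address 203.0.113.10/32 is a placeholder and must be replaced with the public IP address you actually connect from. Rules are matched on destination port rather than on name, because the names New-AzVM generates are an implementation detail.

```powershell
# Added example (not from the original quickstart): restrict the NSG created by New-AzVM.
# Assumes the resource names used above. $adminSourceIp is a placeholder value.
$rgName        = "myResourceGroup"
$nsgName       = "myNetworkSecurityGroup"
$adminSourceIp = "203.0.113.10/32"   # assumption: replace with your workstation's public IP

$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rgName -Name $nsgName

# Iterate over a copy of the rule list, since Remove-AzNetworkSecurityRuleConfig
# mutates $nsg.SecurityRules while we loop.
foreach ($rule in @($nsg.SecurityRules)) {
    if ($rule.Direction -ne "Inbound" -or $rule.Access -ne "Allow") { continue }

    if ($rule.DestinationPortRange -contains "3389") {
        # Keep RDP, but only from the administrator's address instead of any source.
        Set-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg `
            -Name $rule.Name `
            -Priority $rule.Priority `
            -Direction Inbound -Access Allow -Protocol Tcp `
            -SourceAddressPrefix $adminSourceIp -SourcePortRange * `
            -DestinationAddressPrefix * -DestinationPortRange 3389 | Out-Null
    }
    elseif ($rule.DestinationPortRange -contains "80") {
        # Nothing in this quickstart serves HTTP, so the port 80 rule is removed outright.
        Remove-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name $rule.Name | Out-Null
    }
}

# Commit the modified rule set to Azure and show the inbound rules that remain.
$nsg = $nsg | Set-AzNetworkSecurityGroup
$nsg.SecurityRules |
    Where-Object { $_.Direction -eq "Inbound" } |
    Select-Object Name, Priority, Access, Protocol, SourceAddressPrefix, DestinationPortRange |
    Format-Table -AutoSize
```

Run this after the New-AzVM job reports Completed (Get-Job shows the state). Nothing in the later steps needs port 80, and the RDP connection in the "Connect to a VM from the internet" section still works from the address you supplied.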

Create a SQL Database Server

Create a SQL Database server by using the New-AzSqlServer command, then create a database on it with New-AzSqlDatabase. The name of a SQL Database server must be unique across Azure, so replace myserver with your own unique value everywhere it appears. For brevity this quickstart puts the administrator password in a plaintext variable; outside a throwaway test, prompt for the credential (for example with Get-Credential) or read it from a key vault rather than leaving it in a script or in shell history:

$adminSqlLogin = "SqlAdmin"
$password = "ChangeYourAdminPassword1"

$server = New-AzSqlServer -ResourceGroupName "myResourceGroup" `
    -ServerName "myserver" `
    -Location "WestCentralUS" `
    -SqlAdministratorCredentials $(New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $adminSqlLogin, $(ConvertTo-SecureString -String $password -AsPlainText -Force))

New-AzSqlDatabase -ResourceGroupName "myResourceGroup" `
    -ServerName "myserver" `
    -DatabaseName "mydatabase" `
    -RequestedServiceObjectiveName "S0" `
    -SampleName "AdventureWorksLT"

Create a Private Endpoint

Create a private endpoint for the SQL Database server in your Virtual Network. First describe the connection to the target resource with New-AzPrivateLinkServiceConnection (the sqlServer group ID selects the server's SQL endpoint), then create the endpoint in mySubnet with New-AzPrivateEndpoint:

$privateEndpointConnection = New-AzPrivateLinkServiceConnection -Name "myConnection" `
  -PrivateLinkServiceId $server.ResourceId `
  -GroupId "sqlServer"
$virtualNetwork = Get-AzVirtualNetwork -ResourceGroupName "myResourceGroup" -Name "myVirtualNetwork"
$subnet = $virtualNetwork `
  | Select -ExpandProperty subnets `
  | Where-Object {$_.Name -eq 'mySubnet'}
$privateEndpoint = New-AzPrivateEndpoint -ResourceGroupName "myResourceGroup" `
  -Name "myPrivateEndpoint" `
  -Location "westcentralus" `
  -Subnet $subnet `
  -PrivateLinkServiceConnection $privateEndpointConnection

Configure the Private DNS Zone

Create a private DNS zone for the SQL Database privatelink domain and link it to the virtual network. Once a private endpoint exists, the server's public name (myserver.database.windows.net) resolves to a CNAME in privatelink.database.windows.net; the A record you add to the private zone below makes that name resolve to the endpoint's private IP address for clients inside the linked virtual network, while clients elsewhere still get the public address. The loop reads the private IP and the fully qualified names from the private endpoint's network interface, so no addresses are hard-coded:

$zone = New-AzPrivateDnsZone -ResourceGroupName "myResourceGroup" `
  -Name "privatelink.database.windows.net"
$link = New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName "myResourceGroup" `
  -ZoneName "privatelink.database.windows.net" `
  -Name "mylink" `
  -VirtualNetworkId $virtualNetwork.Id
$networkInterface = Get-AzResource -ResourceId $privateEndpoint.NetworkInterfaces[0].Id -ApiVersion "2019-04-01"
foreach ($ipconfig in $networkInterface.properties.ipConfigurations) {
  foreach ($fqdn in $ipconfig.properties.privateLinkConnectionProperties.fqdns) {
    Write-Host "$($ipconfig.properties.privateIPAddress) $($fqdn)"
    $recordName = $fqdn.split('.',2)[0]
    $dnsZone = $fqdn.split('.',2)[1]
    New-AzPrivateDnsRecordSet -Name $recordName -RecordType A -ZoneName "privatelink.database.windows.net" `
      -ResourceGroupName "myResourceGroup" -Ttl 600 `
      -PrivateDnsRecords (New-AzPrivateDnsRecordConfig -IPv4Address $ipconfig.properties.privateIPAddress)
  }
}
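The following added example (not part of the original quickstart) checks, from the management side, that the private endpoint and DNS zone created above are wired correctly, and then closes the path that a private endpoint does not close on its own: the server's public endpoint. A private endpoint adds a private IP for the server; it does not disable the public one, so until public network access is turned off the server still accepts connections from any address allowed by its firewall rules. The example assumes the resource names used above and reads everything else back from Azure.

```powershell
# Added example (not from the original quickstart): verify the private endpoint wiring
# and disable public network access on the SQL server. Assumes the names used above.
$rgName     = "myResourceGroup"
$serverName = "myserver"
$peName     = "myPrivateEndpoint"
$zoneName   = "privatelink.database.windows.net"

$server = Get-AzSqlServer -ResourceGroupName $rgName -ServerName $serverName
$pe     = Get-AzPrivateEndpoint -ResourceGroupName $rgName -Name $peName

# 1. The endpoint-to-server connection must be Approved; otherwise packets sent to the
#    private IP are dropped even though the NIC and DNS record exist.
$state = $pe.PrivateLinkServiceConnections[0].PrivateLinkServiceConnectionState.Status
if ($state -ne "Approved") {
    throw "Private endpoint connection is '$state', expected 'Approved'."
}

# 2. The A record in the private zone must match the private IP on the endpoint's NIC.
$nic       = Get-AzNetworkInterface -ResourceId $pe.NetworkInterfaces[0].Id
$privateIp = $nic.IpConfigurations[0].PrivateIpAddress
$fqdn      = $nic.IpConfigurations[0].PrivateLinkConnectionProperties.Fqdns[0]
$record    = Get-AzPrivateDnsRecordSet -ResourceGroupName $rgName -ZoneName $zoneName `
                 -Name $fqdn.Split('.', 2)[0] -RecordType A
if ($record.Records.Ipv4Address -notcontains $privateIp) {
    throw "A record for $fqdn is $($record.Records.Ipv4Address -join ','), but the NIC has $privateIp."
}

# 3. Close the public endpoint so only private link traffic reaches the server.
Set-AzSqlServer -ResourceGroupName $rgName -ServerName $serverName `
    -PublicNetworkAccess "Disabled" | Out-Null

# Summarise what was verified and changed.
[pscustomobject]@{
    Server              = $server.FullyQualifiedDomainName
    PrivateLinkFqdn     = $fqdn
    PrivateEndpointIp   = $privateIp
    ConnectionState     = $state
    PublicNetworkAccess = (Get-AzSqlServer -ResourceGroupName $rgName -ServerName $serverName).PublicNetworkAccess
}
```

With public network access disabled, a connection attempt from outside the virtual network (for example, from SQL Server Management Studio on your workstation) is rejected by the server, while the connection from myVm in the later section continues to work because it resolves the server name to the private IP.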

Connect to a VM from the internet

Use Get-AzPublicIpAddress to return the public IP address of a VM. This example returns the public IP address of the VM named myVm:

Get-AzPublicIpAddress `
  -Name myPublicIpAddress `
  -ResourceGroupName myResourceGroup `
  | Select IpAddress 

If you've been running these commands from a PowerShell prompt on your local computer, and you're using the Az PowerShell module version 1.0 or later, you can continue in that interface.

Open a command prompt on your local computer. Run the mstsc command. Replace <publicIpAddress> with the public IP address returned from the last step:

mstsc /v:<publicIpAddress>

  1. If prompted, select Connect.
  2. Enter the user name and password you specified when creating the VM. You may need to select More choices > Use a different account to specify those credentials.
  3. Select OK.
  4. You may receive a certificate warning, because a newly created VM presents a self-signed RDP certificate. If you do, select Yes or Continue.

Access SQL Database Server privately from the VM

  1. In the Remote Desktop of myVm, open PowerShell.

  2. Enter nslookup myserver.database.windows.net (use your own server name).

    You'll receive a message similar to this:

    Server:  UnKnown
    Non-authoritative answer:

    Check that the name returned is the privatelink alias of your server (myserver.privatelink.database.windows.net) and that the address is a private IP from mySubnet, not a public address. If a public address comes back, the private DNS zone is not linked to the virtual network or the A record was not created, and the connection in the next steps would use the server's public endpoint instead of the private endpoint.

  3. Install SQL Server Management Studio.

  4. In Connect to server, enter or select this information:

    Server type: Select Database Engine.
    Server name: Enter the fully qualified name of your SQL Database server (myserver.database.windows.net).
    Username: Enter the user name you provided during creation.
    Password: Enter the password you provided during creation.
    Remember password: Select Yes.

  5. Select Connect.

  6. Browse Databases from the left menu.

  7. (Optionally) Create or query information in mydatabase.

  8. Close the remote desktop connection to myVm.
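The following added example (not part of the original quickstart) automates the check behind steps 2 and 5 from inside myVm: it resolves the server name, confirms the answer goes through the privatelink CNAME to an address inside the virtual network, and tests that TCP 1433 is reachable at that address. It assumes the server name used above; the virtual network prefix 10.0.0.0/16 is an assumption and must be set to the address space you chose for myVirtualNetwork. Resolve-DnsName and Test-NetConnection are the Windows PowerShell cmdlets available on the Windows Server image New-AzVM deploys by default.

```powershell
# Added example (not from the original quickstart): run inside myVm to confirm that the
# SQL server name resolves to the private endpoint and that port 1433 is reachable there.
$serverFqdn = "myserver.database.windows.net"
$vnetCidr   = "10.0.0.0/16"      # assumption: replace with the address prefix of myVirtualNetwork

function Test-InCidr([string]$Ip, [string]$Cidr) {
    # Returns $true when the IPv4 address $Ip lies inside the $Cidr block.
    $net, $bits = $Cidr.Split('/')
    $toUInt = { param($a) [BitConverter]::ToUInt32(([IPAddress]$a).GetAddressBytes()[3..0], 0) }
    $mask = if ([int]$bits -eq 0) { [uint32]0 } else { [uint32]((0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF) }
    ((& $toUInt $Ip) -band $mask) -eq ((& $toUInt $net) -band $mask)
}

# Resolve-DnsName returns the CNAME hop and the final A record in one answer set.
$answers = Resolve-DnsName -Name $serverFqdn -Type A -ErrorAction Stop
$cname   = ($answers | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1).NameHost
$ip      = ($answers | Where-Object { $_.Type -eq 'A' }     | Select-Object -First 1).IPAddress

# Control check: the public name must alias into the privatelink zone...
if ($cname -notlike '*.privatelink.database.windows.net') {
    throw "Expected a CNAME into privatelink.database.windows.net, got '$cname'"
}
# ...and the final address must be inside the virtual network, not the public endpoint.
if (-not (Test-InCidr -Ip $ip -Cidr $vnetCidr)) {
    throw "$serverFqdn resolved to $ip, outside $vnetCidr; traffic would use the public endpoint"
}

# Data-plane check: a TCP handshake on 1433 to the private IP must succeed.
$tcp = Test-NetConnection -ComputerName $ip -Port 1433 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    throw "TCP 1433 to $ip failed; check the NSG on mySubnet and the private endpoint connection state"
}

"OK: $serverFqdn -> $cname -> $ip (private), TCP 1433 reachable"
```

If the first check fails, the VM is not using a DNS server that sees the private zone (for example, a custom DNS server without forwarding to Azure DNS). If the second fails, revisit the virtual network link and the A record from the "Configure the Private DNS Zone" section. A failed TCP check with correct DNS usually means the endpoint connection is not in the Approved state.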

Clean up resources

When you're done using the private endpoint, SQL Database server and the VM, use Remove-AzResourceGroup to remove the resource group and all the resources it contains:

Remove-AzResourceGroup -Name myResourceGroup -Force

Next steps