Quickstart: Create a private endpoint by using Azure PowerShell

Get started with Azure Private Link by using a private endpoint to connect securely to an Azure web app.

In this quickstart, you'll create a private endpoint for an Azure web app and then create and deploy a virtual machine (VM) to test the private connection.

You can create private endpoints for various Azure services, such as Azure SQL and Azure Storage.


  • An Azure account with an active subscription. If you don't already have an Azure account, create an account for free.

  • An Azure web app with a PremiumV2-tier or higher app service plan, deployed in your Azure subscription.

If you choose to install and use PowerShell locally, this article requires the Azure PowerShell module version 5.4.1 or later. To find the installed version, run Get-Module -ListAvailable Az. If you need to upgrade, see Install the Azure PowerShell module. If you're running PowerShell locally, you also need to run Connect-AzAccount to create a connection with Azure.

Create a resource group

An Azure resource group is a logical container where Azure resources are deployed and managed.

Create a resource group with New-AzResourceGroup:

New-AzResourceGroup -Name 'CreatePrivateEndpointQS-rg' -Location 'eastus'

Create a virtual network and bastion host

A virtual network and subnet is required for to host the private IP address for the private endpoint. You'll create a bastion host to connect securely to the virtual machine to test the private endpoint. You'll create the virtual machine in a later section.

In this section, you'll:

## Configure the back-end subnet. ##
$subnetConfig = New-AzVirtualNetworkSubnetConfig -Name myBackendSubnet -AddressPrefix

## Create the Azure Bastion subnet. ##
$bastsubnetConfig = New-AzVirtualNetworkSubnetConfig -Name AzureBastionSubnet -AddressPrefix

## Create the virtual network. ##
$net = @{
    Name = 'MyVNet'
    ResourceGroupName = 'CreatePrivateEndpointQS-rg'
    Location = 'eastus'
    AddressPrefix = ''
    Subnet = $subnetConfig, $bastsubnetConfig
$vnet = New-AzVirtualNetwork @net

## Create the public IP address for the bastion host. ##
$ip = @{
    Name = 'myBastionIP'
    ResourceGroupName = 'CreatePrivateEndpointQS-rg'
    Location = 'eastus'
    Sku = 'Standard'
    AllocationMethod = 'Static'
    Zone = 1,2,3
$publicip = New-AzPublicIpAddress @ip

## Create the bastion host. ##
$bastion = @{
    ResourceGroupName = 'CreatePrivateEndpointQS-rg'
    Name = 'myBastion'
    PublicIpAddress = $publicip
    VirtualNetwork = $vnet
New-AzBastion @bastion -AsJob

Create a private endpoint

An Azure service that supports private endpoints is required to set up the private endpoint and connection to the virtual network. For the examples in this article, we're using an Azure WebApp from the prerequisites. For more information on the Azure services that support a private endpoint, see Azure Private Link availability.

A private endpoint can have a static or dynamically assigned IP address.


You must have a previously deployed Azure WebApp to proceed with the steps in this article. For more information, see Prerequisites.

In this section, you'll:

## Place the previously created webapp into a variable. ##
$webapp = Get-AzWebApp -ResourceGroupName CreatePrivateEndpointQS-rg -Name myWebApp1979

## Create the private endpoint connection. ## 
$pec = @{
    Name = 'myConnection'
    PrivateLinkServiceId = $webapp.ID
    GroupID = 'sites'
$privateEndpointConnection = New-AzPrivateLinkServiceConnection @pec

## Place the virtual network you created previously into a variable. ##
$vnet = Get-AzVirtualNetwork -ResourceGroupName 'CreatePrivateEndpointQS-rg' -Name 'myVNet'

## Create the private endpoint. ##
$pe = @{
    ResourceGroupName = 'CreatePrivateEndpointQS-rg'
    Name = 'myPrivateEndpoint'
    Location = 'eastus'
    Subnet = $vnet.Subnets[0]
    PrivateLinkServiceConnection = $privateEndpointConnection
New-AzPrivateEndpoint @pe

Configure the private DNS zone

A private DNS zone is used to resolve the DNS name of the private endpoint in the virtual network. For this example, we're using the DNS information for an Azure WebApp, for more information on the DNS configuration of private endpoints, see Azure Private Endpoint DNS configuration.

In this section, you'll:

## Place the virtual network into a variable. ##
$vnet = Get-AzVirtualNetwork -ResourceGroupName 'CreatePrivateEndpointQS-rg' -Name 'myVNet'

## Create the private DNS zone. ##
$zn = @{
    ResourceGroupName = 'CreatePrivateEndpointQS-rg'
    Name = 'privatelink.azurewebsites.net'
$zone = New-AzPrivateDnsZone @zn

## Create a DNS network link. ##
$lk = @{
    ResourceGroupName = 'CreatePrivateEndpointQS-rg'
    ZoneName = 'privatelink.azurewebsites.net'
    Name = 'myLink'
    VirtualNetworkId = $vnet.Id
$link = New-AzPrivateDnsVirtualNetworkLink @lk

## Configure the DNS zone. ##
$cg = @{
    Name = 'privatelink.azurewebsites.net'
    PrivateDnsZoneId = $zone.ResourceId
$config = New-AzPrivateDnsZoneConfig @cg

## Create the DNS zone group. ##
$zg = @{
    ResourceGroupName = 'CreatePrivateEndpointQS-rg'
    PrivateEndpointName = 'myPrivateEndpoint'
    Name = 'myZoneGroup'
    PrivateDnsZoneConfig = $config
New-AzPrivateDnsZoneGroup @zg

Create a test virtual machine

To verify the static IP address and the functionality of the private endpoint, a test virtual machine connected to your virtual network is required.

In this section, you'll:

## Create the credential for the virtual machine. Enter a username and password at the prompt. ##
$cred = Get-Credential

## Place the virtual network into a variable. ##
$vnet = Get-AzVirtualNetwork -Name myVNet -ResourceGroupName CreatePrivateEndpointQS-rg

## Create a network interface for the virtual machine. ##
$nic = @{
    Name = 'myNicVM'
    ResourceGroupName = 'CreatePrivateEndpointQS-rg'
    Location = 'eastus'
    Subnet = $vnet.Subnets[0]
$nicVM = New-AzNetworkInterface @nic

## Create the configuration for the virtual machine. ##
$vm1 = @{
    VMName = 'myVM'
    VMSize = 'Standard_DS1_v2'
$vm2 = @{
    ComputerName = 'myVM'
    Credential = $cred
$vm3 = @{
    PublisherName = 'MicrosoftWindowsServer'
    Offer = 'WindowsServer'
    Skus = '2019-Datacenter'
    Version = 'latest'
$vmConfig = 
New-AzVMConfig @vm1 | Set-AzVMOperatingSystem -Windows @vm2 | Set-AzVMSourceImage @vm3 | Add-AzVMNetworkInterface -Id $nicVM.Id

## Create the virtual machine. ##
New-AzVM -ResourceGroupName 'CreatePrivateEndpointQS-rg' -Location 'eastus' -VM $vmConfig


Azure provides a default outbound access IP for VMs that either aren't assigned a public IP address or are in the back-end pool of an internal basic Azure load balancer. The default outbound access IP mechanism provides an outbound IP address that isn't configurable.

For more information, see Default outbound access in Azure.

The default outbound access IP is disabled when either a public IP address is assigned to the VM or the VM is placed in the back-end pool of a standard load balancer, with or without outbound rules. If an Azure Virtual Network network address translation (NAT) gateway resource is assigned to the subnet of the virtual machine, the default outbound access IP is disabled.

VMs that are created by virtual machine scale sets in flexible orchestration mode don't have default outbound access.

For more information about outbound connections in Azure, see Use source network address translation (SNAT) for outbound connections.

Test connectivity with the private endpoint

Use the VM you created in the previous step to connect to the webapp across the private endpoint.

  1. Sign in to the Azure portal.

  2. In the search box at the top of the portal, enter Virtual machine. Select Virtual machines.

  3. Select myVM.

  4. On the overview page for myVM, select Connect, and then select Bastion.

  5. Enter the username and password that you used when you created the VM. Select Connect.

  6. After you've connected, open PowerShell on the server.

  7. Enter nslookup mywebapp1979.azurewebsites.net. Replace mywebapp1979 with the name of the web app that you created earlier. You'll receive a message that's similar to the following example:

    Server:  UnKnown
    Non-authoritative answer:
    Name:    mywebapp1979.privatelink.azurewebsites.net
    Aliases:  mywebapp1979.azurewebsites.net
  8. In the bastion connection to myVM, open the web browser.

  9. Enter the URL of your web app, https://mywebapp1979.azurewebsites.net.

    If your web app hasn't been deployed, you'll get the following default web app page:

    Screenshot of the default web app page on a browser.

  10. Close the connection to myVM.

Next steps

For more information about the services that support private endpoints, see: