Create a private endpoint using Azure PowerShell

A Private Endpoint is the fundamental building block for private link in Azure. It enables Azure resources, like Virtual Machines (VMs), to communicate privately with private link resources.

In this Quickstart, you will learn how to create a VM on an Azure Virtual Network, a SQL Database Server with an Azure private endpoint using Azure PowerShell. Then, you can securely access the SQL Database Server from the VM.

Use Azure Cloud Shell

Azure hosts Azure Cloud Shell, an interactive shell environment that you can use through your browser. Cloud Shell lets you use either bash or PowerShell to work with Azure services. You can use the Cloud Shell pre-installed commands to run the code in this article without having to install anything on your local environment.

To launch Azure Cloud Shell:

Option Example/Link
Select Try It in the upper-right corner of a code block. Selecting Try It doesn't automatically copy the code to Cloud Shell. Example of Try It for Azure Cloud Shell
Go to https://shell.azure.com or select the Launch Cloud Shell button to open Cloud Shell in your browser. Launch Cloud Shell in a new window
Select the Cloud Shell button on the top-right menu bar in the Azure portal. Cloud Shell button in the Azure portal

To run the code in this article in Azure Cloud Shell:

  1. Launch Cloud Shell.

  2. Select the Copy button on a code block to copy the code.

  3. Paste the code into the Cloud Shell session with Ctrl+Shift+V on Windows and Linux, or Cmd+Shift+V on macOS.

  4. Press Enter to run the code.

Create a resource group

Before you can create your resources, you must create a resource group that hosts the Virtual Network and the private endpoint with New-AzResourceGroup. The following example creates a resource group named myResourceGroup in the WestUS location:


New-AzResourceGroup `
  -ResourceGroupName myResourceGroup `
  -Location westcentralus

Create a Virtual Network

In this section, you create a virtual network and a subnet. Next, you associate the subnet to your Virtual Network.

Create a Virtual Network

Create a Virtual network for your private endpoint with New-AzVirtualNetwork. The following example creates a Virtual Network named MyVirtualNetwork:


$virtualNetwork = New-AzVirtualNetwork `
  -ResourceGroupName myResourceGroup `
  -Location westcentralus `
  -Name myVirtualNetwork `
  -AddressPrefix 10.0.0.0/16

Add a Subnet

Azure deploys resources to a subnet within a Virtual Network, so you need to create a subnet. Create a subnet configuration named mySubnet with Add-AzVirtualNetworkSubnetConfig. The following example creates a subnet named mySubnet with the private endpoint network policy flag set to Disabled.

$subnetConfig = Add-AzVirtualNetworkSubnetConfig `
  -Name mySubnet `
  -AddressPrefix 10.0.0.0/24 `
  -PrivateEndpointNetworkPoliciesFlag "Disabled" `
  -VirtualNetwork $virtualNetwork

Associate the Subnet to the Virtual Network

You can write the subnet configuration to the Virtual Network with Set-AzVirtualNetwork. This command creates the subnet:

$virtualNetwork | Set-AzVirtualNetwork

Create a Virtual Machine

Create a VM in the Virtual Network with New-AzVM. When you run the next command, you're prompted for credentials. Enter a user name and password for the VM:

New-AzVm `
    -ResourceGroupName "myResourceGroup" `
    -Name "myVm" `
    -Location "westcentralus" `
    -VirtualNetworkName "MyVirtualNetwork" `
    -SubnetName "mySubnet" `
    -SecurityGroupName "myNetworkSecurityGroup" `
    -PublicIpAddressName "myPublicIpAddress" `
    -OpenPorts 80,3389 `
    -AsJob  

The -AsJob option creates the VM in the background. You can continue to the next step.

When Azure starts creating the VM in the background, you'll get something like this back:

Id     Name            PSJobTypeName   State         HasMoreData     Location             Command
--     ----            -------------   -----         -----------     --------             -------
1      Long Running... AzureLongRun... Running       True            localhost            New-AzVM

Create a SQL Database Server

Create a SQL Database Server by using the New-AzSqlServer command. Remember that the name of your SQL Database server must be unique across Azure, so replace the placeholder value in brackets with your own unique value:

$adminSqlLogin = "SqlAdmin"
$password = "ChangeYourAdminPassword1"

$server = New-AzSqlServer -ResourceGroupName "myResourceGroup" `
    -ServerName "myserver" `
    -Location "WestCentralUS" `
    -SqlAdministratorCredentials $(New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $adminSqlLogin, $(ConvertTo-SecureString -String $password -AsPlainText -Force))

New-AzSqlDatabase  -ResourceGroupName "myResourceGroup" `
    -ServerName "myserver"`
    -DatabaseName "myda"`
    -RequestedServiceObjectiveName "S0" `
    -SampleName "AdventureWorksLT"

Create a Private Endpoint

Private Endpoint for the SQL Database Server in your Virtual Network with New-AzPrivateLinkServiceConnection:


$privateEndpointConnection = New-AzPrivateLinkServiceConnection -Name "myConnection" `
  -PrivateLinkServiceId $server.ResourceId `
  -GroupId "sqlServer" 
 
$virtualNetwork = Get-AzVirtualNetwork -ResourceGroupName  "myResourceGroup" -Name "MyVirtualNetwork"  
 
$subnet = $virtualNetwork `
  | Select -ExpandProperty subnets `
  | Where-Object  {$_.Name -eq 'mysubnet'}  
 
$privateEndpoint = New-AzPrivateEndpoint -ResourceGroupName "myResourceGroup" `
  -Name "myPrivateEndpoint" `
  -Location "westcentralus" `
  -Subnet  $subnet`
  -PrivateLinkServiceConnection $privateEndpointConnection

Configure the Private DNS Zone

Create a private DNS zone for SQL Database Server domain and create an association link with the virtual network:


$zone = New-AzPrivateDnsZone -ResourceGroupName "myResourceGroup" `
  -Name "privatelink.database.windows.net" 
 
$link  = New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName "myResourceGroup" `
  -ZoneName "privatelink.database.windows.net"`
  -Name "mylink" `
  -VirtualNetworkId $virtualNetwork.Id  
 
$networkInterface = Get-AzResource -ResourceId $privateEndpoint.NetworkInterfaces[0].Id -ApiVersion "2019-04-01" 
 
foreach ($ipconfig in $networkInterface.properties.ipConfigurations) { 
foreach ($fqdn in $ipconfig.properties.privateLinkConnectionProperties.fqdns) { 
Write-Host "$($ipconfig.properties.privateIPAddress) $($fqdn)"  
$recordName = $fqdn.split('.',2)[0] 
$dnsZone = $fqdn.split('.',2)[1] 
New-AzPrivateDnsRecordSet -Name $recordName -RecordType A -ZoneName "privatelink.database.windows.net"  `
-ResourceGroupName "myResourceGroup" -Ttl 600 `
-PrivateDnsRecords (New-AzPrivateDnsRecordConfig -IPv4Address $ipconfig.properties.privateIPAddress)  
} 
} 

Connect to a VM from the internet

Use Get-AzPublicIpAddress to return the public IP address of a VM. This example returns the public IP address of the myVM VM:

Get-AzPublicIpAddress `
  -Name myPublicIpAddress `
  -ResourceGroupName myResourceGroup `
  | Select IpAddress 

Open a command prompt on your local computer. Run the mstsc command. Replace  with the public IP address returned from the last step:

Note

If you've been running these commands from a PowerShell prompt on your local computer, and you're using the Az PowerShell module version 1.0 or later, you can continue in that interface.

mstsc /v:<publicIpAddress>
  1. If prompted, select Connect.
  2. Enter the user name and password you specified when creating the VM.

Note

You may need to select More choices > Use a different account, to specify the credentials you entered when you created the VM.

  1. Select OK.
  2. You may receive a certificate warning. If you do, select Yes or Continue.

Access SQL Database Server privately from the VM

  1. In the Remote Desktop of myVM, open PowerShell.

  2. Enter nslookup myserver.database.windows.net.

    You'll receive a message similar to this:

    Server:  UnKnown
    Address:  168.63.129.16
    Non-authoritative answer:
    Name:    myserver.privatelink.database.windows.net
    Address:  10.0.0.5
    Aliases:   myserver.database.windows.net
    
  3. Install SQL Server Management Studio

  4. In Connect to server, enter or select this information: Setting Value Server type Select Database Engine. Server name Select myserver.database.windows.net Username Enter a username provided during creation. Password Enter a password provided during creation. Remember password Select Yes.

  5. Select Connect.

  6. Browse Databases from left menu.

  7. (Optionally) Create or query information from mydatabase

  8. Close the remote desktop connection to myVM.

Clean up resources

When you're done using the private endpoint, SQL Database server and the VM, use Remove-AzResourceGroup to remove the resource group and all the resources it has:

Remove-AzResourceGroup -Name myResourceGroup -Force

Next steps