Create a Private Link service using Azure CLI

This article shows you how to create a Private Link service in Azure using Azure CLI.

Use Azure Cloud Shell

Azure hosts Azure Cloud Shell, an interactive shell environment that you can use through your browser. You can use either Bash or PowerShell with Cloud Shell to work with Azure services. You can use the Cloud Shell preinstalled commands to run the code in this article without having to install anything on your local environment.

To start Azure Cloud Shell, use one of the following options:

  - Select Try It in the upper-right corner of a code block. Selecting Try It doesn't automatically copy the code to Cloud Shell.
  - Go to https://shell.azure.com, or select the Launch Cloud Shell button to open Cloud Shell in your browser.
  - Select the Cloud Shell button on the top-right menu bar in the Azure portal.

To run the code in this article in Azure Cloud Shell:

  1. Start Cloud Shell.

  2. Select the Copy button on a code block to copy the code.

  3. Paste the code into the Cloud Shell session by selecting Ctrl+Shift+V on Windows and Linux or by selecting Cmd+Shift+V on macOS.

  4. Select Enter to run the code.

If you decide to install and use Azure CLI locally instead, this article requires the latest Azure CLI version. To find your installed version, run az --version. See Install Azure CLI for install or upgrade info.

Create a resource group

Before you can create a virtual network, you need a resource group to host it. Create a resource group with az group create. This example creates a resource group named myResourceGroup in the westcentralus location:

az group create --name myResourceGroup --location westcentralus

Create a virtual network

Create a virtual network with az network vnet create. This example creates a virtual network named myVirtualNetwork with the address space 10.0.0.0/16; the subnet is added in the next step:

az network vnet create --resource-group myResourceGroup --name myVirtualNetwork --address-prefix 10.0.0.0/16

Create a subnet

Create a subnet for the virtual network with az network vnet subnet create. This example creates a subnet named mySubnet in the myVirtualNetwork virtual network:

az network vnet subnet create --resource-group myResourceGroup --vnet-name myVirtualNetwork --name mySubnet --address-prefixes 10.0.0.0/24    

Create an internal load balancer

Create an internal load balancer with az network lb create. This example creates a Standard SKU internal load balancer named myILB in the resource group myResourceGroup, with a frontend IP configuration named myFrontEnd in mySubnet and a backend pool named myBackEndPool. Private Link service requires a Standard load balancer.

az network lb create --resource-group myResourceGroup --name myILB --sku standard --vnet-name myVirtualNetwork --subnet mySubnet --frontend-ip-name myFrontEnd --backend-pool-name myBackEndPool

Create a load balancer health probe

A health probe checks the virtual machine instances in the backend pool to make sure they can receive network traffic. An instance that fails its probe checks is removed from the load balancer rotation until it comes back online and a probe check determines that it's healthy. Create a health probe with az network lb probe create to monitor the health of the virtual machines.

  az network lb probe create \
    --resource-group myResourceGroup \
    --lb-name myILB \
    --name myHealthProbe \
    --protocol tcp \
    --port 80   

Create a load balancer rule

A load balancer rule defines the frontend IP configuration that receives incoming traffic and the backend pool that the traffic is sent to, along with the frontend and backend ports. Create a load balancer rule named myHTTPRule with az network lb rule create that listens on port 80 of the frontend IP configuration myFrontEnd and sends load-balanced traffic to the backend address pool myBackEndPool, also on port 80.

  az network lb rule create \
    --resource-group myResourceGroup \
    --lb-name myILB \
    --name myHTTPRule \
    --protocol tcp \
    --frontend-port 80 \
    --backend-port 80 \
    --frontend-ip-name myFrontEnd \
    --backend-pool-name myBackEndPool \
    --probe-name myHealthProbe  

Create backend servers

In this example, we don't cover virtual machine creation. You can follow the steps in Create an internal load balancer to load balance VMs using Azure CLI to create two virtual machines to be used as backend servers for the load balancer.

Private Link service requires one or more NAT IP addresses from a subnet of your choice within the virtual network. Network policies (for example, network security group rules) aren't supported on these IPs, so you have to disable Private Link service network policies on the subnet before creating the service. Update the subnet with az network vnet subnet update:

az network vnet subnet update --resource-group myResourceGroup --vnet-name myVirtualNetwork --name mySubnet --disable-private-link-service-network-policies true

Create a Private Link service that uses the Standard load balancer's frontend IP configuration with az network private-link-service create. This example creates a Private Link service named myPLS that uses the frontend IP configuration myFrontEnd of the Standard load balancer myILB in the resource group myResourceGroup.

az network private-link-service create \
--resource-group myResourceGroup \
--name myPLS \
--vnet-name myVirtualNetwork \
--subnet mySubnet \
--lb-name myILB \
--lb-frontend-ip-configs myFrontEnd \
--location westcentralus 

Once created, take note of the Private Link service resource ID. A consumer needs it later to request a connection to this service.

At this stage, your Private Link service is created and is ready to receive traffic. The example above only demonstrates creating a Private Link service with Azure CLI: the load balancer backend pool is empty, and no application has been configured to listen for the traffic. If you want to see end-to-end traffic flows, configure your application behind the Standard load balancer.

Next, we demonstrate how to map this service to a private endpoint in a different virtual network using Azure CLI. Again, the example is limited to creating the private endpoint and connecting it to the Private Link service created above. You can additionally create virtual machines in that virtual network to send and receive traffic through the private endpoint.

Private endpoints

Create the virtual network

Create a virtual network with az network vnet create. This example creates a virtual network named myPEVnet in the resource group myResourceGroup:

az network vnet create \
--resource-group myResourceGroup \
--name myPEVnet \
--address-prefix 10.0.0.0/16  

Create the subnet

Create a subnet in the virtual network with az network vnet subnet create. This example creates a subnet named myPESubnet in the virtual network myPEVnet in the resource group myResourceGroup:

az network vnet subnet create \
--resource-group myResourceGroup \
--vnet-name myPEVnet \
--name myPESubnet \
--address-prefixes 10.0.0.0/24 

Disable private endpoint network policies on subnet

A private endpoint can be created in any subnet of your choice within a virtual network. Network policies (network security group rules) aren't supported on private endpoints, so you have to disable private endpoint network policies on the subnet before creating the endpoint. Update the subnet with az network vnet subnet update.

az network vnet subnet update \
--resource-group myResourceGroup \
--vnet-name myPEVnet \
--name myPESubnet \
--disable-private-endpoint-network-policies true 

Create a private endpoint in your virtual network for consuming the Private Link service created above with az network private-endpoint create:

az network private-endpoint create \
--resource-group myResourceGroup \
--name myPE \
--vnet-name myPEVnet \
--subnet myPESubnet \
--private-connection-resource-id {PLS_resourceURI} \
--connection-name myPEConnectingPLS \
--location westcentralus 

You can get the value for --private-connection-resource-id from the id field that az network private-link-service show returns for the Private Link service. The ID has this form:

/subscriptions/subID/resourceGroups/resourcegroupname/providers/Microsoft.Network/privateLinkServices/privatelinkservicename

View the connection requests on your Private Link service with az network private-link-service show; they're listed under privateEndpointConnections, each with its connection state.

az network private-link-service show --resource-group myResourceGroup --name myPLS 
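The show command above returns JSON, and the service owner's real job at this point is to review who is asking to connect before approving anything. The following Python script is an added example, not part of the original article or of the Azure CLI: it takes the JSON that az network private-link-service show prints (run it with -o json), validates the Private Link service resource ID quoted above, sorts the entries in privateEndpointConnections by their privateLinkServiceConnectionState.status and by the subscription that owns the requesting private endpoint, and emits the az network private-link-service connection update commands that approve or reject each pending request. The sample JSON is constructed to mirror the shape of the real output (only the fields used here are modelled), and the allow list of consumer subscriptions is an assumption the operator supplies; the article defines no such list.

```python
"""Review connection requests on a Private Link service.

Added example (not part of the original article). Feed it the output of
`az network private-link-service show -g myResourceGroup -n myPLS -o json`.
SAMPLE_SHOW_OUTPUT below is CONSTRUCTED; the allow list is an assumption.
"""
import json
import re

# Shape of a Private Link service resource ID, as quoted in the article.
_PLS_ID_RE = re.compile(
    r"^/subscriptions/(?P<subscription>[^/]+)"
    r"/resourceGroups/(?P<resource_group>[^/]+)"
    r"/providers/Microsoft\.Network/privateLinkServices/(?P<name>[^/]+)$",
    re.IGNORECASE,
)

# Constructed stand-in for the real `az ... show -o json` output.
SAMPLE_SHOW_OUTPUT = json.dumps({
    "id": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/"
          "myResourceGroup/providers/Microsoft.Network/privateLinkServices/myPLS",
    "name": "myPLS",
    "privateEndpointConnections": [
        {   # the consumer created in this article: same subscription, still Pending
            "name": "myPE.0001",
            "privateEndpoint": {"id": "/subscriptions/11111111-1111-1111-1111-111111111111/"
                                      "resourceGroups/myResourceGroup/providers/"
                                      "Microsoft.Network/privateEndpoints/myPE"},
            "privateLinkServiceConnectionState": {"status": "Pending", "description": "Awaiting approval"},
        },
        {   # a request from a subscription nobody told us about
            "name": "strangerPE.0002",
            "privateEndpoint": {"id": "/subscriptions/22222222-2222-2222-2222-222222222222/"
                                      "resourceGroups/otherRG/providers/"
                                      "Microsoft.Network/privateEndpoints/strangerPE"},
            "privateLinkServiceConnectionState": {"status": "Pending", "description": "Awaiting approval"},
        },
        {   # already Approved, but from a subscription not on the allow list
            "name": "legacyPE.0003",
            "privateEndpoint": {"id": "/subscriptions/33333333-3333-3333-3333-333333333333/"
                                      "resourceGroups/legacyRG/providers/"
                                      "Microsoft.Network/privateEndpoints/legacyPE"},
            "privateLinkServiceConnectionState": {"status": "Approved", "description": "Approved"},
        },
    ],
})


def parse_pls_id(resource_id):
    """Split a Private Link service ID into its parts; raise ValueError otherwise.

    Run this on an ID before pasting it into --private-connection-resource-id so
    a typo, or an ID of some other resource type, fails here instead of in Azure.
    """
    m = _PLS_ID_RE.match(resource_id.strip())
    if not m:
        raise ValueError("not a Microsoft.Network/privateLinkServices ID: %r" % resource_id)
    return m.groupdict()


def is_pls_id(resource_id):
    """True if the string is a well-formed Private Link service ID."""
    return _PLS_ID_RE.match(resource_id.strip()) is not None


def pe_subscription(connection):
    """Subscription ID of the private endpoint behind one connection entry."""
    parts = connection["privateEndpoint"]["id"].split("/")
    return parts[parts.index("subscriptions") + 1]


def triage(show_json, allowed_subscriptions):
    """Classify every privateEndpointConnections entry by state and requester.

    pending_allowed:  Pending, requester subscription on the allow list (approve)
    pending_unknown:  Pending, requester not on the allow list (reject / investigate)
    approved_unknown: already Approved although the requester is not on the list
    """
    svc = json.loads(show_json) if isinstance(show_json, str) else show_json
    allowed = {s.lower() for s in allowed_subscriptions}
    result = {"pending_allowed": [], "pending_unknown": [], "approved_unknown": []}
    for conn in svc.get("privateEndpointConnections", []):
        status = conn["privateLinkServiceConnectionState"]["status"]
        known = pe_subscription(conn).lower() in allowed
        if status == "Pending":
            result["pending_allowed" if known else "pending_unknown"].append(conn["name"])
        elif status == "Approved" and not known:
            result["approved_unknown"].append(conn["name"])
    return result


def decision_commands(resource_group, service_name, triage_result):
    """Build the az commands that act on the triage (approve known, reject unknown)."""
    base = ("az network private-link-service connection update --resource-group %s "
            "--service-name %s --name %s --connection-status %s")
    cmds = [base % (resource_group, service_name, n, "Approved") for n in triage_result["pending_allowed"]]
    cmds += [base % (resource_group, service_name, n, "Rejected") for n in triage_result["pending_unknown"]]
    return cmds


if __name__ == "__main__":
    svc = json.loads(SAMPLE_SHOW_OUTPUT)
    print("service:", parse_pls_id(svc["id"]))
    verdict = triage(svc, ["11111111-1111-1111-1111-111111111111"])
    print("triage:", verdict)
    for cmd in decision_commands("myResourceGroup", "myPLS", verdict):
        print(cmd)
    if verdict["approved_unknown"]:
        print("already approved but not on the allow list, review:", verdict["approved_unknown"])
```

Requests land in the Pending state because the service in this article was created without an --auto-approval list; subscriptions passed to --auto-approval on az network private-link-service create are approved automatically, and --visibility restricts which subscriptions can see the service at all. If you use those two flags, keep the allow list you pass to triage() in step with them, and treat anything in approved_unknown as a finding to investigate rather than a bookkeeping error.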

Next steps