Azure Private Link frequently asked questions (FAQ)

  • Azure Private Endpoint: Azure Private Endpoint is a network interface that connects you privately and securely to a service powered by Azure Private Link. You can use Private Endpoints to connect to an Azure PaaS service that supports Private Link or to your own Private Link Service.
  • Azure Private Link Service: Azure Private Link service is a service created by a service provider. Currently, a Private Link service can be attached to the frontend IP configuration of a Standard Load Balancer.

Traffic is sent privately using Microsoft backbone. It doesn’t traverse the internet.

What is the difference between a Service Endpoints and a Private Endpoints?

  • When using Private Endpoints, network access is granted to specific resources behind a given service providing granular segmentation, also traffic can reach the service resource from on premises without using public endpoints.

Private Endpoint provides access to multiple private link resource types, including Azure PaaS services and your own Private Link Service. It is a one-to-many relationship. One Private Link service can receive connections from multiple private endpoints. On the other hand, one private endpoint can only connect to one Private Link service.

Private Endpoint

Can I create multiple Private Endpoints in same VNet? Can they connect to different Services?

Yes. You can have multiple private endpoints in same VNet or subnet. They can connect to different services.

Do I require a dedicated subnet for private endpoints?

No. You don't require a dedicated subnet for private endpoints. You can choose a private endpoint IP from any subnet from the VNet where your service is deployed.

Yes. Private endpoints can connect to Private Link services or Azure PaaS across AD tenants.

Can private endpoint connect to Azure PaaS resources across Azure regions?

Yes. Private endpoints can connect to Azure PaaS resources across Azure regions.

Your service backends should be in a Virtual network and behind a Standard Load Balancer.

You can scale your Private Link service in a few different ways:

  • Add Backend VMs to the pool behind your Standard Load Balancer
  • Add an IP to the Private Link service. We allow up to 8 IPs per Private Link service.
  • Add new Private Link service to Standard Load Balancer. We allow up to eight Private Link services per load balancer.

Can I connect my service to multiple Private Endpoints?

Yes. One Private Link service can receive connections from multiple Private Endpoints. However one Private Endpoint can only connect to one Private Link service.

You can control the exposure using the visibility configuration on Private Link service. Visibility supports three settings:

  • None - Only subscriptions with RBAC access can locate the service.
  • Restrictive - Only subscriptions that are whitelisted and with RBAC access can locate the service.
  • All - Everyone can locate the service.

No. Private Link service over a Basic Load Balancer is not supported.

No. Private Link service doesn’t require a dedicated subnet. You can choose any subnet in your VNet where your service is deployed.

No. Azure Private Link provides this functionality for you. Hence, you are not required to have non-overlapping address space with your customer's address space.

Next steps