What is Azure Private Link? (Preview)

Azure Private Link enables you to access Azure PaaS Services (for example, Azure Storage, Azure Cosmos DB, and SQL Database) and Azure hosted customer/partner services over a Private Endpoint in your virtual network. Traffic between your virtual network and the service traverses over the Microsoft backbone network, eliminating exposure from the public Internet. You can also create your own Private Link Service in your virtual network (VNet) and deliver it privately to your customers. The setup and consumption experience using Azure Private Link is consistent across Azure PaaS, customer-owned, and shared partner services.


This public preview is provided without a service level agreement and should not be used for production workloads. Certain features may not be supported, may have constrained capabilities, or may not be available in all Azure locations. See the Supplemental Terms of Use for Microsoft Azure Previews for details. For known limitations, see Private Endpoint and Private Link Service.

Private endpoint overview

Key benefits

Azure Private Link provides the following benefits:

  • Privately access services on the Azure platform: Connect your virtual network to services running in Azure privately without needing a public IP address at the source or destination. Service providers can render their services privately in their own virtual network and consumers can access those services privately in their local virtual network. The Private Link platform will handle the connectivity between the consumer and services over the Azure backbone network.

  • On-premises and peered networks: Access services running in Azure from on-premises over ExpressRoute private peering/VPN tunnels (from on-premises) and peered virtual networks using private endpoints. There is no need to set up public peering or traverse the internet to reach the service. This ability provides a secure way to migrate workloads to Azure.

  • Protection against data exfiltration: With Azure Private Link, the private endpoint in the VNet is mapped to a specific instance of the customer's PaaS resource as opposed to the entire service. Using the private endpoint consumers can only connect to the specific resource and not to any other resource in the service. This in built mechanism provides protection against data exfiltration risks.

  • Global reach: Connect privately to services running in other regions. This means that the consumer's virtual network could be in region A and it can connect to services behind Private Link in region B.

  • Extend to your own services: Leverage the same experience and functionality to render your own service privately to your consumers in Azure. By placing your service behind a Standard Load Balancer you can enable it for Private Link. The consumer can then connect directly to your service using a Private Endpoint in their own VNet. You can manage these connection requests using a simple approval call flow. Azure Private Link works for consumers and services belonging to different Active Directory tenants as well.


The following table lists the Private Link services and the regions where they are available.

Scenario Supported services Available regions Status
Private Link for customer-owned services Private Link services behind Standard Load Balancer All public regions Preview
Private Link for Azure PaaS services Azure Storage All public regions Preview
Learn more.
Azure Data Lake Storage Gen2 All public regions Preview
Learn more.
Azure SQL Database All public regions Preview
Azure SQL Data Warehouse All public regions Preview
Azure Cosmos DB West Central US, WestUS, North Central US Preview
Azure Database for PostgreSQL - Single server All public regions Preview
Azure Database for MySQL All public regions Preview
Azure Database for MariaDB All public regions Preview

For the most up-to-date notifications, check the Azure Virtual Network updates page.

Logging and monitoring

Azure Private Link is integrated with Azure Monitor which allows you to archive logs to a storage account, stream events to your Event Hub, or send them to Azure Monitor logs. You can access the following information on Azure Monitor:

  • Private endpoint: Data processed by the Private Endpoint  (IN/OUT)

  • Private Link service:

    • Data processed by the Private Link service (IN/OUT)
    • NAT port availability


For pricing details, see Azure Private Link pricing.


For FAQs, see Azure Private Link FAQs.


For limits, see Azure Private Link limits.

Next steps