What is Azure Private Link? (Preview)
Azure Private Link enables you to access Azure PaaS Services (for example, Azure Storage, Azure Cosmos DB, and SQL Database) and Azure hosted customer/partner services over a Private Endpoint in your virtual network. Traffic between your virtual network and the service traverses over the Microsoft backbone network, eliminating exposure from the public Internet. You can also create your own Private Link Service in your virtual network (VNet) and deliver it privately to your customers. The setup and consumption experience using Azure Private Link is consistent across Azure PaaS, customer-owned, and shared partner services.
Azure Private Link provides the following benefits:
Privately access services on the Azure platform: Connect your virtual network to services running in Azure privately without needing a public IP address at the source or destination. Service providers can render their services privately in their own virtual network and consumers can access those services privately in their local virtual network. The Private Link platform will handle the connectivity between the consumer and services over the Azure backbone network.
On-premises and peered networks: Access services running in Azure from on-premises over ExpressRoute private peering/VPN tunnels (from on-premises) and peered virtual networks using private endpoints. There is no need to set up public peering or traverse the internet to reach the service. This ability provides a secure way to migrate workloads to Azure.
Protection against data exfiltration: With Azure Private Link, the private endpoint in the VNet is mapped to a specific instance of the customer's PaaS resource as opposed to the entire service. Using the private endpoint consumers can only connect to the specific resource and not to any other resource in the service. This in built mechanism provides protection against data exfiltration risks.
Global reach: Connect privately to services running in other regions. This means that the consumer's virtual network could be in region A and it can connect to services behind Private Link in region B.
Extend to your own services: Leverage the same experience and functionality to render your own service privately to your consumers in Azure. By placing your service behind a Standard Load Balancer you can enable it for Private Link. The consumer can then connect directly to your service using a Private Endpoint in their own VNet. You can manage these connection requests using a simple approval call flow. Azure Private Link works for consumers and services belonging to different Active Directory tenants as well.
The following table lists the Private Link services and the regions where they are available.
|Scenario||Supported services||Available regions||Status|
|Private Link for customer-owned services||Private Link services behind Standard Load Balancer||All public regions||Preview|
|Private Link for Azure PaaS services||Azure Storage||All public regions||Preview
|Azure Data Lake Storage Gen2||All public regions||Preview
|Azure SQL Database||All public regions||Preview|
|Azure SQL Data Warehouse||All public regions||Preview|
|Azure Cosmos DB||West Central US, WestUS, North Central US||Preview|
|Azure Database for PostgreSQL - Single server||All public regions||Preview|
|Azure Database for MySQL||All public regions||Preview|
|Azure Database for MariaDB||All public regions||Preview|
For the most up-to-date notifications, check the Azure Virtual Network updates page.
Logging and monitoring
Azure Private Link is integrated with Azure Monitor which allows you to archive logs to a storage account, stream events to your Event Hub, or send them to Azure Monitor logs. You can access the following information on Azure Monitor:
Private endpoint: Data processed by the Private Endpoint (IN/OUT)
Private Link service:
- Data processed by the Private Link service (IN/OUT)
- NAT port availability
For pricing details, see Azure Private Link pricing.
For FAQs, see Azure Private Link FAQs.
For limits, see Azure Private Link limits.
- Create a Private Endpoint for SQL Database Server using Portal
- Create a Private Endpoint for SQL Database Server using PowerShell
- Create a Private Endpoint for SQL Database Server using CLI
- Create a Private Endpoint for Storage account using Portal
- Create a Private Endpoint for Azure Cosmos account using Portal
- Create your own Private Link service using Azure PowerShell