What is Azure Private Link?

Azure Private Link enables you to access Azure PaaS Services (for example, Azure Storage and SQL Database) and Azure hosted customer-owned/partner services over a private endpoint in your virtual network.

Traffic between your virtual network and the service travels the Microsoft backbone network. Exposing your service to the public internet is no longer necessary. You can create your own private link service in your virtual network and deliver it to your customers. Setup and consumption using Azure Private Link is consistent across Azure PaaS, customer-owned, and shared partner services.

Important

Azure Private Link is now generally available. Both Private Endpoint and Private Link service (service behind standard load balancer) are generally available. Different Azure PaaS services will onboard to Azure Private Link on different schedules. Check the Availability section below for the accurate status of Azure PaaS on Private Link. For known limitations, see Private Endpoint and Private Link Service.

Private endpoint overview

Key benefits

Azure Private Link provides the following benefits:

  • Privately access services on the Azure platform: Connect your virtual network to services in Azure without a public IP address at the source or destination. Service providers can render their services in their own virtual network and consumers can access those services in their local virtual network. The Private Link platform will handle the connectivity between the consumer and services over the Azure backbone network.

  • On-premises and peered networks: Access services running in Azure from on-premises over ExpressRoute private peering, VPN tunnels, and peered virtual networks using private endpoints. There's no need to set up public peering or traverse the internet to reach the service. Private Link provides a secure way to migrate workloads to Azure.

  • Protection against data leakage: A private endpoint is mapped to an instance of a PaaS resource instead of the entire service. Consumers can only connect to the specific resource. Access to any other resource in the service is blocked. This mechanism provides protection against data leakage risks.

  • Global reach: Connect privately to services running in other regions. The consumer's virtual network could be in region A and it can connect to services behind Private Link in region B.

  • Extend to your own services: Enable the same experience and functionality to render your service privately to consumers in Azure. By placing your service behind a standard Azure Load Balancer, you can enable it for Private Link. The consumer can then connect directly to your service using a private endpoint in their own virtual network. You can manage the connection requests using an approval call flow. Azure Private Link works for consumers and services belonging to different Azure Active Directory tenants.
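The benefits above hold only when each resource has an approved private endpoint connection and its public endpoint is actually closed. The following audit is an added example, not part of the original page or Microsoft's tooling. It assumes input shaped like the JSON printed by `az network private-endpoint list` and `az storage account list`; the field names follow that output as an assumption, and all sample data is constructed.

```python
# Constructed sample data shaped like the JSON printed by
# `az network private-endpoint list` and `az storage account list`.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
ACCOUNTS = [
    {"id": SUB + "/providers/Microsoft.Storage/storageAccounts/stlogs",
     "publicNetworkAccess": "Disabled"},
    {"id": SUB + "/providers/Microsoft.Storage/storageAccounts/stexports",
     "publicNetworkAccess": "Enabled"},
    {"id": SUB + "/providers/Microsoft.Storage/storageAccounts/stscratch",
     "publicNetworkAccess": "Enabled"},
]

def _conn(target, group, status):
    # Helper for building the constructed sample connections below.
    return {"privateLinkServiceId": target, "groupIds": [group],
            "privateLinkServiceConnectionState": {"status": status}}

ENDPOINTS = [
    {"name": "pe-logs", "privateLinkServiceConnections":
        [_conn(ACCOUNTS[0]["id"], "blob", "Approved")],
     "manualPrivateLinkServiceConnections": []},
    {"name": "pe-exports", "privateLinkServiceConnections":
        [_conn(ACCOUNTS[1]["id"].upper(), "blob", "Approved")],
     "manualPrivateLinkServiceConnections": []},
    {"name": "pe-scratch", "privateLinkServiceConnections": [],
     "manualPrivateLinkServiceConnections":
        [_conn(ACCOUNTS[2]["id"], "blob", "Pending")]},
]

def audit(endpoints, accounts):
    """Return sorted (resource name, finding) pairs for the given exports."""
    approved, findings = set(), []
    for pe in endpoints:
        conns = (pe.get("privateLinkServiceConnections") or []) + \
                (pe.get("manualPrivateLinkServiceConnections") or [])
        for c in conns:
            status = c["privateLinkServiceConnectionState"]["status"]
            target = c["privateLinkServiceId"].lower()  # ARM IDs are case-insensitive
            if status == "Approved":
                approved.add(target)
            else:  # still waiting in (or rejected by) the approval flow
                findings.append((pe["name"], "connection is " + status))
    for acct in accounts:
        name = acct["id"].rsplit("/", 1)[-1]
        if acct["id"].lower() not in approved:
            findings.append((name, "no approved private endpoint"))
        elif acct.get("publicNetworkAccess") != "Disabled":
            findings.append((name, "private endpoint present, public access still enabled"))
    return sorted(findings)

if __name__ == "__main__":
    for resource, finding in audit(ENDPOINTS, ACCOUNTS):
        print(resource + ": " + finding)
```

A missing or null `publicNetworkAccess` value is reported as still enabled, so accounts that predate the property are not silently passed.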

Availability

The following table lists the Private Link services and the regions where they're available.

| Supported services | Available regions | Additional considerations | Status |
|---|---|---|---|
| Private Link services behind standard Azure Load Balancer | All public regions | Supported on Standard Load Balancer | GA |
| Azure Storage | All public regions | Supported on Account Kind General Purpose V2 | GA |
| Azure Data Lake Storage Gen2 | All public regions | Supported on Account Kind General Purpose V2 | GA |
| Azure SQL Database | All public regions | Supported for Proxy connection policy | GA |
| Azure Synapse Analytics (SQL Data Warehouse) | All public regions | Supported for Proxy connection policy | GA |
| Azure Cosmos DB | All public regions | | GA |
| Azure Database for PostgreSQL - Single server | All public regions | | GA |
| Azure Database for MySQL | All public regions | | GA |
| Azure Database for MariaDB | All public regions | | GA |
| Azure Key Vault | All public regions | | GA |
| Azure Kubernetes Service - Kubernetes API | All public regions | | GA |
| Azure Search | All public regions | | GA |
| Azure Container Registry | All public regions | Supported with premium tier of container registry | GA |
| Azure App Configuration | All public regions | | Preview |
| Azure Backup | All public regions | | GA |
| Azure Event Hub | All public regions | | GA |
| Azure Service Bus | All public regions | Supported with premium tier of Azure Service Bus | GA |
| Azure Relay | All public regions | | Preview |
| Azure Event Grid | All public regions | | GA |
| Azure Web Apps | All public regions | | Preview |
| Azure Machine Learning | EAST US, WEST US 2, SOUTH CENTRAL US | | Preview |
| Azure Automation | All public regions | | Preview |
| Azure IoT Hub | All public regions | | GA |
| Azure SignalR | EAST US, WEST US 2, SOUTH CENTRAL US | | Preview |
| Azure Monitor (Log Analytics & Application Insights) | All public regions | | GA |

For the most up-to-date notifications, check the Azure Private Link updates page.

Logging and monitoring

Azure Private Link has integration with Azure Monitor. This combination allows:

  • Archival of logs to a storage account.
  • Streaming of events to your Event Hub.
  • Azure Monitor logging.

You can access the following information on Azure Monitor:

  • Private endpoint:
    • Data processed by the Private Endpoint (IN/OUT)

  • Private Link service:
    • Data processed by the Private Link service (IN/OUT)
    • NAT port availability

Pricing

For pricing details, see Azure Private Link pricing.

FAQs

For FAQs, see Azure Private Link FAQs.

Limits

For limits, see Azure Private Link limits.

Service Level Agreement

For SLA, see SLA for Azure Private Link.
