Quickstart: Create a Private Endpoint using the Azure portal
Get started with Azure Private Link by using a Private Endpoint to connect securely to an Azure web app.
In this quickstart, you'll create a private endpoint for an Azure web app and deploy a virtual machine to test the private connection.
Private endpoints can be created for different kinds of Azure services, such as Azure SQL and Azure Storage.
Prerequisites
- An Azure account with an active subscription. Create an account for free.
- An Azure Web App with a PremiumV2-tier or higher app service plan deployed in your Azure subscription.
- For more information and an example, see Quickstart: Create an ASP.NET Core web app in Azure.
- For a detailed tutorial on creating a web app and an endpoint, see Tutorial: Connect to a web app using an Azure Private Endpoint.
Sign in to Azure
Sign in to the Azure portal at https://portal.azure.com.
Create a virtual network and bastion host
In this section, you'll create a virtual network, subnet, and bastion host.
The bastion host will be used to connect securely to the virtual machine for testing the private endpoint.
On the upper-left side of the screen, select Create a resource > Networking > Virtual network or search for Virtual network in the search box.
In Create virtual network, enter or select this information in the Basics tab:
Project Details
- Subscription: Select your Azure subscription
- Resource Group: Select CreatePrivateEndpointQS-rg
Instance details
- Name: Enter myVNet
- Region: Select West Europe.
Select the IP Addresses tab or select the Next: IP Addresses button at the bottom of the page.
In the IP Addresses tab, enter this information:
- IPv4 address space: Enter 10.1.0.0/16
Under Subnet name, select the word default.
In Edit subnet, enter this information:
- Subnet name: Enter mySubnet
- Subnet address range: Enter 10.1.0.0/24
Select Save.
Select the Security tab.
Under BastionHost, select Enable. Enter this information:
- Bastion name: Enter myBastionHost
- AzureBastionSubnet address space: Enter 10.1.1.0/24
- Public IP Address: Select Create new. For Name, enter myBastionIP. Select OK.
Select the Review + create tab or select the Review + create button.
Select Create.
Create a virtual machine
In this section, you'll create a virtual machine that will be used to test the private endpoint.
On the upper-left side of the portal, select Create a resource > Compute > Virtual machine or search for Virtual machine in the search box.
In Create a virtual machine, type or select the values in the Basics tab:
Project Details
- Subscription: Select your Azure subscription
- Resource Group: Select CreatePrivateEndpointQS-rg
Instance details
- Virtual machine name: Enter myVM
- Region: Select West Europe.
- Availability Options: Select No infrastructure redundancy required
- Image: Select Windows Server 2019 Datacenter - Gen1
- Azure Spot instance: Select No
- Size: Choose VM size or take default setting
Administrator account
- Username: Enter a username
- Password: Enter a password
- Confirm password: Reenter password
Select the Networking tab, or select Next: Disks, then Next: Networking.
In the Networking tab, select or enter:
Network interface
- Virtual network: myVNet
- Subnet: mySubnet
- Public IP: Select None.
- NIC network security group: Basic
- Public inbound ports: Select None.
Select Review + create.
Review the settings, and then select Create.
Note
Azure provides a default outbound access IP for Azure Virtual Machines that aren't assigned a public IP address or are in the backend pool of an internal Basic Azure Load Balancer. The default outbound access IP mechanism provides an outbound IP address that isn't configurable.
For more information about default outbound access, see Default outbound access in Azure.
The default outbound access IP is disabled when a public IP address is assigned to the virtual machine, or when the virtual machine is placed in the backend pool of a Standard Load Balancer, with or without outbound rules. If an Azure Virtual Network NAT gateway resource is assigned to the subnet of the virtual machine, the default outbound access IP is disabled.
Virtual machines created by Virtual Machine Scale Sets in Flexible Orchestration mode don't have default outbound access.
For more information about outbound connections in Azure, see Using Source Network Address Translation (SNAT) for outbound connections.
Create a Private Endpoint
In this section, you'll create a Private Endpoint for the web app you created in the prerequisites section.
On the upper-left side of the screen in the portal, select Create a resource > Networking > Private Link, or in the search box enter Private Link.
Select Create.
In Private Link Center, select Private endpoints in the left-hand menu.
In Private endpoints, select + Add.
In the Basics tab of Create a private endpoint, enter, or select this information:
Project details
- Subscription: Select your subscription.
- Resource group: Select CreatePrivateEndpointQS-rg. You created this resource group in the previous section.
Instance details
- Name: Enter myPrivateEndpoint.
- Region: Select West Europe.
Select the Resource tab or the Next: Resource button at the bottom of the page.
In Resource, enter or select this information:
- Connection method: Select Connect to an Azure resource in my directory.
- Subscription: Select your subscription.
- Resource type: Select Microsoft.Web/sites.
- Resource: Select <your-web-app-name>. Select the name of the web app you created in the prerequisites.
- Target sub-resource: Select sites.
Select the Configuration tab or the Next: Configuration button at the bottom of the screen.
In Configuration, enter or select this information:
Networking
- Virtual network: Select myVNet.
- Subnet: Select mySubnet.
Private DNS integration
- Integrate with private DNS zone: Leave the default of Yes.
- Subscription: Select your subscription.
- Private DNS zones: Leave the default of (New) privatelink.azurewebsites.net.
Select Review + create.
Select Create.
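The portal steps above can also be reproduced with Az PowerShell. The following script is an added example and is not part of the quickstart. It assumes the Az.Network, Az.PrivateDns and Az.Websites modules are installed, that you have already signed in with Connect-AzAccount, and that the virtual network, subnet and resource group from this quickstart exist; <your-web-app-name> is a placeholder for your own web app. The private DNS zone, virtual network link and DNS zone group it creates are what the portal's "Integrate with private DNS zone: Yes" option sets up for you.

```powershell
# Added example (not from the quickstart): create the private endpoint for the
# web app with Az PowerShell, including the private DNS integration.
# Assumes Az.Network, Az.PrivateDns and Az.Websites, and a Connect-AzAccount session.
$rg         = 'CreatePrivateEndpointQS-rg'
$location   = 'westeurope'                 # "West Europe" in the portal
$vnetName   = 'myVNet'
$subnetName = 'mySubnet'
$peName     = 'myPrivateEndpoint'
$webAppName = '<your-web-app-name>'        # placeholder: your web app's name
$zoneName   = 'privatelink.azurewebsites.net'

# Target resource: the web app. "sites" is the sub-resource (group ID) for App Service.
$webApp = Get-AzWebApp -ResourceGroupName $rg -Name $webAppName

# Subnet that hosts the private endpoint's NIC (10.1.0.0/24 in this quickstart).
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet

# Connection from the endpoint to the web app (auto-approved: same directory).
$connection = New-AzPrivateLinkServiceConnection -Name "$peName-connection" `
    -PrivateLinkServiceId $webApp.Id -GroupId 'sites'

$pe = New-AzPrivateEndpoint -ResourceGroupName $rg -Name $peName -Location $location `
    -Subnet $subnet -PrivateLinkServiceConnection $connection

# Private DNS zone linked to the VNet, so <app>.azurewebsites.net resolves to the
# private IP from inside the network instead of the public App Service address.
$zone = New-AzPrivateDnsZone -ResourceGroupName $rg -Name $zoneName
New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zoneName `
    -Name "$vnetName-link" -VirtualNetworkId $vnet.Id | Out-Null

# DNS zone group: Azure keeps the A record in the zone in sync with the endpoint's IP.
$zoneConfig = New-AzPrivateDnsZoneConfig -Name $zoneName -PrivateDnsZoneId $zone.ResourceId
New-AzPrivateDnsZoneGroup -ResourceGroupName $rg -PrivateEndpointName $peName `
    -Name 'default' -PrivateDnsZoneConfig $zoneConfig | Out-Null

# Show the private IP assigned to the endpoint's NIC (compare with the nslookup result later).
$nic = Get-AzNetworkInterface -ResourceId $pe.NetworkInterfaces[0].Id
$nic.IpConfigurations[0].PrivateIpAddress
```

The private IP printed at the end is the address the private DNS zone will return for the web app; it should fall inside mySubnet (10.1.0.0/24), which is the check the connectivity test below performs from the virtual machine.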
Test connectivity to private endpoint
In this section, you'll use the virtual machine you created in the previous step to connect to the web app across the private endpoint.
Select Resource groups in the left-hand navigation pane.
Select CreatePrivateEndpointQS-rg.
Select myVM.
On the overview page for myVM, select Connect then Bastion.
Select the blue Use Bastion button.
Enter the username and password that you entered during the virtual machine creation.
Open Windows PowerShell on the server after you connect.
Enter nslookup <your-webapp-name>.azurewebsites.net. Replace <your-webapp-name> with the name of the web app you created in the previous steps. You'll receive a message similar to what is displayed below:

    Server:  UnKnown
    Address:  168.63.129.16

    Non-authoritative answer:
    Name:    mywebapp8675.privatelink.azurewebsites.net
    Address:  10.1.0.5
    Aliases:  mywebapp8675.azurewebsites.net

A private IP address of 10.1.0.5 is returned for the web app name. This address is in the subnet of the virtual network you created previously.
In the bastion connection to myVM, open Internet Explorer.
Enter the URL of your web app, https://<your-webapp-name>.azurewebsites.net.
You'll receive the default web app page if your application hasn't been deployed.
Close the connection to myVM.
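The nslookup and browser steps above verify the private path by eye. The following PowerShell function, added here as an example and not part of the quickstart, performs the same check programmatically from inside the Bastion session on myVM: it resolves the web app name, verifies that every returned address lies inside the virtual network's address space (10.1.0.0/16 in this quickstart; a public address would mean the private DNS zone is not in effect and traffic would take the public path), and then makes an HTTPS request over that path. Resolve-DnsName and Invoke-WebRequest are standard Windows PowerShell cmdlets; <your-webapp-name> is a placeholder.

```powershell
# Added example (not from the quickstart): run inside the Bastion session on myVM
# to confirm the web app resolves to the private endpoint and is reachable over it.
# Address ranges below are the quickstart's values; $WebAppName is a placeholder.

function ConvertTo-IPv4Integer {
    # IPv4 dotted string -> integer. Multiplication is used instead of shifts
    # to stay clear of PowerShell's signed/unsigned shift behaviour.
    param([string]$IPAddress)
    $b = ([System.Net.IPAddress]$IPAddress).GetAddressBytes()
    return ([uint64]$b[0] * 16777216) + ([uint64]$b[1] * 65536) + ([uint64]$b[2] * 256) + [uint64]$b[3]
}

function Test-IPv4InCidr {
    # True when $IPAddress falls inside the $Cidr network (e.g. 10.1.0.0/16).
    param([string]$IPAddress, [string]$Cidr)
    $network, $prefix = $Cidr -split '/'
    $mask = [uint64]4294967296 - [uint64][math]::Pow(2, 32 - [int]$prefix)
    return ((ConvertTo-IPv4Integer $IPAddress) -band $mask) -eq ((ConvertTo-IPv4Integer $network) -band $mask)
}

function Test-PrivateEndpointPath {
    param(
        [Parameter(Mandatory)][string]$WebAppName,
        [string]$VNetAddressSpace = '10.1.0.0/16'   # myVNet's range in this quickstart
    )
    $fqdn = "$WebAppName.azurewebsites.net"

    # Resolve-DnsName follows the CNAME into the privatelink zone and returns the
    # A record as its own object; keep only the A records.
    $aRecords = Resolve-DnsName -Name $fqdn -Type A -ErrorAction Stop |
        Where-Object { $_.Type -eq 'A' }
    if (-not $aRecords) { throw "No A record returned for $fqdn" }

    foreach ($record in $aRecords) {
        $ip = $record.IPAddress
        if (Test-IPv4InCidr -IPAddress $ip -Cidr $VNetAddressSpace) {
            Write-Output "OK: $fqdn -> $ip (inside $VNetAddressSpace, private endpoint in use)"
        } else {
            # A public address here means the VNet is not linked to the private
            # DNS zone, so the request would leave over the public path instead.
            Write-Warning "$fqdn -> $ip is outside $VNetAddressSpace; check the private DNS zone link"
        }
    }

    # The App Service certificate for *.azurewebsites.net is presented over the
    # private path too, so a plain HTTPS request needs no certificate override.
    $response = Invoke-WebRequest -Uri "https://$fqdn" -UseBasicParsing -ErrorAction Stop
    Write-Output "HTTP $($response.StatusCode) from https://$fqdn"
}

# Usage (replace the placeholder with your web app name):
# Test-PrivateEndpointPath -WebAppName '<your-webapp-name>'
```

If the function reports an address outside 10.1.0.0/16, the virtual machine is resolving the public App Service address; confirm that the privatelink.azurewebsites.net zone exists and is linked to myVNet before treating the HTTPS result as evidence that the private endpoint is in use.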
Clean up resources
If you're not going to continue to use this application, delete the virtual network, virtual machine, and web app with the following steps:
From the left-hand menu, select Resource groups.
Select CreatePrivateEndpointQS-rg.
Select Delete resource group.
Enter CreatePrivateEndpointQS-rg in TYPE THE RESOURCE GROUP NAME.
Select Delete.
Next steps
In this quickstart, you created a:
- Virtual network and bastion host.
- Virtual machine.
- Private endpoint for an Azure Web App.
You used the virtual machine to test connectivity securely to the web app across the private endpoint.
For more information on the services that support a private endpoint, see: