Using Private Endpoints


AZ-104 notes: Using Private Endpoints. Covers key concepts for the Azure Administrator Associate exam.

This lesson explains how to securely access Azure PaaS services using:

  • Azure Private Endpoint

Private Endpoints provide true private connectivity to Azure services by assigning them a private IP address inside your Virtual Network.

1️⃣ Why Private Endpoints Exist

Previously, with Service Endpoints:

  • Traffic stayed on the Microsoft backbone
  • But it still reached the service's public endpoint
  • Worked at subnet level
  • Applied to every resource of a service type (e.g., Microsoft.Storage), not to one specific instance

Private Endpoints solve:

  • Granular access to a specific service instance
  • Granular access to a specific sub-resource (Blob, File, etc.)
  • Private IP-based connectivity
  • Hybrid (on-prem) access
  • Stronger isolation

2️⃣ What a Private Endpoint Does

When you create a Private Endpoint:

  • Azure creates a Network Interface (NIC)
  • That NIC gets a private IP
  • The PaaS service is “projected” into your VNet

Now your architecture becomes:

  • VM → Private IP → Storage Blob

Instead of:

  • VM → Public Endpoint → Storage

It behaves as if the service lives inside your VNet.

3️⃣ Key Differences vs Service Endpoints

Exam tip:

If the question says:

  • “Assign private IP to storage” → Private Endpoint
  • “Subnet-level backbone routing only” → Service Endpoint

4️⃣ Sub-Resource Targeting (Very Important)

With a Private Endpoint, you select one target sub-resource of the service instance.

For Storage, the choices are:

  • Blob
  • File
  • Table
  • Queue
  • DFS
  • Web

Example: You can create a private endpoint for:

  • StorageAccount → Blob only

This gives granular control. Service Endpoints cannot do this.

5️⃣ Demonstration Summary

Steps performed:

  • Created a separate subnet: PrivateEndpointSubnet
  • Created a Private Endpoint from the Storage Account

Selected:

  • Resource type: Microsoft.Storage
  • Specific storage account
  • Sub-resource: Blob
  • Enabled Private DNS integration

Deployment created:

  • Network Interface
  • Private IP (e.g., 172.16.0.132)
  • Private DNS Zone
  • DNS record

Result: Storage Blob is now accessible via the private IP.

6️⃣ Private DNS Integration (Critical Concept)

When enabling Private Endpoint:

Azure automatically creates:

  • privatelink.blob.core.windows.net

DNS flow:

  • storageaccount.blob.core.windows.net → CNAME → storageaccount.privatelink.blob.core.windows.net → A record → Private IP

This ensures:

  • No application changes required
  • Same FQDN works
  • DNS resolves to the private IP internally

Without private DNS integration, you must manage DNS manually.

7️⃣ Hybrid Connectivity

Private Endpoint supports:

  • VNet
  • Peered VNets
  • On-prem via VPN Gateway
  • On-prem via ExpressRoute

This works because the service now has a private IP inside the VNet. This is a major advantage over Service Endpoints.

8️⃣ Security Benefits

Private Endpoints:

  • Remove exposure to the public endpoint
  • Allow disabling public network access
  • Support a zero-trust architecture
  • Prevent data exfiltration
  • Restrict access to specific VNets

Best practice: after creating the Private Endpoint, set Public network access = Disabled on the storage account.

9️⃣ Network Interface Creation

Every Private Endpoint creates:

  • A hidden NIC
  • With a private IP
  • In the chosen subnet

You can view it under:

  • Network Interface resource
  • Subnet connected devices

This NIC consumes an IP address from the subnet.

🔟 Subnet Considerations

You may:

  • Use existing subnet
  • Or create dedicated PrivateEndpointSubnet

Best practice: Create dedicated subnet for:

  • Better traffic control
  • Easier NSG management
  • Cleaner architecture

11️⃣ Advanced: Network Policies

By default, the Private Endpoint subnet disables:

  • Network Security Group policies
  • Route table policies

You can enable network policies if needed.

12️⃣ When to Use Private Endpoint

Use when:

  • High security requirement
  • Need private IP access
  • Need on-prem access
  • Want to disable the public endpoint
  • Zero-trust architecture

Use Service Endpoint when:

  • Simpler setup needed
  • No hybrid requirement
  • Moderate security sufficient

13️⃣ Troubleshooting Checklist

If the Private Endpoint is not working:

  • Check that the Private DNS zone is linked to the VNet
  • Verify correct sub-resource selected
  • Confirm VNet/subnet correct
  • Ensure public access disabled only after testing
  • Validate DNS resolution inside VM
  • Confirm hybrid routing if on-prem

14️⃣ Deep Architecture Understanding

Private Endpoint uses:

  • Azure Private Link

Private Link enables:

  • Private connectivity to Azure PaaS
  • Private connectivity to third-party services
  • Service providers publishing services privately

The Private Endpoint is the consumer side of Private Link.

15️⃣ Reference Documentation

  • Private Endpoint Overview
  • Private Link Architecture
  • DNS with Private Endpoints
  • Compare Service Endpoint vs Private Endpoint
  • Storage Private Endpoint

Exam Memory Hooks

  • Private Endpoint = Private IP for PaaS
  • Creates NIC in VNet
  • Supports hybrid
  • Granular sub-service selection
  • Requires private DNS integration

Final Conceptual Summary

Service Endpoint:

  • Subnet-level backbone routing
  • Still public endpoint

Private Endpoint:

  • True private IP
  • Instance-level isolation
  • Hybrid-ready
  • Strong security


Hands-on: Create a Private Endpoint for Storage

Goal: Access a storage account through a private IP in your VNet.

  1. Create a storage account.
  2. Create or use VNet az104-vnet with subnet private-endpoints-subnet.
  3. Open the storage account and choose Networking > Private endpoint connections.
  4. Create a private endpoint for the Blob subresource.
  5. Place it in private-endpoints-subnet.
  6. Integrate with a private DNS zone when prompted.
  7. Disable public network access on the storage account for a stricter test.
  8. From a VM in the VNet, resolve the storage account FQDN.
  9. Confirm it resolves to a private IP.
  10. Access the blob endpoint from inside the VNet.
  11. Try access from outside the VNet and confirm it is blocked.
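The portal walkthrough above and the demonstration in section 5 as an Azure CLI script. This is an added example, not the lesson's own material; the resource group, VNet, subnet and storage account names are assumptions, and the public-access lockdown is kept as a separate step so it runs only after DNS has been verified, as the checklist advises.

```shell
#!/bin/sh
# Added example, not from the lesson: the portal walkthrough as an Azure CLI script.
# Resource names below are assumptions; set them to match your environment.
set -eu
RG=${RG:-az104-rg}
VNET=${VNET:-az104-vnet}
SUBNET=${SUBNET:-private-endpoints-subnet}
STORAGE=${STORAGE:-az104storacct}   # placeholder storage account name

# Map a storage sub-resource (the --group-id) to the Private DNS zone clients query for it.
privatelink_zone_for() {
  case $1 in
    blob|file|table|queue|dfs|web) echo "privatelink.$1.core.windows.net" ;;
    *) echo "unsupported storage sub-resource: $1" >&2; return 1 ;;
  esac
}

# Creates the endpoint for one sub-resource of one account and wires up private DNS.
deploy_private_endpoint() {
  sub=$1
  zone=$(privatelink_zone_for "$sub")
  pe="pe-$STORAGE-$sub"
  # Endpoint NICs ignore NSG/UDR unless network policies are enabled; set it explicitly.
  az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$SUBNET" \
    --private-endpoint-network-policies Disabled
  # One specific account, one sub-resource: the granularity Service Endpoints lack.
  sa_id=$(az storage account show -g "$RG" -n "$STORAGE" --query id -o tsv)
  az network private-endpoint create -g "$RG" -n "$pe" --vnet-name "$VNET" --subnet "$SUBNET" \
    --private-connection-resource-id "$sa_id" --group-id "$sub" --connection-name "conn-$sub"
  # Private DNS zone linked to the VNet so <account>.privatelink.<sub>.core.windows.net resolves there.
  az network private-dns zone create -g "$RG" -n "$zone"
  az network private-dns link vnet create -g "$RG" -z "$zone" -n "link-$VNET" \
    --virtual-network "$VNET" --registration-enabled false
  # Zone group: Azure creates and maintains the A record for the endpoint's private IP.
  az network private-endpoint dns-zone-group create -g "$RG" --endpoint-name "$pe" \
    -n default --private-dns-zone "$zone" --zone-name "$sub"
  az network private-endpoint show -g "$RG" -n "$pe" --query "customDnsConfigs[].ipAddresses" -o tsv
}

# Run only after DNS resolution from a VM in the VNet has been verified.
lock_public_access() {
  az storage account update -g "$RG" -n "$STORAGE" --public-network-access Disabled
}

case ${1:-} in
  deploy)   deploy_private_endpoint "${2:?usage: $0 deploy <blob|file|table|queue|dfs|web>}" ;;
  lockdown) lock_public_access ;;
esac
```

Run `sh pe.sh deploy blob`, test resolution from a VM, then `sh pe.sh lockdown`.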

Hands-on: Check Private DNS Integration

  1. Open the private DNS zone created for Blob, usually privatelink.blob.core.windows.net.
  2. Confirm an A record exists for the storage account.
  3. Open the VNet links and confirm your VNet is linked.
  4. From a VM, run nslookup <storage-account>.blob.core.windows.net.
  5. Confirm the answer points to the private endpoint IP.
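An added example (not from the lesson) for the DNS check above and the checklist in section 13: a shell function that classifies nslookup output captured on a VM into the working case, the unlinked-zone case and the no-endpoint case. The account name mystorage, the public-endpoint hostname and the sample output are constructed.

```shell
#!/bin/sh
# Added example, not from the lesson: classify nslookup output captured on a VM in the
# VNet so the DNS step of the checklist gives a definite answer. Samples are constructed.

# 0 if the dotted quad is RFC 1918 private space (10/8, 172.16/12, 192.168/16), else 1.
is_private_ipv4() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  [ "$1" -eq 10 ] && return 0
  [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && return 0
  [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0
  return 1
}

# Prints one of: private (endpoint DNS path works), public (privatelink CNAME seen but the
# answer is a public IP: zone not linked to this VNet or A record missing), no-privatelink
# (no CNAME through privatelink: wrong sub-resource or no endpoint on this account).
check_pe_resolution() {
  out=$1
  case $out in
    *privatelink.blob.core.windows.net*) ;;
    *) echo no-privatelink; return 0 ;;
  esac
  # Only "Address:" lines after "Name:" are answers; the first ones describe the resolver.
  answer=$(printf '%s\n' "$out" | awk '/^Name:/{seen=1} seen && /^Address:/{print $2}' | tail -n 1)
  if is_private_ipv4 "$answer"; then echo private; else echo public; fi
}

# Constructed sample: what a VM sees when the private DNS zone is linked to its VNet.
SAMPLE_LINKED='Server:  168.63.129.16
Address: 168.63.129.16#53

Non-authoritative answer:
mystorage.blob.core.windows.net canonical name = mystorage.privatelink.blob.core.windows.net.
Name:    mystorage.privatelink.blob.core.windows.net
Address: 172.16.0.132'

# Constructed sample: zone not linked, so public DNS follows privatelink on to the public endpoint.
SAMPLE_UNLINKED='Server:  168.63.129.16
Address: 168.63.129.16#53

Non-authoritative answer:
mystorage.blob.core.windows.net canonical name = mystorage.privatelink.blob.core.windows.net.
mystorage.privatelink.blob.core.windows.net canonical name = blob.example-cluster.store.core.windows.net.
Name:    blob.example-cluster.store.core.windows.net
Address: 203.0.113.10'

printf 'linked:   %s\nunlinked: %s\n' \
  "$(check_pe_resolution "$SAMPLE_LINKED")" "$(check_pe_resolution "$SAMPLE_UNLINKED")"
```

On a real VM, feed it live output with `check_pe_resolution "$(nslookup mystorage.blob.core.windows.net)"`; a result of public means the zone link or A record is missing, not the endpoint itself.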
