## What is a Private Endpoint?

A Private Endpoint in Azure allows you to connect to Azure services (like Storage, SQL, Cosmos DB, etc.) over a private IP address inside your Azure Virtual Network (VNet), instead of using the public internet.

Think of it as a private IP address for an Azure service. This ensures:

- No traffic goes over the internet
- Improved security (zero public exposure)
- You can apply NSG, firewall, and custom routing
## When to Use Private Endpoints?

| Scenario | Private Endpoint Recommended? |
|---|---|
| Critical data (PII, financial, healthcare) | Yes |
| Internal line-of-business apps | Yes |
| Public APIs serving global customers | No — consider public endpoint |
| Hybrid network (on-premises + Azure) | Yes |
| Regulatory/compliance (GDPR, HIPAA, PCI) | Yes |
Common Use Cases:

- Azure Storage Account
- Azure SQL Database
- Azure Cosmos DB
- Azure App Services (via Private Link)
- Azure Key Vault
## Step-by-Step Example: Secure a Storage Account with Private Endpoint

### a) Prerequisites

- Azure Subscription
- Existing Virtual Network (VNet)
- Existing Storage Account

### b) Architecture Diagram

```
Client in Azure VNet → Subnet (10.0.1.0/24) → Private Endpoint with private IP (e.g. 10.0.1.5) → Storage Account
```
### c) Step 1: Create a Private Endpoint

CLI Example:

```bash
# Variables
RG_NAME="demo-rg"
VNET_NAME="demo-vnet"
SUBNET_NAME="demo-subnet"
STORAGE_NAME="mystorageaccountxyz"

# Resource ID of the storage account the private endpoint will target
STORAGE_ID=$(az storage account show \
  --name "$STORAGE_NAME" \
  --resource-group "$RG_NAME" \
  --query id -o tsv)

# Create the private endpoint for the blob sub-resource (--group-id blob)
az network private-endpoint create \
  --resource-group "$RG_NAME" \
  --name pe-storage \
  --vnet-name "$VNET_NAME" \
  --subnet "$SUBNET_NAME" \
  --private-connection-resource-id "$STORAGE_ID" \
  --group-id blob \
  --connection-name pe-conn-storage
```
### d) Step 2: Create Private DNS Zone

```bash
# Create the private DNS zone for blob storage
az network private-dns zone create \
  --resource-group "$RG_NAME" \
  --name "privatelink.blob.core.windows.net"

# Link the DNS zone with your VNet (auto-registration off: the record is added by hand below)
az network private-dns link vnet create \
  --resource-group "$RG_NAME" \
  --zone-name "privatelink.blob.core.windows.net" \
  --name "dns-link-storage" \
  --virtual-network "$VNET_NAME" \
  --registration-enabled false

# Add an A record for the storage account: look up the private endpoint's NIC and its private IP
PE_NIC_ID=$(az network private-endpoint show \
  --name pe-storage \
  --resource-group "$RG_NAME" \
  --query "networkInterfaces[0].id" -o tsv)
PE_IP=$(az network nic show --ids "$PE_NIC_ID" \
  --query "ipConfigurations[0].privateIPAddress" -o tsv)
az network private-dns record-set a create \
  --name "$STORAGE_NAME" \
  --zone-name "privatelink.blob.core.windows.net" \
  --resource-group "$RG_NAME"
# `record-set a create` only makes an empty record set; `add-record` attaches the address
az network private-dns record-set a add-record \
  --record-set-name "$STORAGE_NAME" \
  --zone-name "privatelink.blob.core.windows.net" \
  --resource-group "$RG_NAME" \
  --ipv4-address "$PE_IP"
```

Tip: the zone link and A record are auto-managed if you create the private endpoint through the Azure Portal Private Link center.
### e) Step 3: Restrict Public Network Access

```bash
az storage account update \
  --name "$STORAGE_NAME" \
  --resource-group "$RG_NAME" \
  --default-action Deny
```

Now only traffic arriving through the private endpoint in the VNet is allowed!
## Testing with Private IP Only

### a) From a VM inside the VNet

```bash
# nslookup should resolve to the private IP
nslookup mystorageaccountxyz.blob.core.windows.net

# Test connectivity
curl https://mystorageaccountxyz.blob.core.windows.net
```

### b) From outside the VNet (should fail)

```bash
# From your laptop or any public IP
curl https://mystorageaccountxyz.blob.core.windows.net
```

Expected: access denied or timeout.
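The two manual checks above can be turned into a repeatable test. The script below is an added example, not code from the original post: it parses `nslookup` output for the storage account's FQDN, checks whether the answered address is an RFC 1918 address (the private endpoint) or a public one (the service's internet-facing IP), and fails when a client that should be inside the VNet gets the public answer. The FQDN, the two `nslookup` transcripts used for the self-test, and the public address `20.60.0.1` are constructed for illustration; `10.0.1.5` is the private endpoint address from the diagram, and `168.63.129.16` is Azure's VNet DNS resolver.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a storage account's
# blob FQDN resolves to the private endpoint, not the public service IP.
set -eu

# Return 0 when $1 is an RFC 1918 IPv4 address (10/8, 172.16/12, 192.168/16).
is_private_ipv4() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  case "$1" in
    10) return 0 ;;
    172) if [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then return 0; fi ;;
    192) if [ "$2" -eq 168 ]; then return 0; fi ;;
  esac
  return 1
}

# Print the address answered for the queried name from nslookup output on stdin.
# The resolver's own "Address:" line comes before "Name:", so only the
# "Address:" line that follows a "Name:" line is printed.
first_answer_ip() {
  awk '/^Name:/ {found = 1; next} found && /^Address:/ {print $2; exit}'
}

# Classify a resolved address as "private-endpoint" or "public".
classify_ip() {
  if is_private_ipv4 "$1"; then echo private-endpoint; else echo public; fi
}

# Live check: resolve the FQDN with nslookup and fail unless the answer is private.
# Usage: check_private_resolution mystorageaccountxyz.blob.core.windows.net
check_private_resolution() {
  fqdn=$1
  ip=$(nslookup "$fqdn" | first_answer_ip)
  [ -n "$ip" ] || { echo "no A record answered for $fqdn" >&2; return 2; }
  echo "$fqdn -> $ip ($(classify_ip "$ip"))"
  is_private_ipv4 "$ip"
}

# Constructed sample of nslookup output from a VM inside the VNet once the
# privatelink zone is linked: the CNAME chain ends at the private endpoint.
SAMPLE_INSIDE='Server:         168.63.129.16
Address:        168.63.129.16#53

Non-authoritative answer:
mystorageaccountxyz.blob.core.windows.net       canonical name = mystorageaccountxyz.privatelink.blob.core.windows.net.
Name:   mystorageaccountxyz.privatelink.blob.core.windows.net
Address: 10.0.1.5'

# Constructed sample from outside the VNet: the public CNAME chain ends at a
# public Azure Storage IP (20.60.0.1 is a placeholder, not a real endpoint).
SAMPLE_OUTSIDE='Server:         1.1.1.1
Address:        1.1.1.1#53

Non-authoritative answer:
mystorageaccountxyz.blob.core.windows.net       canonical name = blob.xyz.store.core.windows.net.
Name:   blob.xyz.store.core.windows.net
Address: 20.60.0.1'

# With an FQDN argument run the live check; otherwise demonstrate on the samples.
if [ $# -gt 0 ]; then
  check_private_resolution "$1"
else
  ip=$(printf '%s\n' "$SAMPLE_INSIDE" | first_answer_ip)
  echo "inside VNet:  $ip -> $(classify_ip "$ip")"
  ip=$(printf '%s\n' "$SAMPLE_OUTSIDE" | first_answer_ip)
  echo "outside VNet: $ip -> $(classify_ip "$ip")"
fi
```

Run it with the FQDN as the argument from a VM in the VNet; a non-zero exit means the VNet is still resolving the public address, which usually points at a missing zone link or a missing A record in `privatelink.blob.core.windows.net`. Keep in mind that `--default-action Deny` in Step 3 only changes the storage firewall's default: explicit IP or virtual-network rules and the trusted-services bypass still admit traffic, and the public name keeps resolving from outside. To turn the public endpoint off entirely, also set `--public-network-access Disabled` on the storage account.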
## Summary

- Private Endpoints help you securely access Azure services inside your VNet
- No public IP needed
- Great for internal, sensitive, or regulated workloads
- Works across Azure Storage, SQL, Cosmos DB, Key Vault, App Services, and more
Top comments (1)
nice article
Try to use the code formatting for Azure CLI code for a better reading