DEV Community

kasi suresh
kasi suresh

Posted on

Azure Private Endpoints for Secure Networking

What is a Private Endpoint?#

A Private Endpoint in Azure allows you to connect to Azure services (like Storage, SQL, CosmosDB, etc.) over a private IP inside your Azure Virtual Network (VNet), instead of using the public internet.

Think of it as a private IP address for an Azure service. This ensures:

No traffic goes over the internet
Improved security (zero public exposure)
You can apply NSG, firewall, and custom routing
When to Use Private Endpoints?

Scenario Private Endpoint Recommended?
Critical data (PII, financial, healthcare) Yes
Internal line-of-business apps Yes
Public APIs serving global customers No — consider public endpoint
Hybrid network (on-premises + Azure) Yes
Regulatory/compliance (GDPR, HIPAA, PCI) Yes
Common Use Cases:

Azure Storage Account
Azure SQL Database
Azure Cosmos DB
Azure App Services (via Private Link)
Azure Key Vault
Step-by-Step Example: Secure a Storage Account with Private Endpoint

a) Prerequisites

Azure Subscription
Existing Virtual Network (VNet)
Existing Storage Account
b) Architecture Diagram

Azure VNet → Subnet (10.0.1.0/24) → Private IP (e.g. 10.0.1.5) for Storage Account → Private Endpoint → VNet

c) Step 1: Create a Private Endpoint

CLI Example:

Variables

RG_NAME="demo-rg"
VNET_NAME="demo-vnet"
SUBNET_NAME="demo-subnet"
STORAGE_NAME="mystorageaccountxyz"

Create Private Endpoint

az network private-endpoint create \
--resource-group $RG_NAME \
--name pe-storage \
--vnet-name $VNET_NAME \
--subnet $SUBNET_NAME \
--private-connection-resource-id $(az storage account show --name $STORAGE_NAME --query id -o tsv) \
--group-id blob \
--connection-name pe-conn-storage

d) Step 2: Create Private DNS Zone

az network private-dns zone create \
--resource-group $RG_NAME \
--name "privatelink.blob.core.windows.net"

Link the DNS zone with your VNet

az network private-dns link vnet create \
--resource-group $RG_NAME \
--zone-name "privatelink.blob.core.windows.net" \
--name "dns-link-storage" \
--virtual-network $VNET_NAME \
--registration-enabled false

Add A record for Storage Account

az network private-dns record-set a create \
--name $STORAGE_NAME \
--zone-name "privatelink.blob.core.windows.net" \
--resource-group $RG_NAME
Tip: Auto-managed if you use Azure Portal Private Link center.

e) Step 3: Restrict Public Network Access
az storage account update \
--name $STORAGE_NAME \
--resource-group $RG_NAME \
--default-action Deny
Now, only traffic from the private endpoint in VNet is allowed!
Testing with Private IP Only

a) From VM inside VNet

nslookup should resolve to private IP

nslookup mystorageaccountxyz.blob.core.windows.net

Test connectivity

curl https://mystorageaccountxyz.blob.core.windows.net
b) From outside VNet (should fail)

From your laptop or public IP

curl https://mystorageaccountxyz.blob.core.windows.net

Expected: Access denied or timeout

Summary

Private Endpoints help you securely access Azure services inside your VNet
No public IP needed
Great for internal, sensitive, or regulated workloads
Works across Azure Storage, SQL, CosmosDB, Key Vault, App Services, and more

Top comments (1)

Collapse
 
omiossec profile image
Olivier Miossec

nice article
Try to use the code formatting for Azure CLI code for a better reading