Azure Networking – #11 – Azure Private Link


One of the things that we have to stay on top of constantly in IT is security. This is of course true in the cloud as well, and in Azure our basic layer of security revolves around our virtual network. Each network in Azure creates an isolation boundary, but over time things have grown more and more complex in the cloud, so we've had to add more and more services to accommodate that. As the world extends from IaaS into PaaS services, we need to be able to link the two together in a way that gives us the layer of security we need, so that we don't have issues like data exfiltration. So we're going to talk about network security for a little bit here as we zone in on Azure Private Link. I'm Dean Cefola and this is the Azure Academy.

There's a lot of services that we need to cover so you can understand how Private Link fits into the ecosystem of Azure, so let's jump into our docs and get started. In our docs page we'll go to Products, then go down the table of contents to Networking, and at the bottom here we see Private Link. In the table of contents we'll click the link for "What is Private Link?".

This diagram is going to help us out. We have platform-as-a-service items in Azure: things like Azure Database, Cosmos DB, Key Vault, Azure Storage, etc. All of these services have internet-facing endpoints, so when you want to talk to Azure Storage you're actually communicating with the internet endpoint of that storage. After some feedback from customers we found that everyone wanted a secure way to get there from Azure directly, without having to go down and around out through the internet. So we came up with a technology called service endpoints. That is something you set up on your virtual network for every subnet that you want doing this, and you can have the service basically hairpin the traffic through Azure's secure network address translation to go to the service. It still hits the public-facing endpoint, but it does so from Azure directly, on our backbone.

Private Link is different. It actually takes that service and projects a virtual network card inside your network, and you get an actual IP address, in this case 10.1.1.10, for this Azure service. So when I want to hit this Azure service now, I can't go to the public internet endpoint; the only way to get there is from this internal network IP address. That works out just fine in normal Azure routing, because my spokes know how to route to it and my on-prem knows how to route to it. All I have to do is hit this private IP address and I get to that service.

So let's take a look at this inside the Azure portal. In the portal, at the top, we're going to search for the word "private" and then click on Private Link. This is the Private Link Center, and down at the bottom we've got three different options to help us get started. The first would be to connect to existing resources with a private link, then to build new resources with a private link, or to expose resources so that others can get to them. When we do this last one, they must be behind a standard Azure load balancer. We'll get into all three of these scenarios. Over on the left side we've got our pending connections (this will become more important in a few minutes), our private endpoints themselves, the private link service, and then the different resources that can be enabled at the moment; more of these will be coming over time.

So let's start building. Our first Start button here is to build a private connection to resources that already exist, so let's start there. In my subscription I'll select the resource group where I've got my stuff, and then we'll give it a name; I'll call it private key vault 01. We'll go to the resources and select our resource type of a key vault, and then select our key vault that is in the private link resource group, which is called private vault 01. This sub-resource is the specific kind of resource that this private endpoint will be able to access, in this case a vault. Then we'll hit Next for our configuration, and we now have to attach it to a subnet in a virtual network, so I'll use my DMZ subnet for this. Now we have an additional option where we can integrate this with Azure Private DNS. If you choose not to, you just toggle this to No, but I'll leave this on Yes, and it's going to spin up a new zone for us called privatelink.vaultcore.azure.net. We'll hit Next and add the appropriate tags: we've added one for our cost center so we know who's paying for this, our application here is Private Link, we're in a lab environment, and we're doing this for the IT department. We'll hit Next, and we have the ability to review what it is that we're going to create. We can also check our ARM template to see what that all looks like; we have three resources that will be provisioned here, and you can save that template for later use. Then we'll hit Create.

In the Private Link Center, let's see what we've got. We've got a new private endpoint here for our key vault, and if you click on that it takes you to the private link directly. Then under our particular kind of resource we go to Key Vault, and we can see our vault here, which we can click on to get into the vault itself.

Back in the overview screen, let's go to the second Start button. This will allow us to provision resources with the private link enabled, so let's provision an Azure SQL database. We'll put it in a resource group of private link and give it a name; we'll call it private SQL DB 01. I'm creating a new SQL server for this, and I've set the compute to serverless. Hit Next, and now we have our network access. Our options here are no network access, turn on our public endpoint, or use our private link endpoint. It will add the private endpoint here, and I'll just call this private access 0. For our sub-resource type we only have the choice of a SQL server, and we'll put this on our DMZ as well, and create a new DNS zone for this, which will be privatelink.database.windows.net. We'll hit OK and then Next, leave our additional settings as default, and go to our tags. Our cost center is here so we know who's paying for this, it's a Private Link application in the lab, and this time our business unit is the accounting department. We'll hit Next, and of course we can review our ARM template as well; you can save that one for yourself. Then we'll hit Create.
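The portal wizard above produces three resources (the private endpoint, the privatelink.* DNS zone with its VNet link, and the DNS zone group that registers the endpoint's A record). The following is an added example, not the video's own script, that creates the same three resources with the Az PowerShell modules and reuses one function for both the existing key vault (scenario 1) and the SQL server (scenario 2). The resource group, VNet, subnet, vault and server names are assumptions for this lab.

```powershell
# Added example, not from the video: private endpoint + Private DNS integration via Az PowerShell.
# Assumed names: resource group "private-link", VNet "lab-vnet", subnet "DMZ",
# key vault "privatevault01", SQL server "private-sql-01".
# Requires Az.Network, Az.PrivateDns, Az.KeyVault and Az.Sql; run Connect-AzAccount first.

function New-LabPrivateEndpoint {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $VNetName,
        [Parameter(Mandatory)] [string] $SubnetName,
        [Parameter(Mandatory)] [string] $EndpointName,
        [Parameter(Mandatory)] [string] $TargetResourceId,  # ARM ID of the vault, SQL server, storage account...
        [Parameter(Mandatory)] [string] $GroupId,           # sub-resource: vault, sqlServer, file, ...
        [Parameter(Mandatory)] [string] $DnsZoneName        # the matching privatelink.* zone
    )

    $vnet   = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroupName -Name $VNetName
    $subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName

    # 1. Which sub-resource of the target gets projected into the VNet.
    $conn = New-AzPrivateLinkServiceConnection -Name "$EndpointName-conn" `
        -PrivateLinkServiceId $TargetResourceId -GroupId $GroupId

    # 2. The private endpoint: this is what owns the NIC and the private IP in the subnet.
    $pe = New-AzPrivateEndpoint -ResourceGroupName $ResourceGroupName -Name $EndpointName `
        -Location $vnet.Location -Subnet $subnet -PrivateLinkServiceConnection $conn

    # 3. Private DNS zone linked to the VNet. Without it, clients inside the network keep
    #    resolving the service's public endpoint and never use the private IP.
    $zone = Get-AzPrivateDnsZone -ResourceGroupName $ResourceGroupName -Name $DnsZoneName -ErrorAction SilentlyContinue
    if (-not $zone) {
        $zone = New-AzPrivateDnsZone -ResourceGroupName $ResourceGroupName -Name $DnsZoneName
        New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $ResourceGroupName -ZoneName $DnsZoneName `
            -Name "$VNetName-link" -VirtualNetworkId $vnet.Id | Out-Null
    }

    # 4. The zone group makes the endpoint register and maintain its own A record in that zone.
    $zoneConfig = New-AzPrivateDnsZoneConfig -Name 'config1' -PrivateDnsZoneId $zone.ResourceId
    New-AzPrivateDnsZoneGroup -ResourceGroupName $ResourceGroupName -PrivateEndpointName $EndpointName `
        -Name 'default' -PrivateDnsZoneConfig $zoneConfig | Out-Null

    return $pe
}

# Scenario 1 from the video: an existing key vault (sub-resource "vault").
$kv = Get-AzKeyVault -ResourceGroupName 'private-link' -VaultName 'privatevault01'
New-LabPrivateEndpoint -ResourceGroupName 'private-link' -VNetName 'lab-vnet' -SubnetName 'DMZ' `
    -EndpointName 'private-keyvault-01' -TargetResourceId $kv.ResourceId `
    -GroupId 'vault' -DnsZoneName 'privatelink.vaultcore.azure.net'

# Same pattern for the SQL server from scenario 2 (sub-resource "sqlServer").
$sql = Get-AzSqlServer -ResourceGroupName 'private-link' -ServerName 'private-sql-01'
New-LabPrivateEndpoint -ResourceGroupName 'private-link' -VNetName 'lab-vnet' -SubnetName 'DMZ' `
    -EndpointName 'private-sql-01-pe' -TargetResourceId $sql.ResourceId `
    -GroupId 'sqlServer' -DnsZoneName 'privatelink.database.windows.net'
```

The zone is created once and reused, because every private endpoint for the same service type (all key vaults, all SQL servers) shares the same privatelink.* zone in a given VNet; the per-endpoint piece is the zone group, which is what keeps the A record correct if the endpoint is ever recreated.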
Our SQL server has finished building, and we have the same types of resources as before: now we've got our network card that has our IP address, our private DNS zone, a private endpoint, and of course our SQL server and SQL database. Let's go back to the Private Link Center. Under our private endpoints we can see we've got our SQL, our key vault, and in the background I added one for our storage account, for Azure Files. They're all located in that DMZ subnet, and of course we can look at each one of them individually, just like we did the key vault. So that's going through and provisioning Private Link on top of resources that already exist, or creating new resources with Private Link enabled.

That brings us to the third scenario: exposing services of our own that Private Link can use. This does need to be behind a standard load balancer, and this is where we get into the private link service and pending connections, so let's see how this goes. We need to provision a resource again, in our resource group, and we'll put that in East US. We'll hit Next for our outbound settings, and here is where we select our load balancer, then our load balancer front-end IP, as well as the NAT information. If we mouse over the tooltip here: this is the subnet where the NAT IP will be allocated to your service, so we want this in the DMZ. In the next section, for the private IP allocation, we have the option of setting a static number of IPs, or we can let the allocation be dynamic. It depends on what kind of service you're hosting as to which path you would choose; I'm doing a website, so I don't know what the number of connections is going to be, so I'll leave it at dynamic.

We'll hit Next for our security, and now we have to decide how our consumers will be getting access to this. We can do this by RBAC, by anyone using my alias, or by this third option, which I'll be choosing, because it gives me the option to control things at a subscription level, as you'll see in a second. So we need to add the subscriptions that we want to give access to here; if you have multiple, separate them by a comma. I've added three subscriptions here and we'll hit OK. Even though I entered all subscription IDs, because my login is directly tied to these two subscriptions it resolves their names. Now I'm going to set this subscription, where I'm hosting the service, to auto-approve, but these other two I'm going to not auto-approve, so we can see what both experiences look like.

We'll hit Next, and then we need to add our tags; the unique one here is that we've created a new business unit for the sales team. We'll just hit Next, and you can review everything on the list and also look at our ARM template, which we'll do because this is something different. The resource that we're provisioning here is the private link service, and that will then add explicit visibility to my private link endpoint for these particular subscriptions, with this one in particular being set to auto-approve. Then it gives us our load balancer config that we entered, and then updates our Azure subnet here to build our new private link, just like we did in the other ones. So we'll hit Create.
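The provider-side setup just described (standard load balancer front end, NAT IP configuration in the DMZ, visibility restricted to a subscription list, auto-approval only for the hosting subscription) and the approval queue it feeds are shown below as an added example, not the video's own script, using the Az PowerShell cmdlets. The resource group, load balancer, VNet and subnet names are assumptions, and the subscription IDs are placeholders; the consumer-side creation of an endpoint from the alias is left to the portal steps in the video.

```powershell
# Added example, not from the video: private link service with subscription-scoped visibility,
# then the provider's approve/deny loop for pending consumer connections.
# Assumed names: resource group "private-link", load balancer "web-lb", VNet "lab-vnet", subnet "DMZ".
# Requires Az.Network; run Connect-AzAccount in the hosting subscription first.

$rg           = 'private-link'
$hostingSub   = '00000000-0000-0000-0000-000000000001'   # placeholder: subscription hosting the service
$consumerSubs = @('00000000-0000-0000-0000-000000000002',  # placeholders: subscriptions allowed to connect
                  '00000000-0000-0000-0000-000000000003')

$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'lab-vnet'
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'DMZ'
$lb     = Get-AzLoadBalancer -ResourceGroupName $rg -Name 'web-lb'

# NAT IP configuration: consumer traffic is source-NATed to an address from this subnet before it
# reaches the backend. Leaving PrivateIpAddress unset gives the dynamic allocation used in the video.
$natIp = New-AzPrivateLinkServiceIpConfig -Name 'nat-ip-1' -Subnet $subnet -Primary

# Visibility = who can even see and request the service; AutoApproval = whose requests skip the queue.
# Everyone else on the visibility list lands in Pending connections and needs a human decision.
$pls = New-AzPrivateLinkService -ResourceGroupName $rg -Name 'web-pls' -Location $vnet.Location `
    -LoadBalancerFrontendIpConfiguration $lb.FrontendIpConfigurations[0] `
    -IpConfiguration $natIp `
    -Visibility (@($hostingSub) + $consumerSubs) `
    -AutoApproval @($hostingSub)

# The alias is the value a consumer pastes into "resource ID or alias" when creating their endpoint.
"Alias to hand to consumers: $($pls.Alias)"

function Get-PendingPlsConnection {
    # Returns the consumer requests still waiting in the Pending connections blade.
    param([string] $ResourceGroupName, [string] $ServiceName)
    Get-AzPrivateEndpointConnection -ResourceGroupName $ResourceGroupName -ServiceName $ServiceName |
        Where-Object { $_.PrivateLinkServiceConnectionState.Status -eq 'Pending' }
}

foreach ($c in Get-PendingPlsConnection -ResourceGroupName $rg -ServiceName 'web-pls') {
    # The consumer's private endpoint ID carries their subscription: /subscriptions/<id>/resourceGroups/...
    $consumerSub = ($c.PrivateEndpoint.Id -split '/')[2]
    if ($consumerSubs -contains $consumerSub) {
        Approve-AzPrivateEndpointConnection -ResourceId $c.Id -Description 'Approved by provider'
    } else {
        Deny-AzPrivateEndpointConnection -ResourceId $c.Id -Description 'Subscription not on the allow list'
    }
}
```

Checking the requesting subscription against your own list before approving is the step the portal leaves to you; the visibility setting only limits who can ask, so the approval loop is where the provider actually enforces who gets in.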
Back in the Private Link Center, we've got our private link service now set up here, and if we click on that we see the different items that are here: our private endpoint connections (we don't have any just yet), what our current network configuration is, and what our access policies are, if we need to change those. We also have up here the alias, and this is important: this is basically the token that we give to somebody which is going to give them access to our service.

So now that we've set up all these things, let's see them in action. We start off with our private link service. I've got a VM that's up and running; I'm in that third subscription that we added, and I've got my virtual machine here in another resource group, also called private link. I've built myself a virtual network where my resources are set up, and you can see our address space here is 100.0.0.0; we've got our VM here with a .68 IP address. If we look at the Private Link Center and go under our pending connections, we don't have anything: private endpoints, private link service, nothing in this environment is set up at present. I'm logged in here through Azure Bastion, and my VM that's hosting the web server is 12.0.0.68. When I open my web browser to that address, you can see that here is my website; so I'm on 12.0.0.68. Let me see if I can reach that from my other VM's environment. I'll open my web browser and go to 12.0.0.68, and you can see this does not work. Now I know you might be thinking, well, it's because the VNets aren't peered together, so you can't get there. Well, this is exactly the point, because this particular VM where I'm hosting the web server does not have a public internet endpoint at all. It's a private service, not hosted off the public internet, hosted behind Private Link in Azure. So I can't get there, but if I use the private link service, I can.

Back in the Private Link Center, where I have my private link service set up, I'll copy my alias and give it to my customer who I want to have access to my services. Then I'll go to create a new private endpoint. I'll put that in my private link resource group and give it a name; I'll call it "service I want to use". Hit Next for the resource, and here is where I select a resource ID or alias, and I can paste in the alias that I got from my vendor, and then I can write a message here. Then we hit Next, and we have to give this a place on our network, which we'll do in our DMZ. Then we'll hit Next and add the appropriate tags; to keep it simple we'll just add a "customer money" cost center tag, hit Next, and then hit Create.

Back in our customer's Private Link Center we go under private endpoints, and here is our target endpoint. If we click on that, this is an actual private endpoint in our subscription that is currently awaiting approval. So let's go back to our Private Link Center in our primary subscription and approve it. If we go under our pending connections, here it is, and it is awaiting approval. If we click on this we can hit Approve, which will then allow the service to have access. Now that it's been approved it disappears from our pending connections, but we can find it under the private link service. There is our private link endpoint connection, and we see here that our status is currently Approved; this service is ready to use. If we do want to get rid of this, we can click on the check box here and hit Reject or Remove, depending on what state we want that in.

Let's look at the customer experience. On the customer side we see that our state is now Approved as well. So now, in order to connect to this, we have to discover what the IP address is for our private link, and that shows here as 100.0.0.4. We're logged on to our Windows VM again; this is the VM in our consumer environment, and you can see that from our IP address here of 100.0.0.68, and the name of our VM is consumer VM 1. We want to connect now to our private link service. We can't use the web server's own IP, because that's inaccessible to us, but we can use the IP of our private endpoint in our consumer environment, and that was 100.0.0.4. So let's change our IP here, I'll make this fullscreen, and let's run that. And there we go, we are now looking at private VM 1: "Azure rocks". So that's the private link service.

Now let's take a look at the other two scenarios. One of the services that we spun up earlier was our SQL server, and we want to take a look at what this guy is doing. We'll go to our SQL database, and in the database we'll go to our connection strings. We just want to do a test here, so we'll do it quickly over ODBC. I've already downloaded the driver; this is my ODBC connector on my local system, and I've already made an entry here. I've named it private SQL, the description is private link, and we're going to connect to our Azure SQL Database. We click Next, and then I have to provide my credentials for SQL auth, and then we'll click Next. I'll check the box here to find the default database, and when we do we get a "connection failed" error, because we can't communicate with this. Now I do know the name of the database from online, so I'll just put that in here anyway. We'll hit Next, we can leave strong encryption enabled and just hit Finish, and then test our data source, and our connection fails again. So we cannot connect to our Azure SQL from here.

But from our bastion host, through our private link, we'll run the same ODBC connection, going to the same server. I'll put in the creds and we'll hit Next, and there is our database that I've already put in. If I hit the drop-down arrow here, it doesn't complain; we can see the master and the primary database. So I'll finish and test my data source, and the test is completed successfully. So we can get to it over our private link.

In our Private Link Center we had an Azure storage account that was set up. I'll open that and go to the file share, and I've got a private share here where I've got a couple of files. We'll click Connect, I'll copy this, and open it up in PowerShell. Here's my Windows File Explorer on my local computer, and I do not have a mapped network drive set up. We're going to map this to the Z: drive here, so if I try to go to the Z: drive it says that it's not a valid name. Then I can run these commands, and it still does not work. But I can go back to my bastion host, and again, just to show you that we do not have a mapped drive on this machine, I'll check it again through here and note that the drive does not exist. But I can run this command, and now the drive is mapped and I can get to my files.
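The three connectivity checks above (ODBC to SQL, SMB to Azure Files, and by extension HTTPS to the vault) all hinge on one thing: from inside the VNet the service's public FQDN must resolve to the private endpoint's address, while from the laptop it resolves to the public endpoint and the connection is refused. The following is an added example, not the video's own commands, that runs that check from the VM reached through Bastion, confirms the resolved address is in the DMZ range and the port answers, and only then maps the Z: drive. The service names, storage account and the 10.1.1.0/24 subnet range are assumptions.

```powershell
# Added example, not from the video: verify Private Link resolution and reachability from inside the VNet.
# Assumed names: key vault "privatevault01", SQL server "private-sql-01", storage account "privatelinkstor",
# file share "private", DMZ subnet 10.1.1.0/24. Runs on a Windows VM inside the VNet.

function ConvertTo-IpInt {
    # IPv4 dotted-quad -> integer, so CIDR membership is a mask comparison.
    param([string] $Ip)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return ([int64]$b[0] -shl 24) -bor ([int64]$b[1] -shl 16) -bor ([int64]$b[2] -shl 8) -bor [int64]$b[3]
}

function Test-InCidr {
    # True when $IPAddress lies inside $Cidr (IPv4 only).
    param([string] $IPAddress, [string] $Cidr)
    $net, $bits = $Cidr -split '/'
    $mask = [int64]((0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF)
    return (((ConvertTo-IpInt $IPAddress) -band $mask) -eq ((ConvertTo-IpInt $net) -band $mask))
}

function Test-PrivateLinkResolution {
    # Resolves the service FQDN, reports the CNAME (should land in a privatelink.* zone),
    # whether the A record is in the expected private range, and whether the port is open.
    param([string] $Fqdn, [string] $ExpectedCidr, [int] $Port)
    $answers = Resolve-DnsName -Name $Fqdn -Type A -ErrorAction Stop
    $cname   = ($answers | Where-Object Type -eq 'CNAME' | Select-Object -Last 1).NameHost
    $ip      = ($answers | Where-Object Type -eq 'A'     | Select-Object -First 1).IPAddress
    $tcp     = Test-NetConnection -ComputerName $ip -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Fqdn             = $Fqdn
        CName            = $cname
        ResolvedIp       = $ip
        PrivateLinkInUse = Test-InCidr -IPAddress $ip -Cidr $ExpectedCidr
        TcpOpen          = $tcp.TcpTestSucceeded
    }
}

$checks = @(
    @{ Fqdn = 'privatevault01.vault.azure.net';        Port = 443  }   # Key Vault over HTTPS
    @{ Fqdn = 'private-sql-01.database.windows.net';   Port = 1433 }   # Azure SQL (what the ODBC test needs)
    @{ Fqdn = 'privatelinkstor.file.core.windows.net'; Port = 445  }   # Azure Files over SMB
)
$results = $checks | ForEach-Object { Test-PrivateLinkResolution -Fqdn $_.Fqdn -Port $_.Port -ExpectedCidr '10.1.1.0/24' }
$results | Format-Table -AutoSize

# A row with PrivateLinkInUse = False means this client is still taking the public path, typically
# because the VNet is not linked to the privatelink.* zone or the VM uses a DNS server outside Azure.
$results | Where-Object { -not $_.PrivateLinkInUse } |
    ForEach-Object { Write-Warning "$($_.Fqdn) resolved to non-private address $($_.ResolvedIp)" }

# Map the share only once SMB to the private endpoint is confirmed; the key is prompted for, never stored in the script.
$files = $results | Where-Object Fqdn -like '*.file.core.windows.net'
if ($files.PrivateLinkInUse -and $files.TcpOpen) {
    $key  = Read-Host -Prompt 'Storage account key' -AsSecureString
    $cred = New-Object System.Management.Automation.PSCredential ('localhost\privatelinkstor', $key)
    New-PSDrive -Name Z -PSProvider FileSystem -Root "\\$($files.Fqdn)\private" -Credential $cred -Persist
}
```

Run the same script on the laptop and the expected result is the mirror image: the CName column shows no privatelink.* hop, PrivateLinkInUse is False for every row, and TcpOpen is False for SQL and Files (the service's firewall and the ISP's port 445 block), which is exactly the failure the ODBC and drive-mapping attempts showed.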
I hope that you've enjoyed looking at this video on Azure Private Link: how we can make our Azure services seem like private endpoints within our environment to make them more secure, and how we can also provide those services to our customers and other consumers as a way to increase your network security, while still being able to leverage those PaaS services. So if you thought that this video was good, please do click on the thumbs up and click on the subscribe button while you're down there, and join us here at the Azure Academy community. That does a few things: it basically lets the YouTube algorithm know that you're interested in our content, that you like it and it should be shared with others. It also helps us out, and it lets us know that you appreciate what it is we're doing here, as we just try to help you all learn more about Azure. If you have some comments about this video or a suggestion for a new topic, please give me some comments down below on that. This video was requested by several members in our community, so thanks very much for your feedback, and please let us know what else you'd like us to create for you, and we'll be happy to do that. Thanks very much for joining us, and we'll see you in the next video. Happy learning!
