How a private endpoint works
A private endpoint gives a PaaS service (here, Azure Storage) a private IP address inside your own virtual network, so clients in that network reach the service over the Azure backbone instead of through the service's public endpoint. Creating one deploys a network interface (NIC) in the subnet you choose, with an IP from that subnet, and, with the default DNS integration, a private DNS zone (privatelink.blob.core.windows.net for blob storage) linked to the virtual network so that the service's normal hostname resolves to that private IP from inside the network.
By default, a VM in a virtual network reaches a PaaS service through the service's public endpoint, which has a public IP and is reachable from any network, not only yours.
Communication without private endpoint
Once a private endpoint exists for the service, requests from the virtual network go to the private IP of the endpoint NIC and never leave the Azure backbone. Creating the endpoint does not by itself close the public endpoint; disable public network access on the storage account if the private path should be the only one.
Communication with private endpoint
Create infra without private endpoint
Let’s create a VM and Storage account and try to access the Storage account from the VM with/without a private endpoint.
- Create a virtual network named vnet-fygtech
- Example address space: 10.0.0.0/16
- Create a subnet in that virtual network named default
- Example CIDR: 10.0.1.0/24
- Create a virtual machine in that subnet named fygtechmachine
- Create a storage account named fygtechstorage
- Create a blob container named testblob1
- Upload a sample file, then from the VM run nslookup against the blob hostname (fygtechstorage.blob.core.windows.net, the host part of the uploaded file's URL).
The name resolves to a public IP (in the screenshot below, 52.239.***.195): without a private endpoint the VM always fetches files from the storage account through its public endpoint.
Create private endpoint
Navigate to the storage account, then Security + networking, then Networking.
Select the second tab, Private endpoint connections, and click + Private endpoint.
Fill in the mandatory fields
- Basics tab:
- Provide the resource group, the private endpoint name and the network interface name.
- Select the region. It must match the virtual network's region; otherwise that network is not offered for selection on the Virtual Network tab.
- Resource tab:
- Select the target sub-resource that should be reachable through the private endpoint.
- For this walkthrough select blob, since the file was uploaded to a blob container. A private endpoint covers one sub-resource; file, queue or table access would each need its own endpoint.
- Virtual Network tab:
- Select the existing virtual network and the subnet in which the endpoint's NIC should be created.
- Leave the remaining tabs at their defaults. The DNS tab defaults to integrating with a private DNS zone, so the deployment creates the private endpoint and its NIC in the chosen subnet, creates the zone privatelink.blob.core.windows.net, links it to the virtual network, and adds an A record that points the storage account's name at the NIC's private IP. That record is what makes the storage URL resolve internally.
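Everything the two procedures above do by hand, collected into one Bicep template as an added example (this is not the post's own code, it is written here to show how the pieces fit). Resource names follow the post; the API versions, the storage SKU, the endpoint and zone names, and the choice to disable public network access on the storage account are assumptions of this example. The VM is not included and is created as in the post.

```bicep
// Added example, not code from the original post: deploys the VNet, the storage
// account and a blob private endpoint with private DNS integration in one template.
// Resource names are the post's; API versions, SKU and hardening choices are assumptions.
param location string = resourceGroup().location // VNet and private endpoint must share a region
param vnetName string = 'vnet-fygtech'
param subnetName string = 'default'
param storageAccountName string = 'fygtechstorage'

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: vnetName
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    subnets: [
      {
        name: subnetName
        properties: { addressPrefix: '10.0.1.0/24' }
      }
    ]
  }
}

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: {
    minimumTlsVersion: 'TLS1_2'
    allowBlobPublicAccess: false
    // Beyond the post's steps: close the public endpoint so the private endpoint is the only path.
    publicNetworkAccess: 'Disabled'
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'None'
    }
  }
}

// The private endpoint: a NIC in the subnet that fronts the storage account's blob sub-resource.
resource pe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-${storageAccountName}-blob'
  location: location
  properties: {
    subnet: {
      id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, subnetName)
    }
    privateLinkServiceConnections: [
      {
        name: 'blob'
        properties: {
          privateLinkServiceId: storage.id
          groupIds: [ 'blob' ] // target sub-resource, as chosen on the Resource tab
        }
      }
    ]
  }
}

// Private DNS zone that overrides public resolution of *.blob.core.windows.net inside the VNet.
resource dnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.blob.${environment().suffixes.storage}'
  location: 'global'
}

resource dnsLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: dnsZone
  name: '${vnetName}-link'
  location: 'global'
  properties: {
    registrationEnabled: false
    virtualNetwork: { id: vnet.id }
  }
}

// Writes the A record <storageAccountName>.privatelink.blob.core.windows.net -> NIC private IP.
resource dnsZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: pe
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'blob'
        properties: { privateDnsZoneId: dnsZone.id }
      }
    ]
  }
}

output blobHostname string = '${storage.name}.blob.${environment().suffixes.storage}'
output privateEndpointNicId string = pe.properties.networkInterfaces[0].id
```

Deploy it with `az deployment group create --resource-group <rg> --template-file main.bicep`. Because the template disables public network access, the testblob1 container and the sample file have to be created from inside the virtual network (for example from the VM), or you deploy with publicNetworkAccess set to Enabled, upload, and then flip it to Disabled. The dnsZoneGroup resource is the template equivalent of accepting the default on the portal's DNS tab; without it the private endpoint exists but the storage hostname keeps resolving to the public IP.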
Once the deployment completes, run the same nslookup from the virtual machine.
In the screenshot below, the first run was done before the private endpoint existed, so the name resolved to a public IP. The second run was done after the private endpoint was created, so the name resolved to a private IP from the subnet, the address of the NIC created together with the private endpoint. What happens underneath is that fygtechstorage.blob.core.windows.net is a CNAME to fygtechstorage.privatelink.blob.core.windows.net, and inside the linked virtual network the private DNS zone answers that name with the NIC's IP. If the lookup still returns a public IP, the VM is not using Azure-provided DNS (168.63.129.16) or a custom DNS server that forwards to it, so the private zone is being bypassed and traffic is still going to the public endpoint.