As an Azure administrator or architect, you are sometimes asked the question: “How can we safely deploy internal business applications to Azure App Services?”
These applications characteristically:
- Are not accessible from the public internet.
- Are accessible from within the on-premises corporate network.
- Are accessible via an authorized VPN client from outside the corporate network.
For such scenarios, we can use Azure Private Link, which enables private and secure access to Azure PaaS services over Azure Private Endpoints, combined with a Site-to-Site VPN, a Point-to-Site VPN, or ExpressRoute. An Azure Private Endpoint is a read-only (platform-managed) network interface associated with an Azure PaaS service. It lets you bring a deployed site into your virtual network and restrict access to it at the network level.
The endpoint takes one of the private IP addresses from your Azure VNet and maps it to the App Service. Services reachable this way are called Private Link resources; they include Azure Storage, Azure Cosmos DB, Azure SQL, App Service Web Apps, your own or partner-owned services, Azure Backup, Event Grid, Azure Service Bus, and Azure Automation.
In this article, we will cover the following:
- How are the services secured using Private Endpoints?
- Key Features
- Securing App Services WebApp with Private Endpoint
- Create a Site-to-Site VPN
- Create App Services WebApp
- Test Connection
How are services secured using Private Endpoints?
When Private Endpoints are used for services and applications in Azure, incoming traffic is restricted to the specific Private Link resource that the endpoint maps to.
Network traffic flows in one direction, from the client to the resource, over the Microsoft backbone network. The platform validates every connection to the resource for access control.
Private Endpoints also add built-in exfiltration protection: because an endpoint maps to one specific resource instance, clients in the virtual network cannot use it to reach other resources hosted on the same Azure service.
Key Features of Azure Private Endpoints
Some of the key characteristics of Private Endpoints are as below:
- Secure Accessibility – Resources with Private Endpoints are accessible to consumers in the same virtual network, in regionally or globally peered virtual networks, and in on-premises networks connected through VPN or ExpressRoute.
- Unidirectional Connectivity – Network connections are unidirectional and are initiated by the consumers towards the Private Endpoint resource. Connections cannot be initiated from the Private Link resource to the consumers.
- Consistent IP Address – When a Private Endpoint is created for a resource, a private IP address from the virtual network is allocated to it. That address does not change and remains consistent throughout the lifecycle of the resource.
- Same Region Existence – The Private Endpoint must be deployed in the same region as the virtual network, whereas the Private Link resource can be deployed in a different region.
- Private Endpoint Limitations – Multiple Private Endpoints can be created within the same virtual network. There can be up to 1,000 Private Endpoints per virtual network and a maximum of 64,000 Private Endpoints per subscription.
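As an added example (not code from the original article), the following Bicep template wires a Private Endpoint to an existing App Service Web App and creates the private DNS zone so the app's hostname resolves to the endpoint's private IP from inside the VNet. It assumes the virtual network, subnet and web app already exist and are passed in as parameters; the resource names `pe-${webAppName}`, `plsc-${webAppName}` and `${vnetName}-link` are assumptions.

```bicep
param location string = resourceGroup().location
param vnetName string
param subnetName string
param webAppName string

// Existing network and web app (assumed to exist; names come from parameters)
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = { name: vnetName }
resource subnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' existing = {
  parent: vnet
  name: subnetName
}
resource webApp 'Microsoft.Web/sites@2022-09-01' existing = { name: webAppName }

// Private Endpoint: a platform-managed NIC in the subnet whose private IP fronts the web app.
// groupIds 'sites' selects the App Service sub-resource exposed over Private Link.
resource pe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-${webAppName}'
  location: location
  properties: {
    subnet: { id: subnet.id }
    privateLinkServiceConnections: [
      {
        name: 'plsc-${webAppName}'
        properties: { privateLinkServiceId: webApp.id, groupIds: [ 'sites' ] }
      }
    ]
  }
}

// Private DNS zone linked to the VNet so <app>.azurewebsites.net resolves to the private IP
resource dnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.azurewebsites.net'
  location: 'global'
}
resource dnsLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: dnsZone
  name: '${vnetName}-link'
  location: 'global'
  properties: { registrationEnabled: false, virtualNetwork: { id: vnet.id } }
}
// DNS zone group: the endpoint registers its A record in the zone automatically
resource dnsGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: pe
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [ { name: 'azurewebsites', properties: { privateDnsZoneId: dnsZone.id } } ]
  }
}
```

After deployment, verify from a VPN-connected client or a VM in the VNet that the app's hostname resolves to the endpoint's private IP (for example with nslookup), and confirm the web app's public network access setting matches your policy.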