Get started with Azure Private Link by using a private endpoint to connect securely to an Azure web app.
In this quickstart, you'll create a private endpoint for an Azure web app and then create and deploy a virtual machine (VM) to test the private connection.
You can create private endpoints for various Azure services, such as Azure SQL and Azure Storage.
Prerequisites
An Azure account with an active subscription. If you don't already have an Azure account, create an account for free.
An Azure web app with a PremiumV2-tier or higher app service plan, deployed in your Azure subscription.
For more information and an example, see Quickstart: Create an ASP.NET Core web app in Azure.
The example webapp in this article is named myWebApp1979. Replace the example with your webapp name.
If you choose to install and use PowerShell locally, this article requires the Azure PowerShell module version 5.4.1 or later. To find the installed version, run Get-Module -ListAvailable Az. If you need to upgrade, see Install the Azure PowerShell module. If you're running PowerShell locally, you also need to run Connect-AzAccount to create a connection with Azure.
Create a resource group
An Azure resource group is a logical container where Azure resources are deployed and managed.
Create a resource group with New-AzResourceGroup:
New-AzResourceGroup -Name 'CreatePrivateEndpointQS-rg' -Location 'eastus'
Create a virtual network and bastion host
A virtual network and subnet are required to host the private IP address of the private endpoint. You'll also create a bastion host so that you can connect securely to the test virtual machine without giving it a public IP address. You'll create the virtual machine in a later section.
In this section, you'll:
Create a virtual network with New-AzVirtualNetwork
Create subnet configurations for the backend subnet and the bastion subnet with New-AzVirtualNetworkSubnetConfig
Create a public IP address for the bastion host with New-AzPublicIpAddress
Create the bastion host with New-AzBastion
```powershell
## Configure the back-end subnet. ##
$subnetConfig = New-AzVirtualNetworkSubnetConfig -Name myBackendSubnet -AddressPrefix 10.1.0.0/24

## Create the Azure Bastion subnet (the name AzureBastionSubnet is mandatory). ##
$bastsubnetConfig = New-AzVirtualNetworkSubnetConfig -Name AzureBastionSubnet -AddressPrefix 10.1.1.0/24

## Create the virtual network. ##
$net = @{
    Name = 'myVNet'
    ResourceGroupName = 'CreatePrivateEndpointQS-rg'
    Location = 'eastus'
    AddressPrefix = '10.1.0.0/16'
    Subnet = $subnetConfig, $bastsubnetConfig
}
$vnet = New-AzVirtualNetwork @net

## Create the public IP address for the bastion host. ##
$ip = @{
    Name = 'myBastionIP'
    ResourceGroupName = 'CreatePrivateEndpointQS-rg'
    Location = 'eastus'
    Sku = 'Standard'
    AllocationMethod = 'Static'
    Zone = 1,2,3
}
$publicip = New-AzPublicIpAddress @ip

## Create the bastion host. ##
$bastion = @{
    ResourceGroupName = 'CreatePrivateEndpointQS-rg'
    Name = 'myBastion'
    PublicIpAddress = $publicip
    VirtualNetwork = $vnet
}
New-AzBastion @bastion -AsJob
```
Create a private endpoint
An Azure service that supports private endpoints is required to set up the private endpoint and connection to the virtual network. For the examples in this article, we're using an Azure WebApp from the prerequisites. For more information on the Azure services that support a private endpoint, see Azure Private Link availability.
A private endpoint can have a static or dynamically assigned IP address.
Important
You must have a previously deployed Azure WebApp to proceed with the steps in this article. For more information, see Prerequisites.
In this section, you'll:
Create a private link service connection with New-AzPrivateLinkServiceConnection.
Create the private endpoint with New-AzPrivateEndpoint.
Optionally create the private endpoint static IP configuration with New-AzPrivateEndpointIpConfiguration.
The following example lets Azure assign the private IP address dynamically from myBackendSubnet. `$vnet.Subnets[0]` is myBackendSubnet only because it was the first subnet passed to New-AzVirtualNetwork; make sure the endpoint does not land in AzureBastionSubnet, which is reserved for the bastion host.

```powershell
## Place the previously created webapp into a variable. ##
$webapp = Get-AzWebApp -ResourceGroupName CreatePrivateEndpointQS-rg -Name myWebApp1979

## Create the private endpoint connection. ##
$pec = @{
    Name = 'myConnection'
    PrivateLinkServiceId = $webapp.Id
    GroupID = 'sites'
}
$privateEndpointConnection = New-AzPrivateLinkServiceConnection @pec

## Place the virtual network you created previously into a variable. ##
$vnet = Get-AzVirtualNetwork -ResourceGroupName 'CreatePrivateEndpointQS-rg' -Name 'myVNet'

## Create the private endpoint. Subnets[0] is myBackendSubnet. ##
$pe = @{
    ResourceGroupName = 'CreatePrivateEndpointQS-rg'
    Name = 'myPrivateEndpoint'
    Location = 'eastus'
    Subnet = $vnet.Subnets[0]
    PrivateLinkServiceConnection = $privateEndpointConnection
}
New-AzPrivateEndpoint @pe
```
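The static-IP variant of the same step, as an added example that is not part of the original article. It reuses the names above; the address 10.1.0.10 is an assumption (any unused address in myBackendSubnet works), and New-AzPrivateEndpointIpConfiguration together with the -IpConfiguration parameter of New-AzPrivateEndpoint come from the Az.Network module. Run this instead of, not after, the dynamic example, because both create myPrivateEndpoint. The read-back at the end is worth keeping either way: a connection to a resource in your own subscription is auto-approved, so any status other than Approved means the endpoint is not actually carrying traffic.

```powershell
## Added example: create the private endpoint with a static private IP, then read back what was provisioned.
## 10.1.0.10 is an assumed free address in myBackendSubnet (10.1.0.0/24); change it if it is in use.
$webapp = Get-AzWebApp -ResourceGroupName 'CreatePrivateEndpointQS-rg' -Name 'myWebApp1979'
$vnet   = Get-AzVirtualNetwork -ResourceGroupName 'CreatePrivateEndpointQS-rg' -Name 'myVNet'

## Select the subnet by name rather than by position, so a reordered subnet list cannot put the endpoint into AzureBastionSubnet.
$subnet = $vnet.Subnets | Where-Object { $_.Name -eq 'myBackendSubnet' }

$pec = @{
    Name                 = 'myConnection'
    PrivateLinkServiceId = $webapp.Id
    GroupId              = 'sites'
}
$privateEndpointConnection = New-AzPrivateLinkServiceConnection @pec

## Static IP configuration. For an App Service web app both GroupId and MemberName are 'sites'.
$ipc = @{
    Name             = 'myIPconfig'
    GroupId          = 'sites'
    MemberName       = 'sites'
    PrivateIPAddress = '10.1.0.10'
}
$ipconfig = New-AzPrivateEndpointIpConfiguration @ipc

$pe = @{
    ResourceGroupName            = 'CreatePrivateEndpointQS-rg'
    Name                         = 'myPrivateEndpoint'
    Location                     = 'eastus'
    Subnet                       = $subnet
    PrivateLinkServiceConnection = $privateEndpointConnection
    IpConfiguration              = $ipconfig
}
$endpoint = New-AzPrivateEndpoint @pe

## Read back: the connection must be Approved and the endpoint NIC must hold the requested address.
$nic      = Get-AzNetworkInterface -ResourceId $endpoint.NetworkInterfaces[0].Id
$status   = $endpoint.PrivateLinkServiceConnections[0].PrivateLinkServiceConnectionState.Status
$assigned = $nic.IpConfigurations[0].PrivateIpAddress
"Connection status: $status; private IP: $assigned"
if ($status -ne 'Approved') { throw "Private endpoint connection is '$status', not Approved" }
if ($assigned -ne '10.1.0.10') { throw "Expected 10.1.0.10 but the endpoint NIC has $assigned" }
```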
Configure the private DNS zone
A private DNS zone is used to resolve the DNS name of the private endpoint inside the virtual network. This example uses the zone name for Azure web apps, privatelink.azurewebsites.net; the zone group created below writes the endpoint's A record into that zone for you. For more information on the DNS configuration of private endpoints, see Azure Private Endpoint DNS configuration.
In this section, you'll:
Create a new private Azure DNS zone with New-AzPrivateDnsZone
Link the DNS zone to the virtual network you created previously with New-AzPrivateDnsVirtualNetworkLink
Create a DNS zone configuration with New-AzPrivateDnsZoneConfig
Create a DNS zone group with New-AzPrivateDnsZoneGroup
```powershell
## Place the virtual network into a variable. ##
$vnet = Get-AzVirtualNetwork -ResourceGroupName 'CreatePrivateEndpointQS-rg' -Name 'myVNet'

## Create the private DNS zone. ##
$zn = @{
    ResourceGroupName = 'CreatePrivateEndpointQS-rg'
    Name = 'privatelink.azurewebsites.net'
}
$zone = New-AzPrivateDnsZone @zn

## Create a DNS network link. ##
$lk = @{
    ResourceGroupName = 'CreatePrivateEndpointQS-rg'
    ZoneName = 'privatelink.azurewebsites.net'
    Name = 'myLink'
    VirtualNetworkId = $vnet.Id
}
$link = New-AzPrivateDnsVirtualNetworkLink @lk

## Configure the DNS zone. ##
$cg = @{
    Name = 'privatelink.azurewebsites.net'
    PrivateDnsZoneId = $zone.ResourceId
}
$config = New-AzPrivateDnsZoneConfig @cg

## Create the DNS zone group. ##
$zg = @{
    ResourceGroupName = 'CreatePrivateEndpointQS-rg'
    PrivateEndpointName = 'myPrivateEndpoint'
    Name = 'myZoneGroup'
    PrivateDnsZoneConfig = $config
}
New-AzPrivateDnsZoneGroup @zg
```
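A check you can run from your management shell, before touching the VM, to confirm that the zone group actually wrote the web app's A record and that the VNet link is live. This is an added example and not part of the original article; it assumes the resource names used above and that your web app is called myWebApp1979. The two failure modes it catches are the common ones: a zone that is populated but not linked to myVNet (clients never consult it), and a zone group whose record points somewhere other than the back-end subnet.

```powershell
## Added example: verify the private DNS zone, its VNet link and the A record written by the zone group.
$rg     = 'CreatePrivateEndpointQS-rg'
$zone   = 'privatelink.azurewebsites.net'
$app    = 'myWebApp1979'      # replace with your web app name
$subnet = '10.1.0.0/24'       # myBackendSubnet from this article

## Small IPv4-in-CIDR test; avoids the -shl quirks on unsigned types by using Int64 arithmetic.
function Test-IPv4InSubnet([string]$Ip, [string]$Cidr) {
    $net, $bits = $Cidr.Split('/')
    $toInt = { param($a) $o = $a.Split('.'); [int64]$o[0] * 16777216 + [int64]$o[1] * 65536 + [int64]$o[2] * 256 + [int64]$o[3] }
    $mask = [int64]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    ((& $toInt $Ip) -band $mask) -eq ((& $toInt $net) -band $mask)
}

## 1. The VNet link must exist and be provisioned, or VMs in myVNet will never consult this zone.
$link = Get-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zone -Name 'myLink'
if ($link.ProvisioningState -ne 'Succeeded') { throw "VNet link myLink is in state $($link.ProvisioningState)" }

## 2. The zone group writes one A record named after the web app (host label only, no domain suffix).
$rec  = Get-AzPrivateDnsRecordSet -ResourceGroupName $rg -ZoneName $zone -Name $app -RecordType A
$addr = $rec.Records[0].Ipv4Address
if (-not (Test-IPv4InSubnet $addr $subnet)) { throw "A record $app -> $addr is outside $subnet; check the zone group" }
"$app.$zone -> $addr (private, inside $subnet); link myLink: $($link.ProvisioningState)"
```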
Create a test virtual machine
To verify the private endpoint's IP address and that traffic to the web app actually stays inside the virtual network, a test virtual machine connected to your virtual network is required. The VM gets no public IP address; you reach it through the bastion host.
In this section, you'll:
Create a sign-in credential for the virtual machine with Get-Credential
Create a network interface for the virtual machine with New-AzNetworkInterface
Create a virtual machine configuration with New-AzVMConfig, Set-AzVMOperatingSystem, Set-AzVMSourceImage, and Add-AzVMNetworkInterface
Create the virtual machine with New-AzVM
```powershell
## Create the credential for the virtual machine. Enter a username and password at the prompt. ##
$cred = Get-Credential

## Place the virtual network into a variable. ##
$vnet = Get-AzVirtualNetwork -Name myVNet -ResourceGroupName CreatePrivateEndpointQS-rg

## Create a network interface for the virtual machine (no public IP; Subnets[0] is myBackendSubnet). ##
$nic = @{
    Name = 'myNicVM'
    ResourceGroupName = 'CreatePrivateEndpointQS-rg'
    Location = 'eastus'
    Subnet = $vnet.Subnets[0]
}
$nicVM = New-AzNetworkInterface @nic

## Create the configuration for the virtual machine. ##
$vm1 = @{
    VMName = 'myVM'
    VMSize = 'Standard_DS1_v2'
}
$vm2 = @{
    ComputerName = 'myVM'
    Credential = $cred
}
$vm3 = @{
    PublisherName = 'MicrosoftWindowsServer'
    Offer = 'WindowsServer'
    Skus = '2019-Datacenter'
    Version = 'latest'
}
$vmConfig = New-AzVMConfig @vm1 | Set-AzVMOperatingSystem -Windows @vm2 | Set-AzVMSourceImage @vm3 | Add-AzVMNetworkInterface -Id $nicVM.Id

## Create the virtual machine. ##
New-AzVM -ResourceGroupName 'CreatePrivateEndpointQS-rg' -Location 'eastus' -VM $vmConfig
```
Note
Azure provides a default outbound access IP for VMs that either aren't assigned a public IP address or are in the back-end pool of an internal basic Azure load balancer. The default outbound access IP mechanism provides an outbound IP address that isn't configurable.
The default outbound access IP is disabled when a public IP address is assigned to the VM, the VM is placed in the back-end pool of a standard load balancer, with or without outbound rules, or if an Azure Virtual Network NAT gateway resource is assigned to the subnet of the VM.
VMs that are created by virtual machine scale sets in flexible orchestration mode don't have default outbound access.
For more information about outbound connections in Azure, see Default outbound access in Azure and Use source network address translation (SNAT) for outbound connections.
Test connectivity with the private endpoint
Use the VM you created in the previous step to connect to the webapp across the private endpoint.
Sign in to the Azure portal.
In the search box at the top of the portal, enter Virtual machine. Select Virtual machines.
Select myVM.
On the overview page for myVM, select Connect, and then select Bastion.
Enter the username and password that you used when you created the VM. Select Connect.
After you've connected, open PowerShell on the server.
Enter nslookup mywebapp1979.azurewebsites.net. Replace mywebapp1979 with the name of the web app that you created earlier. You'll receive a message that's similar to the following example:

```
Server:  UnKnown
Address:  168.63.129.16

Non-authoritative answer:
Name:    mywebapp1979.privatelink.azurewebsites.net
Address:  10.0.0.10
Aliases:  mywebapp1979.azurewebsites.net
```

168.63.129.16 is the Azure-provided resolver, which consults the linked private DNS zone. The two things to check are that the public name is an alias for mywebapp1979.privatelink.azurewebsites.net and that the answer is a private address from myBackendSubnet (10.1.0.0/24 in this article, so the address you see will differ from the 10.0.0.10 shown). If the name resolves to a public IP address instead, the VM is still reaching the web app over the public endpoint: confirm that privatelink.azurewebsites.net is linked to myVNet and that the zone group created the A record.
In the bastion connection to myVM, open the web browser.
Enter the URL of your web app,
https://mywebapp1979.azurewebsites.net
If no content has been deployed to the web app yet, you'll see the default App Service placeholder page instead of your application.
Close the connection to myVM.
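The same test as a script, so it can be rerun on the VM after any DNS or network change. This is an added example, not part of the original article; run it in a PowerShell window inside the Bastion session on myVM, with the web app name replaced. It assumes this article's addressing (myBackendSubnet is 10.1.0.0/24), and it fails loudly on the condition that matters: a name that resolves to anything other than a private address in that subnet means requests are leaving the virtual network.

```powershell
## Added example: run on myVM. Proves the web app name resolves through the private zone and that 443 is reachable privately.
$hostname       = 'mywebapp1979.azurewebsites.net'   # replace with your web app name
$expectedPrefix = '10.1.0.'                          # myBackendSubnet is 10.1.0.0/24, so a /24 prefix string is sufficient here

## 1. Name resolution: the public name must CNAME to the privatelink name and end at a private address.
$answer = Resolve-DnsName -Name $hostname -Type A -ErrorAction Stop
$cname  = ($answer | Where-Object Type -eq 'CNAME' | Select-Object -First 1).NameHost
$addr   = ($answer | Where-Object Type -eq 'A'     | Select-Object -First 1).IPAddress
"CNAME: $cname"
"A:     $addr"
if ($cname -notlike '*.privatelink.azurewebsites.net') {
    throw "No privatelink CNAME in the chain; the private DNS zone is not being consulted"
}
if ($addr -notlike "$expectedPrefix*") {
    throw "$hostname resolved to $addr, which is not in the back-end subnet; traffic would leave via the public endpoint"
}

## 2. TCP reachability on 443 to the private address itself.
$tcp = Test-NetConnection -ComputerName $addr -Port 443 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) { throw "TCP 443 to $addr failed; check NSGs on myBackendSubnet" }

## 3. HTTPS request using the public hostname (App Service routes on the Host/SNI name, the socket goes to $addr).
$resp = Invoke-WebRequest -Uri "https://$hostname" -UseBasicParsing
"HTTP $($resp.StatusCode) from $hostname via $addr"
```

Step 3 deliberately keeps the public hostname in the URL: connecting to https://10.1.0.x directly would fail both TLS name validation and App Service's host-based routing, which is exactly why the private DNS zone, and not a hosts-file entry, is the right way to steer clients.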
Clean up resources
When no longer needed, you can use the Remove-AzResourceGroup command to remove the resource group, virtual network, and the remaining resources.
Remove-AzResourceGroup -Name 'CreatePrivateEndpointQS-rg'
Next steps
For more information about the services that support private endpoints, see:
What is Azure Private Link?
FAQs
How do I create a private endpoint in Azure command line? › The Azure CLI steps mirror the PowerShell ones in this article. For the DNS part: create a new private Azure DNS zone with az network private-dns zone create, link the DNS zone to the virtual network you created previously with az network private-dns link vnet create, and create a DNS zone group with az network private-endpoint dns-zone-group create.
Does the private endpoint have to be in the same region as the virtual network? › The private endpoint must be deployed in the same region and subscription as the virtual network. The private-link resource (the web app in this article) can be deployed in a different region than the one for the virtual network and private endpoint.
What is PowerShell command to add a private link configuration to application gateway? ›The Add-AzApplicationGatewayPrivateLinkConfiguration cmdlet adds a private link configuration to an application gateway.
What is Azure private endpoint? ›A private endpoint is a special network interface for an Azure service in your Virtual Network (VNet). When you create a private endpoint for your storage account, it provides secure connectivity between clients on your VNet and your storage.
What is difference between private endpoint and service endpoint? ›A Service Endpoint remains a publicly routable IP address. A Private Endpoint is a private IP in the address space of the virtual network where the private endpoint is configured.
How do I create a private endpoint for key vault? ›- Select the Private Endpoint radio button in the Networking tab.
- Select the "+ Add" Button to add a private endpoint.
- In the "Location" field of the Create Private Endpoint Blade, select the region in which your virtual network is located.
Can I use Azure CLI commands in PowerShell? › Yes. Once the Azure CLI is installed, az is a native command that runs from either Windows Command Prompt or PowerShell, and PowerShell gives you more tab-completion features. CLI calls can be mixed into PowerShell scripts by invoking az directly; there is no need to wrap them in Invoke-Expression, which evaluates an arbitrary string as code and is best avoided in scripts that handle external input.
What is the PowerShell command to connect to Azure? › To sign in interactively, use the Connect-AzAccount cmdlet. This cmdlet presents an interactive browser-based login prompt by default. Afterwards, use Get-AzContext to confirm which subscription and tenant the session is bound to before you create resources.
Is Azure PowerShell the same as PowerShell? › No. Azure PowerShell is a set of cmdlets packaged as a PowerShell module named Az; it is not an executable. Windows PowerShell or PowerShell must be used to install the Az module. Windows PowerShell is the standard scripting shell that comes preinstalled with most Windows operating systems.
What Azure services support private endpoint? ›Azure Private Link enables you to access Azure PaaS Services (for example, Azure Storage and SQL Database) and Azure hosted customer-owned/partner services over a private endpoint in your virtual network.
How does Private Link work in Azure? › Azure Private Link provides private connectivity from a virtual network to Azure platform as a service (PaaS), customer-owned, or Microsoft partner services. It simplifies the network architecture and secures the connection between endpoints in Azure by eliminating data exposure to the public internet.
What is private endpoint in Azure data Factory? ›By using Azure Private Link, you can connect to various platform as a service (PaaS) deployments in Azure via a private endpoint. A private endpoint is a private IP address within a specific virtual network and subnet.
How do I create a managed private endpoint in Azure Data Factory? ›- Go to the Manage tab. ...
- Go to the Managed private endpoints section.
- Select + New under Managed private endpoints.
- Select the Azure Blob Storage tile from the list, and select Continue.
- Enter the name of the storage account you created.
- Select Create.
Azure CLI vs Azure PowerShell: while both are cross-platform and installable on Windows, macOS, and Linux, Azure CLI runs in Windows PowerShell, Cmd, or Bash and other Unix shells, whereas Azure PowerShell requires Windows PowerShell or PowerShell.
What is the benefit of using PowerShell over CLI? › The real biggest benefit of PowerShell is that it operates on objects, not on strings. Therefore it's really easy to work with the output of commands: `$t = Get-AzEventGridTopic ...; $endpoint = $t.Endpoint`. With Azure CLI you would have to parse strings for that.
Can Azure PowerShell run in a browser? › Yes. The Azure PowerShell module helps you manage your Azure resources, and you can use it on your local machine or in your web browser through Azure Cloud Shell.
Azure PowerShell is designed for managing and administering Azure resources from the command line. Use Azure PowerShell when you want to build automated tools that use the Azure Resource Manager model. Try it out in your browser with Azure Cloud Shell, or install on your local machine.