This chapter covers Azure Private Link Service, a critical networking feature for securely exposing services to consumers over Microsoft's backbone network. On the AZ-104 exam, networking topics account for approximately 20-25% of questions, with Private Link and related technologies (like Service Endpoints, VNet Peering, and VPN Gateway) appearing in about 5-7% of total exam items. You will need to understand when to use Private Link vs. Service Endpoints, how to configure a Private Link Service, and how Private Endpoints interact with DNS resolution. This chapter provides the deep technical knowledge required to answer scenario-based questions confidently.
Jump to a section
Imagine two office buildings in a city: Building A (your customer's on-premises network) and Building B (your Azure service). Normally, to send a package from A to B, you must use the public postal service (the internet). The package travels through many sorting facilities, is visible to anyone who handles it, and could be intercepted or delayed. Now, imagine a private underground tunnel that connects the basements of both buildings directly. This tunnel is owned and maintained by a trusted third party (Microsoft's backbone network). To use it, Building A installs a special door (a Private Endpoint) in its basement, and Building B creates a corresponding door (a Private Link Service) in its basement. The tunnel is not a physical tunnel but a dedicated, isolated path through the underground infrastructure. Traffic between A and B never touches the public streets. The package is handed directly from A's door to B's door, with no intermediate stops. From the outside, no one can see that A and B are communicating; the tunnel is invisible. This is exactly how Azure Private Link works: it creates a private, direct connection from your virtual network to a service, bypassing the public internet entirely, and the traffic stays within Microsoft's secure network backbone.
What is Azure Private Link Service and Why Does It Exist?
Azure Private Link Service enables you to expose your own service (running behind an Azure Standard Load Balancer) to consumers privately, using Private Endpoints. The consumer's traffic reaches your service without traversing the public internet, remaining entirely within the Microsoft Azure backbone network. This is the equivalent of Azure Private Link but for custom services you own, rather than consuming Azure PaaS services like Azure SQL Database or Storage.
The primary driver for Private Link Service is security and compliance. Many organizations require that all traffic between their network and a partner's or customer's service never leaves the Microsoft network. By using Private Link Service, you can offer your service to clients who enforce a policy of no public internet exposure. This is common in regulated industries such as finance, healthcare, and government.
How It Works Internally – Step Through the Mechanism
To understand Private Link Service, you must first grasp the flow of traffic. The service provider creates a Private Link Service attached to a Standard Load Balancer that fronts the actual service instances (e.g., VMs or containers). The consumer creates a Private Endpoint in their own virtual network, which gets a private IP address from their subnet. The Private Endpoint is associated with a connection request to the provider's Private Link Service.
When the consumer sends traffic to their Private Endpoint's private IP, the following happens: 1. The consumer's VM sends a packet destined to the Private Endpoint's IP (e.g., 10.0.1.4). 2. The Azure platform intercepts this packet because the Private Endpoint is a special network interface (NIC) with an IP that belongs to the consumer's VNet but is managed by Azure. 3. The Azure platform encapsulates the packet and forwards it over the Microsoft backbone to the provider's region where the Private Link Service is deployed. 4. The provider's Private Link Service receives the encapsulated traffic and forwards it to the backend pool of the associated Standard Load Balancer. 5. The Load Balancer distributes the traffic to the actual service instances (e.g., VMs in a backend pool).
The return traffic follows the reverse path. The key point is that the traffic never leaves Azure's network; it is tunneled between the consumer's Private Endpoint and the provider's Private Link Service.
Key Components, Values, Defaults, and Timers
Private Link Service: A resource that exposes your service. It must be associated with a Standard Load Balancer (not Basic). The Private Link Service has a globally unique alias (e.g., myservice.privatelink.azure.com) and a connection approval method (automatic or manual).
Private Endpoint: A network interface in the consumer's VNet with a private IP from the subnet. It has a connection state: Pending, Approved, Rejected, or Disconnected.
Connection Approval: By default, connections are auto-approved if the consumer's subscription is in the same Azure AD tenant. Cross-tenant connections require manual approval. The provider can set the approval method to 'Manual' or 'Automatic'.
Network Policies: Private Endpoints require the subnet to have privateEndpointNetworkPolicies set to 'Disabled' (via CLI or PowerShell) to allow explicit network security group (NSG) and route table associations. By default, NSG and UDR are not supported on the subnet of the Private Endpoint (they are ignored).
DNS Configuration: For Private Endpoints, you can configure private DNS zones to resolve the service's FQDN to the private IP. For Private Link Service, the provider's service FQDN is resolved by the consumer's DNS to the Private Endpoint IP.
Limits:
Maximum number of Private Link Services per region per subscription: 100.
Maximum number of Private Endpoints per Private Link Service: 1000.
Maximum number of Private Endpoints per subscription: 10000.
Maximum number of connection requests per Private Link Service: 10000.
Configuration and Verification Commands
To create a Private Link Service using Azure CLI:
# Create a Standard Load Balancer and backend pool
az network lb create --resource-group myRG --name myLB --sku Standard --public-ip-address myPIP --frontend-ip-name myFrontend --backend-pool-name myBEPool
# Create a Private Link Service
az network private-link-service create \
--resource-group myRG \
--name myPLS \
--load-balancer-name myLB \
--load-balancer-frontend-ip-configs myFrontend \
--private-ip-address-version IPv4 \
--auto-approval-subscriptions "<consumer-subscription-id>" \
--enable-proxy-protocol falseTo create a Private Endpoint:
# Create a Private Endpoint in the consumer's VNet
az network private-endpoint create \
--resource-group consumerRG \
--name myPE \
--vnet-name consumerVNet \
--subnet consumerSubnet \
--private-connection-resource-id /subscriptions/providerSubId/resourceGroups/providerRG/providers/Microsoft.Network/privateLinkServices/myPLS \
--connection-name myConnection \
--group-id defaultTo approve a pending connection (provider side):
az network private-link-service connection approve \
--resource-group providerRG \
--name myPLS \
--private-endpoint-connection-name myConnection \
--description "Approved by admin"To verify the connection state:
az network private-link-service show --resource-group providerRG --name myPLS --query privateEndpointConnectionsHow It Interacts with Related Technologies
Service Endpoints: Service Endpoints expose Azure PaaS services to your VNet via the Azure backbone but still use public endpoints of the service. Private Link provides a private IP in your VNet. Service Endpoints do not support on-premises connectivity via ExpressRoute unless combined with forced tunneling. Private Link works seamlessly with on-premises via ExpressRoute or VPN.
VNet Peering: Private Link can be used across peered VNets. The consumer's Private Endpoint can be in a different VNet than the provider's service, as long as the VNets are peered. Traffic stays within Azure backbone.
ExpressRoute: Private Link traffic can traverse ExpressRoute circuits if the consumer's VNet is connected via ExpressRoute Gateway. The traffic from on-premises to the Private Endpoint goes over ExpressRoute, then through the Private Link to the provider's service.
DNS Private Resolver: For hybrid environments, you can use Azure DNS Private Resolver to resolve the Private Link Service's FQDN from on-premises to the Private Endpoint IP.
Exam-Relevant Details
Private Link Service requires a Standard Load Balancer – Basic is not supported.
The consumer's Private Endpoint must be in the same region as the Private Link Service? No – Private Link supports cross-region access (as of late 2023). However, the Private Link Service itself is regional; consumers can connect from any region, but the traffic will traverse the Azure backbone.
Network Security Groups (NSGs) are not supported on the subnet of the Private Endpoint. Any NSG applied to the subnet is ignored for traffic to/from the Private Endpoint.
User-Defined Routes (UDRs) are also ignored on the Private Endpoint subnet.
Private Link Service supports TCP traffic only (no UDP).
The Private Link Service's visibility can be restricted to specific subscriptions using auto-approval lists.
Proxy Protocol v2 is supported for passing client IP information to the backend service.
Common Exam Traps
Trap: Private Link Service can be used to expose any Azure resource. Reality: Only resources behind a Standard Load Balancer can be exposed. You cannot directly expose a VM without a load balancer.
Trap: Private Endpoint can be in a different region than the Private Link Service. Reality: Yes, cross-region Private Link is supported, but the Private Link Service itself is regional. The consumer's Private Endpoint can be in any region.
Trap: Private Endpoint works with Basic Load Balancer. Reality: No, only Standard Load Balancer.
Trap: Private Endpoint supports UDP traffic. Reality: Only TCP traffic is supported through Private Link Service.
Trap: NSG can be applied to Private Endpoint subnet. Reality: NSG is not supported and is ignored.
Provision Standard Load Balancer
The provider must first create a Standard Load Balancer (SKU: Standard) in the same region as the service. This load balancer will front the actual service instances (e.g., VMs in a backend pool). The load balancer must have at least one frontend IP configuration (public or private). Private Link Service attaches to this frontend IP. At the packet level, the load balancer performs NAT to distribute traffic to backend instances. The provider must ensure health probes are configured so that unhealthy instances are removed from rotation.
Create Private Link Service resource
The provider creates a Private Link Service resource, associating it with the Standard Load Balancer and specifying the frontend IP configuration. During creation, the provider sets the visibility (which subscriptions can auto-approve) and the connection approval method (automatic or manual). The Private Link Service receives a globally unique alias (e.g., `myPLS-xxxx.privatelink.azure.com`). The provider can also enable Proxy Protocol v2 to pass the original client IP to the backend. At this point, the service is ready to accept connection requests.
Consumer creates Private Endpoint
The consumer creates a Private Endpoint in their own virtual network, specifying the resource ID of the provider's Private Link Service. The consumer selects a subnet and a private IP address (static or dynamic). The Private Endpoint is a special NIC with an IP from the consumer's subnet. Upon creation, a connection request is sent to the provider's Private Link Service. The consumer can optionally configure private DNS zones to map the service's FQDN (e.g., `myservice.privatelink.azure.com`) to the Private Endpoint's private IP. At the network layer, the Azure platform intercepts traffic to this IP and tunnels it to the provider.
Provider approves connection (if manual)
If the provider set the connection approval method to 'Manual', the connection request appears in the 'Pending' state. The provider must approve it using the Azure portal, CLI, or PowerShell. The provider can also reject or remove connections. Once approved, the connection state changes to 'Approved'. Traffic can now flow. If auto-approval was configured for the consumer's subscription, the connection is automatically approved without manual intervention. The provider can view all connections and their states at any time.
Traffic flows through Private Link
After approval, the consumer's VM can send traffic to the Private Endpoint's private IP. The Azure platform captures the packets and encapsulates them, forwarding them over the Microsoft backbone to the provider's Private Link Service. The service then forwards the traffic to the Standard Load Balancer's frontend IP, which distributes it to the backend instances. Return traffic follows the reverse path. The entire path stays within Azure's network. The consumer never connects to a public IP; the connection is entirely private. The provider's backend sees the traffic as coming from the load balancer's frontend IP (unless Proxy Protocol is enabled, which passes the original client IP).
Enterprise Scenario 1: SaaS Provider with Compliance Requirements
A SaaS company hosts a multi-tenant application on Azure VMs behind a Standard Load Balancer. Their customers are financial institutions that require all traffic to remain within the Microsoft network and never traverse the internet. The SaaS provider creates a Private Link Service attached to the load balancer. Each customer creates a Private Endpoint in their own VNet and connects to the provider's service. The provider configures auto-approval for each customer's subscription. The customers configure private DNS zones so that the SaaS application's FQDN resolves to the Private Endpoint IP. This setup ensures that traffic from the customer's on-premises network (via ExpressRoute) to the SaaS app stays entirely within Azure's backbone. The provider scales the load balancer backend pool to handle thousands of concurrent connections. A common misconfiguration is forgetting to disable private endpoint network policies on the consumer's subnet, which causes the Private Endpoint creation to fail.
Enterprise Scenario 2: Shared Services in a Hub-Spoke Topology
A large enterprise uses a hub-spoke network topology with Azure Firewall in the hub. They have a shared service (e.g., a central logging service) running in the hub VNet. They want to expose this service to multiple spoke VNets without routing traffic through the firewall or using public IPs. They create a Private Link Service in the hub VNet, attached to an internal Standard Load Balancer. Each spoke VNet creates a Private Endpoint to connect to the service. This allows spoke resources to send logs directly to the logging service without traversing the firewall, reducing latency and cost. The hub team manages the Private Link Service and can control which spokes are approved. A common issue is that spoke VNets may have overlapping IP address spaces, but Private Endpoints use their own IPs from the spoke's subnet, so there is no conflict. However, DNS resolution must be carefully managed to avoid the spoke's DNS resolving the service FQDN to a public IP.
Scenario 3: Cross-Tenant Service Consumption
A managed service provider (MSP) offers a monitoring solution to multiple customers, each in their own Azure AD tenant. The MSP deploys the service in their tenant and creates a Private Link Service with manual approval. Each customer creates a Private Endpoint in their own tenant, referencing the MSP's Private Link Service resource ID. The MSP then manually approves each connection. This allows the customers to access the monitoring service privately without exposing it to the internet. Performance considerations include the number of concurrent connections (max 1000 per Private Link Service) and the latency added by the encapsulation (typically <1ms). A common failure is when the customer's Private Endpoint creation fails due to insufficient permissions on the provider's resource – the customer must have 'Microsoft.Network/privateLinkServices/read' permission on the provider's subscription (granted via Azure RBAC or a delegated resource).
Exactly What AZ-104 Tests on This Topic
The AZ-104 exam objectives under 'Configure and manage virtual networking' (Objective 4.1) include: 'Configure private endpoints and private link services'. The exam focuses on:
Understanding the difference between Private Link Service and Service Endpoints.
Knowing the prerequisites: Standard Load Balancer, Standard SKU public IP, and correct subnet configuration.
Connection approval flow: automatic vs. manual, and which scenarios require manual approval (cross-tenant).
DNS configuration: private DNS zones and how they resolve the service FQDN.
Network policies: what is supported on Private Endpoint subnets (NSG and UDR are not supported).
Cross-region support: Private Link can be used across regions.
Common Wrong Answers and Why Candidates Choose Them
'Private Link Service can be used with Basic Load Balancer.' Candidates confuse the SKU requirement. The exam tests that only Standard Load Balancer is supported. Basic LB lacks the necessary features for Private Link.
'Private Endpoint can be created in the same subnet as the service VMs.' The Private Endpoint must be in the consumer's VNet, not the provider's. Candidates think the endpoint is near the service.
'Private Link Service requires a public IP on the load balancer.' The load balancer can have a private frontend IP only. The exam tests that the frontend IP can be private.
'NSG can be applied to the Private Endpoint subnet for security.' The exam tests that NSG is not supported and is ignored. Candidates assume they can filter traffic.
'Private Link Service supports UDP traffic.' The exam tests that only TCP is supported. Candidates may think it behaves like a VPN.
Specific Numbers and Terms That Appear on the Exam
SKU: Standard Load Balancer (not Basic).
Connection states: Pending, Approved, Rejected, Disconnected.
Approval methods: Automatic, Manual.
Limits: 100 Private Link Services per region, 1000 Private Endpoints per service.
Proxy Protocol: v2 supported.
Network policies: privateEndpointNetworkPolicies must be 'Disabled'.
DNS: Private DNS zone name: privatelink.azure.com.
Edge Cases and Exceptions
Cross-region Private Link: Supported, but the Private Link Service resource is regional. The consumer's Private Endpoint can be in any region.
Cross-tenant connections: Require manual approval. The consumer must have the provider's Private Link Service resource ID and appropriate RBAC permissions.
Private Endpoint with Azure PaaS: The exam may ask about using Private Endpoint for Azure Storage or SQL – that is Azure Private Link (not Private Link Service). Private Link Service is for custom services.
Private Endpoint and DNS: If no private DNS zone is configured, the service FQDN resolves to the public IP. The exam tests that you must create a private DNS zone linked to the consumer's VNet.
How to Eliminate Wrong Answers
If the question mentions 'exposing a custom application' and 'load balancer', look for 'Standard Load Balancer' in the answer. Eliminate any answer with 'Basic'.
If the question involves 'on-premises connectivity', Private Link works with ExpressRoute and VPN; Service Endpoints do not (unless forced tunneling). Eliminate Service Endpoint answers if on-premises is involved.
If the question asks about 'security filtering', remember that NSG on Private Endpoint subnet is not supported. The correct answer will involve filtering at the provider's load balancer or backend.
If the question mentions 'cross-tenant', the answer must include 'manual approval' or 'approve connection'.
Private Link Service requires a Standard Load Balancer (not Basic) to front the service.
The consumer's Private Endpoint must be in a subnet with privateEndpointNetworkPolicies set to 'Disabled'.
NSG and UDR are not supported on subnets containing Private Endpoints; they are ignored.
Private Link Service supports only TCP traffic (no UDP).
Cross-tenant connections require manual approval; same-tenant connections can be auto-approved.
Private Link can be used across regions; the Private Link Service is regional but consumers can connect from any region.
Proxy Protocol v2 is supported to pass the original client IP to the backend service.
Maximum of 100 Private Link Services per subscription per region, and 1000 Private Endpoints per service.
These come up on the exam all the time. Here's how to tell them apart.
Azure Private Link Service
Exposes custom services behind a Standard Load Balancer.
Traffic stays entirely within Azure backbone; never traverses public internet.
Provides a private IP in the consumer's VNet for the service.
Supports cross-region and cross-tenant connectivity.
Requires manual connection approval for cross-tenant scenarios.
Azure Service Endpoints
Exposes Azure PaaS services (e.g., Storage, SQL) to a VNet.
Traffic uses the Azure backbone but still resolves to the public endpoint of the PaaS service.
No private IP; the service is accessed via its public endpoint, but traffic is routed through Microsoft network.
Only works within the same region (unless combined with Global VNet Peering).
No connection approval; it's a route-based configuration on the subnet.
Mistake
Private Link Service requires a public IP on the load balancer to be accessible.
Correct
The load balancer can have a private frontend IP only. Private Link Service attaches to the frontend IP configuration, which can be private. The service is still reachable via the Private Endpoint's private IP in the consumer's VNet.
Mistake
Private Endpoint can be created in the same VNet as the service provider's resources.
Correct
The Private Endpoint must be created in the consumer's VNet, not the provider's. It is a network interface in the consumer's subnet that connects to the provider's service over the Azure backbone.
Mistake
Private Link Service supports both TCP and UDP traffic.
Correct
Private Link Service only supports TCP traffic. UDP traffic is not supported and will be dropped. This is because the underlying encapsulation and load balancing are TCP-oriented.
Mistake
Network Security Groups (NSGs) can be applied to the subnet where the Private Endpoint is deployed to filter traffic.
Correct
NSGs are not supported on subnets containing Private Endpoints. Any NSG applied to the subnet is ignored for traffic to and from the Private Endpoint. Security must be enforced at the provider's load balancer or backend.
Mistake
Private Link Service can be used to expose any Azure resource directly, without a load balancer.
Correct
Private Link Service must be associated with a Standard Load Balancer. You cannot expose a VM or container directly; the load balancer is required to front the service and distribute traffic.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Azure Private Link is the overarching technology that provides private connectivity to Azure PaaS services (like SQL, Storage) via Private Endpoints. Azure Private Link Service is a specific resource that allows you to expose your own custom service (running behind a Standard Load Balancer) to consumers using Private Endpoints. So Private Link Service is the provider-side component for custom services, while Private Link (the generic term) often refers to the consumer-side Private Endpoint used for both PaaS and custom services.
No, Private Link Service requires a Standard Load Balancer. Basic Load Balancer does not support the necessary features such as backend pool configuration for Private Link Service. This is a common exam trap – always choose Standard SKU.
The consumer must configure a private DNS zone (e.g., `privatelink.azure.com`) linked to their VNet to resolve the service's FQDN to the Private Endpoint's private IP. Without this, the FQDN resolves to the public IP of the load balancer's frontend (if public) or may not resolve at all. The provider's service alias (e.g., `myservice.privatelink.azure.com`) should be used in the private DNS zone.
Yes, if the consumer's VNet is connected to on-premises via ExpressRoute or Site-to-Site VPN, and the on-premises network can resolve the service's FQDN to the Private Endpoint IP (via DNS forwarder or private DNS resolver), then traffic can flow from on-premises to the Private Link Service. The traffic goes from on-premises to the VNet over the private connection, then through the Private Endpoint over the Azure backbone.
Network Security Groups (NSGs) and User-Defined Routes (UDRs) are not supported on subnets that contain Private Endpoints. Any NSG or UDR applied to the subnet is ignored for traffic to/from the Private Endpoint. However, you can still apply NSGs to other subnets in the same VNet. To create a Private Endpoint, you must disable the `privateEndpointNetworkPolicies` property on the subnet using CLI or PowerShell.
You can approve pending connections using the Azure portal (under the Private Link Service resource, select 'Private endpoint connections'), Azure CLI (`az network private-link-service connection approve`), or PowerShell. The connection state changes from 'Pending' to 'Approved'. Only the provider can approve or reject connections.
The maximum is 1000 Private Endpoints per Private Link Service. If you need more, you can create multiple Private Link Services. Also, the maximum number of connection requests per service is 10000.
You've just covered Azure Private Link Service — now see how well it sticks with free AZ-104 practice questions. Full explanations included, no account needed.
Done with this chapter?