This chapter covers Azure Private Link, a critical networking feature that enables private connectivity to Azure PaaS services and your own services from Azure virtual networks. For the SC-900 exam, this topic falls under objective 3.4 (Secure Data and Applications) and typically appears in 2-4% of questions. Understanding Private Link is essential because it directly addresses data exfiltration risks and is a key component of a defense-in-depth strategy for securing Azure workloads. You will learn the exact mechanism, configuration components, and exam-specific details that distinguish Private Link from other connectivity methods.
Jump to a section
Imagine you own a large office building (your Azure virtual network) and want to access a secure vault (Azure PaaS service like Storage or SQL Database) that is located in a separate, highly guarded facility. Normally, to reach the vault, you would have to drive on public roads (the public internet), which means your route is visible and potentially intercepted. With Azure Private Link, you build a private, underground tunnel from your building's basement directly into the vault's loading dock. This tunnel has its own private entrance (the Private Endpoint) that is assigned a unique address from your building's internal address space (a private IP from your VNet). The tunnel is owned and operated by the same security company (Microsoft's backbone network) that manages both buildings, so no traffic ever touches public roads. When you send a package (data packet) through the tunnel, it bypasses all public-facing gates and goes straight to the vault's private receiving area. From the vault's perspective, the package appears to have originated from inside the vault's own loading dock, not from the public street. This eliminates exposure to the public internet entirely. The tunnel is also mapped to a specific door in the vault (the Private Link Service or the PaaS resource's private endpoint configuration), so you can only access the exact vault you have permission to, not any other vault in the facility. This is fundamentally different from using a VPN or ExpressRoute, which are like building a private road to the facility's public parking lot—you still have to walk through the public lobby (the service's public endpoint) to get inside. Private Link gives you a direct, private door from your building to the specific vault.
What Is Azure Private Link and Why Does It Exist?
Azure Private Link is a service that provides private, direct connectivity from an Azure virtual network (VNet) to Azure PaaS services (e.g., Azure Storage, SQL Database, Azure SQL Managed Instance, Azure Synapse Analytics, Azure Cosmos DB, Azure Key Vault, Azure App Service, Azure Functions, Azure Container Registry, Azure Service Bus, Azure Event Hubs, Azure Data Factory, Azure Data Lake Storage Gen2, Azure Cognitive Services, Azure Machine Learning, Azure API Management, Azure Backup, Azure Site Recovery) and to customer-owned services (via Private Link Service). The core purpose is to eliminate data exfiltration risks by ensuring traffic never traverses the public internet. Instead, traffic flows entirely within the Microsoft Azure backbone network.
Before Private Link, accessing PaaS services from a VNet required either:
Using the public endpoint (over the internet) – exposing traffic to potential snooping or man-in-the-middle attacks.
Using Service Endpoints – which route traffic from the VNet to the service over the Azure backbone but still leave the service's public endpoint accessible from the internet. Service Endpoints also do not prevent data exfiltration because the service's public IP remains reachable.
Private Link solves this by placing a private IP address (from your VNet) as the network interface (NIC) for the PaaS service. This NIC is called a Private Endpoint (PE). The Private Endpoint is a special network interface that uses a private IP from your VNet and connects to the PaaS service via Azure's backbone. From the service's perspective, traffic appears to originate from that private IP, not from a public IP. This allows you to block all public access to the service (by disabling public network access) and still have connectivity from your VNet.
How Azure Private Link Works Internally
The mechanism relies on Azure's Software-Defined Networking (SDN) stack. When you create a Private Endpoint, Azure performs the following steps: 1. Resource Creation: You specify the target Azure resource (e.g., a storage account) and its sub-resource (e.g., blob, file, queue, table). Azure deploys a Private Endpoint resource in your VNet/subnet. This endpoint is assigned a private IP from the subnet's address range (you can specify a static IP or let Azure assign dynamically). 2. DNS Configuration: To ensure that clients in your VNet resolve the service's FQDN (e.g., mystorageaccount.blob.core.windows.net) to the private IP, Azure creates a Private DNS Zone (e.g., privatelink.blob.core.windows.net) and links it to your VNet. The DNS resolution works as follows:
- When a client queries the FQDN, Azure DNS returns a CNAME record pointing to the privatelink zone. - The privatelink zone contains an A record with the private IP of the Private Endpoint. - The client then connects directly to that private IP. 3. Traffic Flow: Packets sent to the private IP are routed within the VNet to the Private Endpoint NIC. The Azure SDN maps this NIC to the target service's backend. The traffic is encapsulated and forwarded over the Azure backbone to the service's regional endpoint. The service sees the source IP as the private IP of the Private Endpoint (not the client's public IP). 4. Network Security Groups (NSGs): You can apply NSGs to the subnet containing the Private Endpoint, but NSGs are not supported on the Private Endpoint NIC itself. Traffic to the Private Endpoint is subject to the NSG rules of the subnet. However, Azure does not support NSG flow logs for Private Endpoint traffic. 5. User-Defined Routes (UDRs): UDRs on the subnet can affect traffic to the Private Endpoint. However, Azure recommends using the default system routes for Private Endpoint traffic to avoid asymmetric routing.
Key Components, Values, Defaults, and Timers
Private Endpoint (PE): A network interface with a private IP from your VNet. It is associated with a specific Azure resource and its sub-resource. You can create up to 50 Private Endpoints per VNet (default quota). Each Private Endpoint can connect to one resource but multiple sub-resources (e.g., blob and file for the same storage account) by using multiple target sub-resources in the same PE.
Private Link Service (PLS): Allows you to expose your own service (e.g., a web app behind an internal load balancer) behind a Private Endpoint. You create a PLS attached to a Standard Load Balancer, and consumers create Private Endpoints in their VNets to connect to your PLS.
Private DNS Zone: Required for name resolution. Azure provides built-in zone names for each PaaS service (e.g., privatelink.blob.core.windows.net, privatelink.database.windows.net, privatelink.vaultcore.azure.net). You must link the zone to your VNet. DNS resolution time is typically <1 second after zone linking.
Approval Method: When a Private Endpoint is created, the target resource owner must approve the connection. This can be automatic (if you have RBAC permissions) or manual (requires approval). The default approval timeout is 7 days for manual requests; after that, the request expires.
Network Policies: You must disable subnet-level private endpoint network policies (e.g., PrivateEndpointNetworkPolicies set to Disabled) to allow Private Endpoint creation. This is done via Azure CLI, PowerShell, or portal.
Pricing: Private Endpoint has an hourly cost (approx $0.01-0.02/hr per endpoint) and data processing charges per GB processed.
Configuration and Verification Commands
To create a Private Endpoint using Azure CLI:
az network private-endpoint create \
--resource-group myRG \
--name myPE \
--location eastus \
--vnet-name myVNet \
--subnet mySubnet \
--private-connection-resource-id /subscriptions/{sub}/resourceGroups/myRG/providers/Microsoft.Storage/storageAccounts/mystorage \
--group-id blob \
--connection-name myConnectionTo verify the Private Endpoint:
az network private-endpoint show --name myPE --resource-group myRGTo check DNS resolution from a VM in the VNet:
nslookup mystorageaccount.blob.core.windows.netExpected output:
Non-authoritative answer:
Name: mystorageaccount.privatelink.blob.core.windows.net
Address: 10.0.0.4 (private IP)Interaction with Related Technologies
Service Endpoints vs Private Link: Service Endpoints provide direct connectivity from VNet to PaaS services over Azure backbone but still leave the service's public endpoint accessible. Private Link completely removes public endpoint exposure. Service Endpoints do not prevent data exfiltration; Private Link does.
VPN Gateway / ExpressRoute: These provide private connectivity from on-premises to Azure VNet. Private Link extends that private connectivity to PaaS services. Traffic from on-premises to a PaaS service via Private Link flows: on-premises -> VPN/ER -> VNet -> Private Endpoint -> Azure backbone -> PaaS service.
Azure Firewall / Network Virtual Appliances (NVAs): Since Private Endpoint traffic stays within the VNet and Azure backbone, you can force-tunnel traffic to an NVA using UDRs, but this is not recommended due to asymmetric routing. Azure Firewall can inspect traffic to Private Endpoints if the firewall is in the same VNet and traffic is routed through it.
Azure DNS Private Resolver: Can be used to resolve on-premises names to Private Endpoint IPs.
Security Considerations
Data Exfiltration Prevention: By blocking public access on the PaaS service and using Private Endpoints, you ensure that data can only be accessed from approved VNets. This is a key security control for compliance (e.g., PCI-DSS).
Network Security Groups: NSGs cannot be applied to the Private Endpoint NIC itself, but you can apply NSGs to the subnet. However, Azure does not support NSG flow logs for Private Endpoint traffic.
Service Tags: Use service tags (e.g., Storage, Sql) in NSG rules to allow traffic to Azure services. However, for Private Endpoint traffic, the destination IP is the private IP, so service tags are not directly used; you must use the private IP range.
Azure Policy: You can enforce use of Private Endpoints via Azure Policy (e.g., deploy a policy that denies creation of storage accounts without Private Endpoints).
Exam-Relevant Details
Private Link is used to access Azure PaaS services (e.g., Storage, SQL, Key Vault) and customer-owned services via Private Link Service.
Private Endpoint uses a private IP address from your VNet.
Private Endpoint is associated with a specific resource and sub-resource (e.g., blob, file, queue, table for storage).
DNS configuration is critical: you must use Private DNS Zones or custom DNS to resolve the service FQDN to the private IP.
Approval is required for the connection (automatic or manual).
Service Endpoints are different: they do not use private IPs and do not prevent data exfiltration.
Pricing: Private Endpoint incurs costs per hour and per GB of data processed.
Limitations: Not all Azure services support Private Link; check documentation. Also, Private Endpoints cannot be used across regions (they must be in the same region as the VNet).
Create Private Endpoint resource
In the Azure portal, navigate to 'Private endpoints' and click 'Create'. Specify the subscription, resource group, name, and region (must match the VNet region). In the 'Resource' tab, select the target resource type (e.g., Microsoft.Storage/storageAccounts) and the specific resource. Choose the target sub-resource (e.g., blob, file, queue, table). In the 'Configuration' tab, select the VNet and subnet where the Private Endpoint will be deployed. Optionally, you can assign a static private IP address instead of dynamic. Azure then deploys a network interface in the subnet with that private IP. The deployment typically takes 1-2 minutes.
Configure DNS resolution
After the Private Endpoint is created, you must ensure that clients in the VNet resolve the service's FQDN to the private IP. The easiest method is to create a Private DNS Zone (e.g., privatelink.blob.core.windows.net) and link it to the VNet. Azure can do this automatically during Private Endpoint creation if you select 'Yes' for 'Integrate with private DNS zone'. The zone will contain an A record mapping the service's FQDN to the private IP. If you use custom DNS servers, you must manually add the A record. Verify DNS resolution using nslookup from a VM in the VNet. The command should return the private IP address of the Private Endpoint, not the public IP.
Approve Private Endpoint connection
The target resource owner must approve the Private Endpoint connection. If you have RBAC permissions on the target resource (e.g., Contributor role on the storage account), the connection can be auto-approved during creation. Otherwise, the connection request appears as 'Pending' in the target resource's 'Private endpoint connections' blade. The owner can approve or reject the request. If not approved within 7 days, the request expires. Once approved, the Private Endpoint status changes to 'Approved'. Traffic can then flow from the VNet to the resource via the Private Endpoint.
Disable public access on target resource
To fully secure the resource, you should disable public network access. For Azure Storage, set 'Public network access' to 'Disabled' in the 'Networking' blade. For Azure SQL Database, set 'Public network access' to 'Disable' in the 'Firewall and virtual networks' blade. This ensures that the resource can only be accessed via Private Endpoints. Without this step, the resource remains accessible from the internet, defeating the purpose of Private Link. Note that disabling public access also affects Azure management plane access (e.g., Azure portal), but you can allow specific Azure services if needed.
Verify connectivity and test
From a VM in the same VNet (or a peered VNet with DNS resolution configured), test connectivity to the resource using its FQDN. For example, use `az storage blob list --account-name mystorageaccount --container-name mycontainer` or `Invoke-SqlCmd -ServerInstance myserver.database.windows.net -Database mydb`. The connection should succeed. To confirm traffic is not leaving the Azure backbone, you can use Network Watcher next hop or trace route: `tracert mystorageaccount.blob.core.windows.net`. The first hop should be within the VNet, and subsequent hops should remain in the Microsoft network (private IPs in the 10.x.x.x or 168.63.x.x range). If you see public IPs, DNS is not resolving correctly.
Scenario 1: Financial Services Company Securing Azure SQL Database
A financial services company hosts a critical Azure SQL Database containing customer financial records. They have a regulatory requirement (e.g., PCI-DSS) that no data can traverse the public internet. They deploy an Azure VNet with a subnet for application VMs. They create a Private Endpoint for the SQL Database in that subnet, associating it with the 'sqlServer' sub-resource. They configure a Private DNS Zone (privatelink.database.windows.net) linked to the VNet. They then disable public network access on the SQL Server. The application VMs connect to the SQL Database using the FQDN (myserver.database.windows.net), which resolves to the private IP 10.0.1.5. All traffic flows within the Azure backbone. The company also uses Azure Policy to enforce that all new SQL Servers must have a Private Endpoint and that public access is disabled. This prevents data exfiltration even if a storage account is accidentally created without proper controls.
Scenario 2: Healthcare Organization Using Private Link Service for Third-Party Integration
A healthcare organization has a custom application hosted on Azure VMs behind an internal Standard Load Balancer. They want to expose this application to a partner organization's VNet without exposing it to the internet. They create a Private Link Service (PLS) attached to the internal load balancer. The partner organization creates a Private Endpoint in their own VNet, specifying the resource ID of the PLS. After approval, the partner's VMs can access the application using the private IP of their Private Endpoint. The healthcare organization can apply NSGs to the PLS subnet to control inbound traffic. They also monitor connection logs to detect any unauthorized access attempts. This setup eliminates the need for VPNs or public endpoints, reducing attack surface.
Common Misconfigurations and Pitfalls
DNS resolution failure: The most common issue is that DNS is not configured correctly. Clients in the VNet still resolve the FQDN to the public IP, causing connection attempts to fail (because public access is disabled). Always verify DNS resolution with nslookup.
Not disabling public access: Even with Private Endpoint, if public access remains enabled, the resource is still accessible from the internet. This is a common oversight that compromises security.
Cross-region Private Endpoints: Private Endpoints must be in the same region as the VNet. You cannot create a Private Endpoint in East US for a resource in West US. This is a frequent exam trap.
Subnet network policies: If you forget to disable subnet-level private endpoint network policies, Private Endpoint creation fails. The error message is often misleading.
NSG limitations: NSGs on the Private Endpoint NIC are not supported. You must rely on NSGs on the subnet and service-side firewalls.
What SC-900 Tests on Azure Private Link
SC-900 objective 3.4 (Secure Data and Applications) includes understanding of Private Link as a method to securely access Azure services. The exam focuses on: - Conceptual understanding: What Private Link is and its primary benefit (eliminating public internet exposure). - Comparison with Service Endpoints: Candidates must know that Private Endpoints use private IPs, while Service Endpoints use public IPs but route over Azure backbone. Private Link prevents data exfiltration; Service Endpoints do not. - Use cases: Private Link is used for accessing Azure PaaS services (Storage, SQL, Key Vault, etc.) and for exposing custom services via Private Link Service. - DNS configuration: The need for Private DNS Zones or custom DNS to resolve FQDNs to private IPs. - Pricing: Private Endpoint incurs costs (hourly + data processing).
Common Wrong Answers and Traps
'Private Link is the same as Service Endpoints' – Wrong. Service Endpoints do not use private IPs and do not prevent data exfiltration. The exam tests this distinction.
'Private Link can be used to connect to any Azure service' – Wrong. Only services that support Private Link can be used. Many services like Azure DevOps, Azure Cognitive Search, and some third-party services may not support it.
'Private Endpoints can be used across regions' – Wrong. The Private Endpoint must be in the same region as the VNet. The target resource can be in a different region? Actually, the target resource must be in the same region as the Private Endpoint? No, the Private Endpoint is created in the same region as the VNet, but the target resource can be in any region? Wait, check: For Azure PaaS services, the Private Endpoint must be in the same region as the VNet, but the target resource can be in any region? Actually, the documentation states: 'The Private Endpoint must be in the same region as the virtual network and the resource it connects to.' That means the resource must be in the same region as the Private Endpoint. This is a common trap: candidates think you can connect to a resource in another region, but it's not supported.
'Private Link automatically blocks public access' – Wrong. You must manually disable public access on the target resource. The Private Endpoint only provides private connectivity; it does not remove the public endpoint.
Specific Numbers and Terms That Appear on Exam
'Private Endpoint' vs 'Private Link Service' – Know the difference.
Sub-resource names: blob, file, queue, table for Storage; sqlServer for SQL Database; vault for Key Vault.
Private DNS Zone naming: privatelink.blob.core.windows.net, privatelink.database.windows.net, etc.
Approval timeout: 7 days for manual requests.
Network policy: Must disable PrivateEndpointNetworkPolicies on subnet.
Edge Cases and Exceptions
On-premises connectivity: To use Private Link from on-premises, you need a VPN gateway or ExpressRoute circuit to connect to the VNet. Then Private Endpoint traffic flows through that connection.
Azure Firewall: You can route traffic through Azure Firewall for inspection, but this adds complexity and potential latency.
Endpoint policies: Azure Policy can enforce Private Endpoint usage, but not all services support it.
How to Eliminate Wrong Answers
When you see a question about 'private connectivity to Azure PaaS services without exposing to internet', look for answer choices that mention 'Private Endpoint' and 'private IP'. Eliminate any answer that says 'Service Endpoint' because that does not remove public exposure. Also eliminate answers that say 'any service' because only supported services work. Remember that DNS configuration is essential.
Azure Private Link provides private connectivity to Azure PaaS services using a Private Endpoint with a private IP from your VNet.
Private Endpoint must be in the same region as the VNet and the target resource.
You must disable public network access on the target resource to fully secure it; Private Link alone does not block public access.
DNS configuration via Private DNS Zones is essential for clients to resolve the service FQDN to the private IP.
Private Link prevents data exfiltration, unlike Service Endpoints.
Private Endpoint creation requires disabling subnet-level private endpoint network policies.
Manual Private Endpoint connection requests expire after 7 days if not approved.
Private Link can also be used for customer-owned services via Private Link Service attached to a Standard Load Balancer.
These come up on the exam all the time. Here's how to tell them apart.
Service Endpoints
Uses public IP of the service; traffic routed over Azure backbone but still appears from public IP
Does not prevent data exfiltration; service remains accessible from internet if public access is enabled
No cost for the endpoint itself; only data processing charges
Supported on all Azure services that support service endpoints
Requires route tables (service endpoint routes) on the subnet
Private Endpoints (Private Link)
Uses private IP from your VNet; traffic appears to originate from that private IP
Can block public access entirely by disabling public network access on the service, preventing data exfiltration
Incurs hourly cost for the Private Endpoint plus data processing charges
Only supported on services that explicitly support Private Link (growing list)
Requires Private DNS Zones or custom DNS for name resolution; no route tables needed
Mistake
Azure Private Link and Service Endpoints are functionally identical.
Correct
They are fundamentally different. Service Endpoints provide direct connectivity over Azure backbone but still use the service's public IP and do not prevent data exfiltration. Private Link uses a private IP from your VNet and can block public access entirely, preventing data exfiltration.
Mistake
Once you create a Private Endpoint, public access to the service is automatically disabled.
Correct
No, you must manually disable public network access on the target resource. The Private Endpoint only provides an additional private connection path; the public endpoint remains active until explicitly disabled.
Mistake
Private Endpoints can connect to resources in any Azure region.
Correct
Private Endpoints must be in the same region as the virtual network and the target resource. Cross-region Private Endpoints are not supported for PaaS services.
Mistake
You can apply Network Security Groups (NSGs) directly to the Private Endpoint NIC.
Correct
NSGs are not supported on the Private Endpoint NIC itself. You can apply NSGs to the subnet containing the Private Endpoint, but not to the endpoint's network interface.
Mistake
Private Link is only for Azure PaaS services, not for customer-owned services.
Correct
Private Link also supports customer-owned services via Private Link Service (PLS). You can expose your own application behind an internal load balancer and allow consumers to connect via Private Endpoints.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Private Link uses a private IP from your VNet to connect to a PaaS service, allowing you to block public access entirely and prevent data exfiltration. Service Endpoints route traffic over the Azure backbone but still use the service's public IP, and the service remains accessible from the internet. Private Link is more secure but costs more and is not supported by all services.
Yes, but you need a VPN gateway or ExpressRoute circuit to connect your on-premises network to an Azure VNet. Once connected, you can use Private Endpoints in that VNet to access PaaS services privately. The traffic flows from on-premises to the VNet, then through the Private Endpoint over the Azure backbone.
Yes, DNS configuration is critical. Clients in your VNet must resolve the service's FQDN (e.g., mystorageaccount.blob.core.windows.net) to the private IP of the Private Endpoint. This is typically done by creating a Private DNS Zone (e.g., privatelink.blob.core.windows.net) and linking it to your VNet. Without correct DNS, connections will fail.
No. The Private Endpoint must be in the same region as the virtual network and the target resource. Cross-region Private Endpoints are not supported for PaaS services. This is a common exam trap.
The connection request expires and is automatically deleted. The requester would need to create a new Private Endpoint to try again. The 7-day timeout applies only to manual approval requests; auto-approved connections are immediate.
No, NSGs are not supported on the Private Endpoint NIC itself. You can apply NSGs to the subnet containing the Private Endpoint, but not to the endpoint's network interface. Also, NSG flow logs are not available for Private Endpoint traffic.
No, Private Endpoints have an hourly cost (approximately $0.01-$0.02 per hour per endpoint) and data processing charges per gigabyte. There is no cost for the Private Link Service itself, but the underlying Standard Load Balancer incurs costs.
You've just covered Azure Private Link Basics — now see how well it sticks with free SC-900 practice questions. Full explanations included, no account needed.
Done with this chapter?