Top 10 Recommendations - Private Endpoints & Azure Private Link

Step-by-step Azure Portal clicks and useful PowerShell commands to configure and manage Private Endpoints and Private Link securely

Quick summary

This reference provides the top 10 recommendations for designing, deploying, securing and operating Azure Private Link and Private Endpoints, including exact Azure Portal click paths and PowerShell snippets for common tasks.

Quick checklist

Run these checks after creating or changing Private Endpoints

  • Private Endpoint status is Approved and shows an IP in the target subnet
  • DNS resolution returns private IP (validate from a VM in the VNet)
  • NSGs and route tables permit required traffic to service and DNS
  • Audit private link connections in Resource provider and Activity Log
  • Confirm no public endpoint access if private-only required

Top 10 Recommendations

1. Plan VNet/subnet placement and IP capacity

Reserve dedicated subnet(s) for Private Endpoints; ensure sufficient IPs and avoid mixing with other workloads to simplify governance and auditing.

  1. Azure Portal: Home > Virtual networks > select VNet > Subnets > + Subnet > name (e.g., pe-subnet) > assign address range > Save.
  2. Allocate a /24 or larger depending on the number of endpoints; avoid using a subnet that has service endpoints enforced for the same resource.

2. Use Private Link Service or platform Private Endpoints where appropriate

Choose platform service Private Endpoints for Azure PaaS (Storage, SQL, Key Vault). Use Private Link Service when exposing your own service privately.

  1. Portal (PaaS): Storage Account > Networking > Private endpoint connections > + Private endpoint > Create; choose resource and target subnet > Create.
  2. Portal (custom service): Resource provider offering Private Link Service > create the Private Link Service resource; consumers then create Private Endpoints to it.

3. Enforce DNS design for private resolution

Provision private DNS zones or conditional forwarding so service hostnames resolve to private IPs inside your VNets; test from client VMs.

  1. Portal: Private DNS zones > + Create > name (e.g., privatelink.blob.core.windows.net) > Link virtual network > Save.
  2. Create A records or let Private Endpoint registration add records automatically; validate with nslookup from VM in VNet.

4. Approve or reject PE connections centrally and log approvals

Control who can approve Private Endpoint connections (resource owner). Use RBAC and Activity Log to audit approvals.

  1. Portal: Resource (e.g., Storage) > Private endpoint connections > select pending connection > Approve or Reject; add a note if approving.
  2. Audit: Monitor > Activity Log > filter by 'Microsoft.Network/privateEndpoints' and review operations.
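The approval audit from recommendation 4, as an added example that is not part of the original page: it pulls Private Endpoint operations from the Activity Log with the caller identity and flags privateEndpointConnections writes (approve/reject) made by principals outside an approver list. It assumes Az.Accounts/Az.Monitor are installed and Connect-AzAccount has run; the approver list and output path are constructed placeholders, and the filter assumes approve/reject actions surface as writes on the target's privateEndpointConnections sub-resource.

```powershell
# Added example (not from the original page): build an attributable audit trail
# of Private Endpoint connection operations from the Activity Log and flag
# approvals made by principals outside the approved approver list.
# Assumes Az.Accounts/Az.Monitor are installed and Connect-AzAccount has run;
# the approver list and output path are constructed placeholders.
$days = 30
$allowedApprovers = @('netsec-approvers@contoso.example')   # placeholder UPNs / app ids

# Consumer-side events live under .../privateEndpoints/..., while approve and
# reject actions are writes to the target's privateEndpointConnections sub-resource.
$events = Get-AzActivityLog -StartTime (Get-Date).AddDays(-$days) -MaxRecord 1000 |
    Where-Object {
        $_.ResourceId -like '*/privateEndpoints/*' -or
        $_.ResourceId -like '*/privateEndpointConnections/*'
    }

$trail = foreach ($e in $events) {
    [pscustomobject]@{
        Time      = $e.EventTimestamp
        Caller    = $e.Caller                   # user UPN or service principal id
        Operation = $e.OperationName.Value      # e.g. .../privateEndpointConnections/write
        Status    = $e.Status.Value             # Started / Succeeded / Failed
        Resource  = $e.ResourceId
    }
}

# Every successful approve/reject is a write on privateEndpointConnections;
# anything not done by an allowed approver deserves a closer look.
$unexpected = $trail | Where-Object {
    $_.Operation -like '*/privateEndpointConnections/write' -and
    $_.Status -eq 'Succeeded' -and
    $_.Caller -notin $allowedApprovers
}

$trail | Sort-Object Time | Export-Csv -Path ".\pe-approval-trail.csv" -NoTypeInformation
if ($unexpected) {
    Write-Warning "$($unexpected.Count) privateEndpointConnections writes by non-approved principals:"
    $unexpected | Format-Table Time, Caller, Resource -AutoSize
}
```

The approval comment itself is not in the Activity Log; the description passed at approval time is stored on the connection object, so a full trail pairs this CSV with the connection listing from the PowerShell section.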

5. Restrict public access on PaaS resources when using private endpoints

Set resource firewall/network settings to allow only selected VNets or private endpoints; block public network access when strict isolation is required.

  1. Portal: Storage Account > Networking > Selected networks > add Virtual network or Private endpoint; set 'Allow trusted Microsoft services' per policy.
  2. Key Vault: Networking > Allow access from selected networks; add private endpoint or VNet exceptions.
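The two settings from recommendation 5 applied and then verified, as an added example that is not part of the original page: the weak state (DefaultAction Allow, PublicNetworkAccess Enabled) is closed on a storage account and a key vault, and the script reads the settings back instead of trusting the write. It assumes Az.Storage and Az.KeyVault are installed; resource names are placeholders.

```powershell
# Added example (not from the original page): close the public path to a
# storage account and a key vault that are served by Private Endpoints, then
# read the settings back and fail if the weak state is still in place.
# Assumes Az.Storage and Az.KeyVault; resource names are placeholders.
$rg     = "rg-data"
$saName = "mystorage"
$kvName = "kv-prod"

# Weak state: DefaultAction Allow + PublicNetworkAccess Enabled means the PE is
# optional and the account is still reachable from the internet.
$before = Get-AzStorageAccount -ResourceGroupName $rg -Name $saName
"Before: PublicNetworkAccess={0} DefaultAction={1}" -f `
    $before.PublicNetworkAccess, $before.NetworkRuleSet.DefaultAction

# 1. Firewall default Deny. -Bypass AzureServices keeps "trusted Microsoft
#    services" working; drop it if your policy forbids that exception.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $saName `
    -DefaultAction Deny -Bypass AzureServices | Out-Null

# 2. Disable the public endpoint outright; only PE traffic is accepted.
Set-AzStorageAccount -ResourceGroupName $rg -Name $saName -PublicNetworkAccess Disabled | Out-Null

# 3. Key Vault: same default-Deny posture (rec. 5, item 2).
Update-AzKeyVaultNetworkRuleSet -VaultName $kvName -ResourceGroupName $rg `
    -DefaultAction Deny -Bypass AzureServices

# 4. Verify instead of trusting the calls: a failed write leaves the old state.
$after = Get-AzStorageAccount -ResourceGroupName $rg -Name $saName
$kv    = Get-AzKeyVault -VaultName $kvName -ResourceGroupName $rg
$bad = @()
if ($after.PublicNetworkAccess -ne 'Disabled')      { $bad += "$saName PublicNetworkAccess=$($after.PublicNetworkAccess)" }
if ($after.NetworkRuleSet.DefaultAction -ne 'Deny') { $bad += "$saName DefaultAction=$($after.NetworkRuleSet.DefaultAction)" }
if ($kv.NetworkAcls.DefaultAction -ne 'Deny')       { $bad += "$kvName DefaultAction=$($kv.NetworkAcls.DefaultAction)" }
if ($bad) { throw "Public access still open: $($bad -join '; ')" }
"Hardened: $saName and $kvName accept private endpoint traffic only"
```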

6. Harden subnet security (NSGs and route tables)

Control traffic to/from Private Endpoint subnet using NSGs; avoid blocking Azure DNS or required Microsoft service IPs. Use UDRs cautiously.

  1. Portal: Virtual networks > Subnets > select pe-subnet > Network security group > Associate or create NSG with explicit allow rules for DNS and necessary management traffic.
  2. Route tables: Virtual networks > Route tables > create/associate if you need forced tunneling; ensure routes don't blackhole private link traffic.

7. Use Private Endpoint network policies correctly for PaaS with service-specific requirements

Some services require network policies enabled/disabled on subnets; follow service guidance to set the 'Private endpoint network policies' appropriately.

  1. Portal: Virtual networks > Subnets > select subnet > click 'Private endpoint network policies' toggle as required (sometimes must be Disabled for certain scenarios).
  2. Validate service documentation for recommended setting before changing.
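Recommendations 6 and 7 carried out together, as an added example that is not part of the original page: the PE subnet's private endpoint network policies are set to Enabled so that NSG rules are actually evaluated for PE NICs, and an NSG is attached that admits only the application subnet on 443 while keeping Azure DNS (168.63.129.16) reachable. It assumes Az.Network; the VNet, subnet names and CIDRs are placeholders.

```powershell
# Added example (not from the original page): rec. 6 and 7 together. Private
# endpoint network policies on the PE subnet are set to Enabled so NSG rules
# are actually evaluated for PE NICs, then an NSG is attached that admits only
# the application subnet on 443 and keeps Azure DNS (168.63.129.16) reachable.
# Assumes Az.Network; VNet, subnet names and CIDRs are placeholders.
$rg      = "rg-network"
$vnet    = Get-AzVirtualNetwork -ResourceGroupName $rg -Name "vnet-prod"
$peSub   = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "pe-subnet"
$appCidr = "10.4.1.0/24"    # clients that are allowed to use the PEs

$rules = @(
    New-AzNetworkSecurityRuleConfig -Name "allow-app-to-pe-https" -Direction Inbound -Priority 100 `
        -Access Allow -Protocol Tcp -SourceAddressPrefix $appCidr -SourcePortRange * `
        -DestinationAddressPrefix $peSub.AddressPrefix -DestinationPortRange 443
    # Explicit deny below the allow: the default AllowVnetInBound rule would
    # otherwise let every VNet/peered address reach the PEs.
    New-AzNetworkSecurityRuleConfig -Name "deny-other-inbound" -Direction Inbound -Priority 4000 `
        -Access Deny -Protocol * -SourceAddressPrefix * -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange *
    # Never cut off the Azure resolver the private DNS design depends on
    # (matters when clients share this subnet; harmless for a PE-only subnet).
    New-AzNetworkSecurityRuleConfig -Name "allow-azure-dns" -Direction Outbound -Priority 100 `
        -Access Allow -Protocol * -SourceAddressPrefix * -SourcePortRange * `
        -DestinationAddressPrefix "168.63.129.16" -DestinationPortRange 53
)
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $vnet.Location `
    -Name "nsg-pe-subnet" -SecurityRules $rules

# Enabled is required for the NSG (and any UDR) to apply to PE traffic; with
# Disabled the rules are silently bypassed, which is the common misconfiguration.
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "pe-subnet" `
    -AddressPrefix $peSub.AddressPrefix -NetworkSecurityGroup $nsg `
    -PrivateEndpointNetworkPoliciesFlag "Enabled" | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Read back from the service and confirm both settings stuck.
$check = (Get-AzVirtualNetwork -ResourceGroupName $rg -Name "vnet-prod").Subnets |
    Where-Object Name -eq "pe-subnet"
if ($check.PrivateEndpointNetworkPolicies -ne 'Enabled' -or -not $check.NetworkSecurityGroup) {
    throw "pe-subnet: policies=$($check.PrivateEndpointNetworkPolicies), NSG missing"
}
"pe-subnet: policies={0}, nsg={1}" -f $check.PrivateEndpointNetworkPolicies, ($check.NetworkSecurityGroup.Id -split '/')[-1]
```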

8. Automate lifecycle and approvals with IaC and RBAC

Automate creation of endpoints, DNS links and approval workflows. Ensure only authorized principals can approve connections.

  1. Portal > Azure Policy: enforce tagging and allowed subnets; use RBAC (Access control) on resource to limit approver roles.
  2. Use ARM/Bicep or PowerShell to create endpoint and private DNS zone links; include logging and tagging as part of automation.

9. Monitor and alert on private link state and DNS failures

Alert on Private Endpoint health, Private Link connection state, and DNS resolution failures from test VMs or synthetic probes.

  1. Portal: Monitor > Metrics > select Private Endpoint resource or Network Interface metrics; create Alert rules for unhealthy states.
  2. Use Log Analytics to collect DNS/NSG logs and create scheduled queries to detect anomalies.

10. Audit and review connections regularly

Maintain inventory of Private Endpoints and Private Link Services; review owners, expiration, and usage periodically.

  1. Automate inventory using Resource Graph / Az CLI / PowerShell to produce scheduled lists of PEs, owners, subnets and tags.
  2. Run quarterly reviews requiring re-approval or removal for stale or low-usage connections.
  3. Integrate PE ownership into identity governance processes (access reviews) to keep owners current.
  4. Flag and investigate anomalies such as PEs in unexpected subscriptions, regions or resource groups.
  5. Ensure Activity Log and diagnostics retention meet compliance and forensic needs for PE operations.

Azure Portal exact clicks reference

Concise where-to-clicks for common Private Endpoint / Private Link tasks

Create Private Endpoint to a Storage Account

Storage Account > Networking > Private endpoint connections > + Private endpoint > Basics: Subscription/Resource group/Name > Resource: Microsoft.Storage/storageAccounts > Select target storage account > Resource target sub-resource (blob, file) > Next: Resource details > Virtual network > Subnet > Integrate with Private DNS zone (Yes) > Create.

Approve Private Endpoint connection (service owner)

Target resource owner: Resource (e.g., Storage) > Private endpoint connections > select pending connection > Approve (optionally provide connection approval message) > Save.

Create Private DNS zone and link to VNet

Private DNS zones > + Create > name (example: privatelink.blob.core.windows.net) > Create > after create: Virtual network links > + Add > select VNet > Auto register records (on/off) > Create.

View network interface for a Private Endpoint

Resource groups > select resource group where PE was created > find network interface resource (prefixed with 'pe-') > Overview shows private IP, subnet, and NIC settings.

List Private Endpoint connections on a resource

Resource (Storage/SQL/Key Vault) > Networking or Private endpoint connections blade > view pending/approved connections and their requestors.

Useful PowerShell commands

Az PowerShell examples to create, inspect, and manage Private Endpoints and Private Link resources

# Login and select subscription
Connect-AzAccount
Select-AzSubscription -SubscriptionId "YOUR-SUBSCRIPTION-ID"

# 1. Create a subnet for Private Endpoints (if not existing). Set-AzVirtualNetwork
#    returns the updated VNet; keep it so the new subnet is present in $vnet below.
$vnet = Get-AzVirtualNetwork -Name "vnet-prod" -ResourceGroupName "rg-network"
$vnet = Add-AzVirtualNetworkSubnetConfig -Name "pe-subnet" -AddressPrefix "10.4.5.0/24" -VirtualNetwork $vnet | Set-AzVirtualNetwork
$peSubnet = $vnet.Subnets | Where-Object Name -eq "pe-subnet"

# 2. Create a Private Endpoint to a Storage Account (blob sub-resource).
#    New-AzPrivateEndpoint takes a connection object and a subnet object,
#    not the target resource id and group id directly.
$storage = Get-AzStorageAccount -ResourceGroupName "rg-data" -Name "mystorage"
$plsConn = New-AzPrivateLinkServiceConnection -Name "pe-storage-prod-conn" `
  -PrivateLinkServiceId $storage.Id `
  -GroupId "blob"
$pe = New-AzPrivateEndpoint -Name "pe-storage-prod" `
  -ResourceGroupName "rg-network" `
  -Location "eastus" `
  -Subnet $peSubnet `
  -PrivateLinkServiceConnection $plsConn

# 3. List Private Endpoint connection requests on a target resource (service owner)
Get-AzPrivateEndpointConnection -PrivateLinkResourceId $storage.Id |
  Select-Object Name, @{n='Status';e={$_.PrivateLinkServiceConnectionState.Status}}, @{n='Requester';e={$_.PrivateEndpoint.Id}}

# 4. Approve a pending Private Endpoint connection (service owner action)
$pec = Get-AzPrivateEndpointConnection -PrivateLinkResourceId $storage.Id -Name "pe-connection-name"
Approve-AzPrivateEndpointConnection -ResourceId $pec.Id -Description "Approved for prod access"

# 5. Create a Private DNS zone, link it to the VNet, and attach the zone to the
#    Private Endpoint with a DNS zone group so the A record is created and kept
#    current automatically. (Auto-registration on the link is for VM hostnames;
#    leave it off for privatelink zones.)
$pdz = New-AzPrivateDnsZone -ResourceGroupName "rg-network" -Name "privatelink.blob.core.windows.net"
New-AzPrivateDnsZoneVirtualNetworkLink -ResourceGroupName "rg-network" -ZoneName $pdz.Name -Name "link-prod-vnet" -VirtualNetworkId $vnet.Id
$zoneConfig = New-AzPrivateDnsZoneConfig -Name "privatelink-blob-core-windows-net" -PrivateDnsZoneId $pdz.ResourceId
New-AzPrivateDnsZoneGroup -ResourceGroupName "rg-network" -PrivateEndpointName $pe.Name -Name "default" -PrivateDnsZoneConfig $zoneConfig

# 6. Get the NIC and private IP for a Private Endpoint
Get-AzNetworkInterface -ResourceId $pe.NetworkInterfaces[0].Id |
  Select-Object Name, @{n='PrivateIp';e={$_.IpConfigurations[0].PrivateIpAddress}}

# 7. Remove a Private Endpoint (consumer side)
Remove-AzPrivateEndpoint -Name "pe-storage-prod" -ResourceGroupName "rg-network" -Force

# 8. List all Private Endpoints in subscription
Get-AzResource -ResourceType "Microsoft.Network/privateEndpoints" | Select-Object Name, ResourceGroupName, Location

# 9. Query Activity Log for Private Endpoint operations (last 7 days, with caller)
Get-AzActivityLog -StartTime (Get-Date).AddDays(-7) |
  Where-Object { $_.ResourceId -like "*/privateEndpoints/*" -or $_.ResourceId -like "*/privateEndpointConnections/*" } |
  Select-Object EventTimestamp, Caller, @{n='Operation';e={$_.OperationName.Value}}, @{n='Status';e={$_.Status.Value}}, ResourceId

# 10. Cross-subscription inventory with Azure Resource Graph (requires the Az.ResourceGraph module)
Search-AzGraph -Query "Resources | where type =~ 'microsoft.network/privateendpoints' | project name, resourceGroup, subscriptionId, location, subnet = tostring(properties.subnet.id)"

# 11. (Optional) Use CLI command equivalents if preferred
# az network private-endpoint create ...

Replace placeholders and names with your environment values. Some commands require specific API versions or module updates; ensure Az module is up to date (Update-Module Az).

Diagnostics, monitoring and validation

Detailed topics and actionable subitems to validate connectivity and monitor health

Validation

  1. DNS resolution: run Resolve-DnsName / nslookup for the service FQDN from VMs and AKS nodes; confirm A records point to PE private IPs and note TTL values.
  2. Connectivity checks: use Test-NetConnection (PowerShell) or nc/curl from Linux to verify TCP/UDP ports and TLS handshake behavior to the private IP.
  3. End-to-end application test: exercise a representative application flow that uses the PE (read/write or API call) and validate success and latency against baseline.
  4. Cross-VNet and peering validation: from peered VNets, validate name resolution and connectivity, ensuring no UDR or NSG blocks exist between VNets.
  5. Automated post-change validation: include these checks in deployment pipelines so DNS, port, and app flow tests run after PE creation or approval.
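The post-change validation from item 5, covering the Quick checklist and Validation items above, as an added example that is not part of the original page: it checks connection state, that the PE IP lies inside the dedicated PE subnet, that DNS answers with that private IP, TCP reachability to the service port, and that the target's public access is closed. It assumes Az.Network and Az.Storage, is run from a VM inside the VNet (the DNS and TCP checks are only meaningful there), and all names and ranges are placeholders.

```powershell
# Added example (not from the original page): post-change validation of one
# Private Endpoint covering the Quick checklist and the Validation items above
# (state, IP in the PE subnet, private DNS answer, TCP reachability, public
# access closed). Run it from a VM inside the VNet; names are placeholders.
param(
    [string]$PeName   = "pe-storage-prod",
    [string]$PeRg     = "rg-network",
    [string]$Fqdn     = "mystorage.blob.core.windows.net",
    [string]$PeSubnet = "10.4.5.0/24",
    [int]$Port        = 443
)
function Test-InCidr([string]$Ip, [string]$Cidr) {
    $net, $bits = $Cidr -split '/'
    $toInt = { param($a) [BitConverter]::ToUInt32(([IPAddress]$a).GetAddressBytes()[3..0], 0) }
    $mask  = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    ((& $toInt $Ip) -band $mask) -eq ((& $toInt $net) -band $mask)
}
$r = [ordered]@{}

# 1. Connection state: Pending means the owner never approved it
$pe   = Get-AzPrivateEndpoint -Name $PeName -ResourceGroupName $PeRg
$conn = if ($pe.PrivateLinkServiceConnections.Count) { $pe.PrivateLinkServiceConnections[0] } else { $pe.ManualPrivateLinkServiceConnections[0] }
$r['Approved'] = ($conn.PrivateLinkServiceConnectionState.Status -eq 'Approved')

# 2. NIC IP must be inside the dedicated PE subnet
$nic  = Get-AzNetworkInterface -ResourceId $pe.NetworkInterfaces[0].Id
$peIp = $nic.IpConfigurations[0].PrivateIpAddress
$r['IpInSubnet'] = Test-InCidr $peIp $PeSubnet

# 3. DNS inside the VNet must answer with that private IP (not the public one)
$answers = Resolve-DnsName -Name $Fqdn -Type A -ErrorAction SilentlyContinue |
    Where-Object QueryType -eq 'A' | Select-Object -ExpandProperty IPAddress
$r['DnsPrivate'] = (@($answers) -contains $peIp)

# 4. TCP reachability through NSG/UDR to the service port
$r['TcpOpen'] = (Test-NetConnection -ComputerName $peIp -Port $Port -WarningAction SilentlyContinue).TcpTestSucceeded

# 5. Public endpoint closed on the target (resource id: .../resourceGroups/<rg>/.../<name>)
$idParts = $conn.PrivateLinkServiceId -split '/'
$sa = Get-AzStorageAccount -ResourceGroupName $idParts[4] -Name $idParts[-1]
$r['PublicClosed'] = ($sa.PublicNetworkAccess -eq 'Disabled' -or $sa.NetworkRuleSet.DefaultAction -eq 'Deny')

[pscustomobject]$r | Format-List
$failed = @($r.Keys | Where-Object { -not $r[$_] })
if ($failed) { throw "Validation failed for ${PeName}: $($failed -join ', ')" }
"Validation passed for $PeName"
```

Check 5 is written for a storage account target; for SQL or Key Vault swap in the matching Get-Az cmdlet and its public-access property.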

Monitoring

  1. Private Endpoint metrics: collect PE and NIC metrics (Bytes in/out, connection counts, throughput) into Log Analytics and create dashboards.
  2. NSG flow logs: enable and export NSG flow logs to a storage account or Log Analytics; create baseline reports and alerts for anomalous flows to PE NICs.
  3. Private Link state alerts: create Azure Monitor alerts for PrivateEndpointConnection state changes, NIC health, and "Unhealthy" status with runbook triggers.
  4. Capacity alerts: monitor PE-subnet IP utilization and set thresholds (e.g., 70%, 85%) to warn before exhaustion and trigger capacity planning workflows.
  5. Retention and tagging: store diagnostics with appropriate retention for compliance and tag telemetry sources so alerts map back to owning teams.

Auditing

  1. Activity Log capture: route Activity Log events for Private Endpoint operations to Log Analytics and/or Event Hub for centralized auditing.
  2. Approval audit trail: ensure every approve/reject action includes approver identity, timestamp and an approval comment stored in logs or a CMDB.
  3. Resource Graph inventory: schedule Resource Graph queries to produce daily snapshots of PEs, their owners, subnets, NSG associations, and tags.
  4. Config drift detection: compare IaC desired state vs. live resources and alert on differences (missing tags, wrong subnet, altered network-policy settings).
  5. Compliance reports: generate periodic reports (CSV/PDF) for auditors showing approvals, owners, retention windows and any exceptions to private-only policies.
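The scheduled inventory from recommendation 10 and Auditing items 3 and 4, as an added example that is not part of the original page: an Azure Resource Graph query produces one row per Private Endpoint with owner tag, subnet, target and connection state, and the script flags anomalies (unexpected subscription, region or subnet, missing owner tag, non-Approved state) and writes a dated CSV snapshot. It requires the Az.ResourceGraph module; the allowed lists and the owner tag name are placeholders.

```powershell
# Added example (not from the original page): scheduled Private Endpoint
# inventory with Azure Resource Graph that serves rec. 10 and the Auditing
# items above: one row per PE with owner tag, subnet and target, plus anomaly
# flags for unexpected subscription/region/subnet, missing owner and non-Approved
# state. Requires the Az.ResourceGraph module; allowed lists are placeholders.
$allowedSubs    = @('00000000-0000-0000-0000-000000000000')   # placeholder subscription ids
$allowedRegions = @('eastus', 'eastus2')
$allowedSubnets = @('pe-subnet')

$query = @'
Resources
| where type =~ 'microsoft.network/privateendpoints'
| extend conn = iif(array_length(properties.privateLinkServiceConnections) > 0,
                    properties.privateLinkServiceConnections[0],
                    properties.manualPrivateLinkServiceConnections[0])
| extend subnetName = extract('/subnets/([^/]+)$', 1, tostring(properties.subnet.id))
| project name, id, subscriptionId, resourceGroup, location, subnetName,
          targetId = tostring(conn.properties.privateLinkServiceId),
          state    = tostring(conn.properties.privateLinkServiceConnectionState.status),
          owner    = tostring(tags['owner'])
'@
# -First caps one page at 1000 rows; page with -SkipToken for larger estates.
$pes = Search-AzGraph -Query $query -First 1000

$report = foreach ($pe in $pes) {
    $flags = @()
    if ($pe.subscriptionId -notin $allowedSubs) { $flags += 'unexpected-subscription' }
    if ($pe.location -notin $allowedRegions)    { $flags += 'unexpected-region' }
    if ($pe.subnetName -notin $allowedSubnets)  { $flags += 'unexpected-subnet' }
    if (-not $pe.owner)                         { $flags += 'no-owner-tag' }
    if ($pe.state -ne 'Approved')               { $flags += "state-$($pe.state)" }
    [pscustomobject]@{
        Name = $pe.name; Subscription = $pe.subscriptionId; ResourceGroup = $pe.resourceGroup
        Region = $pe.location; Subnet = $pe.subnetName; Owner = $pe.owner
        Target = $pe.targetId; Flags = ($flags -join ';')
    }
}
$report | Export-Csv -Path ".\pe-inventory-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
$report | Where-Object Flags | Format-Table Name, Subscription, Region, Subnet, Flags -AutoSize
```

Diffing two dated CSVs gives the drift signal from Auditing item 4 (new PEs, changed subnets, lost owner tags) without any extra tooling.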

Synthetic probes and distributed checks

  1. Multi-location probes: run scheduled DNS and connectivity probes from multiple VNets, zones, and on-prem DNS resolvers to detect regional DNS or routing issues.
  2. Probe types: include DNS resolution, TCP port open, TLS handshake, and light API transactions to validate both network and application layers.
  3. Probe ingestion: send probe results to Log Analytics with structured fields (timestamp, sourceVNet, result, latency, error) for trend analysis and alerting.
  4. Health scoring and SLA checks: aggregate probe results into a health score per PE and trigger escalation when score drops below threshold over N intervals.
  5. Failover simulation: use scheduled probes to validate failover paths (if present) by temporarily simulating a failure and confirming alternate routes or endpoints work.

Playbooks, runbooks and incident response

  1. Standard runbooks: author runbooks for common PE incidents (pending approval, stale DNS, NSG block, IP exhaustion) with exact commands and rollbacks.
  2. Automated remediation hooks: wire Runbooks or Logic Apps to alerts for safe automated fixes (e.g., restart DNS service, re-link Private DNS zone) with approval gates.
  3. On-call procedures: document triage steps, owner contacts, required logs to collect and escalation paths for incidents affecting private connectivity.
  4. Post-incident reviews: require a blameless RCA with timeline, root cause, remediation, and policy changes; record outcomes in the CMDB or ticket system.
  5. Regular drills: schedule tabletop and live drills to exercise runbooks and verify that probes, alerts and playbooks work end-to-end under simulated failures.

This article was originally published on 2025-NOV-17 and last reviewed on 2025-NOV-17.