Share your own service securely

Overview:

Microsoft Azure now lets you build your own workload and share it securely with a wider audience as a service, using Azure Private Link Service.

Azure Private Link lets you reach private endpoints over private peering or VPN tunnels from on-premises networks or peered virtual networks.

Private Link – Access from On-prem and Peered Networks

Sharing your own service:

An Azure Private Link service is your own service, exposed through Azure Private Link. You place the service behind a Standard Load Balancer and enable Private Link access on it; consumers can then reach the service privately from their own VNets by creating a private endpoint and mapping it to your Private Link service. A sample workflow to visualize:

Azure Private Link Service – Workflow

Your Private Link service is given a unique alias that you can share with consumers of your service. Consumers create a private link connection using this alias. The Private Link service gives you control over:

  • Private endpoint connections – lists the private endpoints connecting to your Private Link service. Multiple private endpoints can connect to your Private Link service, and you control the connection state (approve, reject, remove) of each one individually.
  • Access security – Gives you the capability of determining how your private link service will be consumed. You can choose to limit the exposure of your service to subscriptions with role-based access control (RBAC) permissions, a restricted set of subscriptions, or all Azure subscriptions.

Private link service – access security

IaC patterns for deployment:

ARM Code Block:

ARM Example

Terraform Code Block:

Terraform Example
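As an added Terraform example (not the post's own code), the following wires a Standard Load Balancer to a Private Link Service and applies the restricted-subscription access security described above: the service is visible only to an explicit allow-list of consumer subscriptions and no connection is auto-approved. Resource names, region, the consumer subscription ID and the azurerm provider 3.x attribute names are assumptions.

```hcl
# Added example, not from the original post. Assumes azurerm provider 3.x attribute
# names; resource names, region and the consumer subscription ID are placeholders.
resource "azurerm_virtual_network" "pls" {
  name                = "vnet-pls-example"
  address_space       = ["10.10.0.0/16"]
  location            = "westeurope"
  resource_group_name = "rg-pls-example"
}

# Subnet hosting the PLS NAT IPs; PLS network policies must be disabled on it.
resource "azurerm_subnet" "pls" {
  name                                          = "snet-pls"
  resource_group_name                           = "rg-pls-example"
  virtual_network_name                          = azurerm_virtual_network.pls.name
  address_prefixes                              = ["10.10.1.0/24"]
  private_link_service_network_policies_enabled = false
}

# Standard SKU is required; the PLS binds to this internal frontend IP configuration.
resource "azurerm_lb" "pls" {
  name                = "lb-pls-example"
  sku                 = "Standard"
  location            = "westeurope"
  resource_group_name = "rg-pls-example"
  frontend_ip_configuration {
    name      = "fe-internal"
    subnet_id = azurerm_subnet.pls.id
  }
}

resource "azurerm_private_link_service" "pls" {
  name                = "pls-example"
  location            = "westeurope"
  resource_group_name = "rg-pls-example"
  load_balancer_frontend_ip_configuration_ids = [azurerm_lb.pls.frontend_ip_configuration[0].id]

  # Access security: an explicit allow-list of consumer subscriptions that can
  # discover the service via its alias; "*" would expose it to all Azure subscriptions.
  visibility_subscription_ids = ["00000000-0000-0000-0000-000000000001"]
  # Empty auto-approval list: every private endpoint connection stays Pending
  # until the provider approves it from the "Private endpoint connections" view.
  auto_approval_subscription_ids = []

  nat_ip_configuration {
    name      = "nat-primary"
    primary   = true
    subnet_id = azurerm_subnet.pls.id
  }
}
```

After `terraform apply`, the generated alias is available as `azurerm_private_link_service.pls.alias` for sharing with the allow-listed consumers.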

A few important points to note:

  • A NIC is created along with the Private Link service to manage the lifecycle of this resource; it is not manageable by the customer.
  • The Private Link service must be deployed in the same region as the virtual network and the Standard Load Balancer.
  • A single Private Link service can be accessed from multiple private endpoints belonging to different VNets, subscriptions and/or Active Directory tenants. Each connection is established through a connection workflow.
  • Multiple Private Link services can be created on the same Standard Load Balancer using different front-end IP configurations. There are limits to the number of Private Link services you can create per Standard Load Balancer and per subscription. The limits can be found here.
  • A Private Link service can have more than one NAT IP configuration linked to it. Choosing more than one NAT IP configuration helps service providers scale. As of today, service providers can assign up to eight NAT IP addresses per Private Link service.

References:

Azure Private Link

Azure Private Link Service

Authors