Azure Networking - #11 - Azure Private Link

One of the things that we have to stay on top of constantly in IT is security. Now this is of course true in the cloud as well, and in Azure our basic layer of security revolves around our virtual network. Each network in Azure creates an isolation, but over time it has grown more and more complex in the cloud, so we've had to add more and more services to accommodate for it. And as the world extends from IaaS into PaaS services, we need to be able to link the two together in a way that's going to give us that layer of security that we need, so we don't have issues like data exfiltration. So we're going to talk about network security for a little bit here as we zone in on Azure Private Link.

I'm Dean Cefola and this is the Azure Academy. So there's a lot of services that we need to cover so you can understand how Private Link fits into the ecosystem of Azure, so let's jump into our docs and get started.

So in our docs page we'll go to Products and then go down the table of contents to Networking, and then at the bottom here we see Private Link, and in the table of contents here we'll click this link for "What is Private Link". So this diagram is going to help us out here. We have platform-as-a-service items in Azure; this is things like Azure Database or Cosmos DB, Key Vault, Azure Storage, etc., and all of these services have internet-facing endpoints. So when you want to talk to Azure Storage you're actually communicating with the internet endpoint of that storage. After some feedback from customers we found that everyone wanted a secure way to get there from Azure directly without having to go down and around out through the internet, so we came up with a technology that's called service endpoints. That is something that you set up on your virtual network for every subnet that you want to have doing this, and you can have the service basically hairpin the traffic through Azure's secure network address translation to go to the service. It still hits the public-facing endpoint, but it does so from Azure directly on our backbone.

Private Link is different. It actually takes that service and projects a virtual network card inside, and you get an actual IP address, and that in this case is 10.1.1.10 to this Azure service. So when I want to hit this Azure service now I can't go to the public internet endpoint; the only way to get there is from this internal network IP address. Now that works out just fine in normal Azure routing, because my spokes know how to route to it, my on-prem knows how to route to it; all I have to do is hit this private IP address and I get to that service.

So let's take a look at this inside the Azure portal. So in the portal at the top here we're going to search for the word "private" and then we're going to click on Private Link. So this is the Private Link Center, and then down at the bottom here we've got three different options to help us get started. This first one would be to connect to existing resources with a private link, build new resources with a private link, or expose resources so that others can get to them; now when we do this they must be behind a Standard Azure Load Balancer. We'll get into all three of these scenarios. And over on the left side we've got our pending connections (this will become more important in a few minutes), our private endpoints themselves, the private link service, and then the different resources that can be enabled at the moment, and more of these will be coming over time. So let's start building.

So our first Start button here is to build a private connection to resources that already exist, so let's start there. In my subscription I'll select my resource group where I've got my stuff, and then we'll give it a name and I'll call it private key vault 01. We'll go to the resources and then we'll select our resource type of a key vault, and then we'll select our key vault that is in the private link resource group, which is called private vault 01. This sub-resource is the specific kind of resource that this private endpoint will be able to access, in this case a vault, and then we'll hit Next for our configuration. And we have to now attach it to a subnet in a virtual network, so I'll use my DMZ subnet for this, and now we have an additional option where we can integrate this with Azure Private DNS. So if you choose not to, you just toggle this to No, but I'll leave this on Yes and it's going to spin up a new zone for us called privatelink.vaultcore.azure.net. We'll hit Next and add the appropriate tags, and we've added one for our cost center so we know who's paying for this; our application here is Private Link, we're in a lab environment, and we're doing this for the IT department. And we'll hit Next and we have the ability to review what it is that we're going to create, and we can also check our ARM template to see what that all looks like, and we have three resources that will be provisioned here, and you can save that template for later use, and we'll hit Create.
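The same "connect to an existing resource" wizard steps as Az PowerShell, added here as an example (not the video's own commands); the resource group, VNet, subnet and vault names are assumptions for this lab, and the final check shows the security-relevant result, that the vault's public FQDN now resolves to the endpoint's private IP rather than the internet-facing address.

```powershell
# Added example (not from the video): Key Vault private endpoint with private DNS
# integration. Resource group, VNet, subnet and vault names are lab assumptions.
$rg       = 'private-link'
$location = 'eastus'
$vnetName = 'hub-vnet'
$vault    = Get-AzKeyVault -ResourceGroupName $rg -VaultName 'private-vault-01'
$vnet     = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$dmz      = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'DMZ'

# The sub-resource ("group id") decides what the endpoint can reach: 'vault' for Key Vault.
$conn = New-AzPrivateLinkServiceConnection -Name 'private-key-vault-01-conn' `
          -PrivateLinkServiceId $vault.ResourceId -GroupId 'vault'

# The private endpoint is a NIC in the DMZ subnet with a private IP projected for the vault.
$pe = New-AzPrivateEndpoint -ResourceGroupName $rg -Name 'private-key-vault-01' `
        -Location $location -Subnet $dmz -PrivateLinkServiceConnection $conn

# Private DNS zone for Key Vault, linked to the VNet so VMs in it use the zone.
$zoneName = 'privatelink.vaultcore.azure.net'
$zone = New-AzPrivateDnsZone -ResourceGroupName $rg -Name $zoneName
New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zoneName `
    -Name "$vnetName-link" -VirtualNetworkId $vnet.Id | Out-Null

# The zone group keeps the endpoint's A record in the zone up to date for you.
$cfg = New-AzPrivateDnsZoneConfig -Name 'vault' -PrivateDnsZoneId $zone.ResourceId
New-AzPrivateDnsZoneGroup -ResourceGroupName $rg -PrivateEndpointName $pe.Name `
    -Name 'default' -PrivateDnsZoneConfig $cfg | Out-Null

# Check, run from a VM inside the VNet: the public FQDN must resolve to the
# endpoint's private IP (10.1.1.10 in the video's diagram), not to a public address.
$nic  = Get-AzNetworkInterface -ResourceId $pe.NetworkInterfaces[0].Id
$peIp = $nic.IpConfigurations[0].PrivateIpAddress
$fqdn = ([uri]$vault.VaultUri).Host
$seen = (Resolve-DnsName -Name $fqdn -Type A).IPAddress
if ($seen -contains $peIp) { "OK: $fqdn -> $peIp via the private endpoint" }
else { "WARNING: $fqdn resolves to $seen; clients are not using the private endpoint" }
```

If the check warns on a VM that should be using the endpoint, the usual cause is that the VM's VNet is not linked to the private DNS zone or it uses a DNS server that does not forward to Azure DNS.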

In the Private Link Center let's see what we've got. So we've got a new private endpoint here for our key vault, and if you click on that it takes you to the private link directly, and then under our particular kind of resource we go to Key Vault and we can see our vault here, which we can click on and get into the vault itself.

So back in the overview screen let's go to the second Start button here, and this will allow us to provision resources with the private link enabled. So let's provision an Azure SQL database, and we'll put it in a resource group of private link, and we'll give it a name and we'll call it private SQL DB 01, and I'm creating a new SQL server for this, and I've set the compute to be serverless. So hit Next, and now we have our network access, and our options here are no network access, turn on our public endpoint, or use our private link endpoint. It will add the private endpoint here and I'll just call this private access 0, and for our sub-resource type we only have the choice of a SQL server, and we'll put this on our DMZ as well, and we'll create a new DNS zone for this as well, and it'll be privatelink.database.windows.net. We'll hit OK and then we'll hit Next, and we'll just leave our additional settings as default and go to our tags, and our cost center is here so we know who's paying for this; it's a Private Link application in the lab, and this time our business unit is for the accounting department. And we'll hit Next and then of course we can review our ARM template as well; you can save that one for yourself, and we'll hit Create. Our SQL server has finished building, and we have the same types of resources added now: we've got our network card that has our IP address, our private DNS zone, a private endpoint, and of course our SQL server and SQL database.

So let's go back to the Private Link Center, and under our private endpoints we can see we've got our SQL, our key vault, and in the background I added one for our storage account around Azure Files, and they're all located in that DMZ subnet, and then of course we can look at each one of them here individually just like we did the key vault. So that's going through and provisioning private link on top of resources that already exist, or creating new resources with private link enabled, and that brings us to the third, and that is to expose services of our own that private link can use. This does need to be behind a Standard Load Balancer, and this is where we're going to get into the private link service and pending connections.

So let's see how this goes. So we need to provision a resource again in our resource group, and we'll put that in East US, and we'll hit Next for our outbound settings, and here's where we select our load balancer and then our load balancer front-end IP as well as the NAT information. And we mouse over the tooltip here: so the subnet where the NAT IP will be allocated to your service, so we want this in the DMZ. And in this next section for the private IP allocation we have the option of setting static numbers of IPs, or we can let this be dynamic in allocation; it depends on what kind of service you're hosting here as to which path you would choose. I'm doing a website so I don't know what the number of connections is going to be, so I'll leave it at dynamic, and we'll hit Next for our security. And now we have to decide how our consumers will be getting access to this, so we can do this by RBAC, or by anyone using my alias, or (I'll be choosing this one because it gives me the option to control things at a subscription level, as you'll see in a second) we need to add our subscriptions that we want to give access to here, and if you have multiple, separate them by a comma. I've added three subscriptions here and we'll hit OK, and even though I entered all subscription IDs, because my login is directly tied to these two subscriptions it resolves their names. Now I'm going to set this subscription where I'm hosting the service to auto-approve, but these other two I'm going to not auto-approve so we can see what both experiences look like, and we'll hit Next. And then we need to add our tags, and the unique one here is we've created a new business unit for the sales team, and we'll just hit Next, and you can review everything on the list and also look at our ARM template, which we'll do because this is something different. So the resource that we're provisioning here is the private link service, and that will then add explicit visibility to my private link endpoint to these particular subscriptions, with this one in particular being set to auto-approve, and then it gives us our load balancer config that we entered, and then updates our Azure subnet here to build our new private link just like we did in the other ones. So we'll hit Create.

Back in the Private Link Center we've got our private link service now set up here, and if we click on that, these are the different items that are here: so we've got our private endpoint connections (we don't have any just yet), what our current NAT configuration is, and what our access policies are if we need to change those, and we also have up here the alias, and this is important; this is basically the token that we give to somebody which is going to give them access to our service.

So now that we've set up all these things let's get to see them in action. So we start off with our private link service, and I've got a VM that's up and running. So I'm in that third subscription that we added, and I've got my virtual machine here in another resource group also called private link, and I've built myself a virtual network where my resources are set up, and you can see our address space here is 100.0.0.0. We've got our VM here with a .68 IP address, and if we look at the Private Link Center and we go under our pending connections we don't have anything; private endpoints, private link service, nothing in this environment is set up at present. I'm logged in here through Azure Bastion, and my VM that's hosting the web server is 12.0.0.68. When I open my web browser to that address you can see that here is my website, so I'm on 12.0.0.68. So let me see if I can reach that from my other VM's environment. I'll open my web browser and go to 12.0.0.68, and you can see this does not work. Now I know you might be thinking, well, it's because the VNets aren't peered together so you can't get there. Well, this is exactly the point, because this particular VM where I'm hosting the web server does not have a public internet endpoint at all, so it's a private service not hosted off the public internet, hosted behind Private Link in Azure. So I can't get there, but if I use the private link service I can.

Back in the Private Link Center where I have my private service set up, I'll copy my alias and I'll give it to my customer who I want to have access to my services. And I'll go to create a new private endpoint, and I'll put that in my private link resource group and give it a name, and I'll call it "service I want to use", and hit Next for the resource, and here is where I select a resource ID or alias, and I can paste in the alias that I got from my vendor, and then I can write a message here, and then we can hit Next. And then we have to give this a place on our network, and we'll do that in our DMZ, and then we'll hit Next and add the appropriate tags, and to keep it simple we'll just add a cost center tag, and hit Next, and then we'll hit Create.

Back in our customer's Private Link Center we go under private endpoints, and here is our target endpoint, and if we click on that this is an actual private endpoint in our subscription that is currently awaiting approval. So let's go back to our Private Link Center in our primary subscription and approve it, and if we go under our pending connections here it is, and it is awaiting approval. So if we click on this we can hit Approve here, which will then allow the service to have access, and now that that's been approved it disappears here from our pending connections, but we can find it under the private link service, and there is our private link endpoint connection, and we see here that our status is currently approved; this service is ready to use. If we do want to get rid of this we can click on the checkbox here and hit Reject or Remove, depending on what state we want that in. And let's look at the customer experience, and on the customer side we see that our state is now approved as well. So now in order to connect to this we have to discover what our IP address is for our private link, and that shows here as 100.0.0.4. So we're logged on to our Windows VM again, and this is the VM in our consumer environment, and you can see that from our IP address here of 100.0.0.68, and the name of our VM is consumer VM 1, we want to connect now to our private link service. So we can't use this IP because that's inaccessible to us; we can use the IP of our private endpoint in our consumer environment, and that was 100.0.0.4. So let's change our IP here, and I'll make this full screen, and let's run that, and there we go: we are now looking at "private VM 1, Azure rocks". So that's the private link service.

But now let's take a look at the other two scenarios. So one of the services that we spun up earlier was our SQL server, and we want to take a look at what this guy is doing, and we'll go to our SQL database, and in the database we'll go to our connection strings. So we want to just do a test here, so we'll do it quickly over ODBC, and I've already downloaded the driver, and this is my ODBC connector on my local system, and I have already made an entry here, named it private SQL, and the description is private link, and we're going to connect to our Azure SQL database. And we click Next, and then I have to provide my credentials for SQL auth, and then we'll click Next, and so I'll check the box here to find the default database, and when we do we get a "connection failed" error because we can't communicate with this. Now I do know the name of the database from online so I'll just put that in here anyway, so we'll hit Next; we can leave strong encryption enabled and just hit Finish and then test our data source, and our connection fails again. So we cannot connect to our Azure SQL from here, but from our bastion host through our private link we'll run the same ODBC connection from here, going to the same server, and I'll put in the creds and we'll hit Next, and there is our database that I've already put in. If I hit the drop-down arrow here it doesn't complain; we can see the master and the primary database, and so I'll finish and test my data source, and the test is completed successfully, so we can get to it over our private link.

So in our Private Link Center we had an Azure storage account that was set up. I'll open that and I'll go to the file share, and I've got a private share here where I've got a couple of files, and we'll go to click the connect string. I'll copy this data and open it up in PowerShell. So here's my Windows File Explorer on my local computer, and I do not have a mapped network drive set up; we're going to map this to the Z drive here, so if I try to go to the Z drive it says that it's not a valid name, and then I can run these commands and it still does not work. But I can go back to my bastion host, and again just to show you that we do not have a mapped drive on this machine, I'll check it again through here, and note that the drive does not exist, but I can run this command and now the drive is mapped and I can get to my files.

I hope that you've enjoyed looking at this video on Azure Private Link: how we could make our Azure services seem like private endpoints within our environment to make them more secure, and we can also provide those services to our customers and other consumers as a way to increase your network security and also be able to leverage those PaaS services. So if you thought that this video was good please do click on the thumbs up and click on the Subscribe button while you're down there, and join us here at the Azure Academy community. And that does a few things: it basically lets the YouTube algorithm know that you're interested in our content, that you like it and it should be shared with others; it also helps us out and it lets us know that you appreciate what it is we're doing here as we just try to help you all learn more about Azure. And if you have some comments about this video or a suggestion for a new topic, please give me some comments down below on that, and this video was requested by several members in our community, so thanks very much for your feedback, and please let us know what else you'd like us to create for you and we'll be happy to do that. Thanks very much for joining us and we'll see you in the next video. Happy learning!
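The provider side of the third scenario, creating the private link service behind the Standard Load Balancer with subscription-restricted visibility and then working the pending-connection approval loop, as an added Az PowerShell example (not the video's own commands); the resource group, load balancer, VNet and subnet names are assumptions, and the subscription IDs are placeholders.

```powershell
# Added example (not from the video): "expose your own service" as Az PowerShell.
# Resource group, load balancer, VNet and subnet names are lab assumptions.
$rg   = 'private-link'
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'hub-vnet'
$dmz  = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'DMZ'
$lb   = Get-AzLoadBalancer -ResourceGroupName $rg -Name 'web-standard-lb'  # Standard SKU required

# The NAT IP for the service is allocated in the DMZ; dynamic allocation, as chosen
# for the website in the video (add -PrivateIpAddress for a static one).
$natIp = New-AzPrivateLinkServiceIpConfig -Name 'nat-ip-01' -Subnet $dmz -Primary

# Visibility: only the listed subscriptions may create an endpoint for this service,
# and only the hosting subscription is auto-approved; the other two wait for us.
$hostSub      = '00000000-0000-0000-0000-000000000001'                     # placeholder
$consumerSubs = @('00000000-0000-0000-0000-000000000002',
                  '00000000-0000-0000-0000-000000000003')                  # placeholders
$pls = New-AzPrivateLinkService -ResourceGroupName $rg -Name 'web-pls' -Location 'eastus' `
         -LoadBalancerFrontendIpConfiguration $lb.FrontendIpConfigurations[0] `
         -IpConfiguration $natIp `
         -Visibility (@($hostSub) + $consumerSubs) -AutoApproval @($hostSub)

# The alias is the token handed to consumers; it exposes no IP and no resource ID.
"Alias to share with consumers: $($pls.Alias)"

# Approval loop: list what is pending and who asked before approving anything.
$pending = Get-AzPrivateEndpointConnection -ResourceGroupName $rg -ServiceName $pls.Name |
           Where-Object { $_.PrivateLinkServiceConnectionState.Status -eq 'Pending' }
foreach ($c in $pending) {
    # The requester's endpoint resource ID (subscription, resource group) and their
    # request message are what you check against the expected consumer.
    "$($c.Name): $($c.PrivateEndpoint.Id) -> '$($c.PrivateLinkServiceConnectionState.Description)'"
}

# Approve a reviewed request explicitly; Deny-AzPrivateEndpointConnection rejects it instead.
if ($pending) {
    Approve-AzPrivateEndpointConnection -ResourceId $pending[0].Id -Description 'Approved by IT'
}
```

Once approved, the consumer's endpoint receives its own private IP in their VNet (100.0.0.4 in the video), so the web server is reached without either VNet peering or a public endpoint.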
