Azure Private Endpoints (Private Link) with services like App Services, SQL, and Storage Accounts

Captions
Hello, world, and welcome to this edition of Tech on Fire with Blaze. I'm Blake Stewart, architect at Wintellect, and today we're going to be looking at Azure Private Endpoints, sometimes called Private Link, for connecting to Azure resources over a secure connection that is completely private on Microsoft Azure.

Hi guys, today we'll be talking about private endpoints on Microsoft Azure. Now, private endpoints on Microsoft Azure are a fairly new development on the Azure platform, within the last year or year and a half or so, and this is a really cool technology that allows us to use traditionally platform-as-a-service resources as part of private VNets. What this allows us to do is have a better security platform on Azure without having to use the public internet to access many of the traditional platform-as-a-service resources on Azure. So what this basically does is take a resource, say a SQL database on Azure SQL, and it allows us to expose that Azure SQL database as a private IP address that is addressed as part of a CIDR block within the context of our Azure VNet. Then resources can connect to that private IP address to access that SQL database: a VM on that VNet can connect to that SQL database by way of that private address rather than having to go to the public endpoint that has traditionally been a part of that SQL database, which is how it was accessed in the past. It also means that we can access that same SQL database over a VPN. So if I expose a VPN by way of something like an Azure virtual network gateway, and then I go from my local machine over that VPN into the VNet, then I can take that private IP address and plug it into a client that is on my local machine on my local network (it could be my home office or my corporate LAN), and I can then connect to that Azure SQL database over the VPN through a private VNet without ever having to leave the confines of a secured network that I have 100% control over and that is completely encrypted end to end. So this has huge security implications for many of the traditional platform-as-a-service resources on Azure.

So for the demos today, what I'm going to be doing is setting this up for several of the popular platform-as-a-service offerings on Azure. I'm going to be looking at storage accounts, App Services, and SQL databases. We're going to be setting up a couple of private endpoints for these, and then we're going to take those and connect to them over a VPN that I have already configured on Azure, and then we're going to use the tooling on my local box here to connect to those resources, and then we're going to be able to manipulate the resources in a private manner without having to use the public internet to do that.

OK, I'm here in the Azure portal, and I've already connected to this virtual network gateway that I've created here. I've configured the connections, and I should have the connections show up here already, point-to-site configurations, and there is the current allocated IP address that I have for my particular connection here. This is a point-to-site, so this is like a road warrior VPN here, and I've connected to this. This isn't using the site-to-site VPN; I'm just using a point-to-site to connect to this because this is a single box that's connecting up to my Azure environment. So I've got my VPN set up and everything is good there.

So now I need to go about creating the private endpoints for my given resources here. I have a SQL server, I have an App Service, and then I have a couple of storage accounts here; I'm using this private storage account here. So let's first look at the storage account right here. To set up a storage account, or any resource really, what I need to do is come down here and find the private endpoints. That is going to be somewhere in this blade here on the left; now, it might be under a Networking tab, it might be somewhere else, you just kind of have to dig around for it, but in any case this one is going to show up right here under private endpoint connections. So if I wanted to create a private endpoint connection, I find this resource, whatever I am looking for here, and I add a private endpoint here. What this is going to do is actually create a resource that is a new resource, and I'm going to put it into the same resource group that I have already created, and I make sure it's in the same region as well; I'm using West US right here. I'm going to call it "blaze storage endpoint" or something like that; this is called "ep" for short, "blaze storage ep". The resources that I need to choose for this: it's going to force me to choose a resource type, and I'm going to be using storage accounts for this particular resource. You kind of go through this, and you can sometimes filter it like this, and there it is right there, storage accounts, and choose from my directory, and then you go to the resource right here and you find the particular storage account you want to use. This is the one I want to expose, and then I'm going to use blob storage. Now, for a blob storage account I would have to say "blob" here; if I was doing table storage or queues or files, I would have to choose that subtype as well, but in this case I'm using blob storage and this is going to create a private endpoint for blob storage. So you would have to create a private endpoint for file storage if you're going to use that, and so on. Configuration here is basically going to ask me what my virtual private network is going to be. I'm going to use this same one, and I have a couple of subnets here: I've got a gateway subnet, I've got this endpoint subnet, and this is the one I want to put it on. Then notice what it's doing down here is setting up a private DNS zone. The reason why you need a private DNS zone is so that resources on your Azure VNet can find this resource by a host name. If I was going to be doing this on my virtual private network, that is my VPN that's local, in order to access this resource from a VPN, I could either do it by the IP address, but I would need to also configure some kind of DNS solution that would take the host names that are typically going to be associated with something like a storage account, that are going to be resolved against the public internet, and insert those into my DNS solution on premise. That could be a DNS server; that could also be a hosts file if you're doing it in dev. I'm going to use my hosts file today to do this, but if you had a DNS server you could definitely do that. It also provides another one called privatelink.blob.core.windows.net, and this privatelink right here is the host name that is for the private link that we're going to be setting up here, or the private endpoint. It's traditionally been called private link or private endpoint, and those are sometimes used interchangeably. So I'm going to set this up, and then I'm going to review and create, and go ahead and create this private endpoint for my storage account. Then we'll go and do the same thing for our SQL database and our App Service.

Back here inside of my resource group, I now want to set it up for my SQL server that I have here. Now, you do this at the SQL server level; you don't do it at the database level. So that's my other endpoint, just deployed successfully. Let's go here into my SQL server. Now, this is where I configure the virtual server for my SQL server resources that I'm putting into this, so you would have a database that's associated with a virtual or logical server that you want to manage all those databases with, and this is where I'm going to be setting up my private endpoint. So I'm coming over here under Security, and that's where this one is located, and I'm going to again create a private endpoint, just like we saw a minute ago, and we call it "blaze sql ep", and I'm going to put it in the same region as my resource that I just have there, West US, and I'm going to click Next: Resources. I need to go find the resource type; I can type in "sql" right here, and I need to find the SQL server, that one right there, and the resource is that one, and the subtype of course is going to be SQL server. The VNet I'm going to put this on: I'm going to put it on my same VNet, my endpoints subnet there that I have already created, that's a subnet on my virtual private network here. Let's go ahead and create a private link for this one as well, so notice I have privatelink.database.windows.net. Let's go ahead; I don't need tags, and let's create this one for SQL server. So again, very simple to do, looks a lot like the one that we just saw.

But let's go ahead and wire up one for our App Service as well, and this one is a brand new one that just GA'd recently, so it is a pretty cool feature; it's one that people have been asking for for a long time. So I'm here inside of my resource group again, and I want to go into my App Service that I'm going to be configuring for this. Now, the way to configure this one is to go down to Networking and click on this blade. Now, there's a lot of other options in here for configuring VNet integration and hybrid connectivity and these kinds of things with an App Service, and these were some more traditional approaches for doing VNet integration with App Services. The difficulty a lot of these had, though, was connecting these to a virtual network that could be accessible over a VPN, and this wasn't possible until they added this private endpoint connection right here. So if you're really wanting to create an App Service that is accessible over a VPN, the private endpoint is the way to do that. These other ones will allow you to create a private endpoint that is accessible from other resources that are on Azure, but accessing it as a private endpoint that is like a private IP address that can be treated like a normal resource on a VNet wasn't possible until they added this guy right here. So let's go ahead and add in the private connection for this one, and it's going to look a lot like the other configurations that we've done already. I'm going to call this "app service ep", and this one is going to use the same subscription, same virtual network, in this case right this one right here, Blaze virtual private network. I'm going to put it on my endpoints subnet, and then I'm going to create a private DNS zone for this that I want to create for this, and then I'm going to click OK, and this is going to create the private endpoint for this particular App Service. Now, in the creation of the other endpoints you saw I had to actually choose the type of resource I was connecting to this one, and that was the case for those resources. So the private endpoint connection configuration is going to look a little different for each resource, but in the end they end up being the same thing, and it's just an IP address on your VNet. So let's wait for this one to create, and then we'll go look at the actual subnet that contains these, and we should be able to see the private addresses for all of our resources that we've created endpoints for.

So I'm here inside of the virtual network that I have created for this particular demo, and you can see here I have connected devices. Of course I have my virtual network gateway for my VPN connection, but I also have here these NICs that are for the private endpoints that I now have as a part of my network as well. Notice what I have here: I have my storage NIC, I have my SQL NIC, and I have my App Service NIC, and they're all in this address space, 10.2 16, and these are on that subnet that I created for my endpoints. So if I come over here to my subnets, this is the actual subnet that is for the endpoints that I wanted to create, this is for my VPN, and this is my gateway subnet up here, and so that is the configuration of this particular network. But in any case, I don't have any NSGs that are filtering traffic for this, so I don't have anything that's really going to filter out any of the IP packets or anything like that that's going to be reaching this, so this is basically just going to allow me to reach this by way of my VPN. So let's go ahead and configure what I need to make that happen, which is the DNS for each of these on my local environment here, which I'm going to be using a hosts file for. If I was doing this in a dev environment that'd be fine, but if I needed to do this for a more production-oriented environment, such as a network that I wanted to create a site-to-site VPN for or an ExpressRoute, I'd probably want to put these into a DNS server, or do some kind of configuration where I have a server that is on Azure that is going to be a DNS server there that does some kind of forwarding to the Azure DNS resolution, so that it could use those private endpoint names that I have configured in those private zones. Or I could just manually enter them into my DNS solution on premise, which is what I'm going to do today. So let's go and look at how I'm going to do this with a hosts file, and then we'll get some client software up to connect to all of these various resources right here.

As I mentioned, configuring the DNS is an important part of doing this particular configuration, because DNS for endpoints is going to be needed for anything on premise accessing this over a VPN. You'll have to figure out the DNS solution that's going to work best for your environment, but because this is a demo environment or dev environment, I can use the hosts file on my local box here for my name resolution. So on Windows it's Windows\System32\drivers\etc, and then you have your hosts file here. I'm going to pop this up in Notepad++, and I have a bone-stock hosts configuration file here, a hosts file, and this is the default one because this is a fairly new install; I don't have anything in this file. So let's go ahead and configure this and see what this might look like for my particular endpoints. So if I come into my endpoints, the first one I'm going to configure is the one for my App Service that I have here. Now, this is just going to give me the FQDN, the fully qualified domain name, for the App Service, and I can paste that in right there, and then I'm going to grab the IP address. Just a caveat for this one, though, for an App Service: because App Services are HTTP based, one of the best practices for this would not be to do like I'm doing here, and that is taking this record right here, blaze.web.azurewebsites.net, and pointing it to the private IP address. Rather you would want to (and the same goes true for this particular item right here) use a DNS record as a CNAME from this, and the CNAME would be... Notice this is an administrator-mode sidebar here: you need to be in administrator mode to save a hosts file on Windows, or have the appropriate permissions on a Mac or Linux box, but in any case the format for these hosts files is identical regardless of the platform. So back to our regularly scheduled programming, where I was talking about CNAME records. Because this is a hosts file I can't have CNAMEs in the hosts file, but if I was going to do this in a production environment, I would need to create a CNAME record that corresponds to the DNS zone right here. So if I open this up, notice I'm going to get something that looks like this: privatelink.azurewebsites.net. I would create a privatelink as the link right there, I would have my host that looked like this, and then of course the "blaze web" app, as I prepended right here; this would have an A record associated in my DNS solution, and the A record would point to my IP address. Then I just create a CNAME record right here that points to this particular record as well, and that's generally considered a best practice for App Services that are using endpoints in this manner. You can code it right to the IP address, but the best practice is to use a CNAME that corresponds to an A record that has the IP address associated with the privatelink instance of your particular host name, that is going to correspond to the actual private DNS zone record that we already have in Azure. But in any case, this is aliased; this has got a CNAME record for this. If I was going to do a more production-oriented DNS entry, I'd create zones, and that would have CNAME records and so on, but because I'm using a hosts file I need to point these all to the private IP address. That's for App Services, but the ones for the SQL instance and the App Service instance are going to be pretty much the same as just doing a straight A record against the actual host name that is provided to me as part of my private link.

I'm not going to be looking at the private link here; I'm going to look at the private endpoint for my storage account. So here I have blazestorage.blob.core.windows.net, and this is going to be this IP address right here, and that's for the storage account. If I was doing this for something, you could do a host name that is using a CNAME record and a DNS server for this particular one against the private link for blob storage; however, using something like SMB or other protocols, you probably just want to use an A record, and you point the A record directly to the actual IP address that is provided as part of the private endpoint that we're looking at right there. Then the same thing for SQL, SQL especially, because SQL doesn't play nice with CNAMEs; it likes to use A records. So if I'm going to do SQL, I need to have an A record defined for my particular name in whatever DNS software I'm going to be using, our DNS solution, so that I can resolve this host name against the actual private IP address that I'm going to be using as part of my endpoint configuration for whatever environment I'm doing here.

In any case, I've got this configured now; I have my hosts all set up inside of my hosts file. Again, this is a dev environment, this is a demo environment; I wouldn't do this for production, but I would still do something similar to this for a production-oriented environment where I'm using an actual DNS server. So just to validate that I've got everything going well, I'm going to pull up a command prompt here, and I'm going to do flushdns, just so I can flush out those DNS records that might be cached. Now I'm going to do a resolution against this; let's just do ping, and that will tell me if I'm hitting that private endpoint. It's doing 10.2.1.6; it's not going to come back, because you can't ping an App Service, but the ability to actually hit that and know that I'm actually hitting the private endpoint is what I was after here. So with that, I should be able to pop up a browser right here and connect to this in a browser, because that's the client software for an App Service, right? So if I go https right here, I should just get a splash page right here. I need to go "https://" like that, and this is just giving me the default page for this particular App Service environment here. So I know that's hitting the actual private endpoint, because the name resolution came back to that private endpoint that we saw. So this is accessing that now over a VPN, so this is not traversing the public internet; this is in fact going over my private network that is on a VPN, going back into Azure over VPN, and then connecting back up to that actual App Service over the VPN. So let's connect up SQL Server Management Studio to my SQL database, and then we'll connect Azure Storage Explorer up to my storage account and make sure that's all working fine and good as well.

OK, now let's pull up my SQL server instance and let's get the credentials and stuff that I need for this. So here's my server name, and here is my server admin. So I'm going to launch SQL Server Management Studio; I'll launch this app, it'll take just a second to pull up because it's a fairly heavy application. Once this launches, let me pull it over here to the login screen. I've actually already configured this one, it looks like, so let's copy the server name right here, and just to show you that this isn't smoke and mirrors, let's come over here and do it: it won't ping, but it will show the IP address for this particular host name right here, as I got 10.1.10.2.1.5. So I know that is going to my VPN; it's going to connect to this SQL server database over the VPN. I'm going to plug that host name in right here, and the admin is blaze, and then I'm going to put in the password that I assigned when I created this database, and I'm going to connect to it. Now let me pull the actual database over here into view, so the instance of SQL Server Management Studio, and here I am now connected to my databases, and there's my private DB that is a part of my SQL server virtual server that I created with a private endpoint. Now I'm accessing this as just a standard Azure SQL database over my VPN, now using a private endpoint and a VPN. So again, very straightforward for SQL; it's not hard to do this one. The trickiest one in my opinion is the App Service one, because you have to figure out the CNAME records and the A records that you would want to use for that, but in this case this one is just, you know, straight host name to IP correlation, and once you have the private connection set up, you should be able to access this guy without any problems over a private network, assuming that you don't have any firewall issues and that kind of thing. So let's go over to Storage Explorer and see how a storage account works.

OK, for my storage account demo, I'm going to take a look at this one I created my endpoint for right here, and to do this I'm going to use a SAS URL, just so that I can show you that I am accessing this using a shared access signature. To do this, I'm just basically going to allow services, which is going to be blob storage; I'm going to say all the resource types, and all the permissions is fine for this particular demo; just say from yesterday, and let's just say two years from now for that particular expiry date; and then I can set some IP addresses to allow from, but I'm just going to leave that blank, and then I'm going to generate a URI here. Now, the reason I'm using a URI is because it's going to be using this host name, and I think I did this a minute ago, but just to make sure, I'm going to do ping again against that same host name, and it's coming back to 10.2.1.4, which I know is using a private host name then. So I'm going to copy this, and I'm going to launch Storage Explorer. Now, Storage Explorer is a utility for browsing storage accounts on Microsoft Azure, so the Storage Explorer looks like this, and I already have all my storage accounts pulled up by my particular host name, my particular login, my Azure login. This one isn't going to be using that kind of connection; it's going to be using a shared access token URI right here, and I'm going to simply just use that particular option to connect to this, and then I just call it "private storage", and I'm going to plug in that particular URI right there, and then I'm going to click Next, and then I'm going to click Connect. This is going to pull up my storage account right here, and my local storage account right here is going to be my private storage, and it's going to be for blob storage. There's no particular containers right here, but if I create a blob container here, I should be able to go "my new blob", or I could give it "blob cont" or something like that, and I can upload and download files into this blob storage account if I wanted to. If I wanted to pick a picture or something like that, I could find something on my particular storage account right here and then upload something into it; let's just put this picture up there, and that will create a new file on my blob storage account. But this is actually doing this completely over my VPN now, and this is accessing storage accounts by using that VPN, so that I'm not actually accessing this over a public endpoint.

So you can see here I've done three different demos using private endpoints, using a VPN to access these particular endpoints, using three different kinds of software: we used a browser to connect to App Services, we used SSMS to connect to my SQL server database, and then I'm using Storage Explorer to connect to my storage account. So, very common resources using Azure, and we're accessing them now over a VPN using a private endpoint, so everything is encrypted end to end rather than going over the public internet. So really cool stuff here that we can use private endpoints for, for utilizing resources in a very secure manner on Azure.

If you like this content, please consider visiting us online at www, and there you can find out about services that Wintellect offers, including training and consulting services. Also, please consider subscribing to this channel by clicking on the Subscribe button and clicking the bell icon to get notifications when new content becomes available, and also comment down below. You can also follow me on Twitter at the one mule, and also follow Wintellect on Twitter at WintellectNOW or at Wintellect; we are constantly posting things about Azure-related technologies and things related to software development. You can also reach us by email at consulting@wintellect.com. Until next time, thank you.
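The name-resolution checks the video does by hand (hosts-file entries, the privatelink zone names, ping showing a 10.2.1.x address), collected into an added Python audit script; this is example code, not the video's or Wintellect's, and the host names, addresses and the 10.2.1.0/24 endpoint subnet are constructed to mirror the demo.

```python
"""Audit private-endpoint name resolution for an on-premises client.

Added example (not from the video). Each Azure host name a client will use
must resolve to an address inside the endpoint subnet; a missing or stale
hosts-file/DNS entry silently sends traffic to the public endpoint instead.
"""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Public suffix -> privatelink zone, as the portal showed for each demo resource.
PRIVATELINK_ZONES = {
    "blob.core.windows.net": "privatelink.blob.core.windows.net",
    "database.windows.net": "privatelink.database.windows.net",
    "azurewebsites.net": "privatelink.azurewebsites.net",
}


def parse_hosts(text: str) -> Dict[str, str]:
    """Parse hosts-file text (same format on Windows, macOS, Linux) into {name: ip}."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping[name.lower()] = ip
    return mapping


def privatelink_fqdn(public_fqdn: str) -> str:
    """blazestorage.blob.core.windows.net -> blazestorage.privatelink.blob.core.windows.net"""
    host, suffix = public_fqdn.lower().split(".", 1)
    zone = PRIVATELINK_ZONES.get(suffix)
    if zone is None:
        raise ValueError(f"no privatelink zone known for suffix {suffix!r}")
    return f"{host}.{zone}"


def production_records(public_fqdn: str, private_ip: str) -> List[Tuple[str, str, str]]:
    """CNAME -> A chain the video recommends for a real DNS server (App Service case)."""
    pl = privatelink_fqdn(public_fqdn)
    return [(public_fqdn.lower(), "CNAME", pl), (pl, "A", private_ip)]


def classify(fqdn: str, resolve: Callable[[str], Optional[str]],
             endpoint_subnet: str) -> Tuple[str, Optional[str]]:
    """'private' = inside the endpoint subnet; 'public' = routable address, so the
    request would bypass the private endpoint; 'other-private'; or 'unresolved'."""
    ip = resolve(fqdn.lower())
    if ip is None:
        return "unresolved", None
    addr = ipaddress.ip_address(ip)
    if addr in ipaddress.ip_network(endpoint_subnet):
        return "private", ip
    if addr.is_private:
        return "other-private", ip
    return "public", ip


def audit(hosts_text: str, fqdns: List[str],
          endpoint_subnet: str) -> Dict[str, Tuple[str, Optional[str]]]:
    """Classify every name using only the hosts file as the resolver."""
    hosts = parse_hosts(hosts_text)
    return {f: classify(f, hosts.get, endpoint_subnet) for f in fqdns}


# Constructed sample hosts file mirroring the demo (names and IPs are made up).
SAMPLE_HOSTS = """
# demo entries (constructed)
10.2.1.6   blaze-web.azurewebsites.net
10.2.1.5   blaze-sql.database.windows.net
10.2.1.4   blazestorage.blob.core.windows.net
"""
DEMO_NAMES = [
    "blaze-web.azurewebsites.net",
    "blaze-sql.database.windows.net",
    "blazestorage.blob.core.windows.net",
    "blazefiles.file.core.windows.net",  # no entry: would fall back to public DNS
]

if __name__ == "__main__":
    for name, (verdict, ip) in audit(SAMPLE_HOSTS, DEMO_NAMES, "10.2.1.0/24").items():
        print(f"{verdict:14} {ip or '-':12} {name}")
    for rec in production_records("blaze-web.azurewebsites.net", "10.2.1.6"):
        print("  ".join(rec))
```

To run the same audit against the resolver a client actually uses, pass a function that calls `socket.gethostbyname` (catching errors to return `None`) in place of `hosts.get`.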
Info
Channel: WintellectNOW
Views: 7,284
Id: 8Zof54j8qWk
Length: 26min 0sec (1560 seconds)
Published: Fri Oct 16 2020