Azure Private Link provides private access to services hosted on Azure. Traffic between your virtual network and those services travels over the Microsoft backbone network, which eliminates exposure to the public Internet. Narayan is here to show us how to connect and deliver services privately on Azure, today on Azure Friday.

You can put your VMs in your own private network. Sure. And then you can just keep them completely private, not exposed to the public Internet at all, no public IPs, and you can extend that with ExpressRoute, so from on-premises you can get to those VMs privately using those private IP addresses. Exactly. But if you had to talk to an Azure PaaS service like a storage account, SQL DB, Cosmos DB, which everyone uses, exactly, those are also services they would have to open up to the public IP address, because those services are shared services in Azure and they are available over a shared public IP address. So this Private Link is now allowing me to extend the security and the privacy to all services in Azure, including App Service and Functions and Logic Apps, storage accounts, not just VMs. Yeah, that is the goal; that is where we're going to go. For now, we have it enabled for three of the data services, which is the storage account, SQL DB and Cosmos DB. However, like you just said, we are going to be extending this ability to all services as well. So you could just use private connectivity to either talk to the VMs in your network or these PaaS service accounts that you have in your VNet. But today we're focusing on data, which is really going to be a good stepping stone for people who are trying to migrate from their on-prem data centers into Azure, because moving the data, which is sometimes the scary part, we can now do securely and privately and still access that from on-prem. That's correct. That's awesome.
So show me how that architecture looks. So, yeah, alright, cool. So let's take a look over here. Right, so on the right side I'm just showing a bunch of PaaS services that customers typically use, right? I'll get to the marketplace in a minute, but let's look at the storage and SQL data services, right? Right now, sure, those are in your subscription. You go to Azure, you create one of them in your subscription. On the left-hand side, now, customers do create a virtual network. They deploy the VMs, VM scale sets and all that kind of stuff. They have an ExpressRoute gateway and they connect that to the on-premises, right? And that part is working, like we said: from on-prem they come in and access the VMs privately. Now look at that new element called private endpoint in there. That private endpoint is now a mapping to one of the accounts on the right side. So I could pick up a storage account that I had in my subscription, right, and I create a new private endpoint and map that account into my VNet. So pretty much you're bringing their storage into your virtual network. Awesome. And then we take care of automatic DNS registration. So when you look up that storage account now from your VNet, you will get the private IP address back. So now all the VMs in your virtual network can just connect as usual, like before, no changes to the client application. They look up the storage account as they used to do, but now they get back a private IP address, so through that private endpoint they access the storage. Now on the left-hand side, on-premises too, because on-premises, when they look up the storage account, they can create a DNS entry to point to the private IP, then use their private connection, secure private connection, through ER, come to your VNet and then go to storage services. Awesome.

Yeah, this has been exciting, 'cause like I said, we've had it for VMs for a while. Yes, well, there are so many other amazing services in Azure, right? And when you are trying to modernize your application, you're actually trying to reduce your dependency on VMs and start using the PaaS services, so having the ability to now keep that private as well, this is going to open up so many opportunities for our customers who are hesitating. Another element of this that's exciting here is that the firewalls that customers typically have in their on-premises network are going to get much cleaner, because before this, what they had to do was punch these holes in their firewall to allow access to Azure public IPs. Only then would they be able to, from their corporate network, get into Azure, like a storage or a SQL, so they had to open up these firewall rules, and they're always asking us, tell us all the IP address blocks so we can open them, and then we were like, we can't give you just one or two, so here's a big block of everything that's Azure public IP, so they opened it up. Now they don't have to do that; their firewalls don't have to open up any public IP, because they're going to get access to these services privately. Yeah, the IT pros are going to be happy now, 'cause they hate when we have to do stuff like that. So this is all fantastic. That is right.
Cool, another element which I want to highlight, which is kind of unique, and unique with the Azure offering, is inbuilt data exfiltration protection. So what that is: you may have many storage accounts in your subscription, right, and some of them could be corporate accounts, some of them could be a personal one that an employee created, so from the VNet you don't want access to all of the accounts. You want to restrict what this network, the corporate network, can access. OK. So when we do the private endpoint mapping, I'm only mapping a particular account into the private IP address, so I can't use this private IP to go to my personal account. I see, I see, very good. So use cases: let's say there's an employee who will turn rogue. It doesn't happen, but let's say it happens, and then he can't exfiltrate the data, right, to his or her personal account. Got it, because the VNet is going to say only allow access via this private endpoint, and the private endpoint is only mapped to the specific accounts that have been mapped. Perfect. So we're talking about leaking data, exactly, disgruntled employees trying to scrape data before they leave, exactly. Perfect. So this also secures the network. Sure, this is something that customers have been asking for, and for storage we have done that through something called service endpoint policies, which is in preview right now, but this private endpoint feature right now, which is going to work for all PaaS services, kind of provides the inbuilt data exfiltration protection. Awesome.

And the last thing you were going to show me was, I think, some of the other PaaS services that are planned for the future. Yes, so we have other PaaS services for the future, and I wanted to kind of also clarify another element over here with respect to what we have and what private endpoint actually gives them. So like we discussed, we call this private PaaS, sure, because all PaaS services are going to be coming under this kind of an architecture. And so on the left-hand side I'm showing service endpoints, because our customers, viewers, are very familiar with this concept, sure, which is already in GA. And so people may think, what's the difference between service endpoint and now we have Private Link and private endpoint? How do I tell the difference? Very simply, service endpoint is network security for storage; however, the endpoint was still a public IP address. We didn't make that private. I see. Which meant that it was more like an ACL mechanism, so from the VNet I can talk to storage still over public, so from on-prem I had to still use the Internet to come to storage, but once you landed on storage, storage can then say I'm going to allow you based on which network you're coming from. That was service endpoints. I see. But here the endpoint is private, so you don't have to go through the Internet from on-premises to get to storage. You're going to take the private path. That's the big difference, so this is why this is more secure, sure, more private, and that's why we are rolling this out. Although, I still keep hearing you talk about being able to clean up your firewall, and that's just going to be a really great thing for both on-premises as well as Azure. But even in Azure, your VMs now can be completely back-end VMs; they don't have to open up to any public IP on the outbound side. They can only open up to the VNet, I'm going to show that, perfect, and can still access the PaaS service. Awesome, love to see it.
Yeah, so let's dive in over here. So I have, in my subscription, I've created this group and I've created a virtual network, and what I'm going to show right now is the creation of a storage account and how, just at the creation time itself, you can make the account secure, as kind of new. So let's go to storage and I'll create a new storage account. Will it be in that? So the resource group, the usuals, I'm just going to use this one that I already have, OK. Call it secure storage account two, OK, let's do it in East US, OK. And OK, understand, there's now here a networking tab, and look at that, it asks you for connectivity method. You can either choose public, which is what we've been doing for storage for years now, it's the default, right, or you can make it specific to only some networks, right, which is more of the network isolation, which is service endpoints, or you can make it a private endpoint. I guess, you know what, let's just make the storage account private. Once you select that, it is asking you: OK, create a private endpoint. Then, right, then I create a private endpoint, then I can select the VNet, now, on which VNet the storage account is actually going to show up. Got it, right. So let me say this is private endpoint two and point to the blob, right, so I'm mapping each account. There are resources under storage: blob, tables, yeah, so I pick up the blob resource and then I say OK, let me just make it go into this VNet, OK, and then it's asking me a subnet, so let's say I put it in the endpoint subnet. And then here is a key: now we're doing integration with the private DNS zone. I'm saying, create the storage account, also create a private IP address mapping DNS site, so, and then it's going to do that, and then I say OK. The storage is going to get created. Now, next to the Advanced tab, the other elements of storage: Review and create, and do a create, right, 'cause the only part that was specific for the private network was that option we just went through. Exactly, everything else is the same. Got it. But now this storage account will come up, and by default it's secure, right, there's no way to access it from the Internet, exactly, only the people that are on the subnet, on the network that I actually said, they are going to even be able to see this, exactly, or access this.

And to show that, I've already created another storage account ahead of time, just to show you. So that's called this Ignite storage account one, and now in this storage account, if you see, there is a tab called private endpoint connections, and firewalls and VNets. So these two are the security controls for the storage account from a network standpoint. If you look at firewalls and VNets, it will automatically come and say not all networks, only some specific networks, but I didn't give any network either, so which means this is inaccessible at this point in time except for the private endpoints. I do have one private endpoint, OK, that's this one which I created from my VNet, so that's the only private endpoint I can access the storage account from. OK. Yeah, and just look through the blob further. I have a blob over here, so we go into the blob. If I try to access the blob, I can't access it. The reason is, this is just from a laptop right now, so this is the public Internet. So I'm trying to go to the blob from the Internet and it says no, you can't access this blob; it can only be accessed from a VM in the virtual network. Gotcha. So let's see how that's going to work.

So when you go back to this VM, this is a VM I have in my VNet, so I'll show you the properties. So this VM is actually in the same VNet, the Ignite 2019 VNet, in a compute subnet, so we had the private endpoint in the endpoint subnet, and this is in the compute subnet, OK. And then now here is this VM. I also want to show you that this VM is a back-end VM, a secure VM, so if we look at the outbound rules over here, it says deny Internet, so this VM can't talk to the Internet at all, period, right? But I'm going to show you that it can talk to the storage account. So if you go inside here, the VM, so this VM here that we're in doesn't have access to the Internet, which proves that the only way that I'm going to get access to that particular share is from, exactly, the private IP. So let's say I do a ping on bing.com, right, and it can't even reach bing.com, right. However, if I do an nslookup on the storage account that I created, that's the Ignite storage one blob, it's going to hit that. What do I get back? A private IP address. Correct, and that's the reason why this VM is going to be able to talk to the storage account. Gotcha, right. If I look that up, if you look up that blob account from, let's say, my laptop, which is connected to the public Internet, I get back 52.239.x. So it's the same DNS name, right, but look it up from the public Internet, you get back a public IP, but you look it up from a VM in the VNet, you get back a private IP, right. If I were to try to access using that public IP, I'm going to get the same error message. Exactly, exactly. From the portal, if you try to go through the public IP, access denied. However, the same Storage Explorer from here, if I already got this storage account mapped over here and if you go to the blob, I can see the blob. It's the blob, absolutely, the contents of the blob. So this works here just because it's private, and no one else can access the account; only that VNet can access that account via the private IP address. Awesome.

And like I said, this is really exciting, to be able to help a lot of our customers who've been hesitating because they want the power and flexibility of PaaS, but they needed it to be private, because these are back-office systems that they are creating; these are things that they don't want to expose to the Internet, and they don't want to continue to host them on-prem or on a line of VMs, right? So when we're talking of areas like this, this is going to be awesome, because this is a service that a lot of our customers were asking for. All of the customers that we've been working with, all they say is, we love your PaaS services, right, we just can't open up public Internet access to get to them from on-prem. Can we just make your PaaS services available to us privately? Perfect, and this is exactly, that's the answer: Private Link is the answer to that. Perfect. So we're learning all about Azure Private Link here on Azure Friday.