Microsoft Azure Private Link Deep Dive

Captions
Hey everyone, in this video I want to dive into Private Link: understanding what Private Link is, why I might use it, what private endpoints are, what this Private Link service is, and how they relate to each other. As always, if this is useful please like, subscribe, comment and share, and hit that bell icon to get notified of new content.

I want to focus on why we would use private endpoints, and firstly let's think about what we might want to be talking to. So if I think about Azure, I might want to be talking to some kind of PaaS service. Now by this I might mean something like a particular storage account; it could be SQL, Postgres. There's a huge number of services that actually support Private Link; I'm going to talk more about those. So it could be some Azure-provided service, or it might be, well, I have my own service. I have multiple instances of my resource that I've put behind a load balancer to make it highly available and scalable. This could be an internal, it could be an external, but I have some service behind a load balancer that I want to expose. And these are what we're going to focus on for exposing via Private Link, or particularly a private endpoint.

Let's start with the scenario of a PaaS service because it's the simpler one. Now if I think about a regular PaaS service, it's generally exposed via a public IP. So different instances will have different public IPs, but there is a public IP here. Now I can do things to lock that down; I'm going to talk about that. There is, for example, a firewall configuration on most of these services. So there is a firewall configuration fronting these which is really focused on the public-facing IP, that I could restrict to certain IP addresses and other things. One of the things I can actually do is, if I think about, well, maybe I have a virtual network. So I have this virtual network in Azure, so we kind of draw out this idea, and remember a subnet is broken down into multiple subnets. So if right now I just think about, I have three subnets, let's say subnet one, two and three, and one of the constructs I can use is something called a service endpoint. So what a service endpoint lets me do is I can say this particular subnet here I'm going to enable for service endpoint storage. I can tell it the types of service I want to enable. What that enables me to do is, on this firewall, now I can not only restrict it to certain public-facing IP addresses, I can now also say, hey, for that particular subnet I'm going to allow that traffic through. So this is a configuration at the PaaS side saying don't allow any traffic through unless it's coming from this subnet.

Now one of the challenges of this approach with the service endpoint: it's great for things that live in that subnet, but it doesn't apply to things that maybe are connected to it. It wouldn't work if I'm in other subnets; if I was connected through ExpressRoute private peering or a site-to-site VPN or a point-to-site, I wouldn't be able to use this. So it's only for things directly in there, and it's really about, hey, I'm restricting it via this firewall, but that public IP address still sits there. So maybe I'm not super keen on that. I want the idea that actually I want a true private address that represents a specific instance of a service, and that's exactly what private endpoints do.

So a private endpoint is going to create a read-only network interface in a subnet I pick. It will then get an IP address from that subnet that represents a particular instance of the service. So if I take the idea of storage, now storage actually has different types of service available to it. I can think storage has, for example, blob, it has files, it has Data Lake, it has queues, tables, but we're going to focus on those two. So what I can do with a private endpoint is I can actually say, okay, I'm going to create a private endpoint in subnet 3. So I create this private endpoint, I'll write in private endpoint 1; it would be a specific IP address, and that points to the blob service of this particular storage account. Now once I've done that, I could restrict that service to not allow any access to the public IP address. I can basically lock that down. I could go into the properties of the firewall and say only allow access from these selected networks and not put anything, and I'll show that in a second. So I can basically lock that down to just that.

Now I can create multiple private endpoints for the same service. If I had, for example, another virtual network, let's draw one over here, so that's another VNet, absolutely exactly the same way I could create a private endpoint over here and it can point to that same instance of the service. So I might have some service I want to use from some different virtual networks, so I can completely do that. I can have multiple private endpoints to the same instance of a service, so I might have multiple VNets that want to use it that aren't connected. This is not some special subnet; I'm not having to delegate it to private endpoint or Private Link service. This literally is just a network interface, because it's a read-only network interface that gets created in the subnet I specify and then it uses up an IP address. It can coexist with other workloads; I could have regular VMs in here or really anything else. So let's have a quick look at that. And just to kind of stress the point, I can have multiple PEs in the same subnet. For example, maybe I also want to use files, so I'd have a different PE; maybe there's a Postgres database, I would have a PE to that as well. So I can break up all of these different things.

So let's just dive into the very basics about that kind of private endpoint. So we jump over to the portal for a second. Now what I have done on this one is I've actually configured some private endpoints on one of my storage accounts. So if I jump over to looking at the storage accounts, we can see
I've got this one called private link demo, you can probably guess what I'm doing on this one, and from here we can go and look at the networking. Now I want to pay attention to a couple of different things. Firstly, just on the basic firewalls and virtual networks, I've selected this option of selected networks only, but I have not added anything. So this is an optional step you can do once you've started to add private endpoints, and what this will allow is only to connect via private endpoints; that public IP is now essentially shut off. So I've not added any networks or IP addresses to be able to go via that public IP. And then what you do is you add private endpoint connections. Now you notice I actually have three different private endpoints. Adding a private endpoint is very simple. You give it an instance name, so this is the name of the private endpoint. Now this private endpoint I'm going to want to create in the region of where the target virtual network is. It doesn't have to be in the same region of where the service is; I can cross regions, I'm going to talk more about that. But for the name I could just say private link 10, or I could think of something a bit better than that, but I would select a region of where the virtual network is. The private endpoint has to be in the same region as the VNet I'm going to create it in. Then you're going to actually select, well, what service do I want to create this private endpoint to. Because I triggered this from the storage account, it's already kind of filled in this particular storage account, and here I can say, well, which service do I want to expose. And then I'm going to tell it, well, which virtual network, and it's only going to show me virtual networks in the same region of where I create the private endpoint, in my case South Central. So then I could select a particular virtual network and then from there I could pick a subnet. I can also optionally integrate with private DNS. Now I'm not going to jump into that right now; we're going to cover that later on, but that would enable me to actually have the complete name resolution. And I would go ahead and complete this creation. So all of that would create a private endpoint; as we saw, I have three of them to various different networks.

So what does that actually look like on the network? So if I jump over and actually look at my basic virtual network that I created two of these in, so we jump over to our virtual networks, I'll look at my basic infrastructure VNet. If I scroll away down to the bottom, I created them in this infra subnet, and look what we see. I created two private endpoints, one for blob, one for files; we see two network interfaces, again that are read-only, and they're being used by the Private Link service. So these are private endpoints that are pointing to, in this case, a Private Link service that's being provided by the Azure PaaS. I don't see it, I don't have to worry about it, it's just done for me. That means this instance of the service is now represented by these IP addresses. So by talking to 10.0.1.13, I can actually go and talk to that service.

Now to prove this is actually working, let's go back to that storage account. Remember I locked down regular public access. If I now go to the blob service I can see there's a container; if I select it, it fails. It's failing because I'm not on a virtual network that has access to that private endpoint IP address, which means I have no access; I cannot get to it. If I switch over to a virtual machine, now this virtual machine right here is on a virtual network that has access to it. If I go and look at the storage account, and we'll see exactly the same ones again, I'll go and look at the containers again. This time I can. I'm the same account; it's just because now I'm accessing that particular instance of the storage account through a different network path. I'm not trying to talk to its public IP, which blocks everything; I'm now talking to it through that private endpoint IP, and that's the key point. And it is just an IP address, which gives me a lot of flexibility.

Now I mentioned it doesn't have to be in the same region, subscription, even Azure AD tenant. So when I'm creating these private endpoints, it can actually be a different subscription, region, even Azure AD tenant, and there's a whole authorization flow to be able to connect if I don't have the permissions on the service I'm actually trying to connect to. This gives me a lot of flexibility, that now I can go and use these private endpoints. Let's just stress the fact that this is for private endpoints; I really can go and create these anywhere I want to be able to use them. It gives me a lot of flexibility. If I think about using these, it's just an IP address, and that actually gives me a lot of flexibility. This PE is an IP address in a certain virtual network, but if, for example, I have maybe an on-premises location, if I'm on premises down here and I'm connecting to this virtual network, this could be ExpressRoute private peering or it could be a site-to-site VPN, could even be a point-to-site VPN. I'm connected to it, it doesn't matter, I will actually be able to talk to the private endpoints and get access
to the services. If I was another virtual network, say I'm over here and I'm peered, well, guess what, once again it's just an IP address. I'm just talking to an IP; I'd be able to use it and get to the service. So this is really powerful. Now my PaaS services I can leverage really through anything I want. This gives me very easy access to services over a private connection, as long as there's some path to the IP address.

When I think about the flexibility, I showed you creating a private endpoint from the service itself, but there's actually a Private Link Center. So if I just search for private link here, we have this Private Link Center. Here I have the private endpoints that are created; I can see any Private Link services I have, which we're going to come back to. But this is what would give me the ability to say, hey, I want to go and add a private endpoint. Now again I'm showing the portal, but I could absolutely do this through ARM templates and CLI, all those great things. I do exactly the same things. Again, this is how I could easily go and create private endpoints: make sure I've got a virtual network somewhere, we'll do South Central again. This is the target resource, so notice here the portal lets me browse, hey, to anything in my Azure AD directory. I could select different subscriptions, different resource types. Or if maybe it's not in my directory and I can't browse it, I can actually select resource ID or alias. Resource ID: obviously we have a resource ID for every single type of object in Azure, so as soon as I know that resource ID I could put it in here. Or there's something called an alias, which is really important for Private Link services, which we'll talk about when we deal with Private Link services, but I can leverage that as well. If I went back to my storage accounts, we can always see our resource ID. If I go and look, let's try endpoints, so there's my resource ID, it's that top one right here. So if I shared this with someone, they would be able to now use that, paste that in. If they had permissions on this object it would just go and create; if not, well, within that Private Link Center I'd see pending connections and I could go and approve it, and then it would complete and actually get created. So there's a whole different set of flows that I can leverage.

When I think about which types of resources support Private Link, it's huge now. Any service that maybe doesn't directly integrate with a virtual network, typically now there is the option to create a private endpoint for. So we have things like Azure Automation, Cosmos DB, container registries, you name it; most of these have private endpoints so I can go and get to that service. That's the point of this: a private endpoint is getting to the service. Most of them now have this option; this is really becoming the default.

Today, but this is changing, so I want to kind of stress this point: today private endpoints are not impacted by things like network security groups or user-defined routes. It is in preview right now, so right now on the subnet there is a setting, private endpoint network policies. If I enable it, then again in preview, NSGs and UDRs would impact the private endpoints. But GA functionality at this time is they would not take effect, but you can go and change that if you want to go inside of the preview, and that's going to change in time. So, great, they're just an IP address on my virtual network that represents a particular instance of a service, and if I had a second storage account it would be different private endpoints, or Postgres or SQL or anything else. But it allows me to turn off the public IP access; it's just through a private IP, and because it's an IP, any connected network can leverage it as well.

One of the big things that comes up is disaster recovery for these, because obviously they exist in a certain virtual network. What if there's a region failure? Now obviously if the service is in the same region as the private endpoint, the service is not going to be available either, but imagine it's something like a storage account that has GRS, so it's replicated to another region. Well, what I would do in that point is I would have a private endpoint to the storage account in another virtual network, and it's probably a different IP address. But what would actually happen is, if this storage account failed over to the paired region, the private endpoints will automatically update and go and now point to what is now the primary instance of the service. That's different than if I have things like read access. If I have read-access GRS, for example, on the storage, there's a different secondary private endpoint I can create to point to the replica, so that's a different option. But if I have a service that fails over to another region, the private endpoints, for example with storage GRS, would automatically go and re-point to the new primary of that storage account. If the service maybe is not in the same region, but now I'm thinking about if this fails, well, again I can have different private endpoints in different virtual networks, and then maybe from my on-premises, for example, well, I would just have a different ExpressRoute circuit that goes and connects to that virtual network. Now there might be some DNS switching you're going to do to make that work, but there are options for how I think about dealing with failures, whether it's the region the service is in that fails or maybe it's the region where I have a private endpoint that fails. But I can absolutely, as we talked about, have different private endpoints in different virtual networks across different regions to the same service, so there's a lot of balancing I can do with that.

Now I mentioned DNS, and DNS is super important to all of this actually working, because most of the time the services we connect to are over an encrypted connection. When I talk to storage, let's say over REST APIs, it's encrypted. There are certificates on this that are validated when I do that encrypted connection. If I try to just connect with an IP
address, the certificate won't match; the certificate is for the name of the service. If we go and look at the services for a second, let's look at my storage account again. Remember we had those endpoints, so if we go back again and look at all of the endpoints, we have this name. So right here, for example, for blob it is the name of the storage account, dot service, dot core.windows.net. So we look that up and that resolves to the service. Now by default that's going to resolve to that public name.

So if we take that as an example, so DNS is everything, so if I jump over and I think about that name again for a second. So if I think, okay, from a DNS perspective, that sapriv... I don't want to get the name wrong, let's say saprivlinkdemoscus, and then remember we had the service name, so we had the dot blob dot core dot windows, huge name; this is why we just use the short part. So this big name, now today that resolves to the IP address, that resolves to that public IP. So it's just pointing to that, because this is all in a public DNS zone that Microsoft hosts. When I turn on Private Link, something interesting happens. So when I activate Private Link, this, well, it becomes an alias record. This now becomes a CNAME that now points to exactly the same name, so the saprivlinkdemoscus dot privatelink dot blob dot core etc. etc. So I turn on a private endpoint for a service, it changes the DNS name that used to point to the public IP to now point to this privatelink child zone. Now what it does to make sure things still function is, in the public DNS zone, this record, well, it still points to the public IP, so I can still use the service publicly. But what I'm actually going to do is privately. So if I think about a private zone, I want a record that for this name doesn't result in a public IP; I want that name to resolve to the private IP. That's the key point that's going to make this work. So now if I have a network that has this private DNS zone resolution, when I go and look up saprivlinkdemoscus.blob.core.windows.net, it's going to resolve to an alias, and then I have a record for that alias that points to the private IP. So now the name still works, it's the full name, but it actually now resolves to that private endpoint IP address. So that DNS is everything.

So that makes sense: ordinarily the DNS record for a service just points to the public IP. I want it to point to the private IP, so now we're going to have a privatelink variant that that public one will point to, that I will have pointing to the private IP. Azure will still add a record on the public DNS so this name still works and points to the public IP, but I can override it by having a private zone, private DNS in my virtual network, that's now going to point to that private endpoint IP. That's the key point that's really going to power this and make this work.

Now we can see this in action. So let's go and look at DNS for a second. So what I'll actually start with is I'm going to look at a regular storage account. So if I just take a regular nslookup, and let's go and look at this. So this is a regular nslookup of a storage account, and what we can see a regular one basically does is, okay, I was looking for this name, and what it resolves to is the name of the storage cluster, which resolves to the public IP address. Notice there's no hint of a private link or anything else. Remember I'm on a network that doesn't have any private endpoints or anything special anyway, so this is a regular storage account; it's what we'd see for anything else. Now let's go and look at a storage account that I have enabled a private endpoint for. I'm going to run exactly the same command but just change the storage account. So if we go and look at it now, it's a little bit different. I'm asking the same question, hey, tell me who this storage account is, but now what it resolves to is, look, this special privatelink variant version, saprivlinkdemoscus.privatelink.blob.core.windows.net. Now because I'm out in the public DNS, it created a privatelink record for me that still points to that storage cluster. That means that if I'm on a network that doesn't have private endpoints, hey, I can still go and get to the back end service; it doesn't break. So that's kind of the key point, but it's added that privatelink alias now from the main record.

What happens if we now look at that on a network that does have the private endpoint? So if we jump over to this machine, remember this is actually sitting on that virtual network. If I do exactly the same lookup, it actually looks different. Now this time I'm asking it the same question, okay, tell me that public name; it resolves, once again it's an alias to the privatelink variant, but I actually have a record for the privatelink name in my DNS that points to that private endpoint IP address. Now when I ask to talk to, hey, saprivlinkdemoscus.blob.core.windows.net, it points to the privatelink variant, and then I have a record for that privatelink alias. So that's why on the networks that works: we have that privatelink variation of the zone to enable, hey, I can use the regular name still, so any encryption or anything else is still going to work just fine, but now I'm using that private endpoint IP address. It's as if by magic.

Now there are different options for hosting that record. I keep using the term kind of private DNS, and by that I mean a zone that is not on the internet; it's on some private DNS fabric. I can absolutely use Azure Private DNS zones, and there's an integration for the PaaS services that will actually go and create the record for me. If I think about, I'll create an Azure Private DNS zone, so we'll have Azure Private DNS. In this case the zone I want is that privatelink.blob.core.windows.net; that's the zone I need created, because in that I'm going to create a record. Now it's an address record, so it's an A record that's going to be the name of the storage account, so let's say storage account one, and it's going to resolve, in my case because this is for blob, to that IP PE1. So I can use a private DNS
zone, and what I then do is on that virtual network I link the VNet to that zone for resolution purposes. There are different ways I can link to Azure Private DNS; I have a whole video on Azure DNS. But I want it for resolution purposes. Remember if I had other VNets that were peered, and they wanted to use the same private endpoints, they need that consistent DNS resolution as well. So what do I do? I link them to the same zone, so that is also linked for resolution. A single private zone, I think it's a thousand different virtual networks that can be connected to it for resolution purposes. So I can have loads of different VNets; maybe this is a hub with all the private endpoints, lots of spokes using those private endpoints. They just need consistent DNS resolution for this zone; they could all connect to the same one. So that's a very, very common pattern. Some companies won't use the privatelink variant.

Now you might actually say for a second, if you step back, why do we bother with this privatelink? What's the point? If the regular name is something.blob.core.windows.net, why not forget about all this alias stuff to privatelink? It seems overly complicated. If I have a local DNS zone of a name, it will always override something on the public DNS. So why am I bothering with this privatelink? Why don't I, on my DNS, just create blob.core.windows.net, add a record for sa1 pointing to PE1, and that would totally work. But what happens when I try and now talk to storage account two? Storage account two is not using private endpoints; it's just a regular public one. I have no entry for storage account 2, but I've created this blob.core.windows.net, which is now authoritative for the zone, so it won't find a match and it will fail to connect. So we use the privatelink variant because now I can be authoritative for that zone, the privatelink one, which will only get used if private endpoints are enabled. But for regular storage accounts, that's the blob.core.windows.net, which is still an internet DNS zone I'm not overriding in any way. So that's why we have that.

Now there are ways to just use blob.core.windows.net. There are some companies that use things like response policy zones, which are individual entries, so it's a more complicated solution, but they do just create sa1.blob.core.windows.net. But because of this RPZ, the response policy zone, if it doesn't find an exact match for the fully qualified domain name then it does go and look at the internet. Basically it saves you a step: it removes the lookup to the alias and then the alias to the IP address, so it's a slight efficiency thing. But for most companies, they are not going to do that. The documentation will recommend: create a privatelink zone and do the DNS that way.

When I create a private endpoint to a PaaS service, you probably remember in the portal it gave me that option for, hey, do you want to use Azure DNS. If I jump over and we run through that one more time just so you can see that, if we go here, it doesn't matter actually, we'll go and do the Private Link version. So if I go to my private endpoints and add a private endpoint, remember none of this stuff is really that important, I just need it in. The private endpoint, remember, has to be the same region as the VNet that I'm creating the private endpoint in; it can be a different region from the resource it's going to point to. But if I now see all these different services, all of these things support private endpoints. But if I do storage account for a second and then I'll pick my one that does the Private Link, again we'll do blob. One of the configuration options you have down here at the bottom is this integrate with private DNS, and what this will do for me is it will create the record automatically and set it to the right IP address that the private endpoint is going to create. So notice what it's done here is given me a configuration name and it's saying this is the zone, so it's that privatelink.blob.core.windows.net. So it will go and do the work for me, so using the Azure Private DNS is super easy. And remember the big point of this is a privatelink zone is really available anywhere, so if I do have other virtual networks that are peered to it that want to use the private endpoint, I would link them to that same instance of the Azure Private DNS zone so they get consistent name resolution. Technically you wouldn't have to; you could have a different instance of the same name, privatelink.blob.core.windows.net; you just then have to add the same records into it. So unless there's some real reason against it, I probably wouldn't bother doing that.

You don't have to use Azure Private DNS. Maybe in my virtual network what I'm actually doing is I'm using my own custom DNS. Maybe I've got Active Directory running and I've got custom DNS configured that points to my domain controllers, my own DNS. Well, that's not a problem at all. In my custom DNS I would add the same thing. So in my custom DNS solution there are really two different options. One is, hey, I create in my DNS, I create that privatelink dot blob etc., and I add a record, an address record, for storage account one pointing to that private endpoint IP address, 10.0.1.4 or whatever that was, and that will work. They might use the same DNS servers, it's replicated; I just have to have the resolution. Another option, if I don't want to do that and I want to use the Azure Private DNS zone, well, I can't talk to Azure Private DNS from on-premises. It's this special IP address, it's 168.63.129.16; that will not work outside of Azure. What you could set up is a DNS forwarder, and I have an Azure DNS video where I go into all the details about this, but
the other option, instead of adding the records, is you could say, look, for privatelink.blob.core.windows.net I actually want you to forward to my DNS forwarder, and because my DNS forwarder lives in a virtual network it can then forward it to 168.63.129.16, which means it now uses the Azure Private DNS. So again I'm getting consistent DNS resolution. That's the key point of really all of this; that's what I'm trying to achieve. So that's the importance of DNS. Hopefully that makes sense why we're doing that. It gives us that name resolution of the regular name to point to the private endpoint address, so if there are any kind of encryption certificates, I'm using the regular name so it's still going to pass the check on the certificate, but it makes it point to my private endpoint IP address.

So far we have talked all about built-in Azure PaaS services and using those private endpoints, which is a very common scenario. But what about if I have my own service? What about if we now have this scenario, we have this scenario right here. So I have my service right there that lives in its own virtual network, so this is VNet four or something, I've lost track of the names I've done, but we have our own service. I want to offer this to other virtual networks. The typical easy answer to this would be, hey, this is an internal load balancer, peer the network, just peer it, peer it to all of the networks that want to use it, and then they can just use that internal IP address. And that's a common answer, but maybe I can't. Maybe I can't peer it; maybe the IP address range I'm using here overlaps with the IP address range I'm using there. If the IP address ranges overlap, I can't peer them. Maybe this service is not really part of my company; maybe this service is some kind of provider that wants to offer this to many, many different customers. I don't want to peer networks with someone I don't really know; I just want to be able to consume this particular instance of a service. So it could be, hey, I can't peer them because the IP addresses overlap, so I need to do network address translation, or I don't want to peer them because we don't have that kind of relationship. I don't want to directly connect the IP spaces; I just want to consume this particular service. That's where Private Link service, PLS, comes in.

So let's dive into the Private Link service. What color should we use for Private Link service? I don't know, we'll use, yeah, we'll use the yellowy color. This load balancer, let's actually stress a point, this is going to be a standard load balancer. It cannot be the basic SKU; it has to be standard. A load balancer has multiple front end IP configurations; I have lots of them, but let's say it's the first front end IP configuration. Now that can be internal or external. Remember a load balancer is of a certain type; all the front ends will be the same, it's either an internal or an external load balancer. But I have this front end configuration. We're going to create a Private Link service, so I'm going to go ahead and try and draw the icon, a little bit kind of a chain. I'm creating a PLS service; that PLS service binds to a specific front end configuration on a particular load balancer. It's going to provide that network address translation. Now if you think about network address translation, it's, hey, there's some IP talking to me, I'm going to basically convert that to an IP address I manage, and that's what the service is actually going to see. So I need to use a certain port to map it to what that target real IP address was and the destination I'm talking to. So we need some IP addresses for the Private Link service to perform that NAT, so we're going to give it at least one IP it can use. Now I can actually have multiple; I can have eight maximum. The reason we might want multiple ones is simply how many people are going to be talking to this service. We support a certain number of connections. If we think about the flow, well, it's basically 64,000 per connection, and the connection is defined as the NAT IP and the resource on the back end of the load balancer IP, so it's that resource IP. So I can actually scale the Private Link service in different ways. So again this resource actually has, hey, I've got IP1, I've got IP2; it just has to be a unique flow. So if I have one NAT IP and one back end, hey, there's sixty-four thousand I can support. But if I have two back ends, suddenly it's sixty-four thousand times two. If I had two NAT IP addresses, well, now it's 64,000 times two times two. So you can see it actually scales really, really well. I can scale the Private Link service by adding NAT IPs, up to eight, or adding resources behind the load balancer. But each connection, each unique port coming in, is going to consume one out of the 64,000 per NAT IP and resource IP combination.

The Private Link service has to be in the same region as the virtual network it's being created within, and so when we do this configuration we give the Private Link service a subnet, and it's that subnet that it's going to get these NAT IPs from. We can tell it, hey, we want you to just grab whatever IPs are available in the subnet, or we can do a static configuration: use this particular IP. That might be useful if the service it's talking to is only going to accept traffic from certain IP addresses, because realize what's happening here. What's happening here is these are the IPs that this service will think the traffic is originating from; this is what it's going to see as that incoming. So we have those different flow capabilities. If I need, as the resource, to see the true originator, there is the option to turn on the TCP proxy v2 header, which will encapsulate certain information about the originating connection, so then this could go and look at that information and get more information about where the packet actually originated from, not just this NAT IP. It doesn't work for UDP; for UDP there's no way to add in those additional headers.

And we can see that PLS configuration. So if I now jump back over to my Private Link Center, we can see I have a Private Link service. So I created my Private Link service; I actually have a connection created, we'll talk more about it in a second. I have my NAT configuration, so it's bound to a particular subnet which I specified when I created it. I'm not using that TCP proxy v2, so I'm not encapsulating that, and I've added two IP addresses. I just did dynamic, but notice I could add additional ones and I could say, hey, is it static or dynamic. So I can go ahead and add as many as I want up to eight; eight is the maximum I can do. If I just created a brand new Private Link service, you can get an idea of what we do on the configuration. So once again we just pick something, just go to test. Remember this has to be in the same region as the load balancer, so the Private Link service has to be the same region as the load balancer, and the load balancer will be the same region as the virtual network. So these are my outbound settings. So which load balancer do I want to actually connect to? So I could pick which of the front end IPs; they can only have one PLS per front end IP configuration, so I've used this one up already because I already have a Private Link service. If I picked a different load balancer, then I could see its available front end IP that doesn't currently have a PLS. And now I can say which subnet do I want to use to get those NAT IP addresses from. I could turn on the TCP proxy, and then I can add multiple NAT IPs, again up to eight. We then have the idea of access security, and this is all about who is allowed to use me. So if we go to access security, oh, I have to pick something, I have control. So what I can say here is role-based access control only, so it's only going to be available to people that have permissions to this Private Link service. Or I could say only certain subscriptions, and I can add particular subscriptions. Or I could just say, hey, look, anyone that has the alias of my service, and I can even then add subscriptions that would be auto
approved normally with pls i always have to manually approve them here i could actually say hey look for these subscriptions just go ahead and automatically approve it if i'm curious about which permissions there's an article that talks about the exact permissions for private link and i'm going to link that in the article below but it goes through each of the individual permissions so if you want to be more granular about what i actually want to give well i can do that through there now you might be curious about what this alias thing is because i talked before let's just close that about the resource id so if i have a private link service like my private link service right here well in its regular properties we have the resource id now if we look at that resource id it has things like my subscription if i'm a provider i probably don't want to share that with all my customers and so notice you also have this other thing you have this alias and it's a big old thing it's the name of the private link service it's a guide the region and then just the standard suffix but we have that available to us so the whole point now is if i am creating this service i want to expose it to lots of different customers i don't want to give them the resource id i'll give them the alias which abstracts away the underlying resource id but it's globally unique so now if i've set those access permissions on the pls anyone with that alias can say go into private link center create a new private endpoint say i have an alias paste in that alias and then it would go through that approval flow unless i added their subscriptions to be auto approved and that's the whole point of this what this ends up doing is i now get another private endpoint so now i get private end point three that points to the private link service and it's natted so a huge part of this is network address translation so these v-nets could be used in the same ip space which is what i've actually set up in my environment i'm 
using the same ip space and i'm using a different subscription a different azure ad tenant to actually connect these together so if we go and look at my configuration so what i actually did for this private link service is i'm using a load balancer so if i go back to my overview i've got this load balancer over here it's an internal standard load balancer that points to just a couple of web servers and you can see the net ips i'm using this 10.0.1 so i'm using two ips from this vnet infrascus virtual network so if i look at that v-net infrastructure scuzz virtual network i'm using basically 10.0 16. if i then go to a different subscription and i look at its virtual networks i have this v-net infer skulls network as well that is using exactly the same i peed space 10.0 but i want to use that service i want to use that load balancer so what we've done is in this subscription we created a private endpoint to that service so if we look i have a private endpoint going to that particular private link service now what that looks like once again it's just an ip address if i go and look at that virtual network notice what i have i have a network interface for that pe to internal private link service discuss us and it's just an ip address 10.0.0.5 so technically if we actually go to a virtual machine this one right here and let me go to this virtual machine this is the one in the other subscription go to our really advanced browser it works it's going over the private link service to that load balancer but i'm connecting to it just fine even though it's an overlapping ip space it doesn't matter it's natting that traffic over so it's really like a huge powerful feature of what we're getting here now i'm creating i've got some service i have i had a private link service and it's just natting that traffic over now once again i connected to the ip address because this was http 80. 
it wasn't encrypted so it didn't matter but if this was encrypted once again this service property has a name once again i would need to get that consistent dns resolution i could absolutely create a private azure private dns zone for whatever name i'm using over here and add that i could add it to my custom dns it doesn't matter remember that same name resolution is probably going to apply again i'm always going to have those things there are limits there's obviously we have our standard azure subscription limits page and if we look at the networking limits we can scroll down one interesting thing is if you look at the load balancer load balancer supports 600 front end ip configurations we we do not support 600 private link services to the same load balancer i think again it's eight so it's a much smaller number there and we'll see that actually if we look at the private link let's keep scrolling down there is a private link section there we go privately number of private endpoints for virtual network is a thousand private endpoints prescription 64 000 pls is per subscription 800 number of ip configurations on a private link service so eight so that was the number of net ip addresses number of private endpoints to the same private link service one thousand and you see some other kind of numbers there dns zones etc but they're high numbers once again a typical pattern would be absolutely yes i could create pes to every single like spoke v-net or i can create the ps to maybe a hub and just leverage that through peering and there were there were pros and cons but i pay for peering traffic i pay for traffic going over a private endpoint so i think that that's actually a wash but check go use a calculator you can check the exact numbers of that but that is private link i hope that was kind of useful the whole point of this is for pass services i don't have to use the public ip i can completely shut it off and now i just get an ip address within my virtual network that 
can be used by the virtual network any peered virtual network or connected networks sites like vpn express route private peering i need to have consistent dns so i can have things like the azure private dns and link them for resolution to multiple vnets for on-premises either i create the private link variant zone and add the records or i can configure that to forward to a dns folder in the virtual network that then uses the 16863 blah blah to use azure private dns for my own services or maybe some other company wants to offer i can attach a private link service to a standard load balancer which will nap the traffic and then add private endpoints once again though if it's encrypted the name resolution will matter so once again i'm going to have whatever this name is i'll need to add records the key point is private endpoints to pls it's not going to do an automatic name configuration for you you're going to have to go and create those records that's really it so i hope that cleared up some things private endpoint is the read only nick that gets created an ip address in your network that points to a pass service or a private link service for a custom resource private link service is the ability to offer my service behind a standard load balancer to other virtual networks via a private endpoint that's it as always a lot of work goes into this so please do like and subscribe but until next time take care you
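As an added example (not from the video), the following Python models the DNS behaviour the talk describes: the public CNAME chain from the regular blob name to the privatelink name, an Azure Private DNS zone linked to the VNet, and an on-premises resolver with or without a conditional forwarder for the privatelink zone. The storage account name, IP addresses and the forwarder VM address are constructed sample values.

```python
import ipaddress

# Constructed sample records (not from the video): storage account "mystg"
# has a private endpoint at 10.1.2.5 inside VNet 10.1.0.0/16.
PUBLIC_DNS = {
    "mystg.blob.core.windows.net": ("CNAME", "mystg.privatelink.blob.core.windows.net"),
    "mystg.privatelink.blob.core.windows.net": ("A", "20.60.1.1"),  # constructed public IP
}
# Azure Private DNS zone privatelink.blob.core.windows.net, linked to the VNet.
PRIVATE_ZONE = {"mystg.privatelink.blob.core.windows.net": ("A", "10.1.2.5")}
VNET = ipaddress.ip_network("10.1.0.0/16")
AZURE_DNS = "168.63.129.16"  # the Azure-provided resolver every VNet can reach


def azure_dns_lookup(name):
    """A VM using 168.63.129.16: linked private zones override public DNS."""
    return PRIVATE_ZONE.get(name) or PUBLIC_DNS.get(name)


def onprem_lookup(name, forwarders):
    """On-premises resolver. `forwarders` maps a zone to the hypothetical DNS
    forwarder VM inside the VNet; that VM relays to AZURE_DNS, so the answer
    is what azure_dns_lookup returns. Anything else goes to public DNS."""
    for zone in forwarders:
        if name == zone or name.endswith("." + zone):
            return azure_dns_lookup(name)
    return PUBLIC_DNS.get(name)


def resolve(name, lookup, max_hops=8):
    """Follow CNAMEs until an A record; returns (ip, names_visited).
    names_visited[0] is the name the client asked for, which is also the
    name presented to TLS, so the certificate check is unaffected."""
    chain = [name]
    for _ in range(max_hops):
        rec = lookup(name)
        if rec is None:
            raise LookupError(f"NXDOMAIN: {name}")
        rtype, value = rec
        if rtype == "A":
            return value, chain
        name = value  # CNAME: keep following
        chain.append(name)
    raise LookupError("CNAME chain too long")


def reaches_private_endpoint(ip):
    """True if the answer lands inside the VNet, i.e. on the private endpoint."""
    return ipaddress.ip_address(ip) in VNET
```

Run resolve() once per client position to see that only the Azure VM and the on-premises resolver with the conditional forwarder land on 10.1.2.5; the plain on-premises resolver still gets the public address.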
Info
Channel: John Savill's Technical Training
Views: 9,504
Keywords: azure, azure cloud, microsoft azure, microsoft, cloud, private link, networking
Id: 57ZwdztCx2w
Length: 57min 2sec (3422 seconds)
Published: Tue Nov 23 2021