Microsoft to improve Azure networking with private links to multi-tenant services
Preview of private endpoints accessible both in the cloud and on premises
Microsoft has pulled the sheets off Azure Private Link as a way to create a private endpoint for a shared service.
This means the service can be accessed via a local IP address both on Azure and from on-premises networks linked via a VPN or Azure ExpressRoute (a dedicated connection to the Azure network).
Azure Private Link works on the assumption that you have configured an Azure Virtual Network (VNet), which has a private IP address space such as 10.1.0.0/24. Now you can configure a private endpoint to a service such as Azure Storage or Azure SQL Database, which will be assigned an IP address – for example, 10.1.0.5.
This IP address will be accessible both within the Azure VNet and on-premises, if you have configured private or VPN connectivity to the Azure network.
Third-party service providers can also publish services via Azure Private Link by enabling the feature on an Azure Standard load balancer in front of whatever service is being provided. This then enables users to assign a private endpoint for that service.
The benefit of Private Link is that data stays within Microsoft's network and your private network.
Azure already has a feature called VNet service endpoints. This enables you to secure Azure service resources so that they are only accessible from your VNet, and has the same benefit as Private Link in terms of protecting data within the VNet. A VNet service endpoint, however, is still a public IP. This also means that a service locked down with a VNet service endpoint is not reachable from on-premises networks, unless you also allow access via public IP addresses. It is more complex to set up and potentially less secure.
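To make the setup described above concrete, here is an added example (not from the article, Microsoft or The Register): an Azure CLI script that builds the 10.1.0.0/24 VNet, attaches a private endpoint to a storage account's blob service together with the privatelink DNS zone, closes the public endpoint, and then checks that the account's hostname resolves to a VNet address rather than the public one. Resource names and the region are assumed placeholders, and the flags are current az syntax rather than the preview-era CLI.

```shell
#!/usr/bin/env bash
# Added example (not from the article or Microsoft): build the setup the text
# describes (VNet 10.1.0.0/24, private endpoint to Azure Storage) with the Azure
# CLI, then check the account's hostname resolves to a VNet address, not a public one.
# Placeholder names, assumed: rg-pl-demo, vnet-pl, snet-pe, stpldemo001, eastus.
set -eu
RG=rg-pl-demo LOC=eastus VNET=vnet-pl SUBNET=snet-pe SA=stpldemo001
VNET_CIDR=10.1.0.0/24
ZONE=privatelink.blob.core.windows.net   # private DNS zone for the "blob" sub-resource

# Dotted-quad IPv4 -> 32-bit integer.
ip2int() { local IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )); }
# Exit 0 when IPv4 $1 lies inside CIDR $2, else 1 (pure shell, runs offline).
ip_in_cidr() {
  local mask=$(( (0xFFFFFFFF << (32 - ${2#*/})) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}

# Create VNet, storage account, the private endpoint and the DNS glue that makes
# <account>.blob.core.windows.net resolve to the endpoint's private IP.
deploy_private_endpoint() {
  az group create -n "$RG" -l "$LOC"
  az network vnet create -g "$RG" -n "$VNET" --address-prefix "$VNET_CIDR" \
    --subnet-name "$SUBNET" --subnet-prefixes "$VNET_CIDR"
  az storage account create -g "$RG" -n "$SA" -l "$LOC" --sku Standard_LRS
  local sa_id; sa_id=$(az storage account show -g "$RG" -n "$SA" --query id -o tsv)
  az network private-endpoint create -g "$RG" -n "pe-$SA" -l "$LOC" \
    --vnet-name "$VNET" --subnet "$SUBNET" --group-id blob \
    --private-connection-resource-id "$sa_id" --connection-name "pe-$SA-conn"
  az network private-dns zone create -g "$RG" -n "$ZONE"
  az network private-dns link vnet create -g "$RG" -n "link-$VNET" -z "$ZONE" \
    -v "$VNET" -e false
  az network private-endpoint dns-zone-group create -g "$RG" --endpoint-name "pe-$SA" \
    -n default --private-dns-zone "$ZONE" --zone-name blob
  # Close the public endpoint; private-endpoint traffic is not subject to this rule.
  az storage account update -g "$RG" -n "$SA" --default-action Deny
}

# Run from a VM in the VNet (or on-prem with DNS forwarded to Azure): the name
# must resolve inside VNET_CIDR, otherwise traffic is still taking the public path.
verify_private_resolution() {
  local ip; ip=$(getent hosts "$SA.blob.core.windows.net" | awk 'NR==1 {print $1}')
  if [ -n "$ip" ] && ip_in_cidr "$ip" "$VNET_CIDR"; then
    echo "OK: $SA.blob.core.windows.net -> $ip (inside $VNET_CIDR)"
  else
    echo "WARNING: resolves to ${ip:-nothing}, traffic takes the public path"; return 1
  fi
}
case "${1:-}" in deploy) deploy_private_endpoint ;; verify) verify_private_resolution ;; esac
```

Run `./pl-demo.sh deploy` from a workstation logged in with `az login`, then `./pl-demo.sh verify` from inside the VNet; the verify step is the check worth repeating after any DNS or firewall change.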
The Private Link service is currently in preview and only works with five US Azure regions. Storage and SQL databases seem to be the only supported services at the moment, though additional services promised include Cosmos DB, MySQL, PostgreSQL, MariaDB, Azure Application Service, Key Vault, Snowflake data warehousing, and partner services. There are no immediate plans to support Office 365 services.
The price of a Private Endpoint is $0.005 per hour, with a further $0.005 per GB data transferred inbound or outbound.
Microsoft states that "the public preview is provided without a service level agreement and should not be used for production workloads" – though The Reg could see the feature in our test Azure setup and it appeared to be offered without any warning messages. ®