%3CLINGO-SUB%20id%3D%22lingo-sub-1438920%22%20slang%3D%22en-US%22%3EAzure%20Private%20Link%20DNS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1438920%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%3E%3CSTRONG%3EAzure%20Private%20Link%3C%2FSTRONG%3E%20is%20a%20private%20connection%20to%20Azure%20PaaS%20services.%20However%20to%20really%20understand%20private%20link%2C%20you%20need%20to%20understand%20what%20is%20happening%20under%20the%20covers%20-%20with%20DNS.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBefore%20you%20enable%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3EPrivate%20Link%3C%2FSTRONG%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Efor%20a%20PaaS%20service%20e.g.%20Azure%20SQL%2C%20if%20you%20had%20an%20Azure%20PaaS%20service%20URL%20e.g.%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3ESql321.database.windows.net%3C%2FSTRONG%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E(a%20global%20zone).%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3EYou%20had%20a%20virtual%20machine%20that%20made%20a%20request%20to%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3ESql321.database.windows.net%3C%2FSTRONG%3E%3C%2FLI%3E%0A%3CLI%3EThis%20DNS%20request%20resolved%20to%20a%20DNS%20CNAME%20record%20and%20was%20forwarded%20by%20using%20a%20redirect%20(CNAME)%20to%20another%20regional%20DNS%20zone%20of%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3Ewesteurope1-a.control.database.windows.net%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSTRONG%3E%E2%80%93%20as%20this%20database%20was%20deployed%20into%20West%20Europe%3C%2FLI%3E%0A%3CLI%3EAnother%20lookup%20would%20take%20place%20of%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3Ewesteurope1-a.control.database.windows.net%3C%2FSTRONG%3E%2C%20which%20would%20then%20resolve%20to%20a%20DNS%20A%20record%20comprising%20of%20the%20public%20IP%20address%20of%20the%20SQL%20database%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3EThis%20would%20be%20great%20if%20the%20SQL%20database%20was%20open%20to%20the%20public%20internet%2C%20but%20this%20is%20not%20good%20as%20far%20as%20security%20goes%E2%80%A6..%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ETo%20fix%20this%2C%20use%20%3CSTRONG%3EPrivate%20Link%3C%2FSTRONG%3E.%20After%20you%20turn%20on%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3EPrivate%20Link%3C%2FSTRONG%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Efor%20the%20Azure%20SQL%20database.%20Rather%20than%20having%20the%20initial%20CNAME%20redirect%20to%20a%20regional%20lookup%2C%20we%20insert%20a%20a%20different%20CNAME%20redirect%20which%20is%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3ESql321.%3CFONT%20color%3D%22%23FF0000%22%3E%3CSPAN%20class%3D%22has-inline-color%22%3Eprivatelink%3C%2FSPAN%3E%3C%2FFONT%3E.database.windows.net%3C%2FSTRONG%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%E2%80%93%20this%20is%20for%20both%20external%20DNS%20resolution%20and%20internal%20Azure%20DNS%20resolution.%20The%20first%20two%20DNS%20resolution%20steps%20are%20as%20follows%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3EYou%20had%20a%20virtual%20machine%20that%20made%20a%20request%20to%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3ESql321.database.windows.net%3C%2FSTRONG%3E%3C%2FLI%3E%0A%3CLI%3EThis%20DNS%20request%20resolved%20to%20a%20DNS%20CNAME%20record%20and%20was%20forwarded%20by%20using%20a%20redirect%20(CNAME)%20to%20another%20regional%20DNS%20zone%20of%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20class%3D%22has-inline-color%20has-black-color%22%3ESql321.%3C%2FSPAN%3E%3CFONT%20color%3D%22%23FF0000%22%3E%3CSPAN%20class%3D%22has-inline-color%22%3Eprivatelink%3C%2FSPAN%3E%3C%2FFONT%3E%3CSPAN%20class%3D%22has-inline-color%20has-black-color%22%3E.database.windows.net%3C%2FSPAN%3E%3C%2FSTRONG%3E%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3EFrom%20here%2C%20the%20DNS%20forwarding%20%26amp%3B%20resolution%20this%20does%20exactly%20the%20same%20as%20before.%20However%2C%20the%20only%20difference%20here%20means%20that%20you%20can%20make%20use%20of%20split%20DNS%2C%20leverage%20an%20Azure%20internal%20DNS%20zone.%20Rather%20than%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3ESql321.%3CFONT%20color%3D%22%23FF0000%22%3E%3CSPAN%20class%3D%22has-inline-color%22%3Eprivatelink%3C%2FSPAN%3E%3C%2FFONT%3E.database.windows.net%3C%2FSTRONG%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Eresolving%20to%20a%20public%20CNAME%20record%2C%20you%20can%20have%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3ESql321.%3CFONT%20color%3D%22%23FF0000%22%3E%3CSPAN%20class%3D%22has-inline-color%22%3Eprivatelink%3C%2FSPAN%3E%3C%2FFONT%3E.database.windows.net%3C%2FSTRONG%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Eresolving%20to%20a%20private%20IP%20address%20(%3CSTRONG%3EPrivate%20Link%3C%2FSTRONG%3E).%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20diagram%20below%20walks%20you%20through%20the%20process%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20style%3D%22language%3A%20en-AU%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fprivate-link%2Fprivate-endpoint-dns%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fprivate-link%2Fprivate-endpoint-dns%3C%2FA%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWhile%20this%20Private%20Link%20DNS%20redirection%20is%20true%20for%20most%20Azure%20PaaS%20services%2C%20it%E2%80%99s%20different%20for%20services%20like%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3EAzure%20Monitor%3C%2FSTRONG%3E%2F%3CSTRONG%3ELog%20Analytics%3C%2FSTRONG%3E%2C%20whereas%20these%20services%20use%20AMPLS%20(Azure%20Monitor%20Private%20Link%20Scope).%20More%20details%20here%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E-ERR%3AREF-NOT-FOUND-%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-gb%2Fazure%2Fazure-monitor%2Fplatform%2Fprivate-link-security%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-gb%2Fazure%2Fazure-monitor%2Fplatform%2Fprivate-link-security%3C%2FA%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Eand%20a%20diagram%20below%20which%20walks%20you%20through%20it.%3C%2FP%3E%0A%3CP%3EThis%20covers%20all%20URLS%20for%20Azure%20Monitor%20(Log%20Analytics)%20%26amp%3B%20Application%20Insights%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E*.ods.opinsights.azure.com%3C%2FLI%3E%0A%3CLI%3E*.oms.opinsights.azure.com%3C%2FLI%3E%0A%3CLI%3Eseauoiomsmds.blob.core.windows.net%3A443%3C%2FLI%3E%0A%3CLI%3Escadvisor.blob.core.windows.net%3A443%3CUL%3E%0A%3CLI%3ETo%20allow%20the%20Log%20Analytics%20Agent%20to%20download%20solution%20packs%2C%20the%20storage%20account%20from%20which%20MPs%20are%20downloaded%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3Escadvisorcontent.blob.core.windows.net%3A443%3CUL%3E%0A%3CLI%3Ecustom%20logs%20%2B%20iis%20log%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22Annotation%202020-06-04%20104701.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F196360iD758613D96B895D1%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Annotation%202020-06-04%20104701.png%22%20alt%3D%22Annotation%202020-06-04%20104701.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CA%20style%3D%22background-color%3A%20%23ffffff%3B%22%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fplatform%2Fprivate-link-security%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fplatform%2Fprivate-link-security%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EMore%20information%2C%20here's%20some%20videos%20all%20about%20Azure%20Private%20Link%3A%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DZ0Xuvwi0838%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DZ0Xuvwi0838%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DaVFV1_ZwAEY%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DaVFV1_ZwAEY%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D--ri7oy0Cgw%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D--ri7oy0Cgw%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAnd%20of%20course%2C%20our%20very%20own%20docs%20site%20on%20the%20topic%20-%26nbsp%3B-ERR%3AREF-NOT-FOUND-%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fprivate-link%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fprivate-link%2F%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1438920%22%20slang%3D%22en-US%22%3E%3CP%3EAzure%20Private%20Link%20is%20a%20private%20connection%20to%20Azure%20PaaS%20services.%20However%20to%20really%20understand%20private%20link%2C%20you%20need%20to%20understand%20what%20is%20happening%20under%20the%20covers%20%E2%80%93%20with%20DNS.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1438920%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20Monitor%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ELog%20Analytics%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EPrivate%20Link%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Microsoft

Azure Private Link is a private connection to Azure PaaS services. However to really understand private link, you need to understand what is happening under the covers - with DNS.

 

Before you enable Private Link for a PaaS service e.g. Azure SQL, if you had an Azure PaaS service URL e.g. Sql321.database.windows.net (a global zone), the following would be the DNS resolution that would occur:

 

  1. You had a virtual machine that made a request to Sql321.database.windows.net
  2. This DNS request resolved to a DNS CNAME record and was forwarded by using a redirect (CNAME) to another regional DNS zone of westeurope1-a.control.database.windows.net – as this database was deployed into West Europe
  3. Another lookup would take place of westeurope1-a.control.database.windows.net, which would then resolve to a DNS A record comprising of the public IP address of the SQL database

This would be great if the SQL database was open to the public internet, but this is not good as far as security goes…..

 

To fix this, use Private Link.

 

After you turn on Private Link for the Azure SQL database. Rather than having the initial CNAME redirect to a regional lookup, we insert a a different CNAME redirect which is Sql321.privatelink.database.windows.net – this is for both external DNS resolution and internal Azure DNS resolution. The first two DNS resolution steps are as follows:

 

  1. You had a virtual machine that made a request to Sql321.database.windows.net
  2. This DNS request resolved to a DNS CNAME record and was forwarded by using a redirect (CNAME) to another regional DNS zone of Sql321.privatelink.database.windows.net

From here, the DNS forwarding & resolution this does exactly the same as before. However, the only difference here means that you can make use of split DNS, leverage an Azure internal DNS zone. Rather than Sql321.privatelink.database.windows.net resolving to a public CNAME record, you can have Sql321.privatelink.database.windows.net resolving to a private IP address (Private Link).

 

This diagram below walks you through the process:

 

Annotation 2020-06-04 104613.pnghttps://docs.microsoft.com/en-us/azure/private-link/private-endpoint-dns

 

While this exact Private Link DNS redirection is true for most Azure PaaS services, it’s slightly different for Azure Monitor/Log Analytics, due to other underlining URLs in which the MMA (Microsoft Management Agent) uses and the generic nature of the other primary Azure Monitor URLs. Azure Monitor is slightly unique whereas some of the Azure Monitor URLs are global DNS entries the same for all customers and are not customer specific (e.g. monitor.azure.com), hence the reason to use the AMPLS (Azure Monitor Private Link Scope) which then makes it more customer specific. In comparison from above, the URL Sql321.privatelink.database.windows.net is customer specific. 

 

In the Azure Portal, when you setup the Azure Monitor Private Link Scope resource (Microsoft.Insights/PrivateLinkScopes), you then choose the relevant workspace on the one side, then you tell it to setup a Private Endpoint on the other side.

 

Annotation 2020-06-30 080254.png

When creating the Private Endpoint, this process also creates the necessary Azure DNS private zones and links the Azure DNS zones to a vNet that you choose. 

 

Annotation 2020-06-30 080234.png

The AMPLS glues both sides (workspace & private endpoint) together from a backend networking perspective.

 

Some URLs for Azure Monitor are customer specific, and as you only enter in the workspace ID & key into the MMA, the MMA adds the workspace ID as the prefix to the URL in which it connects to:

  • {workspace_ID}.oms.opinsights.azure.com
    • e.g. b5cd151b-34c5-4aa0-9447-3aa3d7b2c4ed.oms.opinsights.azure.com
  • {workspace_ID}.ods.opinsights.azure.com
    • e.g. b5cd151b-34c5-4aa0-9447-3aa3d7b2c4ed.ods.opinsights.azure.com
  • {workspace_ID}.agentsvc.azure-automation.net
    • e.g. b5cd151b-34c5-4aa0-9447-3aa3d7b2c4ed.agentsvc.azure-automation.net

The DNS conditional forwarding aspect of AMPLS uses 4 primary URLs, and these should be setup like the following for the DNS private zones which ultimately map to the private endpoint:

 

  • privatelink.oms.opinsights.azure.com
  • privatelink.ods.opinsights.azure.com
  • privatelink.agentsvc.azure-automation.net
  • privatelink.monitor.azure.com

As for the other URLs for Azure Monitor (Log Analytics) & Application Insights that the MMA uses, the following discusses their behaviour when AMPLS is setup:

  • oioms(mds).blob.core.windows.net
    • Not needed if Azure Monitor is setup for Private Link. Without Private Link, MMAs use this URL to download their configuration, however with Private Link enabled for Azure Monitor (AMPLS) the MMA configuration is sent directly to the MMA bypassing the storage account.
    • Although this URL is only used without Azure Monitor Private Link, this is regional, e.g. 
      seauoiomsmds.blob.core.windows.net for Australia Southeast workspaces or ccanoioms.blob.core.windows.net for Canada Central workspaces
  • scadvisorcontent.blob.core.windows.net
    • This is to allow the MMA to download solution packs, the storage account from which MPs are downloaded
    • At the time of writing, this is a temporary limitation with Private Link and as a result, customers will need to allow this URL outbound to the internet from each MMA as per this link.
  • advisor33083311296362384.blob.core.windows.net (example URL)
    • If Azure Monitor Private Link is not used, we create a storage account on behalf of customers for each workspace. This URL will be different for each customer. 
    • This URL is used if you setup and use custom logs & IIS logs. However with Azure Monitor Private Link, this is not used. 
    • To ingest custom logs on Azure Monitor Private Link, you must use your own storage accounts and associate them with Log Analytics workspace(s) as per this link.

If you're using the Update Management solution for Azure Monitor/Log Analytics, then one component of this is Azure Automation - here's the article for Private Link for Azure Automation

 

More details for AMPLS here https://docs.microsoft.com/en-gb/azure/azure-monitor/platform/private-link-security and a diagram below which walks you through it.

Annotation 2020-06-24 112458.png

 

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/private-link-security

 

A good test, once you turn on Private Link for an Azure PaaS service, from outside using a tool like https://tools.dnsstuff.com/ do a DNS Lookup on the CNAME of the name one of the PaaS service URLs turned on for private link e.g. Sql321.database.windows.net, you'll notice that it will resolve to Sql321.privatelink.database.windows.net. which will then ultimately resolve to a public IP address as there's no association with the Azure DNS private zones. 

 

As for the minimum MMA (Microsoft Management Agent) to use for Private Link, its agent version 10.20.18038.

 

More information, here's some videos all about Azure Private Link:

https://www.youtube.com/watch?v=Z0Xuvwi0838

https://www.youtube.com/watch?v=aVFV1_ZwAEY

https://www.youtube.com/watch?v=--ri7oy0Cgw 

 

And of course, our very own docs site on the topic - https://docs.microsoft.com/en-us/azure/private-link/