Azure Private Link gives an Azure PaaS service a private IP address inside your virtual network. To really understand Private Link, though, you need to understand what is happening under the covers with DNS.
Before you enable Private Link for a PaaS service such as Azure SQL, a lookup of the service URL, e.g. Sql321.database.windows.net (a name in the global zone), resolves like this:
That is fine if the SQL database is meant to be open to the public internet, but it is not good from a security point of view.
To fix this, use Private Link.
After you turn on Private Link for the Azure SQL database, the initial CNAME no longer redirects straight to a regional lookup. Instead, a different CNAME is inserted: Sql321.privatelink.database.windows.net. This applies to both external (public) DNS resolution and DNS resolution from inside Azure. The first two resolution steps now look like this:
From here, DNS forwarding and resolution proceeds exactly as before. The difference is that the privatelink name gives you a hook for split DNS using an Azure Private DNS zone: rather than Sql321.privatelink.database.windows.net resolving to a public CNAME record, inside a virtual network linked to that zone it resolves to the private IP address of the Private Endpoint.
The diagram below walks you through the process:
While this Private Link DNS redirection holds for most Azure PaaS services, it is slightly different for Azure Monitor/Log Analytics, because of the other underlying URLs that the MMA (Microsoft Monitoring Agent) uses and the generic nature of the primary Azure Monitor URLs. Azure Monitor is unusual in that some of its URLs are global DNS entries that are the same for every customer rather than customer specific (e.g. monitor.azure.com); hence the need for an AMPLS (Azure Monitor Private Link Scope), which makes the mapping customer specific. By comparison, the URL Sql321.privatelink.database.windows.net above is already customer specific.
In the Azure Portal, when you set up the Azure Monitor Private Link Scope resource (Microsoft.Insights/PrivateLinkScopes), you choose the relevant workspace on one side and tell it to set up a Private Endpoint on the other side.
Creating the Private Endpoint also creates the necessary Azure Private DNS zones and links them to a vNet that you choose. Clients in other vNets only get the private answers if those zones are linked to their vNet too, or if their DNS forwards the relevant names to a resolver that is.
The AMPLS glues both sides (workspace and Private Endpoint) together from a backend networking perspective.
Some Azure Monitor URLs are customer specific: you only enter the workspace ID and key into the MMA, and the agent prefixes the workspace ID to the URL it connects to:
The DNS conditional forwarding aspect of AMPLS uses 4 primary URLs, and the Azure Private DNS zones, which ultimately map to the Private Endpoint, should be set up as follows:
As for the other URLs that the MMA uses for Azure Monitor (Log Analytics) and Application Insights, the following describes their behaviour once AMPLS is set up:
If you use the Update Management solution for Azure Monitor/Log Analytics, one of its components is Azure Automation; here is the article on Private Link for Azure Automation.
More details on AMPLS are at https://docs.microsoft.com/en-gb/azure/azure-monitor/platform/private-link-security, and the diagram below walks you through it.
A good test, once you have turned on Private Link for an Azure PaaS service: from outside Azure, using a tool like https://tools.dnsstuff.com/, do a DNS lookup on one of the PaaS service URLs you enabled for Private Link, e.g. Sql321.database.windows.net. You will see it resolve to the CNAME Sql321.privatelink.database.windows.net, which ultimately resolves to a public IP address, because an external resolver has no association with the Azure Private DNS zones. Bear in mind that this public IP is still the service's public endpoint: Private Link adds a private path but does not by itself close the public one, so if only private access is intended, also disable public network access on the service (or lock down its firewall).
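The resolution behaviour described above (the privatelink CNAME hook, the workspace-ID-prefixed Log Analytics names, and the external-versus-internal lookup test) can be modelled offline. The following is an added example, not code from the original post or from Microsoft: it builds two constructed views of DNS, the public one and the one seen from a vNet linked to the Azure Private DNS zones, walks the CNAME chain as a split-horizon resolver would, and reports whether the final answer is an RFC 1918 address and which privatelink zone overrides it. The server name Sql321 is from the post; the workspace ID, the regional alias, the record values and the public IPs (taken from the 192.0.2.0/24 documentation range) are placeholders, and the customer-specific ods.opinsights.azure.com name follows the prefixing pattern described above rather than anything listed on this page.

```python
"""Model the public and vNet-internal views of Private Link DNS and check where a name ends up.

Added example, not code from the original post or from Microsoft. All zone data is constructed:
sql321 is the server name from the post; the workspace ID, regional alias and IP addresses are
placeholders (public IPs use the 192.0.2.0/24 documentation range).
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Record = Tuple[str, str]    # (rtype, value)
Hop = Tuple[str, str, str]  # (name, rtype, value)

WORKSPACE = "11111111-2222-3333-4444-555555555555"  # placeholder workspace ID

# What any resolver on the internet sees: the privatelink alias exists but ends at a public IP.
PUBLIC_ZONES: Dict[str, Record] = {
    "sql321.database.windows.net": ("CNAME", "sql321.privatelink.database.windows.net"),
    "sql321.privatelink.database.windows.net": ("CNAME", "region1.control.database.windows.net"),  # assumed regional alias
    "region1.control.database.windows.net": ("A", "192.0.2.10"),
    # Log Analytics ingestion name: the agent prefixes the workspace ID (assumed shape for this example)
    f"{WORKSPACE}.ods.opinsights.azure.com": ("CNAME", f"{WORKSPACE}.privatelink.ods.opinsights.azure.com"),
    f"{WORKSPACE}.privatelink.ods.opinsights.azure.com": ("CNAME", "ods.opinsights.azure.com"),  # simplified
    "ods.opinsights.azure.com": ("A", "192.0.2.20"),
}

# Azure Private DNS zones linked to the vNet: they override only the privatelink.* names.
VNET_PRIVATE_ZONES: Dict[str, Record] = {
    "sql321.privatelink.database.windows.net": ("A", "10.10.1.4"),
    f"{WORKSPACE}.privatelink.ods.opinsights.azure.com": ("A", "10.10.1.6"),
}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def resolve(name: str, private: Dict[str, Record], public: Dict[str, Record], max_hops: int = 8) -> List[Hop]:
    """Follow the CNAME chain as a split-horizon resolver would: private zones first, then public.
    Pass an empty dict as `private` to get the view an external client has."""
    chain: List[Hop] = []
    cur = name.lower().rstrip(".")
    for _ in range(max_hops):
        rec = private.get(cur) or public.get(cur)
        if rec is None:
            raise LookupError(f"NXDOMAIN for {cur}")
        rtype, value = rec
        chain.append((cur, rtype, value))
        if rtype == "A":
            return chain
        cur = value.lower().rstrip(".")
    raise RuntimeError(f"CNAME chain for {name} exceeded {max_hops} hops")


def is_rfc1918(ip: str) -> bool:
    """True only for the three RFC 1918 blocks (vNet address space), not for other special ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def privatelink_zone(chain: List[Hop]) -> Optional[str]:
    """Return the Azure Private DNS zone that would override this chain: the privatelink.* hop
    with its first (customer-specific) label removed, or None if the chain has no such hop."""
    for hop_name, _, _ in chain:
        labels = hop_name.split(".")
        if len(labels) > 1 and labels[1] == "privatelink":
            return ".".join(labels[1:])
    return None


def check(name: str, private: Dict[str, Record], public: Dict[str, Record]) -> dict:
    """Summarise a lookup: the chain, the final IP, whether it is RFC 1918, and the zone involved."""
    chain = resolve(name, private, public)
    final_ip = chain[-1][2]
    return {"chain": chain, "final_ip": final_ip, "private": is_rfc1918(final_ip),
            "zone": privatelink_zone(chain)}


if __name__ == "__main__":
    for host in ("sql321.database.windows.net", f"{WORKSPACE}.ods.opinsights.azure.com"):
        for label, view in (("internet", {}), ("vnet", VNET_PRIVATE_ZONES)):
            r = check(host, view, PUBLIC_ZONES)
            print(f"{label:8} {host} -> {r['final_ip']} private={r['private']} zone={r['zone']}")
```

The internet view of sql321.database.windows.net walks three hops and lands on a public IP, which is exactly what the external test above shows; the vNet view stops after two hops at 10.10.1.4 because the linked private zone answers for the privatelink name. `privatelink_zone` gives the zone name you need to create and link for any such chain, which is the same derivation behind the AMPLS zones. This models only the customer-specific names; the global monitor.azure.com entries discussed earlier are what AMPLS exists to handle and are not represented here.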
The minimum MMA (Microsoft Monitoring Agent) version to use with Private Link is 10.20.18038.
For more information, here are some videos about Azure Private Link:
And of course, our very own docs site on the topic - https://docs.microsoft.com/en-us/azure/private-link/