Hello folks,
Lately, I had to replace my home network’s edge device/firewall with one that allows me to connect to my Azure cloud environment using a site-to-site VPN. I set up an Azure Bastion host to enable remote access to all my servers (Azure virtual machines and on-prem servers), and I set up end-to-end name resolution for on-prem and in-cloud resources.
Now I want to configure the underlying service that will allow me to securely manage all my servers through cloud services: Azure Arc. I’ve said before that Azure Arc is a wonderful way of enabling a multitude of cloud services. And since I already have the site-to-site VPN up and running, I want to ensure that all traffic from my on-prem servers ONLY reaches my Azure services over that secured connection.
I decided to leverage Azure Private Link. It’s a service that lets you access Azure PaaS services (for example, Azure Storage and SQL Database) and Azure-hosted services over a private endpoint in your own virtual network, eliminating the need to route traffic over the internet.
Some of the advantages of using that solution are:
The way this works is that an Azure Arc Private Link Scope connects private endpoints (and the virtual networks they're contained in) to an Azure resource, in this case Azure Arc-enabled servers. Therefore the Arc agent, and any of the VM extensions supported by Azure Arc-enabled servers (Windows extensions, Linux extensions) that it deploys, will use the VPN/ExpressRoute link to reach the Arc service without going through the internet. One caveat worth knowing up front: the scope covers the agent’s own traffic to the Hybrid Compute and Guest Configuration endpoints. Services that an extension then talks to on its own behalf (Log Analytics for the monitoring agent, Key Vault, storage accounts, and so on) need their own private endpoints, and the agent’s authentication traffic to Microsoft Entra ID still goes out through the public endpoints.
There are a few things I need to ensure before I get started.
Now that the pre-requisites are taken care of, I can proceed with creating the Private Link Scope.
Azure Arc resources can only connect to private link scopes in the same region. If you have Azure Arc resources in multiple regions, you will need to create an Azure Arc Private Link Scope for each region. In my case, I am only in East US, but that may change.
During the deployment of the Azure Arc Private Link Scope, I make sure to leave “Allow public network access” UNCHECKED. This forces the resources associated with this private link scope to connect to the service through the private endpoint, NOT the public endpoint.
Also, when creating the private endpoint for this scope, I had it create the private DNS zones for the endpoint. I created them in my hub network as part of my hub-and-spoke design.
Once this was created, I added the private DNS zones to my private DNS resolver ruleset so that name resolution follows the same rules as in my last post. Therefore, when the Arc agent looks up any of the hostnames it needs to reach, they resolve to the private endpoint’s internal addresses rather than to the public endpoints it would normally connect to.
If you do not have a hybrid name resolution setup, you may have to configure your DNS server manually: for example, conditional forwarders on your on-prem DNS server for the privatelink zones, pointing at a resolver in Azure that can answer from the private DNS zones. Before onboarding, resolve the Arc hostnames from the server itself and confirm they come back as private addresses; if a public IP is returned, the agent will not use the private endpoint.
Once the private link scope and private endpoint are created and your DNS has been configured, you can Arc-enable your local servers pretty much the same way you normally do, except that in the portal form you need to select “Private endpoint” in the “Connectivity method” section.
That’s it! I can now Arc-enable my on-prem servers securely over my VPN or ExpressRoute link.
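The same procedure, scripted end to end with Az PowerShell rather than the portal, as an added example (this is not code from the original post). It assumes a resource group `rg-hub`, a hub VNet `vnet-hub` with a subnet `snet-privateendpoints`, a scope named `pls-arc-eastus` in `eastus`, and an Azure DNS Private Resolver inbound endpoint at `10.10.0.4`; the private DNS zone names are the ones documented for Arc-enabled servers at the time of writing, so check them against the current Arc private link documentation. Steps 1 to 3 run from a workstation with Az installed and `Connect-AzAccount` done, step 4 runs on the on-prem Windows DNS server, and step 5 runs on the server being onboarded.

```powershell
# Added example, not the original post's code. Assumed names: rg-hub, vnet-hub,
# snet-privateendpoints, pls-arc-eastus, eastus, resolver inbound endpoint 10.10.0.4.
# Requires Az.Accounts, Az.Resources, Az.Network (run Connect-AzAccount first).

$rg       = 'rg-hub'
$location = 'eastus'            # the scope must be in the same region as the Arc resources it serves
$scope    = 'pls-arc-eastus'
$vnet     = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-hub'
$subnet   = $vnet.Subnets | Where-Object Name -eq 'snet-privateendpoints'

# 1. Private Link Scope with public network access disabled (the unchecked box in the portal).
#    Created through the generic resource cmdlet so only the ARM resource type and property are assumed.
$scopeRes = New-AzResource -ResourceGroupName $rg -Location $location `
    -ResourceType 'Microsoft.HybridCompute/privateLinkScopes' -ResourceName $scope `
    -ApiVersion '2022-03-10' -Properties @{ publicNetworkAccess = 'Disabled' } -Force

# 2. Private endpoint in the hub VNet pointing at the scope (group ID 'hybridcompute').
$conn = New-AzPrivateLinkServiceConnection -Name "$scope-conn" `
    -PrivateLinkServiceId $scopeRes.ResourceId -GroupId 'hybridcompute'
$pe = New-AzPrivateEndpoint -ResourceGroupName $rg -Name "pe-$scope" -Location $location `
    -Subnet $subnet -PrivateLinkServiceConnection $conn

# 3. Private DNS zones for the Arc endpoints (assumed names, verify against current docs),
#    linked to the hub VNet and attached to the endpoint so the A records are managed for you.
$zones = @('privatelink.his.arc.azure.com',
           'privatelink.guestconfiguration.azure.com',
           'privatelink.dp.kubernetesconfiguration.azure.com')
$zoneConfigs = foreach ($z in $zones) {
    $zone = New-AzPrivateDnsZone -ResourceGroupName $rg -Name $z
    New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $z `
        -Name "link-$($vnet.Name)" -VirtualNetworkId $vnet.Id | Out-Null
    New-AzPrivateDnsZoneConfig -Name ($z -replace '\.', '-') -PrivateDnsZoneId $zone.ResourceId
}
New-AzPrivateDnsZoneGroup -ResourceGroupName $rg -PrivateEndpointName $pe.Name `
    -Name 'default' -PrivateDnsZoneConfig $zoneConfigs | Out-Null

# 4. On the on-prem Windows DNS server (manual alternative to a resolver ruleset):
#    forward the privatelink zones over the VPN to the private resolver's inbound endpoint.
foreach ($z in $zones) {
    Add-DnsServerConditionalForwarderZone -Name $z -MasterServers '10.10.0.4'
}

# 5. On the server to be onboarded. First confirm the Arc hostnames resolve to private
#    addresses; a public IP here means DNS is not steering the agent to the endpoint.
$arcNames = 'gbl.his.arc.azure.com', "$location.his.arc.azure.com",
            'agentserviceapi.guestconfiguration.azure.com'
foreach ($n in $arcNames) {
    $ip = (Resolve-DnsName $n -Type A -ErrorAction Stop).IPAddress | Select-Object -First 1
    if ($ip -notmatch '^10\.') { throw "$n resolved to $ip, not a private address; fix DNS first" }
    '{0,-48} {1}' -f $n, $ip
}
# Then connect with the agent pinned to the scope (same as 'Private endpoint' in the portal form).
$ctx = Get-AzContext
azcmagent connect --resource-group $rg --location $location `
    --subscription-id $ctx.Subscription.Id --tenant-id $ctx.Tenant.Id `
    --cloud AzureCloud --private-link-scope $scopeRes.ResourceId
```

The `10.` check in step 5 assumes the hub address space is 10.0.0.0/8; adjust it to your own private ranges. Because public network access is disabled on the scope, a server whose DNS still returns public addresses will fail to connect rather than silently fall back to the internet, which is the behaviour you want.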
If you have a hybrid environment, check out the links in this article, and please leave feedback in the comments below.
Let me know if there are scenarios for hybrid management that you have questions about. It really helps make the blog better and more relevant to you.
And, really… that’s why we do it.
Cheers!
Pierre