Azure Networking: Private Link, Service Endpoints, and Bastion
Key Takeaways
- Azure Private Link enables you to access Azure PaaS services over a private endpoint within your VNet, eliminating exposure to the public internet.
- Service Endpoints extend VNet identity to Azure services, restricting access to your VNet without a private IP.
- Azure Bastion provides secure RDP and SSH connectivity to VMs directly through the Azure portal without exposing public IPs.
- Azure Firewall Manager provides centralized security policy and route management for cloud-based security perimeters.
- Private Link provides a private IP address for the service; Service Endpoints just restrict access at the network level.
Quick Answer: Private Link = access PaaS services via private IP in your VNet. Service Endpoints = restrict PaaS access to your VNet only. Azure Bastion = secure RDP/SSH to VMs via browser without public IPs.
Azure Private Link and Private Endpoints
Azure Private Link enables you to access Azure PaaS services (Storage, SQL Database, Cosmos DB, etc.) over a private endpoint in your Virtual Network.
How It Works
- A Private Endpoint is a network interface with a private IP address from your VNet
- Traffic between your VNet and the Azure service travels over the Microsoft backbone network
- The Azure service no longer has to be reachable from the public internet: once public network access is disabled on the resource, it is accessible only through the private endpoint
- DNS resolution maps the service's FQDN to the private IP address
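A quick way to confirm that the DNS step above actually happened, added here as an example (not code from Microsoft's documentation): resolve the service FQDN and check that every answer falls inside the VNet's address space. The VNet prefix, the hostnames and the canned DNS answers are constructed for the example; `resolve_all` is the function you would pass in against a live resolver.

```python
import ipaddress
import socket
from typing import Callable

# Constructed VNet address space for this example (hypothetical value).
VNET_PREFIXES = [ipaddress.ip_network("10.10.0.0/16")]


def resolve_all(fqdn: str) -> list[str]:
    """Live resolver: every IPv4 answer the local DNS returns for fqdn."""
    return sorted({i[4][0] for i in socket.getaddrinfo(fqdn, 443, socket.AF_INET)})


def classify(addrs: list[str], prefixes) -> str:
    """'private' if every answer is in the VNet, 'public' if none, 'mixed' if some, 'unresolved' if empty."""
    inside = [any(ipaddress.ip_address(a) in n for n in prefixes) for a in addrs]
    if not inside:
        return "unresolved"
    if all(inside):
        return "private"
    return "mixed" if any(inside) else "public"


def check_private_link(fqdn: str, prefixes=VNET_PREFIXES,
                       resolver: Callable[[str], list[str]] = resolve_all) -> dict:
    """Resolve fqdn and report whether clients would reach the private endpoint.
    A 'public' verdict means the privatelink.* Private DNS zone is missing or not
    linked to the VNet: traffic leaves the VNet, or fails once public access is off."""
    addrs = resolver(fqdn)
    return {"fqdn": fqdn, "addresses": addrs, "verdict": classify(addrs, prefixes)}


# Constructed DNS answers standing in for a live resolver (hypothetical hosts;
# 203.0.113.0/24 is documentation space used here for "public" addresses).
SAMPLE_ANSWERS = {
    "stexample.blob.core.windows.net": ["10.10.2.5"],                    # private endpoint NIC
    "sqlexample.database.windows.net": ["203.0.113.10"],                 # zone not linked
    "cosmosexample.documents.azure.com": ["10.10.2.6", "203.0.113.11"],  # partially covered
}


def sample_resolver(fqdn: str) -> list[str]:
    return SAMPLE_ANSWERS.get(fqdn, [])


if __name__ == "__main__":
    for host in SAMPLE_ANSWERS:
        r = check_private_link(host, resolver=sample_resolver)
        print(f"{r['verdict']:10} {r['fqdn']} -> {', '.join(r['addresses'])}")
```

Run it from a VM inside the VNet with the default resolver; a `public` or `mixed` verdict for a resource that is supposed to be private means the Private DNS zone link is missing and clients are bypassing the private endpoint.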
Benefits
| Benefit | Description |
|---|---|
| No public IP exposure | Azure services are accessed via private IP only |
| Data exfiltration protection | A private endpoint maps to one specific resource (for example a single storage account), so clients in the VNet cannot reach other accounts of the same service through it |
| Global connectivity | Connect from on-premises via VPN/ExpressRoute through the private endpoint |
| Cross-region | Private Endpoints work across Azure regions |
Service Endpoints
VNet Service Endpoints extend your VNet's identity to Azure services, allowing you to restrict access to Azure PaaS services to only your VNet.
Private Link vs. Service Endpoints
| Feature | Private Link (Private Endpoint) | Service Endpoint |
|---|---|---|
| IP type | Private IP from your VNet | Service still uses public IP |
| Accessibility | Only via private IP | Via VNet only (firewall rule) |
| On-premises access | Yes (via VPN/ExpressRoute) | Not via the endpoint; on-premises traffic needs separate IP firewall rules on the service |
| Data exfiltration protection | Yes (restricted to specific resource) | Limited |
| Cost | Per-hour + per-GB | Free |
| Recommended for | Most scenarios, especially production | Dev/test or cost-sensitive |
On the Exam: Private Link provides a private IP address for the PaaS service within your VNet (strongest network isolation). Service Endpoints restrict access to your VNet but the service still uses its public IP. Private Link is the recommended approach for production.
Azure Bastion
Azure Bastion provides secure and seamless RDP/SSH connectivity to your VMs directly from the Azure portal over TLS, without needing public IP addresses on VMs.
How Azure Bastion Works
- Deploy Azure Bastion to a dedicated subnet (AzureBastionSubnet) in your VNet
- Connect to any VM in the VNet or peered VNets directly from the Azure portal
- RDP/SSH traffic flows over TLS from your browser to the VM through Bastion
- No public IP needed on the VM — no exposure to the internet
Benefits
| Benefit | Description |
|---|---|
| No public IPs on VMs | VMs are not exposed to the internet for RDP/SSH |
| Browser-based | Connect via the Azure portal — no RDP/SSH client needed |
| TLS encryption | The browser-to-Bastion session runs over TLS on port 443; Bastion then opens the RDP/SSH session to the VM inside the VNet |
| Hardened | Bastion is a Microsoft-managed, hardened host (including against zero-day exploits); you do not patch or maintain it |
| No internet-facing NSG rules | VMs need no inbound RDP/SSH rule from the internet; the VM's NSG only has to allow 3389/22 from the AzureBastionSubnet |
On the Exam: Azure Bastion is the answer when a question asks about securely connecting to VMs without exposing RDP/SSH ports to the internet or without using public IP addresses.
What does Azure Private Link provide?
Which service provides secure RDP/SSH access to VMs without requiring public IP addresses?
What is the key difference between Private Link and Service Endpoints?