At a Glance
Goals
- You can explain how an Azure PaaS service is reached through a PrivateLink DNS name.
Prerequisites
- Access to a Corp Subscription is available.
PrivateLink
With so-called PrivateLink DNS entries, Azure PaaS services can be consumed as if they sat inside your own Virtual Network in Azure.
A Private Endpoint is created in that network and receives an IP address from the subnet's address range. Clients inside the network (and in networks peered or connected to it) then reach the service through this endpoint instead of over its public IP address.
Because the endpoint's IP address is assigned from the subnet and should never be hard-coded by clients, the service is addressed by its DNS name. The public name of the service (for Key Vault: [Name of the Key Vault].vault.azure.net) is a CNAME to a privatelink name (for Key Vault: [Name of the Key Vault].privatelink.vaultcore.azure.net), and the A record for that privatelink name is stored in a special private DNS zone in Azure (privatelink.vaultcore.azure.net) that is linked to the virtual network. Resolvers inside the network therefore receive the private IP address, resolvers outside the network receive the public one.
The following steps happen in sequence:
- A user creates a private endpoint for a service in Azure.
- An Azure Policy detects the new endpoint and creates the corresponding DNS records in the central private DNS zone.
Private Key Vault
The following guide describes the creation of a private Key Vault within a Virtual Network in Azure.
- Log in to the Portal.
- Enter Key Vaults in the global search field and select the Key Vaults service.
- Click Create.
- Enter the details for the Key Vault.
- Under the Networking tab, configure the following settings:
  - Clear the Enable public access checkbox.
  - Click Create a private endpoint.
  - Select the virtual network and subnet in which the private endpoint should be created.
  - Clear the Integrate with private DNS zone checkbox. The DNS records are created by the central policy described above; with integration enabled, the portal would create a separate private DNS zone in your own subscription instead.
- Click Review + create and then Create.
Note
After the Key Vault is created, it may take a few minutes for the correct DNS entries to be published.
After creation the private endpoint, and therefore the Key Vault as seen from the virtual network, has a private IP address in the address range of the virtual network. You can verify this from a machine inside the network with a DNS lookup in the terminal:
dig [Name of the Key Vault].vault.azure.net
The answer should contain a CNAME to [Name of the Key Vault].privatelink.vaultcore.azure.net and an A record with an address from the virtual network. If the A record is a public address, the lookup was made from outside the network or the DNS records have not been published yet.
Note
For communication with the Key Vault, always use the public URL. It has the form https://[Name of the Key Vault].vault.azure.net/. Do not use the privatelink name or the IP address directly: the TLS certificate is issued for the public name, and the private DNS zone makes sure that the public name resolves to the private IP address inside the network.
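As an added example that is not part of the original guide, the following script performs the portal steps above with the Azure CLI and turns the dig check into something you can run from a VM inside the network, for example as a post-deployment test. The resource names (rg-demo, vnet-demo, snet-pe, kv-demo-001), the address range 10.1.0.0/16 and the two sample dig answers are assumptions constructed for the example, not values from the guide. The az commands only run when you call create_private_keyvault yourself; everything else runs offline.

```shell
#!/bin/sh
# Added example (not from the guide): create a private Key Vault with the Azure CLI
# and verify that its public name resolves to an address inside the VNet.
# Assumed names: rg-demo, vnet-demo, snet-pe, kv-demo-001, VNet range 10.1.0.0/16.

# Same steps as the portal guide: public access off, private endpoint in the VNet,
# no private DNS zone integration (the central policy publishes the records).
create_private_keyvault() {
  rg=$1 vault=$2 vnet=$3 subnet=$4 location=$5
  az keyvault create --name "$vault" --resource-group "$rg" --location "$location" \
     --public-network-access Disabled --output none
  vault_id=$(az keyvault show --name "$vault" --resource-group "$rg" \
     --query id --output tsv)
  # group-id "vault" is the Key Vault sub-resource a private endpoint connects to
  az network private-endpoint create --name "pe-$vault" --resource-group "$rg" \
     --vnet-name "$vnet" --subnet "$subnet" \
     --private-connection-resource-id "$vault_id" --group-id vault \
     --connection-name "pe-$vault" --output none
}

# Dotted quad -> 32-bit integer
ip_to_int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# in_cidr IP NETWORK/BITS: exit 0 if IP lies inside the prefix
in_cidr() {
  ip=$(ip_to_int "$1")
  net=$(ip_to_int "${2%/*}")
  bits=${2#*/}
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# check_private_resolution "<output of dig +short NAME.vault.azure.net>" VNET_CIDR
# The privatelink CNAME alone proves nothing: it is also present when the name is
# resolved from the public internet. Only a final A record inside the VNet shows
# that the private endpoint is actually being used.
check_private_resolution() {
  out=$1 cidr=$2
  if ! printf '%s\n' "$out" | grep -q '\.privatelink\.vaultcore\.azure\.net\.$'; then
    echo "FAIL: no CNAME to privatelink.vaultcore.azure.net in the chain" >&2
    return 1
  fi
  ip=$(printf '%s\n' "$out" | grep -E '^[0-9]+(\.[0-9]+){3}$' | tail -n 1)
  if [ -z "$ip" ]; then
    echo "FAIL: no A record in the answer (records not published yet?)" >&2
    return 1
  fi
  if in_cidr "$ip" "$cidr"; then
    echo "OK: $ip is inside $cidr, traffic stays in the VNet"
    return 0
  fi
  echo "FAIL: $ip is outside $cidr, name resolves to the public endpoint" >&2
  return 1
}

# Constructed sample answers (not real lookups) for the two possible outcomes
SAMPLE_PRIVATE='kv-demo-001.privatelink.vaultcore.azure.net.
10.1.2.4'
SAMPLE_PUBLIC='kv-demo-001.privatelink.vaultcore.azure.net.
example-lb.trafficmanager.net.
203.0.113.10'

check_private_resolution "$SAMPLE_PRIVATE" 10.1.0.0/16
check_private_resolution "$SAMPLE_PUBLIC" 10.1.0.0/16 || true

# Live use from a VM inside the VNet: ./check.sh --live kv-demo-001 10.1.0.0/16
if [ "${1:-}" = "--live" ] && [ -n "${2:-}" ]; then
  check_private_resolution "$(dig +short "$2.vault.azure.net")" "${3:-10.1.0.0/16}"
fi
```

Run with --live from a machine inside the virtual network (dig must be installed) a few minutes after creation; from outside the network, or before the policy has published the records, the check is expected to fail, which is exactly the distinction the dig output in the guide is meant to show.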