Designing secure access to Azure Services

In an enterprise, when you connect to services hosted on the Azure platform, you need to make sure that your data (hosted in Azure) is not exposed to the public internet. By default, services hosted in Azure are reached over the public internet, and accessing sensitive data that way is not secure. To solve this, Azure provides two technologies: Azure Private Endpoint and Azure Private Link.

What is Azure Private Endpoint?

A Private Endpoint is a network interface created within your VNet to enable private access to a resource. The Private Endpoint takes a private IP address from the VNet and brings the service into the VNet, so the Azure resource effectively becomes part of your VNet. This means that:

1. The connection to the Azure resource travels over the Azure backbone instead of the public internet.

2. The Azure resource does not expose a public IP address; instead it is reached through a private IP address from the VNet. This removes the exposure to the public internet.

Azure Private Link enables access to Azure PaaS services (e.g. Azure SQL Database, Azure Synapse, Azure Blob Storage) by replacing the service's public endpoint with a private network connection. Once you have that private connection to the Azure service, you link it to the Private Endpoint in the consumer network, i.e. to a private IP address within the VNet where your consumer resources are placed.

For the sake of simplicity, this is a three-step process:

  1. Create a Private Endpoint for the consumer so the consumer can reach the resource privately.
  2. Create a Private Link so the Azure service's public endpoint is replaced with a private network connection.
  3. Link the Private Link with the Private Endpoint.

Here is the demo video on how we can implement this scenario.

Here is the PowerShell code used in the demo:

# Sign in, then create the resource group
Connect-AzAccount

## Set variables ##
$rg         = 'PrivateEndpointDemo-rg'
$loc        = 'eastus'
$vnet       = 'DemoVNet'
$webAppRG   = 'webapp-rg'
$WebAppName = 'pedemowebapp'

New-AzResourceGroup -Name $rg -Location $loc

## Create backend subnet config (this is where the VM and the private endpoint will live). ##
$subnetConfig = New-AzVirtualNetworkSubnetConfig -Name BackendSubnet -AddressPrefix 10.0.0.0/24

## Create Azure Bastion subnet (the subnet must be named AzureBastionSubnet). ##
$bastsubnetConfig = New-AzVirtualNetworkSubnetConfig -Name AzureBastionSubnet -AddressPrefix 10.0.1.0/24

## Create the virtual network. ##
$vnetParameters = @{
    Name              = $vnet
    ResourceGroupName = $rg
    Location          = $loc
    AddressPrefix     = '10.0.0.0/16'
    Subnet            = $subnetConfig, $bastsubnetConfig
}
$vnetInfo = New-AzVirtualNetwork @vnetParameters

## Create public IP address for the bastion host (the only public IP in this demo). ##
$publicIPParameters = @{
    Name              = 'BastionIP'
    ResourceGroupName = $rg
    Location          = $loc
    Sku               = 'Standard'
    AllocationMethod  = 'Static'
}
$publicip = New-AzPublicIpAddress @publicIPParameters

## Create bastion host ##
$bastionParameters = @{
    ResourceGroupName = $rg
    Name              = 'DemoBastion'
    PublicIpAddress   = $publicip
    VirtualNetwork    = $vnetInfo
}
New-AzBastion @bastionParameters

# Create a test VM

## Set credentials for the server admin account (prompts for username and password). ##
$cred = Get-Credential

## Create the network interface for the VM in BackendSubnet (no public IP). ##
$vmNICparameters = @{
    Name              = 'VMNic'
    ResourceGroupName = $rg
    Location          = $loc
    Subnet            = $vnetInfo.Subnets[0]
}
$nicVM = New-AzNetworkInterface @vmNICparameters

## Create a virtual machine configuration. ##
$NameAndSizeParameters = @{
    VMName = 'DemoVM'
    VMSize = 'Standard_DS1_v2'
}
$credentialParameters = @{
    ComputerName = 'DemoVM'
    Credential   = $cred
}
$skuParameters = @{
    PublisherName = 'MicrosoftWindowsServer'
    Offer         = 'WindowsServer'
    Skus          = '2019-Datacenter'
    Version       = 'latest'
}
$vmConfig = New-AzVMConfig @NameAndSizeParameters |
    Set-AzVMOperatingSystem -Windows @credentialParameters |
    Set-AzVMSourceImage @skuParameters |
    Add-AzVMNetworkInterface -Id $nicVM.Id

## Create the virtual machine ##
New-AzVM -ResourceGroupName $rg -Location $loc -VM $vmConfig

## Get a reference to the existing Web App (the PaaS service we want to reach privately) ##
$webapp = Get-AzWebApp -ResourceGroupName $webAppRG -Name $WebAppName

## Create the Private Link service connection to the Web App ('sites' is the App Service sub-resource). ##
$PrivateLinkParameters = @{
    Name                 = 'myConnection'
    PrivateLinkServiceId = $webapp.Id
    GroupId              = 'sites'
}
$privateLinkConnection = New-AzPrivateLinkServiceConnection @PrivateLinkParameters

## Disable private endpoint network policies on the backend subnet (required before placing a private endpoint in it). ##
$vnetInfo.Subnets[0].PrivateEndpointNetworkPolicies = 'Disabled'
$vnetInfo | Set-AzVirtualNetwork

## Create the private endpoint in BackendSubnet and attach the Private Link connection ##
$PrivateEndPointparameters = @{
    ResourceGroupName            = $rg
    Name                         = 'myPrivateEndpoint'
    Location                     = $loc
    Subnet                       = $vnetInfo.Subnets[0]
    PrivateLinkServiceConnection = $privateLinkConnection
}
New-AzPrivateEndpoint @PrivateEndPointparameters

## Create the private DNS zone for App Service so the app's hostname resolves to the private IP inside the VNet. ##
$PrivateDNSZoneParameters = @{
    ResourceGroupName = $rg
    Name              = 'privatelink.azurewebsites.net'
}
$zone = New-AzPrivateDnsZone @PrivateDNSZoneParameters

## Link the private DNS zone to the VNet. ##
$PrivateDNSVNetLinkParameters = @{
    ResourceGroupName = $rg
    ZoneName          = 'privatelink.azurewebsites.net'
    Name              = 'myLink'
    VirtualNetworkId  = $vnetInfo.Id
}
$link = New-AzPrivateDnsVirtualNetworkLink @PrivateDNSVNetLinkParameters

## Create the DNS zone configuration ##
$DnsConfigParameters = @{
    Name             = 'privatelink.azurewebsites.net'
    PrivateDnsZoneId = $zone.ResourceId
}
$config = New-AzPrivateDnsZoneConfig @DnsConfigParameters

## Create the DNS zone group on the private endpoint; this writes the A record for the app into the zone. ##
$ZoneGroupParameters = @{
    ResourceGroupName   = $rg
    PrivateEndpointName = 'myPrivateEndpoint'
    Name                = 'myZoneGroup'
    PrivateDnsZoneConfig = $config
}
New-AzPrivateDnsZoneGroup @ZoneGroupParameters
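Once the script has run, the point of the whole setup is that the app's hostname resolves to the private endpoint's IP and nowhere else. The following verification script is an added example, not part of the demo; it assumes the variables $rg and $WebAppName and the endpoint name 'myPrivateEndpoint' from the script above, and that steps 1 and 2 run from the management workstation with Az installed while step 3 is run on DemoVM through Bastion.

```powershell
## Verify the private path end to end (added example, not part of the original demo script).
## Assumes $rg, $WebAppName and the endpoint name 'myPrivateEndpoint' from the demo script.

# 1. The private endpoint connection must be approved and hold an IP from BackendSubnet (10.0.0.0/24).
$pe    = Get-AzPrivateEndpoint -ResourceGroupName $rg -Name 'myPrivateEndpoint'
$state = $pe.PrivateLinkServiceConnections[0].PrivateLinkServiceConnectionState.Status
$nic   = Get-AzNetworkInterface -ResourceId $pe.NetworkInterfaces[0].Id
$peIp  = $nic.IpConfigurations[0].PrivateIpAddress
if ($state -ne 'Approved') { throw "Private endpoint connection state is '$state', expected 'Approved'" }
if (-not $peIp.StartsWith('10.0.0.')) { throw "Endpoint IP $peIp is not in BackendSubnet (10.0.0.0/24)" }
Write-Output "Private endpoint approved with IP $peIp"

# 2. The zone group should have written an A record for the app into the private zone,
#    and that record must point at the endpoint's NIC, not at some stale address.
$records   = Get-AzPrivateDnsRecordSet -ResourceGroupName $rg -ZoneName 'privatelink.azurewebsites.net' -RecordType A
$appRecord = $records | Where-Object { $_.Name -eq $WebAppName }
if (-not $appRecord) { throw "No A record for $WebAppName in privatelink.azurewebsites.net" }
$zoneIp = $appRecord.Records[0].Ipv4Address
if ($zoneIp -ne $peIp) { throw "Zone record $zoneIp does not match endpoint IP $peIp" }
Write-Output "Private DNS zone maps $WebAppName to $zoneIp"

# 3. Run this part on DemoVM (connect via Bastion). Inside the VNet the public hostname
#    must follow the CNAME chain into the privatelink zone and end at the private IP.
#    If a public address comes back, the zone is not linked to the VNet or the VM uses a custom DNS server.
$hostname = "$WebAppName.azurewebsites.net"
$answers  = Resolve-DnsName -Name $hostname -Type A | Where-Object { $_.Type -eq 'A' }
$resolved = $answers.IPAddress
if ($resolved -notmatch '^10\.0\.0\.') {
    throw "$hostname resolved to $resolved from inside the VNet; traffic would leave via the public endpoint"
}
Write-Output "$hostname resolves to $resolved inside the VNet: private path confirmed"
```

If step 3 is run from a machine outside the VNet it will return the app's public address; that is expected and is exactly the difference the private DNS zone makes.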

Hope this helps!!
