Last updated: May 2026
Azure Networking · Intermediate · AZ-104 · 11 min read

Azure Private Endpoints

By default, Azure PaaS services (Storage, SQL, Key Vault, etc.) expose public endpoints that any client on the internet can reach, subject only to the service's own firewall and authentication. A Private Endpoint gives one specific service instance a private IP address inside your VNet, so traffic between your VNet and that instance is addressed to the private IP and stays on Microsoft's backbone; once it is in place you can switch the public endpoint off entirely. It is the most restrictive way to reach Azure PaaS services from a network.

What you'll learn
  • What Private Endpoints are and how they work
  • Azure Private Link
  • DNS configuration for private endpoints
  • Which services support Private Endpoints
  • Private Endpoints vs Service Endpoints
  • Creating Private Endpoints
  • Disabling public access after creating private endpoints

What are Private Endpoints?

A Private Endpoint is a network interface that takes a private IP address from one of your VNet subnets and is wired, through Azure Private Link, to one specific PaaS resource and sub-resource (for example the blob service of one storage account). Once created:

  • The service instance is reachable on a private IP in your VNet (e.g., 10.0.1.5)
  • Traffic from your VMs to the service is addressed to this private IP
  • Traffic stays inside the Microsoft network and never needs to reach a public endpoint
  • You can disable the public endpoint entirely so the private path is the only way in
ℹ️
Without a Private Endpoint, your VM connects to the storage account's public IP: VM → VNet → Azure Storage public endpoint. (From inside Azure that traffic still rides Microsoft's network rather than the open internet, but it arrives at the public endpoint, where the storage firewall sees it as just another public client, and the endpoint itself stays exposed to everyone else.) With a Private Endpoint: VM → VNet → private IP → Azure Storage, with no public endpoint needed at all.

Azure Private Link is the underlying technology that powers Private Endpoints. It also lets you expose your own services privately: a service of yours that sits behind a Standard Load Balancer in your VNet can be published as a Private Link service, and consumers in other VNets or subscriptions reach it through their own Private Endpoints, without VNet peering and even when their address spaces overlap with yours.

DNS Integration

DNS configuration is the most complex part of Private Endpoints, because the Private Endpoint does nothing until clients actually resolve the service name to its private IP. When you create a Private Endpoint for a storage account:

  1. The storage account keeps its public DNS name: mystorageaccount.blob.core.windows.net
  2. As soon as the Private Endpoint exists, Azure's public DNS turns that name into a CNAME to mystorageaccount.privatelink.blob.core.windows.net; with no private DNS configuration, that privatelink name still resolves (publicly) to the storage account's public IP, so clients keep using the public endpoint
  3. You need a Private DNS Zone named privatelink.blob.core.windows.net
  4. Add an A record in this zone: mystorageaccount → 10.0.1.5 (the Private Endpoint's IP); a DNS zone group attached to the Private Endpoint creates and maintains this record for you
  5. Link the Private DNS Zone to your VNet
  6. Now VMs in the VNet that use Azure-provided DNS follow the CNAME into the private zone and resolve mystorageaccount.blob.core.windows.net to the private IP
⚠️
DNS Must Be Configured Correctly A common mistake is creating the Private Endpoint but forgetting to configure DNS. Without proper DNS, your VMs still resolve the service to its public IP and keep using the public endpoint, defeating the purpose. Check it: run nslookup against the service name from a VM in the VNet and confirm the answer is an address from your subnet range. Two cases need extra work: VNets that use custom DNS servers only see the Private DNS Zone if those servers forward to Azure DNS (168.63.129.16) or a DNS Private Resolver, and on-premises resolvers need a conditional forwarder for the privatelink zone pointed at a resolver inside Azure.
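Because the misconfiguration above is silent (connections still succeed, just over the public endpoint), it is worth checking resolution mechanically. The script below is an added example, not code from the original article or from Microsoft: it takes the answer section of `dig +noall +answer <hostname>` (run it on a VM inside the VNet, and again from an on-premises host), confirms the chain passes through the privatelink CNAME, and confirms every A record is an RFC 1918 address. The two sample answers, the hostnames in them, and the 10.0.1.5 and 203.0.113.10 addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): does a PaaS hostname resolve
# through the privatelink CNAME to a private address for this client?
# Input is the answer section of: dig +noall +answer <hostname>

# is_rfc1918 IP: succeed if IP is inside 10/8, 172.16/12 or 192.168/16
is_rfc1918() {
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$1" "$2" "$3" "$4"; do
    case $octet in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  [ "$1" -eq 10 ] && return 0
  [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0
  [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && return 0
  return 1
}

# verify_private_resolution ANSWER_TEXT: succeed only if every A record in the
# dig answer is RFC 1918. Warn (but do not fail) if no privatelink CNAME is seen,
# since a hand-made A record in custom DNS would also be a valid private path.
verify_private_resolution() {
  answers=$1
  a_records=$(printf '%s\n' "$answers" | awk '$4 == "A" { print $5 }')
  cname_ok=$(printf '%s\n' "$answers" | awk '$4 == "CNAME" && $5 ~ /\.privatelink\./ { print "yes"; exit }')
  if [ -z "$a_records" ]; then
    echo "FAIL: no A records in answer"
    return 1
  fi
  if [ -z "$cname_ok" ]; then
    echo "WARN: no privatelink CNAME in the chain"
  fi
  status=0
  for ip in $a_records; do
    if is_rfc1918 "$ip"; then
      echo "OK:   $ip is private (Private Endpoint path in use)"
    else
      echo "FAIL: $ip is public (Private DNS Zone not linked, or A record missing)"
      status=1
    fi
  done
  return $status
}

# check_live HOSTNAME: same check against this machine's own resolver (needs dig)
check_live() {
  verify_private_resolution "$(dig +noall +answer "$1")"
}

# Constructed sample answers (not real captures).
# A client inside the VNet with the Private DNS Zone linked:
SAMPLE_PRIVATE='mystorageaccount.blob.core.windows.net. 60 IN CNAME mystorageaccount.privatelink.blob.core.windows.net.
mystorageaccount.privatelink.blob.core.windows.net. 10 IN A 10.0.1.5'

# The same name seen by a client whose resolver never consults the zone:
SAMPLE_PUBLIC='mystorageaccount.blob.core.windows.net. 60 IN CNAME mystorageaccount.privatelink.blob.core.windows.net.
mystorageaccount.privatelink.blob.core.windows.net. 60 IN CNAME blob.example-cluster.store.core.windows.net.
blob.example-cluster.store.core.windows.net. 60 IN A 203.0.113.10'

# Usage: sh check_pe_dns.sh mystorageaccount.blob.core.windows.net
case "${1:-}" in
  '') ;;
  *) check_live "$1" ;;
esac
```

The second sample is exactly what a misconfigured VM sees: the privatelink CNAME is present (Azure publishes it as soon as the Private Endpoint exists), but the chain ends at a public address. Run the check from on-premises as well; a public answer there means the conditional forwarder for the privatelink zone is missing.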

Private DNS Zone Names

Service                      | Private DNS Zone Name
Azure Storage (Blob)         | privatelink.blob.core.windows.net
Azure Storage (File)         | privatelink.file.core.windows.net
Azure Storage (Queue)        | privatelink.queue.core.windows.net
Azure Storage (Table)        | privatelink.table.core.windows.net
Azure Storage (Data Lake)    | privatelink.dfs.core.windows.net
Azure SQL Database           | privatelink.database.windows.net
Azure Key Vault              | privatelink.vaultcore.azure.net
Azure Cosmos DB (NoSQL API)  | privatelink.documents.azure.com

Each sub-resource of a service has its own zone, so a storage account reached over both blob and file needs two Private Endpoints and two zones.

Supported Services

Private Endpoints are supported by a wide range of Azure services including:

  • Azure Storage (Blob, File, Queue, Table, Data Lake)
  • Azure SQL Database and SQL Managed Instance
  • Azure Key Vault
  • Azure Cosmos DB
  • Azure App Service and Functions
  • Azure Kubernetes Service (AKS API server)
  • Azure Monitor (Log Analytics)
  • Azure Event Hubs and Service Bus

Private Endpoints vs Service Endpoints

Feature                        | Service Endpoints                                                         | Private Endpoints
Traffic path                   | Stays on the Azure backbone; destination is still the service's public IP | Fully private; destination is a private IP in your subnet
Service gets private IP?       | No, the service keeps only its public IP                                  | Yes, a private IP in your subnet
Scope of access                | The whole service (any instance, unless each instance's firewall limits it) | One named resource and sub-resource
Accessible from on-premises?   | No (VNet only)                                                            | Yes (via VPN/ExpressRoute)
DNS changes required?          | No                                                                        | Yes (Private DNS Zone)
Public access can be disabled? | Only narrowed via the service firewall; the public endpoint stays up      | Yes, fully
Cost                           | Free                                                                      | Per-endpoint charge (~₹500–800/month)
Security level                 | Good                                                                      | Highest
💡
Which to Choose? Service Endpoints are free and simpler, and are fine for restricting a service instance to your VNet from inside Azure. Private Endpoints give true private connectivity that also reaches on-premises networks (via VPN/ExpressRoute), remove the need for any public endpoint on the service, and bind the connection to one named resource, which is what stops a compromised VM from pushing data to an attacker's account of the same service. For compliance-sensitive workloads, use Private Endpoints.

Creating a Private Endpoint

Azure CLI: Create a private endpoint for Azure Storage
# Get the storage account resource ID
STORAGE_ID=$(az storage account show \
  --name mystorageaccount2026 \
  --resource-group myRG \
  --query id --output tsv)

# Create the private endpoint: a NIC in app-subnet wired to the blob sub-resource
az network private-endpoint create \
  --name myStoragePrivateEndpoint \
  --resource-group myRG \
  --vnet-name myVNet \
  --subnet app-subnet \
  --private-connection-resource-id "$STORAGE_ID" \
  --group-id blob \
  --connection-name myStorageConnection

# Create the Private DNS Zone for the blob sub-resource
az network private-dns zone create \
  --resource-group myRG \
  --name privatelink.blob.core.windows.net

# Link the zone to the VNet so VMs using Azure DNS see it
# (registration disabled: VMs must not auto-register their own names here)
az network private-dns link vnet create \
  --resource-group myRG \
  --zone-name privatelink.blob.core.windows.net \
  --name myDnsLink \
  --virtual-network myVNet \
  --registration-enabled false

# Attach a DNS zone group so Azure writes and maintains the A record
# (mystorageaccount2026 -> private IP) in the zone for you
az network private-endpoint dns-zone-group create \
  --resource-group myRG \
  --endpoint-name myStoragePrivateEndpoint \
  --name myZoneGroup \
  --private-dns-zone privatelink.blob.core.windows.net \
  --zone-name blob

Before moving on, verify two things: the private endpoint's connection state reported by az network private-endpoint show is Approved (a storage account you own auto-approves; a resource in another tenant needs the owner to approve), and a VM in the VNet resolves mystorageaccount2026.blob.core.windows.net to the private IP.

Disabling Public Access

After the Private Endpoint is approved and you have confirmed that resolution and access work over it, disable the public endpoint so the private route is the only route:

Azure CLI: Disable public access on storage account
# Deny all public-network traffic, including the "trusted Azure services" bypass,
# and switch the public endpoint off so only the private endpoint remains
az storage account update \
  --name mystorageaccount2026 \
  --resource-group myRG \
  --default-action Deny \
  --bypass None \
  --public-network-access Disabled

Two caveats. --bypass None also removes the exception for trusted Microsoft services (for example diagnostic-setting exports or Azure Backup writing into the account); if you rely on those, keep --bypass AzureServices or add resource-instance rules instead. And once public access is off, anything not coming through the VNet (including your own workstation browsing blob data in the portal) is refused, so make sure operators have a path in via VPN, ExpressRoute or a jump host first.
💡
AZ-104 Exam Tip Know that Private Endpoints give PaaS services a private IP in your VNet. Know that DNS must be configured (Private DNS Zone) for clients to resolve the service to its private IP. Know the difference from Service Endpoints — Private Endpoints are accessible from on-premises via VPN/ExpressRoute; Service Endpoints are not. Know that Private Endpoints are the more secure option.
📝 Practice Questions
Q1. What does a Private Endpoint give an Azure PaaS service?
A — A static public IP address
B — A private IP address from your VNet subnet
C — A VNet Peering connection to the service's VNet
D — A custom DNS name within your VNet
Q2. You create a Private Endpoint for Azure Storage but VMs still connect to the public endpoint. What is the most likely cause?
A — NSG rules are blocking the private endpoint connection
B — DNS is not configured — VMs resolve the storage name to the public IP without a Private DNS Zone
C — VNet Peering is missing between the VNet and the storage VNet
D — The storage account SKU doesn't support Private Endpoints
Q3. Can Private Endpoints be accessed from on-premises networks connected via VPN Gateway?
A — Yes — on-premises can reach the private IP via VPN Gateway or ExpressRoute
B — No — Private Endpoints only work within the VNet itself
C — Only via ExpressRoute, not VPN Gateway
D — Only with special on-premises configuration
Q4. What is the key difference between Service Endpoints and Private Endpoints?
A — Service Endpoints cost more than Private Endpoints
B — Private Endpoints give the service a private IP in your VNet and are accessible from on-premises; Service Endpoints do not
C — Service Endpoints support more Azure services than Private Endpoints
D — Service Endpoints route traffic over the public internet; Private Endpoints don't
Q5. What Private DNS Zone name is required for Private Endpoints connecting to Azure SQL Database?
A — privatelink.blob.core.windows.net
B — privatelink.database.windows.net
C — privatelink.vaultcore.azure.net
D — privatelink.sql.azure.com
Disclaimer: RedKite Cloud is an independent educational resource and is not affiliated with Microsoft Corporation.