Design 21: Private Link (Securing PaaS)

Summary

This design secures PaaS services (SQL, Storage, Key Vault) by giving them a Private IP inside your VNet using Private Link.

Topology: The Private Endpoint is deployed in the Spoke VNet. The Hub VNet provides DNS resolution (Private DNS Zones) so that all spokes can resolve the private IP.

1. Key Design Decisions (ADR)

ADR-01: Access Method

  • Decision: Use Private Endpoint.
  • Rationale: Disables Public Internet access to the SQL Database. Traffic stays on the Microsoft Backbone.

ADR-02: DNS Resolution

  • Decision: Use Central Private DNS Zones in Hub.
  • Rationale: A DNS Zone in every spoke is unmanageable. We create one Zone in the Hub and link each Spoke VNet to that same Zone, so all Spokes resolve the same private record.

2. High-Level Design (HLD)

+--------------+           +--------------------------+           +--------------+
|  Internet    |           |        HUB VNet          |           |  SPOKE VNet  |
|  (Blocked)   |    X      |      (DNS Resolver)      |           |              |
|              |           |                          |           |              |
+------+-------+           +------------+-------------+           +------+-------+
       |                                |                                |
       X (Deny)                         | (Peering)                      |
       |                                v                                v
+------+-------+           +------------+-------------+           +------+-------+
|  Azure SQL   |<----------| Private DNS Zone         |<----------|  VM          |
|  (PaaS)      |           | (privatelink.database...)|           |  (10.1.1.4)  |
+------+-------+           +--------------------------+           +------+-------+
       ^                                                                 |
       |                                                                 |
       +--------------------(Private Link 10.1.1.5)----------------------+

3. Low-Level Design (LLD)

                               PRIMARY REGION (East US)
+-----------------------------------------------------------------------+
| HUB VNet: vnet-hub (10.0.0.0/16)                                      |
|   +-----------------------+                                           |
|   | Private DNS Zone      |                                           |
|   | (privatelink.database)|                                           |
|   | Record: sql-prod ->   |                                           |
|   |         10.1.1.5      |                                           |
|   +-----------|-----------+                                           |
|               |                                                       |
|               v (Virtual Network Link)                                |
+---------------|-------------------------------------------------------+
                | (Peering)
+---------------|-------------------------------------------------------+
| SPOKE VNet: vnet-spoke (10.1.0.0/16)                                  |
|   +-----------------------+       +-----------------------+           |
|   | Subnet: Workload      |       | Subnet: PrivateLink   |           |
|   | [VM]                  |------>| [Private Endpoint]    |           |
|   |                       |       | (NIC: 10.1.1.5)       |           |
|   +-----------------------+       +-----------|-----------+           |
+-----------------------------------------------|-----------------------+
                                                |
                                                v
                                    +-----------------------+
                                    | Azure SQL Server      |
                                    | (Public Access: OFF)  |
                                    +-----------------------+

                                      |
                                      | (Failover Group)
                                      v

                               SECONDARY REGION (West US)
+-----------------------------------------------------------------------+
| DR SPOKE VNet                                                         |
|   +-----------------------+                                           |
|   | Private Endpoint (DR) |                                           |
|   | (10.3.1.5)            |                                           |
|   +-----------------------+                                           |
|               |                                                       |
|               v                                                       |
|   +-----------------------+                                           |
|   | SQL Replica           |                                           |
|   +-----------------------+                                           |
+-----------------------------------------------------------------------+

4. Component Rationale

  • Private Endpoint: A Network Interface (NIC) with a private IP from your subnet that connects you to one specific instance of a service.
  • Private DNS Zone: Essential. Without it, your app will still try to resolve sql.database.windows.net to the Public IP.

5. Strategy: High Availability (HA)

  • SLA: Private Link carries the SLA of the underlying service (e.g., SQL 99.99%).

6. Strategy: Disaster Recovery (DR)

  • Implementation: Multi-Region Private Endpoints.
  • Process:

* Create a Private Endpoint in the West US Spoke connected to the SQL Server.

* Update DNS in West US to point to the West US Private Endpoint IP.

7. Strategy: Backup

  • N/A: Private Link is a connectivity feature and holds no data; back up the SQL DB itself.

8. Strategy: Security

  • Exfiltration Protection: Private Link prevents data exfiltration because the Endpoint maps to a *specific* SQL instance, not *all* Azure SQL.
  • NSG: You can now apply NSGs to Private Endpoints (formerly a preview feature, now GA) to restrict access further.

9. Well-Architected Framework Analysis

  • Reliability: High.
  • Security: Excellent. Removes public exposure entirely.
  • Cost Optimization: Medium. You pay for Endpoint ($7/mo) + Data Processed ($0.01/GB).
  • Operational Excellence: Medium. DNS management is tricky.
  • Performance Efficiency: High. Low latency, high bandwidth backbone.

10. Detailed Traffic Flow

1. App: Connection String = tcp:sql-prod.database.windows.net.

2. DNS: VM asks DNS "Who is sql-prod?".

3. Resolver: Azure DNS sees the Private DNS Zone linked to the VNet.

4. Answer: Returns 10.1.1.5 (Private IP).

5. Traffic: VM sends packet to 10.1.1.5.

6. Link: Packet enters Private Endpoint -> Tunnel to SQL.

11. Runbook: Deployment Guide (Azure Portal)

Phase 1: Create Private DNS Zone (in Hub)

1. Search: "Private DNS zones" -> + Create.

2. Resource Group: rg-hub-dns (or rg-hub-prod).

3. Name: privatelink.database.windows.net (Exact name required for SQL).

4. Create.

5. Link to Hub:

* Go to the new Zone -> Virtual network links -> + Add.

* Name: link-to-hub.

* Virtual network: vnet-hub.

* OK.

6. Link to Spoke:

* + Add.

* Name: link-to-spoke.

* Virtual network: vnet-spoke (or vnet-workload).

* OK.

Phase 2: Create SQL Server (PaaS)

1. Search: "SQL servers" -> + Create.

2. Resource Group: Create rg-design21-sql.

3. Server name: sql-corp-prod-[uniqueid].

4. Location: East US.

5. Authentication:

* Use SQL authentication: Select.

* Server admin login: sqladmin.

* Password: SuperSecret123!.

6. Networking:

* Connectivity method: Private endpoint (This disables public access).

* Add private endpoint:

* Name: pe-sql.

* Subscription: Yours.

* Resource group: rg-design21-sql.

* Location: East US.

* Target sub-resource: sqlServer.

* Virtual network: vnet-spoke.

* Subnet: snet-workload (or snet-privatelink).

* Integrate with private DNS zone: Yes.

* Private DNS Zone: privatelink.database.windows.net.

* OK.

7. Create.
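Phases 1 and 2 as Azure CLI instead of portal clicks, added here as an example that is not part of the original runbook. It assumes (not stated on this page) that vnet-hub lives in rg-hub-prod, vnet-spoke in rg-spoke-prod with a subnet snet-privatelink, and that the admin password is supplied via an environment variable; the zone-name lookup also covers the Storage and Key Vault cases the Summary names.

```shell
#!/usr/bin/env bash
# Added example: Phases 1-2 of the runbook as Azure CLI. Assumed, not on the page:
# vnet-hub is in rg-hub-prod, vnet-spoke in rg-spoke-prod with subnet snet-privatelink,
# and the admin password is read from SQL_ADMIN_PASSWORD rather than hard-coded.
set -eu
# Private DNS zone each sub-resource (group id) needs. The name must be exact: the
# service's CNAME chain points only at these zones, so any other zone is never consulted.
private_dns_zone_for() {
  case "$1" in
    sqlServer) echo privatelink.database.windows.net ;;
    blob)      echo privatelink.blob.core.windows.net ;;
    vault)     echo privatelink.vaultcore.azure.net ;;
    *) echo "unknown sub-resource: $1" >&2; return 1 ;;
  esac
}
# link_zone <dns_rg> <zone> <link-name> <vnet_rg> <vnet> (Phase 1 steps 5-6);
# auto-registration off, the endpoint's DNS zone group writes the record instead.
link_zone() {
  local vnet_id
  vnet_id=$(az network vnet show -g "$4" -n "$5" --query id -o tsv)
  az network private-dns link vnet create -g "$1" -z "$2" -n "$3" -v "$vnet_id" -e false -o none
}
deploy() {
  local dns_rg=${DNS_RG:-rg-hub-dns} sql_rg=${SQL_RG:-rg-design21-sql} spoke_rg=${SPOKE_RG:-rg-spoke-prod}
  local server=${SQL_SERVER:-sql-corp-prod-changeme} zone sql_id subnet_id zone_id
  zone=$(private_dns_zone_for sqlServer)
  # Phase 1: one central zone in the hub, linked to hub and spoke.
  az group create -n "$dns_rg" -l eastus -o none
  az network private-dns zone create -g "$dns_rg" -n "$zone" -o none
  link_zone "$dns_rg" "$zone" link-to-hub   "${HUB_RG:-rg-hub-prod}" vnet-hub
  link_zone "$dns_rg" "$zone" link-to-spoke "$spoke_rg" vnet-spoke
  # Phase 2: SQL server with public network access off, then the private endpoint.
  az group create -n "$sql_rg" -l eastus -o none
  az sql server create -g "$sql_rg" -n "$server" -l eastus -u sqladmin \
    -p "${SQL_ADMIN_PASSWORD:?export a strong password first}" --enable-public-network false -o none
  sql_id=$(az sql server show -g "$sql_rg" -n "$server" --query id -o tsv)
  subnet_id=$(az network vnet subnet show -g "$spoke_rg" --vnet-name vnet-spoke \
    -n snet-privatelink --query id -o tsv)
  az network private-endpoint create -g "$sql_rg" -n pe-sql -l eastus --subnet "$subnet_id" \
    --private-connection-resource-id "$sql_id" --group-id sqlServer --connection-name pe-sql-conn -o none
  # "Integrate with private DNS zone: Yes" = a DNS zone group on the endpoint, which
  # writes the A record <server>.privatelink.database.windows.net -> NIC IP (10.1.1.5).
  zone_id=$(az network private-dns zone show -g "$dns_rg" -n "$zone" --query id -o tsv)
  az network private-endpoint dns-zone-group create -g "$sql_rg" --endpoint-name pe-sql \
    -n default --private-dns-zone "$zone_id" --zone-name sql -o none
}
# Run as: SQL_ADMIN_PASSWORD=... ./deploy-pe.sh deploy
if [ "${1:-}" = deploy ]; then deploy; fi
```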

Phase 3: Verify DNS Resolution

1. Go to Private DNS zones -> privatelink.database.windows.net.

2. Check for an A record named sql-corp-prod-[uniqueid].

3. It should have a Private IP (e.g., 10.1.1.5).

Phase 4: Verify Access

1. Login to a VM in the Spoke (or Hub).

2. Open Command Prompt.

3. Run: nslookup sql-corp-prod-[uniqueid].database.windows.net.

4. Result: It must resolve to 10.1.1.5.

* *If it resolves to a Public IP (e.g., 104.x.x.x), Private Link is NOT working.*

5. Connect: Use SSMS or sqlcmd to connect using the FQDN. It will route privately.
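The nslookup check in Phase 4 (and the DNS steps of the Traffic Flow in section 10), automated as an added example that is not part of the original runbook. It assumes a Linux VM in the Spoke with getent available, and that the PrivateLink subnet is 10.1.1.0/24; beyond the runbook it also flags a private answer that falls outside that subnet.

```shell
#!/usr/bin/env bash
# Added example: automates Phase 4 steps 3-4 and adds a stricter check that the
# answer lands in the spoke's PrivateLink subnet (assumed 10.1.1.0/24 here).
set -eu

# Dotted-quad IPv4 address -> 32-bit integer.
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if address $1 lies inside CIDR $2 (e.g. 10.1.1.5 10.1.1.0/24).
ip_in_cidr() {
  local net=${2%/*} bits=${2#*/} mask
  mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# The runbook's verdict: "private" for RFC 1918 space (Private Link is working),
# "public" for anything else (e.g. 104.x.x.x, the public SQL gateway: NOT working).
classify_resolution() {
  local cidr
  for cidr in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
    if ip_in_cidr "$1" "$cidr"; then echo private; return 0; fi
  done
  echo public; return 1
}

# Resolve the SQL FQDN from inside the spoke and require both a private answer
# and one inside the expected PrivateLink subnet (a private answer from another
# range usually means the VM is linked to a different zone or endpoint).
check_private_link() {
  local fqdn=$1 subnet=${2:-10.1.1.0/24} ip
  ip=$(getent hosts "$fqdn" | awk 'NR==1{print $1}') || true
  [ -n "$ip" ] || { echo "no answer for $fqdn"; return 2; }
  if ! classify_resolution "$ip" >/dev/null; then
    echo "$fqdn -> $ip is PUBLIC: Private Link is NOT working"; return 1
  fi
  ip_in_cidr "$ip" "$subnet" || { echo "$fqdn -> $ip is outside $subnet"; return 1; }
  echo "$fqdn -> $ip: resolved to the Private Endpoint"
}

# Usage: ./check-pe.sh sql-corp-prod-<uniqueid>.database.windows.net [10.1.1.0/24]
if [ $# -gt 0 ]; then check_private_link "$@"; fi
```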
