Design and implement private access to Azure Services Flashcards
What is a virtual network service endpoint?
A Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services. Service endpoints allow you to secure your critical Azure service resources to only your virtual networks. Service endpoints enable private IP addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address.
What 2 things must you do to implement service endpoints?
- Turn off public access to the service.
- Add the Service Endpoint to a virtual network.
What is a service tag?
A service tag represents a group of IP address prefixes from a given Azure service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change, minimizing the complexity of frequent updates to network security rules.
What is Azure Private Link?
Azure Private Link enables you to access Azure PaaS Services and Azure hosted customer-owned/partner services over a Private Endpoint in your virtual network.
How does private link mitigate the security risk of public endpoints?
Private Link provides secure access to Azure services. Private Link achieves that security by replacing a resource’s public endpoint with a private network interface.
What 3 key points must be considered with Private Link?
- The Azure resource becomes, in a sense, a part of your virtual network.
- The connection to the resource now uses the Microsoft Azure backbone network instead of the public internet.
- You can configure the Azure resource to no longer expose its public IP address, which eliminates that potential security risk.
What is Azure Private Endpoint?
Private Endpoint is the key technology behind Private Link. Private Endpoint is a network interface that enables a private and secure connection between your virtual network and an Azure service. In other words, Private Endpoint is the network interface that replaces the resource’s public endpoint.
How is Azure Private Endpoint different from a service endpoint?
Private Endpoints grant network access to specific resources behind a given service, providing granular segmentation. Traffic can reach the service resource from on-premises without using public endpoints.
A service endpoint remains a publicly routable IP address. A private endpoint is a private IP in the address space of the virtual network where the private endpoint is configured.
What are some specific needs that must be addressed before implementing private endpoints?
- A unique name with a resource group.
- A subnet to deploy and allocate private IP addresses from a virtual network.
- The Private Link resource to connect using resource ID or alias, from the list of available types. A unique network identifier is generated for all traffic sent to this resource.
- The subresource to connect. Each Private Link resource type has different options to select based on preference.
- An automatic or manual connection approval method. Based on Azure role-based access control (RBAC) permissions, your Private Endpoint can be approved automatically. For the manual method, the owner of the resource approves the connection.
- Only Private Endpoints in an approved state can be used to send traffic.
What are some other things to consider about private endpoints & private links?
- Clients initiate network connections. Connections can only be established in a single direction.
- Private Endpoint has a read-only network interface for the lifecycle of the resource. The interface is dynamically assigned private IP addresses from the subnet that maps to the Private Link resource. The value of the private IP address remains unchanged for the entire lifecycle of the Private Endpoint.
- The Private Endpoint must be deployed in the same region and subscription as the virtual network.
- The Private Link resource can be deployed in a different region than the virtual network and Private Endpoint.
- Multiple Private Endpoints can be created using the same Private Link resource.
- Multiple Private Endpoints can be created on the same or different subnets within the same virtual network.
Name some of the key benefits the Azure DNS recursive resolver provides.
- Enables the VM Agent to communicate with the Azure platform to signal that it is in a “Ready” state.
- Enables communication with the DNS virtual server to provide filtered name resolution. This filtering ensures customers can resolve only the hostnames of their resources.
- Enables health probes from Azure load balancer to determine the health state of virtual machines.
- Enables virtual machines to obtain a dynamic IP address from the DHCP service in Azure.
- Enables heartbeat messages for the PaaS role.
Explain briefly how on-prem workloads can resolve the FQDN of a private endpoint.
For on-premises workloads to resolve the FQDN of a Private Endpoint, use a DNS forwarder to resolve the Azure service public DNS zone in Azure. A DNS forwarder is a virtual machine running on the virtual network linked to the Private DNS Zone. The query must originate from the virtual network to Azure DNS. A few options for DNS proxies are: Windows running DNS services, Linux running DNS services, and Azure Firewall.