Quickstart: Create a Private Link service using Azure PowerShell

Get started creating a Private Link service that refers to your service. Give Private Link access to your service or resource deployed behind an Azure Standard Load Balancer. Users of your service have private access from their virtual network.

Diagram of resources created in private endpoint quickstart.

Prerequisites

  • An Azure account with an active subscription. Create a trial subscription.

  • Azure PowerShell.

    You can install Azure PowerShell locally to run the cmdlets. The steps in this article require Azure PowerShell module version 5.4.1 or later. Run Get-Module -ListAvailable Az to find your installed version. If you need to upgrade, see Update the Azure PowerShell module.

    If you run PowerShell locally, run Connect-AzAccount -Environment AzureChinaCloud to connect to Azure.

Create a resource group

An Azure resource group is a logical container into which Azure resources are deployed and managed.

Create a resource group with New-AzResourceGroup:

New-AzResourceGroup -Name 'test-rg' -Location 'chinaeast2'

Create an internal load balancer

In this section, you create a virtual network and an internal Azure Load Balancer.

Virtual network

In this section, you create a virtual network and subnet to host the load balancer that accesses your Private Link service.

## Create backend subnet config ##
$subnet = @{
    Name = 'subnet-1'
    AddressPrefix = '10.0.0.0/24'
}
$subnetConfig = New-AzVirtualNetworkSubnetConfig @subnet 

## Create the virtual network ##
$net = @{
    Name = 'vnet-1'
    ResourceGroupName = 'test-rg'
    Location = 'chinaeast2'
    AddressPrefix = '10.0.0.0/16'
    Subnet = $subnetConfig
}
$vnet = New-AzVirtualNetwork @net

Create standard load balancer

This section details how you can create and configure the following components of the load balancer:

## Place virtual network created in previous step into a variable. ##
$vnet = Get-AzVirtualNetwork -Name 'vnet-1' -ResourceGroupName 'test-rg'

## Create load balancer frontend configuration and place in variable. ##
$lbip = @{
    Name = 'frontend'
    PrivateIpAddress = '10.0.0.4'
    SubnetId = $vnet.subnets[0].Id
}
$feip = New-AzLoadBalancerFrontendIpConfig @lbip

## Create backend address pool configuration and place in variable. ##
$bepool = New-AzLoadBalancerBackendAddressPoolConfig -Name 'backend-pool'

## Create the health probe and place in variable. ##
$probe = @{
    Name = 'health-probe'
    Protocol = 'http'
    Port = '80'
    IntervalInSeconds = '360'
    ProbeCount = '5'
    RequestPath = '/'
}
$healthprobe = New-AzLoadBalancerProbeConfig @probe

## Create the load balancer rule and place in variable. ##
$lbrule = @{
    Name = 'http-rule'
    Protocol = 'tcp'
    FrontendPort = '80'
    BackendPort = '80'
    IdleTimeoutInMinutes = '15'
    FrontendIpConfiguration = $feip
    BackendAddressPool = $bePool
}
$rule = New-AzLoadBalancerRuleConfig @lbrule -EnableTcpReset

## Create the load balancer resource. ##
$loadbalancer = @{
    ResourceGroupName = 'test-rg'
    Name = 'load-balancer'
    Location = 'chinaeast2'
    Sku = 'Standard'
    FrontendIpConfiguration = $feip
    BackendAddressPool = $bePool
    LoadBalancingRule = $rule
    Probe = $healthprobe
}
New-AzLoadBalancer @loadbalancer

Disable network policy

Before a private link service can be created in the virtual network, the setting privateLinkServiceNetworkPolicies must be disabled.

## Place the subnet name into a variable. ##
$subnet = 'subnet-1'

## Place the virtual network configuration into a variable. ##
$net = @{
    Name = 'vnet-1'
    ResourceGroupName = 'test-rg'
}
$vnet = Get-AzVirtualNetwork @net

## Set the policy as disabled on the virtual network. ##
($vnet | Select -ExpandProperty subnets | Where-Object {$_.Name -eq $subnet}).privateLinkServiceNetworkPolicies = "Disabled"

## Save the configuration changes to the virtual network. ##
$vnet | Set-AzVirtualNetwork

In this section, create a private link service that uses the Standard Azure Load Balancer created in the previous step.

## Place the virtual network into a variable. ##
$vnet = Get-AzVirtualNetwork -Name 'vnet-1' -ResourceGroupName 'test-rg'

## Create the IP configuration for the private link service. ##
$ipsettings = @{
    Name = 'ipconfig-1'
    PrivateIpAddress = '10.0.0.5'
    Subnet = $vnet.subnets[0]
}
$ipconfig = New-AzPrivateLinkServiceIpConfig @ipsettings

## Place the load balancer frontend configuration into a variable. ##
$par = @{
    Name = 'load-balancer'
    ResourceGroupName = 'test-rg'
}
$fe = Get-AzLoadBalancer @par | Get-AzLoadBalancerFrontendIpConfig

## Create the private link service for the load balancer. ##
$privlinksettings = @{
    Name = 'private-link-service'
    ResourceGroupName = 'test-rg'
    Location = 'chinaeast2'
    LoadBalancerFrontendIpConfiguration = $fe
    IpConfiguration = $ipconfig
}
New-AzPrivateLinkService @privlinksettings

Your private link service is created and can receive traffic. If you want to see traffic flows, configure your application behind your standard load balancer.

Create private endpoint

In this section, you map the private link service to a private endpoint. A virtual network contains the private endpoint for the private link service. This virtual network contains the resources that access your private link service.

Create private endpoint virtual network

## Create backend subnet config ##
$subnet = @{
    Name = 'subnet-pe'
    AddressPrefix = '10.1.0.0/24'
}
$subnetConfig = New-AzVirtualNetworkSubnetConfig @subnet 

## Create the virtual network ##
$net = @{
    Name = 'vnet-pe'
    ResourceGroupName = 'test-rg'
    Location = 'chinaeast2'
    AddressPrefix = '10.1.0.0/16'
    Subnet = $subnetConfig
}
$vnetpe = New-AzVirtualNetwork @net

Create endpoint and connection

## Place the private link service configuration into variable. ##
$par1 = @{
    Name = 'private-link-service'
    ResourceGroupName = 'test-rg'
}
$pls = Get-AzPrivateLinkService @par1

## Create the private link configuration and place in variable. ##
$par2 = @{
    Name = 'connection-1'
    PrivateLinkServiceId = $pls.Id
}
$plsConnection = New-AzPrivateLinkServiceConnection @par2

## Place the virtual network into a variable. ##
$par3 = @{
    Name = 'vnet-pe'
    ResourceGroupName = 'test-rg'
}
$vnetpe = Get-AzVirtualNetwork @par3

## Create private endpoint ##
$par4 = @{
    Name = 'private-endpoint'
    ResourceGroupName = 'test-rg'
    Location = 'chinaeast2'
    Subnet = $vnetpe.subnets[0]
    PrivateLinkServiceConnection = $plsConnection
}
New-AzPrivateEndpoint @par4 -ByManualRequest

Approve the private endpoint connection

In this section, you approve the connection you created in the previous steps.

## Place the private link service configuration into variable. ##
$par1 = @{
    Name = 'private-link-service'
    ResourceGroupName = 'test-rg'
}
$pls = Get-AzPrivateLinkService @par1

$par2 = @{
    Name = $pls.PrivateEndpointConnections[0].Name
    ServiceName = 'private-link-service'
    ResourceGroupName = 'test-rg'
    Description = 'Approved'
    PrivateLinkResourceType = 'Microsoft.Network/privateLinkServices'
}
Approve-AzPrivateEndpointConnection @par2

IP address of private endpoint

In this section, you find the IP address of the private endpoint that corresponds with the load balancer and private link service.

## Get private endpoint and the IP address and place in a variable for display. ##
$par1 = @{
    Name = 'private-endpoint'
    ResourceGroupName = 'test-rg'
    ExpandResource = 'networkinterfaces'
}
$pe = Get-AzPrivateEndpoint @par1

## Display the IP address by expanding the variable. ##
$pe.NetworkInterfaces[0].IpConfigurations[0].PrivateIpAddress
❯ $pe.NetworkInterfaces[0].IpConfigurations[0].PrivateIpAddress
10.1.0.4

Clean up resources

When no longer needed, you can use the Remove-AzResourceGroup command to remove the resource group, load balancer, and the remaining resources.

Remove-AzResourceGroup -Name 'test-rg'

Next steps

In this quickstart, you:

  • Created a virtual network and internal Azure Load Balancer.

  • Created a private link service

To learn more about Azure Private endpoint, continue to: