How to Create a Private Link Service in Azure

Ajin Joseph



*Expose internal services privately and securely using Azure Private Link*

Tags: azure, networking, privatelink, cloud-security

Azure Private Link enables you to expose your services privately—over the Azure backbone—without requiring public IPs. This blog walks you through **creating a Private Link Service (PLS)** in Azure, which can be consumed by other virtual networks or tenants using Private Endpoints.

---

## 🧠 What is Azure Private Link Service?

A **Private Link Service** lets you **expose a service hosted behind a Standard Load Balancer** (e.g., a VM, VMSS, or NVA) to **other VNets or tenants** securely, via Private Endpoints.

This ensures:
- No public IP is needed to expose your service
- Data remains on the Microsoft backbone
- You control who can access the service

---

## 🛠 Prerequisites

To get started, ensure the following:

- ✅ A **Standard SKU Load Balancer**
- ✅ A running **backend service** (e.g., VM)
- ✅ A **Virtual Network and Subnet**
- ✅ Sufficient **RBAC permissions** (Contributor or Owner)

---

## 🚀 Step-by-Step Guide

### 1️⃣ Create a Standard Load Balancer

> Private Link Service only supports **Standard SKU** Load Balancer.

- **Frontend IP**: Use private or public
- **Backend Pool**: Add your backend VMs
- **Health Probe**: Configure HTTP/TCP probe
- **Load Balancing Rule**: Set up rules to forward traffic

```bash
# Standard SKU is required: Private Link Service does not support Basic load balancers
az network lb create \
  --resource-group myRG \
  --name myLoadBalancer \
  --sku Standard \
  --frontend-ip-name myFrontendConfig \
  --backend-pool-name myBackendPool \
  --vnet-name myVnet \
  --subnet mySubnet
```

### 2️⃣ Configure Your Backend Service

Ensure your VM(s):

- Are reachable from the Load Balancer
- Have correct NSG rules for LB health probes and inbound traffic
- Are running your service on the desired port (e.g., TCP 443)

### 3️⃣ Create the Private Link Service

📌 **Azure Portal**

1. Search for "Private Link Service" and click **Create**
2. Provide the basic details:
   - Name
   - Region (must match the Load Balancer's region)
   - VNet and Subnet
3. Select the Load Balancer Frontend IP
4. Assign the Backend Pool
5. Configure auto-approval or specify a subscription allowlist

📌 **Azure CLI**

```bash
# The PLS attaches to the load balancer's frontend IP configuration;
# the backend pool stays on the load balancer itself.
az network private-link-service create \
  --name myPLS \
  --resource-group myRG \
  --vnet-name myVnet \
  --subnet mySubnet \
  --lb-name myLoadBalancer \
  --lb-frontend-ip-configs myFrontendConfig
```

### 4️⃣ Consumer Creates a Private Endpoint

- The consumer uses your PLS alias or resource ID
- They create a Private Endpoint in their own VNet
- You receive a connection request, which you approve (unless auto-approval applies)

## 🔐 Security Best Practices

- 🛡️ Restrict access to an allowlist of approved subscriptions
- 🔍 Use Network Watcher to monitor traffic
- 🔐 Ensure NSGs allow only the required traffic
- 🧾 Enable diagnostic logging for traceability
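The approval step in step 4 and the subscription allowlist above can be combined into one triage pass over the PLS's pending connection requests. This is an added example, not code from the original post: the sample connection list is constructed here, shaped like the `privateEndpointConnections` array of a Private Link Service resource, and the subscription IDs, PLS name and resource group are made-up placeholders.

```python
# Constructed sample (not real output) shaped like the privateEndpointConnections
# array on a Private Link Service resource. Subscription GUIDs are placeholders.
SAMPLE_PLS = {
    "name": "myPLS",
    "privateEndpointConnections": [
        {"name": "pe-bank-1.abc123",
         "privateEndpoint": {"id": "/subscriptions/11111111-1111-1111-1111-111111111111"
                                   "/resourceGroups/bank-rg/providers/Microsoft.Network/privateEndpoints/pe-bank-1"},
         "privateLinkServiceConnectionState": {"status": "Pending", "description": "Please approve"}},
        {"name": "pe-unknown.def456",
         "privateEndpoint": {"id": "/subscriptions/99999999-9999-9999-9999-999999999999"
                                   "/resourceGroups/x-rg/providers/Microsoft.Network/privateEndpoints/pe-unknown"},
         "privateLinkServiceConnectionState": {"status": "Pending", "description": ""}},
        {"name": "pe-old.ghi789",
         "privateEndpoint": {"id": "/subscriptions/11111111-1111-1111-1111-111111111111"
                                   "/resourceGroups/bank-rg/providers/Microsoft.Network/privateEndpoints/pe-old"},
         "privateLinkServiceConnectionState": {"status": "Approved", "description": "Auto-approved"}},
    ],
}

# Subscriptions the provider has agreed to serve (placeholder GUID).
ALLOWED_SUBSCRIPTIONS = {"11111111-1111-1111-1111-111111111111"}


def subscription_of(resource_id):
    """Extract the subscription GUID from an ARM resource ID (lower-cased for comparison)."""
    parts = resource_id.strip("/").split("/")
    if len(parts) < 2 or parts[0].lower() != "subscriptions":
        raise ValueError(f"not an ARM resource id: {resource_id}")
    return parts[1].lower()


def triage_pending(pls, allowed):
    """Return (connection name, requesting subscription, decision) for each Pending request.

    Requests from allowlisted subscriptions are marked Approved, all others Rejected;
    connections that are already Approved or Rejected are left alone."""
    decisions = []
    for conn in pls.get("privateEndpointConnections", []):
        if conn["privateLinkServiceConnectionState"]["status"] != "Pending":
            continue
        sub = subscription_of(conn["privateEndpoint"]["id"])
        decisions.append((conn["name"], sub, "Approved" if sub in allowed else "Rejected"))
    return decisions


def approval_command(pls_name, resource_group, connection_name, decision):
    """Render the CLI call that records a decision on one connection."""
    return (f"az network private-link-service connection update --resource-group {resource_group} "
            f"--service-name {pls_name} --name {connection_name} --connection-status {decision}")


if __name__ == "__main__":
    for name, sub, decision in triage_pending(SAMPLE_PLS, ALLOWED_SUBSCRIPTIONS):
        print(f"{name}: requested by subscription {sub} -> {decision}")
        print("  " + approval_command("myPLS", "myRG", name, decision))
```

Run the printed commands only after reviewing the decisions; the script itself never calls `az`.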

## 🧩 Real-World Use Case

Imagine you're a SaaS provider hosting a service on a VM in Azure. Your client (e.g., a bank or enterprise) wants to connect securely, without exposing your service to the internet.

Solution:

- You create a PLS behind a Load Balancer
- Share the PLS alias with the client
- They create a Private Endpoint from their network
- You approve it, and traffic flows securely via the Azure backbone 💡

## 📘 Summary

| Component | Purpose |
|---|---|
| Load Balancer | Fronts your backend service |
| PLS | Exposes the service to be consumed privately |
| Private Endpoint | Consumer's way to access your service over a private IP |
| NSG Rules | Enforce traffic policies |

## 📦 Tech Stack Used

- Azure Virtual Network (VNet)
- Azure Load Balancer (Standard SKU)
- Azure Private Link Service (PLS)
- Azure Private Endpoint
- Azure CLI / Portal

## 📅 What's Next?

In future posts, I'll cover:

- ✅ Automating PLS creation with Bicep/Terraform
- ✅ Using PLS with Azure Kubernetes Service (AKS)
- ✅ Auditing and monitoring Private Link access

Stay tuned! 🚀


If you found this helpful, do give a 💖 or drop a comment on @ajin-cloudjourney. Follow for more Azure deep dives!


## 🙋‍♂️ About Me

I'm a Cloud Solution Architect working with Azure, AKS, and secure SaaS platforms. Follow me for more deep dives on Kubernetes, cloud architecture, and DevOps.

Connect: LinkedIn | Blog: ajin-cloudjourney.hashnode.dev
