What is Azure Private Link?
Azure Private Link is a service that provides private connectivity from a virtual network (VNET) to Azure platform as a service (PaaS), customer-owned, or Microsoft partner services. As organizations look to refactor their legacy workloads to leverage Azure’s rich PaaS offerings, publish their own applications for customer consumption, or leverage partner solutions, Private Link offers a way for customers to do this over private connections rather than public endpoints.
Focusing on the use case of consuming PaaS solutions via Private Link, Azure also provides a DNS integration feature that makes access to these private endpoints much easier. When enabled, the DNS integration feature creates a private DNS zone containing the private endpoint IP address for the FQDN of the service being accessed.
Because PaaS services are initially provisioned with FQDNs that resolve to public IP addresses, this allows for easier integration at the application level when accessing Private Link resources. Using this method, application owners do not have to make any changes when accessing their Blob storage account or SQL Database: they keep using the same FQDN, and Azure resolves it to the private IP rather than the public IP.
This solution works great when the compute nodes accessing these services are located within Azure; however, additional steps must be taken if the source is on-prem or, for example, a remote user connected via VPN. In these instances, the DNS integration that Azure provides is limited, because those sources cannot query the Azure private DNS zone and so still resolve the FQDN to the public IP. The same problem exists when the sources are in other cloud providers such as AWS or GCP.
How can Aviatrix help with Azure Private Link?
Aviatrix Multi-Cloud Private Link (AMP) for PaaS is a solution designed to fill in some of these gaps in the current Private Link for PaaS deployment models for Azure. Leveraging the Aviatrix platform and third-party integrations, Aviatrix has produced the architecture below to provide easy access to these Private Link-enabled PaaS services, regardless of where the source resides. Whether the source is a remote VPN user, an on-prem user in a data center, or an application residing in AWS, the AMP architecture for Azure can provide private access to PaaS resources through Private Link.
The AMP architecture leverages Azure Private Link with DNS Integration and extends this functionality by using the Aviatrix platform to provide transit capabilities to all sources while leveraging a DNS proxy solution to handle DNS resolution for non-Azure sources. Using this architecture, remote VPN users, on-prem DC or branch users, and even users or applications in other clouds can leverage private connectivity to a PaaS resource using Private Link in Azure.
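The DNS behaviour described in the two sections above (the private zone that Azure's DNS integration creates, the gap for sources that cannot see that zone, and the conditional forwarding a DNS proxy provides for non-Azure sources) as an added Python example. This is not code from the original post or from Aviatrix; it models the resolution chain with constructed records. Azure really does publish a public CNAME from the service FQDN to a name under `privatelink.<service>` and places the A record in the linked private zone, but the account name `contoso`, the addresses `20.60.1.2` and `10.1.2.4`, and the resolver functions are all assumptions made for the example.

```python
import ipaddress

# Constructed sample records (not real Azure data). Azure publishes a public
# CNAME from the service FQDN to a name under privatelink.<service>; the
# private DNS zone linked to the VNET holds the A record for that name.
PRIVATELINK_ZONE = "privatelink.blob.core.windows.net"

PUBLIC_DNS = {
    "contoso.blob.core.windows.net": ("CNAME", "contoso." + PRIVATELINK_ZONE),
    "contoso." + PRIVATELINK_ZONE: ("A", "20.60.1.2"),  # made-up public endpoint IP
}

# Private DNS zone that Azure creates when DNS integration is enabled (constructed).
PRIVATE_ZONE = {
    "contoso." + PRIVATELINK_ZONE: ("A", "10.1.2.4"),  # made-up private endpoint IP
}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def resolve(name, lookup, max_depth=8):
    """Chase CNAMEs through the caller-supplied lookup until an A record is found."""
    for _ in range(max_depth):
        record = lookup(name)
        if record is None:
            return None
        rtype, value = record
        if rtype == "A":
            return value
        name = value  # CNAME: continue with the target name
    raise RuntimeError("CNAME chain too long for %s" % name)


def azure_vnet_resolver(name):
    """Azure-provided DNS inside the VNET: the linked private zone wins over public DNS."""
    return resolve(name, lambda n: PRIVATE_ZONE.get(n) or PUBLIC_DNS.get(n))


def onprem_resolver(name, forwarders=()):
    """A data-center or branch resolver with optional conditional forwarders.

    forwarders is a sequence of (zone_suffix, resolver) pairs; names under a
    suffix are handed to that resolver (the role the DNS proxy plays for
    non-Azure sources). Everything else goes to public DNS.
    """
    def lookup(n):
        for suffix, target in forwarders:
            if n == suffix or n.endswith("." + suffix):
                ip = target(n)
                return ("A", ip) if ip else None
        return PUBLIC_DNS.get(n)
    return resolve(name, lookup)


def uses_private_endpoint(fqdn, resolver):
    """Return (ip, True) if fqdn resolves to an RFC1918 address, i.e. the private endpoint.

    A client that resolves a Private Link FQDN to a public address is about to
    send its traffic to the public endpoint, which is the condition to detect.
    """
    ip = resolver(fqdn)
    if ip is None:
        return None, False
    addr = ipaddress.ip_address(ip)
    return ip, any(addr in net for net in RFC1918)


if __name__ == "__main__":
    fqdn = "contoso.blob.core.windows.net"
    with_forwarder = lambda n: onprem_resolver(n, [(PRIVATELINK_ZONE, azure_vnet_resolver)])
    print("in-VNET:              ", uses_private_endpoint(fqdn, azure_vnet_resolver))
    print("on-prem, no forwarder:", uses_private_endpoint(fqdn, onprem_resolver))
    print("on-prem, forwarder:   ", uses_private_endpoint(fqdn, with_forwarder))
```

Only the `privatelink.*` zone is forwarded to the Azure-side resolver, not all of `blob.core.windows.net`, so storage accounts without a private endpoint keep resolving through public DNS as before. The `uses_private_endpoint` check is also what a defender would want to log or alert on: an in-scope client resolving a Private Link FQDN to a public address means its traffic is bypassing the private endpoint.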
In addition to providing connectivity from all sources, the Aviatrix platform adds network and security features to these Private Link data flows. For example, private endpoints can be isolated in a secured VNET that is only reachable through an NGFW. In addition, all of the troubleshooting and visibility options native to the Aviatrix platform can be applied to these private endpoints for day-2 operational control.
To learn more about how the Aviatrix AMP Architecture can help your organization leverage Azure private link for private access to PaaS resources or see a demo of this architecture, please reach out to info@aviatrix.com and schedule some time with our solutions architects today!