
Secure your Azure Network with Private Link and Endpoints

By default, many Azure services have public endpoints exposed to the internet. This increases exposure to attacks and accidental data leaks.

To mitigate this, Azure offers several options for connecting and accessing services privately over the Microsoft backbone. In this article, we’ll break down:

  • Azure Private Link
  • Private Endpoints
  • Private Link Service
  • Service Endpoints

You’ll learn how they differ, and how each can enable secure, private connectivity for your Azure services. 

Author: Niels Kroeze, IT Business Copywriter. Published: 10 October 2025. Reading time: 7 minutes.

In short:

  • Private endpoints are virtual network interfaces for PaaS services in Azure. They give the service a private IP address in your virtual network, are reachable from on-premises over VPN or ExpressRoute, and are the most secure way to protect your workload. They require DNS integration. Each private endpoint costs around $7–8 per month, plus a small charge per GB of data processed. 
  • Private Link connects private endpoints to PaaS services. Traffic traverses the Microsoft backbone. 
  • Private Link Service exposes your own service, running behind an Azure Standard Load Balancer, to private endpoints in other subscriptions or tenants, with visibility and approval controls. 
  • Service endpoints are enabled on a subnet; the PaaS resource's firewall then admits only that subnet. They remain susceptible to data exfiltration. There is no cost, but on-premises access is not possible without a private endpoint. 

What is Azure Private Link? 

Azure Private Link keeps traffic to PaaS services on the Azure network and off the public internet: connections are routed over Microsoft's private backbone instead of the internet, so the service is reached without ever being exposed to it.

  • It uses Microsoft's private network to reach PaaS services. 
  • Customer traffic travelling between Azure data centres is encrypted at the data-link layer with IEEE 802.1AE MACsec, which protects against wiretapping and tampering on the physical links. This is transport protection inside Microsoft's network, not a replacement for TLS on the application connection itself. 
  • Combined with disabling public network access on the service, it removes internet access to the PaaS service. A private endpoint on its own does not switch the public endpoint off. 
  • Private access options are available for storage, AVD, and many other PaaS services. 

Most Azure services are reachable over the public internet by default, but some of them should not be available online at all. A storage account, for example, is available over the internet by default; when it hosts sensitive data that should never be online, you want to prevent exactly that.  

Private Link lets you reach such services securely without using the internet. Services designed for public internet access still need a way to be connected to your private virtual network in Azure, though. That is the job of the private endpoint. 

 


What is a Private Endpoint? 

A private endpoint is a virtual network interface (NIC) that connects a PaaS service to a customer's virtual network. Once created, the service gets a private IP address in your subnet, and you reach it on that address from your private network.  

Take again the storage account: we create a private endpoint for it in our virtual network and use that instead of the public endpoint to connect to the account. Once public network access on the account is disabled as well, the account is no longer reachable over the Internet. 

 


What is a Private Link Service? 

A Private Link Service is your own service, running behind an Azure Standard Load Balancer in your virtual network, exposed through Private Link. It is the way to offer IaaS-based services, such as a web application, to consumers who connect with a private endpoint in their own virtual network.  

This is an excellent option if you have a service that you want to make available to clients or customers but that should not be reachable over the Internet. The client does not need a VPN connection to your network to keep the traffic private. 


How Private Link and Private Endpoint connect

Let's now explore how these different network security technologies work by explaining it with a use case: 

Imagine two unrelated companies, each with its own tenant and environment.  

Company A has: 

  • One subscription: A1 
  • A virtual network (Vnet): A10 

Company B has:  

Two subscriptions: B1 and B2.  

  • In subscription B1, there are two virtual networks: B10 and B11. B10 contains a virtual machine.  
  • In the B2 subscription, there’s a virtual network: B20. 

In addition, Company B has an on-premises environment with DNS and other servers. The image below gives you a better idea of what this might look like: 


Private endpoint 

In the B1 subscription, if you create a storage account without a private endpoint, it is accessed through its public DNS name (e.g. <account>.blob.core.windows.net).  

  • Access from the VM in B10 stays on the Microsoft backbone, but you have little control over this traffic in terms of access and flow: the account still answers on its public endpoint.  
  • Access from the on-premises environment goes over the public internet. The storage account must allow public connections, which is why this is not very secure: you have to traverse an external network. 

Creating a private endpoint for the storage account is like adding a network card for the account to your virtual network: 

  • It gets a private IP address within the subnet. 
  • Private Link connects the private endpoint to the storage account. 
  • Traffic flows over the Microsoft backbone. 
  • You can control access with network security groups and firewall rules. For NSG and route-table rules to apply to private endpoint traffic, private endpoint network policies must be enabled on the subnet. To actually remove the public path, also disable public network access on the storage account itself; the private endpoint alone does not do that. 

Traffic from on-premises can reach the storage account privately through a VPN tunnel or ExpressRoute circuit that connects Company B's on-premises network with its Azure subnets, without passing through the public internet.

Note:

Proper DNS configuration is required for this setup to work. The storage account's public name (<account>.blob.core.windows.net) must resolve to the private endpoint's IP address. This is normally done with a privatelink.blob.core.windows.net private DNS zone linked to the virtual network, and on-premises DNS servers must forward that zone to a DNS forwarder or Azure DNS Private Resolver in Azure. If the name still resolves to a public IP, clients bypass the private endpoint, or are refused once public access is disabled.
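As an added example (not code from the original article), the private endpoint setup described above for Company B's storage account, expressed in Bicep: the account with public network access disabled, a private endpoint in VNet B10 for the blob sub-resource, and the private DNS zone and zone group that make the public name resolve to the private IP. All resource names, the storage account name and the address range are assumptions for illustration.

```bicep
// Added example, not from the original article. Names and address ranges are assumed.
param location string = resourceGroup().location
param storageAccountName string = 'stcompanybdata01'    // assumed name (3-24 lowercase chars)
param vnetName string = 'vnet-b10'                       // assumed: VNet B10 in subscription B1
param subnetName string = 'snet-private-endpoints'       // assumed: subnet that hosts private endpoints

resource vnet 'Microsoft.Network/virtualNetworks@2023-09-01' existing = {
  name: vnetName
}

// Subnet that hosts private endpoints. Network policies must be enabled here,
// otherwise NSGs and route tables on the subnet do not apply to private endpoint traffic.
resource peSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-09-01' = {
  parent: vnet
  name: subnetName
  properties: {
    addressPrefix: '10.10.2.0/27'
    privateEndpointNetworkPolicies: 'Enabled'
  }
}

resource storage 'Microsoft.Storage/storageAccounts@2023-05-01' = {
  name: storageAccountName
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    // The private endpoint does not remove the public endpoint; this setting does.
    publicNetworkAccess: 'Disabled'
    networkAcls: { defaultAction: 'Deny' }
    allowBlobPublicAccess: false
    minimumTlsVersion: 'TLS1_2'
    supportsHttpsTrafficOnly: true
  }
}

// The "network card" for the storage account inside VNet B10.
resource blobPrivateEndpoint 'Microsoft.Network/privateEndpoints@2023-09-01' = {
  name: 'pe-${storageAccountName}-blob'
  location: location
  properties: {
    subnet: { id: peSubnet.id }
    privateLinkServiceConnections: [
      {
        name: 'blob'
        properties: {
          privateLinkServiceId: storage.id
          groupIds: [ 'blob' ] // one private endpoint per sub-resource (blob, file, queue, table, ...)
        }
      }
    ]
  }
}

// DNS: <account>.blob.core.windows.net -> <account>.privatelink.blob.core.windows.net -> private IP
resource blobZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.blob.${environment().suffixes.storage}'
  location: 'global'
}

resource blobZoneLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: blobZone
  name: 'link-${vnetName}'
  location: 'global'
  properties: {
    virtualNetwork: { id: vnet.id }
    registrationEnabled: false
  }
}

// The zone group writes and maintains the A record for the private endpoint in the zone.
resource blobZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-09-01' = {
  parent: blobPrivateEndpoint
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'blob'
        properties: { privateDnsZoneId: blobZone.id }
      }
    ]
  }
}

output privateEndpointNicId string = blobPrivateEndpoint.properties.networkInterfaces[0].id
```

After deployment, check from the VM in B10 that `nslookup stcompanybdata01.blob.core.windows.net` returns an address in 10.10.2.0/27; a public address means DNS is not resolving through the private zone and, with public network access disabled, the connection will be refused. On-premises clients only get the private answer once their DNS servers forward the privatelink zone into Azure, as the note above describes.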


Microsoft also offers a feature called Private Link Service, which differs from a private endpoint. 

 

Private Link Service 

In subscription A1, assume that VMs have been created behind a Standard Load Balancer. We can enable a Private Link Service on that load balancer, which allows private endpoints in other environments (inside or outside the tenant) to connect to it. This does not mean that everyone in the world can connect to it, though. The visibility of the service can be restricted: 

  • RBAC only: only identities in the same tenant with read access to the Private Link Service can see it and connect to it.  
  • Restricted by subscription: only a list of subscription IDs, which may include subscriptions outside the tenant, can connect.  
  • Anyone with the service alias can request a connection. 

In all three cases a connection request stays pending until an administrator of the service approves it, unless the requesting subscription is on the service's auto-approval list. 

Example workflow: 

  • A VM in B10 wants to reach the load balancer in A1. 
  • Company B creates a private endpoint in B10 that targets the Private Link Service, using the alias Company A shared. 
  • An administrator in A1 approves the connection.
  • Once approved, the VM in B10 connects to the private endpoint's private IP, which Private Link forwards to the Private Link Service, i.e. the Standard Load Balancer in subscription A1. 

Diagram illustrating a Private Link service connection from Company A's Standard Load Balancer in Subscription A1 to Company B's network resources in Subscriptions B1 and B2.
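As an added example (not code from the original article), the workflow above in Bicep, shown as two templates in one listing: provider.bicep, deployed by Company A in subscription A1, creates the Private Link Service on the existing Standard Load Balancer with visibility limited to subscription B1 and no auto-approval; consumer.bicep, deployed by Company B in subscription B1, creates the private endpoint whose connection waits for A's approval. The load balancer name, frontend name, VNet and subnet names, address range and subscription ID are assumptions, and the consumer passes the alias (or the service's resource ID) as privateLinkServiceId.

```bicep
// Added example, not from the original article. Names, address ranges and IDs are assumed.

// ---------- provider.bicep: deployed by Company A in subscription A1 ----------
param location string = resourceGroup().location
param lbName string = 'lb-webapp-a1'             // assumed: existing Standard (not Basic) internal load balancer
param frontendName string = 'frontend-internal'   // assumed: its internal frontend IP configuration
param vnetName string = 'vnet-a10'                // assumed: VNet A10
param consumerSubscriptionId string               // subscription ID of B1, supplied by Company B

resource vnet 'Microsoft.Network/virtualNetworks@2023-09-01' existing = {
  name: vnetName
}

// Dedicated NAT subnet: backend VMs see these addresses as the source of consumer traffic.
// Private Link Service network policies must be disabled on this subnet.
resource natSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-09-01' = {
  parent: vnet
  name: 'snet-pls-nat'
  properties: {
    addressPrefix: '10.1.3.0/27'
    privateLinkServiceNetworkPolicies: 'Disabled'
  }
}

resource pls 'Microsoft.Network/privateLinkServices@2023-09-01' = {
  name: 'pls-webapp-a1'
  location: location
  properties: {
    loadBalancerFrontendIpConfigurations: [
      {
        id: resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', lbName, frontendName)
      }
    ]
    ipConfigurations: [
      {
        name: 'nat-ip-1'
        properties: {
          subnet: { id: natSubnet.id }
          privateIPAllocationMethod: 'Dynamic'
          primary: true
        }
      }
    ]
    // Visibility: only subscription B1 may discover and connect. Leaving this out (or using '*')
    // lets anyone holding the alias request a connection.
    visibility: {
      subscriptions: [ consumerSubscriptionId ]
    }
    // Empty auto-approval list: every request stays Pending until an A1 administrator approves it.
    autoApproval: {
      subscriptions: []
    }
    enableProxyProtocol: false
  }
}

// Company A hands this alias to Company B; it works across tenants.
output plsAlias string = pls.properties.alias

// ---------- consumer.bicep: deployed by Company B in subscription B1 ----------
param location string = resourceGroup().location
param providerServiceId string                            // alias (or resource ID) received from Company A
param vnetName string = 'vnet-b10'                        // assumed: VNet B10
param subnetName string = 'snet-private-endpoints'        // assumed: subnet hosting private endpoints

resource consumerVnet 'Microsoft.Network/virtualNetworks@2023-09-01' existing = {
  name: vnetName
}

resource consumerSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-09-01' existing = {
  parent: consumerVnet
  name: subnetName
}

resource pe 'Microsoft.Network/privateEndpoints@2023-09-01' = {
  name: 'pe-companya-webapp'
  location: location
  properties: {
    subnet: { id: consumerSubnet.id }
    // manualPrivateLinkServiceConnections: the request lands in state Pending on the provider side.
    manualPrivateLinkServiceConnections: [
      {
        name: 'to-company-a'
        properties: {
          privateLinkServiceId: providerServiceId
          requestMessage: 'Company B workload in VNet B10 requests access'
        }
      }
    ]
  }
}

output privateEndpointId string = pe.id
```

The approval is an action, not a resource, so it is done outside the template: an administrator in A1 approves the pending request in the portal or with `az network private-link-service connection update --resource-group <rg> --service-name pls-webapp-a1 --name <connection-name> --connection-status Approved`. Until then the private endpoint exists in B10 but carries no traffic.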

 

Service Endpoint

Service endpoints extend a subnet's identity to the public endpoint of an Azure service, so the service's own firewall can admit that subnet without a private endpoint. 

For example, say we create an Azure SQL database without a private endpoint. By enabling the Microsoft.Sql service endpoint on the B10 subnet and adding a virtual network rule on the SQL server, the VM in B10 can reach the database directly. The traffic still goes to the public endpoint of the SQL server, but it leaves the subnet over the Microsoft backbone network instead of the public internet. 

The benefit is that you can lock down the SQL server so that it only accepts connections from the B10 subnet. There are, however, some security limitations: 

  • Data exfiltration risk: if attackers compromise the VM in B10, they can use the same service endpoint to copy data to a storage account they control in another subscription. Service endpoint policies reduce this risk by restricting which storage accounts the subnet can reach, but such policies exist only for Azure Storage; SQL, Key Vault and other services are not covered. 
  • No on-premises support: service endpoints only apply to traffic originating inside the virtual network. If you connect from on-premises, the traffic still goes over the public internet unless you use a private endpoint. 
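As an added example (not code from the original article), the service endpoint setup above in Bicep: the B10 workload subnet gets the Microsoft.Sql and Microsoft.Storage service endpoints, the SQL server admits only that subnet through a virtual network rule, and a service endpoint policy limits storage traffic from the subnet to the one storage account Company B owns, which is the mitigation for the exfiltration risk described above. The VNet, subnet, SQL server name, address range and storage account ID are assumptions.

```bicep
// Added example, not from the original article. Names, address ranges and IDs are assumed.
param location string = resourceGroup().location
param vnetName string = 'vnet-b10'             // assumed: VNet B10 in subscription B1
param sqlServerName string = 'sql-companyb-01' // assumed: existing Azure SQL logical server
param ownStorageAccountId string               // resource ID of the only storage account the subnet may use

resource vnet 'Microsoft.Network/virtualNetworks@2023-09-01' existing = {
  name: vnetName
}

resource sqlServer 'Microsoft.Sql/servers@2021-11-01' existing = {
  name: sqlServerName
}

// Exfiltration guard: Microsoft.Storage traffic leaving this subnet over the service endpoint
// may only go to the listed accounts. Policies exist for Azure Storage only, so they do not
// constrain SQL, Key Vault or other services reached over service endpoints.
resource storagePolicy 'Microsoft.Network/serviceEndpointPolicies@2023-09-01' = {
  name: 'sep-own-storage-only'
  location: location
  properties: {
    serviceEndpointPolicyDefinitions: [
      {
        name: 'allow-own-storage'
        properties: {
          service: 'Microsoft.Storage'
          serviceResources: [ ownStorageAccountId ]
        }
      }
    ]
  }
}

resource workloadSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-09-01' = {
  parent: vnet
  name: 'snet-b10-workload'
  properties: {
    addressPrefix: '10.10.1.0/24'
    // Service endpoints are a subnet setting: traffic to these services carries the
    // VNet/subnet identity and stays on the Microsoft backbone.
    serviceEndpoints: [
      {
        service: 'Microsoft.Sql'
      }
      {
        service: 'Microsoft.Storage'
      }
    ]
    serviceEndpointPolicies: [
      {
        id: storagePolicy.id
      }
    ]
  }
}

// Server side: the public endpoint stays reachable (service endpoints need it), but only this
// subnet is admitted. Do not pair this with a 0.0.0.0 "allow Azure services" firewall rule,
// which would admit every Azure tenant's resources.
resource sqlVnetRule 'Microsoft.Sql/servers/virtualNetworkRules@2021-11-01' = {
  parent: sqlServer
  name: 'allow-snet-b10-workload'
  properties: {
    virtualNetworkSubnetId: workloadSubnet.id
    // Fail the deployment if the subnet lacks the Microsoft.Sql service endpoint.
    ignoreMissingVnetServiceEndpoint: false
  }
}
```

The policy is what distinguishes this from a plain service endpoint: without it, a compromised VM in the subnet can reach any storage account in Azure over the same backbone path. Note that it requires the Microsoft.Storage service endpoint on the subnet, and that it does nothing for the SQL side, where the only controls remain the server firewall and the virtual network rule.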

