Private links – What are they? Why do you need them? How do you implement them?
Keeping your environment secure is important, even in the cloud. Some organisations or environments required private and secure communication even for their monitoring solutions, Azure Private Link has recently been enabled for Azure Monitor
Because public networks are just that – public. They are open to anyone who wishes to use them and as such, any communication passing through them is potentially visible to anyone who cares to look (also known as man in the middle).
As an organisation, this is a big security concern. We’ve all heard the horror stories of companies that have had their confidential data compromised by hackers who were able to gain access to their networks through open/unprotected Wi-Fi networks. It’s a costly mistake and PR nightmare for any brand, which is why you need to take extra steps to protect your organisation’s data, even the monitoring data.
Today, we’ll discuss private links and how to set them up using a Domain Name System (DNS). By the end of this article, you’ll know how to create a private link and use it with Azure Monitor. Let’s explore
What are private links?
This is where private links come in. Private links work by setting up a private endpoint within your internal DNS environment.
Traffic between your network and the service using internal IP addressing and travels the Microsoft backbone network. This eliminates the requirement to expose service to the public internet. You can create your own private link service in your Azure virtual network and deliver it to your customers. Setup and consumption using Azure Private Link is consistent across Azure PaaS, customer-owned services.
Setup Azure Monitor private link
Azure Monitor is a great solution for monitoring your cloud environment, but it can be difficult to keep your data secure when you’re using it.
One of the best ways to keep your data safe is to use a private link between your Azure Monitor environment and your on-premises environment. This will prevent traffic from passing between your environment and the Azure Monitoring platform through the public network.
From the Azure Portal, go to Azure Monitor:
- Within the settings section select “Private Link Scopes”
- Click Create
- Provide your subscription, resource group and instance detail, and select Private Only
For the initial setup, it’s recommended to leave it as open. Once you’ve reconfigured all your endpoints to use the private endpoint, then finally come back to your AMPLS and select Private Only.
Implementing a private link into your DNS
We’ll now focus on implementing Private Link and integrating it within Active Directory DNS Servers that are on-prem. Implementing this in Azure DNS can be done by just completing step 2.
To get the name resolution working, you’ll need the following:
- DNS Server on-prem
- DNS Server within Azure Virtual Network (This will soon be replaced by DNS Private Resolver which is now in Public Preview)
- Create a conditional forwarder within DNS server for privatelink.monitor.azure.com and point those towards your Azure VM, which is a DNS relay in cloud.
- On your Azure VM DNS server, configure its DNS forwarders to Azure’s public DNS services IP 22.214.171.124.
Private links are a great way to keep your data safe and secure, and using DNS is one of the best ways to set them up. In this article, we’ve shown you how to create a private link using DNS and how to use it securely with Azure Monitor.
By following the steps in this guide, you’ll be well on your way to implementing a private link into your network. Ready to get started with Azure? Check out our services here.