5.1. Azure Private Link
How do you connect to Azure SQL Database without that traffic ever touching the public internet? Private Link brings Azure PaaS services into your VNet, giving them a private IP address that only you can reach.
💡 First Principle: Private Endpoints give PaaS services a private IP address in your VNet. Traffic flows over Microsoft's backbone, never the internet. This is the modern approach to securing PaaS services—superior to Service Endpoints for most scenarios.
What breaks without proper configuration: DNS still resolves the service's public name to its public IP, so clients quietly bypass the private endpoint (the most common issue). On-premises resolvers can't resolve private endpoint names. Public access remains enabled on the resource, so the public endpoint still answers and the private endpoint adds nothing.
Think of Private Link like installing a private door from your building directly into a service provider's building. You never need to go outside (the internet) to access their services. Consider this: before Private Link, your storage account had a public endpoint that anyone on the internet could attempt to reach (even if authentication blocked them). With Private Link, that storage account gets an IP in your VNet—it's simply unreachable from outside.
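As an added example (not from this guide), here is a Bicep template that wires up all three pieces the text says get forgotten for an Azure SQL server: the private endpoint itself, the privatelink DNS zone linked to the VNet with a zone group, and public network access disabled on the server. The server name, VNet and subnet IDs, and the admin password are placeholders you supply.

```bicep
param sqlServerName string = 'sql-example-placeholder' // placeholder; must be globally unique
param vnetId string   // resource ID of the existing VNet
param subnetId string // subnet that hosts the endpoint's NIC
@secure()
param sqlAdminPassword string
var location = resourceGroup().location
// 1. The PaaS resource, with its public endpoint switched off.
resource sqlServer 'Microsoft.Sql/servers@2021-11-01' = {
  name: sqlServerName
  location: location
  properties: {
    administratorLogin: 'sqladmin'
    administratorLoginPassword: sqlAdminPassword
    publicNetworkAccess: 'Disabled' // without this the internet-facing path still answers
  }
}

// 2. The private endpoint: a NIC in your subnet whose private IP fronts the server.
resource pe 'Microsoft.Network/privateEndpoints@2023-04-01' = {
  name: 'pe-${sqlServerName}'
  location: location
  properties: {
    subnet: { id: subnetId }
    privateLinkServiceConnections: [
      {
        name: 'sql'
        properties: { privateLinkServiceId: sqlServer.id, groupIds: [ 'sqlServer' ] }
      }
    ]
  }
}

// 3. DNS: without this zone and VNet link, <server>.database.windows.net keeps
//    resolving to the public IP and clients silently bypass the endpoint.
resource dnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.database.windows.net'
  location: 'global'
}
resource dnsLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: dnsZone
  name: 'link-vnet'
  location: 'global'
  properties: { registrationEnabled: false, virtualNetwork: { id: vnetId } }
}
// 4. Zone group: the endpoint writes its A record into the zone automatically.
resource zoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-04-01' = {
  parent: pe
  name: 'default'
  properties: { privateDnsZoneConfigs: [ { name: 'sql', properties: { privateDnsZoneId: dnsZone.id } } ] }
}
```

After deployment, a quick check from a VM in the VNet is to resolve the server's FQDN and confirm the answer is an address from the endpoint's subnet rather than a public IP.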