
Azure Private Link provides private IP addressing for Azure platform services, and for your own applications that are hosted on Azure virtual machines. You can use Private Link to enable private connectivity from your tenants' Azure environments. Tenants can also use Private Link to access your solution from their on-premises environments, when they're connected through virtual private network gateways (VPN Gateway) or ExpressRoute.

Azure Private Link is used by many large SaaS providers, including Snowflake, Confluent Cloud, and MongoDB Atlas.

In this article, we review how you can configure Private Link for an Azure-hosted multitenant solution.

Key considerations

Overlapping IP address spaces

Private Link provides powerful capabilities for multitenant solutions, where tenants can access the service through private address spaces.

Different tenants frequently use the same or overlapping private IP address spaces. For example, your multitenant solution might use the IP address space 10.1.0.0/16. Suppose tenant A uses their own on-premises network with the same IP address space, and coincidentally tenant B also uses the same IP address space. You can't directly connect or peer your networks together because the IP address ranges overlap.

When you use Private Link to enable connectivity from each tenant to the multitenant solution, each tenant's traffic automatically has network address translation (NAT) applied. Private Link performs NAT on traffic even when tenants and the service provider all use overlapping IP address ranges: each tenant can use a private IP address within its own network, and the traffic flows to the multitenant solution transparently. When traffic arrives at the multitenant solution, it has already been translated, so it appears to originate from within the multitenant service's own virtual network IP address space. Private Link provides the TCP Proxy Protocol v2 feature, which enables a multitenant service to identify the tenant that sent the request, and even the original IP address from the source network.

When you use Private Link, it's important to consider the service that you want to allow inbound connectivity to.

Azure Private Link service is used with virtual machines behind a standard load balancer. You can also use Private Link with other Azure services. These services include application hosting platforms like Azure App Service. They also include network and API gateways such as Azure Application Gateway and Azure API Management. The application platform you use determines many aspects of your Private Link configuration, and the limits that apply. Additionally, some services don't support Private Link for inbound traffic.

Limits

Carefully consider the number of private endpoints that you can create, based on your solution's architecture. If you use a platform as a service (PaaS) application platform, it's important to be aware of the maximum number of private endpoints that a single resource can support. If you run virtual machines, you can attach a Private Link service instance to a standard load balancer (SLB). In this configuration, you can generally connect a higher number of private endpoints, but limits still apply. These limits might determine how many tenants you can connect to your resources by using Private Link. Review Azure subscription and service limits, quotas, and constraints to understand the limits on the number of endpoints and connections.

Additionally, some services require a specialized networking configuration to use Private Link. For example, if you use Private Link with Azure Application Gateway, you must provision a dedicated subnet, in addition to the standard subnet for the Application Gateway resource.

Carefully test your solution, including your deployment and diagnostic configuration, with your Private Link configuration enabled.

Private Link in combination with public-facing services

Some Azure services block public internet traffic when a private endpoint is enabled, which can require that you change your deployment and management processes. You might choose to deploy your solution to be both internet-facing and also exposed through private endpoints. Consider your overall network topology and the paths that each tenant's traffic follows. When your solution is based on virtual machines that are behind a standard load balancer, you can expose your endpoint via the Private Link service. In this case, a web application firewall and application routing are likely already part of your virtual machine-based workload. Many Azure PaaS services support Private Link for inbound connectivity, even across different Azure subscriptions and Azure Active Directory tenants. You can use that service's Private Link capabilities to expose your endpoint. When you use other internet-facing services, like Azure Front Door, it's important to consider whether they support Private Link for inbound traffic.
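The NAT and TCP Proxy Protocol v2 behaviour described under Overlapping IP address spaces, as an added example that is not part of the original article and not Microsoft code: a Python parser for the PROXY v2 header that a virtual machine backend behind the Private Link service receives, recovering the tenant's original source address and the private endpoint LinkID that tells two tenants apart even when both present the same 10.1.x.x address. The Azure TLV type and subtype values are assumed from the Private Link service documentation, and the LinkID-to-tenant table and sample headers are constructed test input.

```python
import struct
from ipaddress import IPv4Address

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"   # PROXY protocol v2 signature
# Azure TLV carrying the private endpoint LinkID; values assumed from the Azure
# Private Link service docs as recalled here, verify against the current docs.
PP2_TYPE_AZURE = 0xEE
PP2_SUBTYPE_AZURE_PRIVATEENDPOINT_LINKID = 0x01
# Constructed LinkID-to-tenant table, recorded when each private endpoint connection is approved.
TENANT_BY_LINKID = {1001: "tenant-a", 1002: "tenant-b"}

def parse_pp2(data: bytes) -> dict:
    """Parse the PROXY v2 header the Private Link NAT prepends to each TCP connection (IPv4 only)."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("not a PROXY protocol v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY protocol version")
    if ver_cmd & 0x0F == 0x00:                # LOCAL: e.g. a health probe, no client behind it
        return {"command": "LOCAL", "src": None, "dst": None, "link_id": None}
    body = data[16:16 + length]
    if fam_proto != 0x11 or len(body) != length or length < 12:   # 0x11 = TCP over IPv4
        raise ValueError("unsupported family/protocol or truncated header")
    src_ip, dst_ip, src_port, dst_port = struct.unpack("!4s4sHH", body[:12])
    result = {"command": "PROXY", "link_id": None,
              "src": f"{IPv4Address(src_ip)}:{src_port}",     # tenant's original address
              "dst": f"{IPv4Address(dst_ip)}:{dst_port}"}
    pos = 12                                  # TLVs follow the address block
    while pos + 3 <= length:
        tlv_type, tlv_len = struct.unpack("!BH", body[pos:pos + 3])
        value = body[pos + 3:pos + 3 + tlv_len]
        if len(value) != tlv_len:
            raise ValueError("truncated TLV")
        if tlv_type == PP2_TYPE_AZURE and len(value) == 5 and value[0] == PP2_SUBTYPE_AZURE_PRIVATEENDPOINT_LINKID:
            result["link_id"] = struct.unpack("<I", value[1:])[0]   # UINT32, little-endian
        pos += 3 + tlv_len
    if pos != length:
        raise ValueError("trailing bytes in TLV area")
    return result

def tenant_for(data: bytes):
    """Map the connection to a tenant via its LinkID; None for LOCAL or unknown links."""
    return TENANT_BY_LINKID.get(parse_pp2(data)["link_id"])

def build_sample_header(src, sport, dst, dport, link_id):
    """Construct a header shaped like the one the Private Link service sends (test input only)."""
    tlv = (struct.pack("!BH", PP2_TYPE_AZURE, 5)
           + bytes([PP2_SUBTYPE_AZURE_PRIVATEENDPOINT_LINKID]) + struct.pack("<I", link_id))
    addrs = IPv4Address(src).packed + IPv4Address(dst).packed + struct.pack("!HH", sport, dport)
    return PP2_SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(addrs) + len(tlv)) + addrs + tlv
```

Honour the header only on the listener that the Private Link service actually proxies to; on a port that is also reachable directly, anything in the header is just client-supplied bytes.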
