Azure Private Link - Critical to Secure Azure PaaS Adoption
Common Security Concerns with Azure PaaS
- Most PaaS services rely on public endpoints, so traffic may traverse the Internet. Encryption of data in motion must be enforced with TLS 1.2 or above.
- Public endpoints remain visible on the Internet even if you lock down network access with an Azure service endpoint.
- One misconfiguration of the service firewall or access control could expose the company's assets to the Internet.
Common Solutions to Securely Access PaaS
- ExpressRoute: lets you create private connections between Microsoft datacenters and on-premises infrastructure. ExpressRoute connections do not go over the public Internet. Ideally it should be co-located at an exchange provider.
- Service Endpoint: allows you to connect to an Azure service over the Azure backbone network. However, it does not restrict access at the service-instance level; the service instance still has a public IP. What is more, service endpoint traffic does not pass through your edge firewall.
- Firewall and CASB: an NGFW lets you use FQDNs and security groups to control network access. A CASB can be used to detect threats and enforce compliance policies.
- Azure Policy: enforces security configurations and prevents misconfiguration.
The best solution has to be Azure Private Link due to its simplicity and seamless integration with on-premises networks. A private IP for Azure PaaS must be one of the most requested features.
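The audit-plus-guardrail pattern the last two concerns and the last bullet point at, as an added Azure CLI example written for this page (it is not code from the original post): list storage accounts whose service firewall still defaults to Allow, then define and assign an Azure Policy that denies that configuration so one slip cannot reopen the public endpoint. The policy name, display name, resource names and the subscription id are placeholders; setting AZ=echo turns every call into a dry run.

```shell
#!/bin/sh
# Added example (not from the original post): audit storage accounts whose
# service firewall defaults to Allow, and enforce Deny with an Azure Policy.
# Names and the subscription id are placeholders.
set -eu

AZ="${AZ:-az}"   # override with AZ=echo to dry-run the commands

# Storage accounts in the subscription whose network rule set defaults to
# Allow, i.e. whose public endpoint accepts traffic from any network.
list_public_storage_accounts() {
    $AZ storage account list \
        --query "[?networkRuleSet.defaultAction=='Allow'].[name,resourceGroup]" \
        --output tsv
}

# Policy rule: deny any storage account whose default action is not Deny.
# The alias Microsoft.Storage/storageAccounts/networkAcls.defaultAction is the
# same one the built-in "Storage accounts should restrict network access" uses.
write_policy_rule() {
    cat > "$1" <<'EOF'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
      { "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction", "notEquals": "Deny" }
    ]
  },
  "then": { "effect": "Deny" }
}
EOF
}

# Create the definition and assign it at subscription scope.
# enforce_storage_network_policy SUBSCRIPTION_ID RULES_FILE
enforce_storage_network_policy() {
    sub="$1"; rules="$2"
    $AZ policy definition create \
        --name deny-storage-public-network \
        --display-name "Storage accounts must restrict network access" \
        --mode Indexed --rules "$rules"
    $AZ policy assignment create \
        --name deny-storage-public-network \
        --policy deny-storage-public-network \
        --scope "/subscriptions/$sub"
}

# Runs against Azure only when invoked as: sh audit.sh apply
if [ "${1:-}" = "apply" ]; then
    list_public_storage_accounts
    write_policy_rule ./deny-storage-public-network.json
    enforce_storage_network_policy "<subscription-id>" ./deny-storage-public-network.json
fi
```

A Deny policy only blocks new or updated resources; accounts the audit lists are reported as non-compliant but are not changed, so they still need their default action switched to Deny (for example with az storage account update --default-action Deny) before the public endpoint is actually closed.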
Private Link use cases
Private Link enables you to create a private endpoint in your virtual network. All traffic to the service is routed through the private endpoint, so no gateways, NAT devices, ExpressRoute or VPN connections, or public IP addresses are needed. Private Link keeps traffic on the Microsoft global network. Several use cases are:
- Access is restricted to a specific resource instance, not the whole service.
- Private access to PaaS from on-premises via ExpressRoute private peering or VPN forced tunneling; traffic does not traverse the Internet.
- This is going to be huge for service providers, who can now inject PaaS into customers' VNets without exposing traffic to the Internet.
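The private endpoint setup described above, as an added Azure CLI example written for this page (not code from the original post): it creates a private endpoint for the blob sub-resource of one storage account, then adds the privatelink DNS zone and VNet link so the account's FQDN resolves to the private IP from inside the VNet. The resource group, VNet, subnet, storage account id and endpoint names are placeholders; setting AZ=echo prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original post): provision an Azure Private Link
# endpoint for a storage account's blob service and wire up private DNS.
# Resource names and the storage account id are placeholders.
set -eu

AZ="${AZ:-az}"   # override with AZ=echo to dry-run the commands

# create_blob_private_endpoint RG VNET SUBNET STORAGE_ACCOUNT_ID PE_NAME
create_blob_private_endpoint() {
    rg="$1"; vnet="$2"; subnet="$3"; sa_id="$4"; pe="$5"
    zone="privatelink.blob.core.windows.net"

    # Private endpoint NICs do not honour NSG rules, and the subnet must have
    # private endpoint network policies disabled before one can be placed in it
    # (this is the preview-era CLI flag).
    $AZ network vnet subnet update \
        --resource-group "$rg" --vnet-name "$vnet" --name "$subnet" \
        --disable-private-endpoint-network-policies true

    # The endpoint targets one resource and one sub-resource ("blob"),
    # not the whole storage service.
    $AZ network private-endpoint create \
        --resource-group "$rg" --name "$pe" \
        --vnet-name "$vnet" --subnet "$subnet" \
        --private-connection-resource-id "$sa_id" \
        --group-id blob \
        --connection-name "${pe}-conn"

    # Private DNS zone plus VNet link so <account>.blob.core.windows.net
    # resolves to the private IP inside the VNet (on-premises clients reach it
    # through a DNS forwarder in the VNet).
    $AZ network private-dns zone create --resource-group "$rg" --name "$zone"
    $AZ network private-dns link vnet create \
        --resource-group "$rg" --zone-name "$zone" \
        --name "${vnet}-link" --virtual-network "$vnet" --registration-enabled false
    $AZ network private-endpoint dns-zone-group create \
        --resource-group "$rg" --endpoint-name "$pe" \
        --name default --private-dns-zone "$zone" --zone-name blob
}

# Runs against Azure only when invoked as: sh private-endpoint.sh apply
if [ "${1:-}" = "apply" ]; then
    create_blob_private_endpoint "rg-privatelink-demo" "vnet-hub" "snet-pe" \
        "/subscriptions/<subscription-id>/resourceGroups/rg-privatelink-demo/providers/Microsoft.Storage/storageAccounts/stdemo001" \
        "pe-stdemo001-blob"
fi
```

After the run, resolving the account's blob FQDN from a VM in the VNet should return an address from the subnet rather than a public IP; that resolution check is the quickest way to confirm traffic is actually taking the private path. Newer CLI versions express the subnet setting as --private-endpoint-network-policies Disabled instead of the boolean flag used here.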
Limitations and Constraints
- It is in preview on selected PaaS services.
- Private Link endpoints do not co-exist with service endpoints on the same subnet.
- NSG rules do not apply to Private Link endpoints. A subnet with private endpoints can still have an NSG: other traffic in that subnet must follow the NSG, but Private Link traffic will not.