| 1 | +--- |
| 2 | +title: Configure Private Endpoint network access to Azure Health Data Services de-identification service |
| 3 | +description: Learn how to restrict network access to your de-identification service. |
| 4 | +ms.date: 09/26/2024 |
| 5 | +ms.topic: how-to |
| 6 | +author: jovinson-ms |
| 7 | +ms.author: jovinson |
| 8 | +ms.service: azure-health-data-services |
| 9 | +ms.subservice: deidentification-service |
| 10 | +# customer intent: As an IT admin, I want to restrict network access to a de-identification service to a private endpoint in a virtual network. |
| 11 | +--- |
| 12 | + |
| 13 | +# Configure Private Endpoint network access to Azure Health Data Services de-identification service (preview) |
| 14 | +Azure Private Link enables you to access Azure services over a **private endpoint** in your virtual network. |
| 15 | + |
| 16 | +A private endpoint is a network interface that connects you privately and securely to an Azure service which supports Azure Private Link. The private endpoint uses a private IP address from your virtual network, effectively bringing the service into your virtual network. All traffic to the service is routed through the private endpoint, so no gateways, NAT devices, ExpressRoute or VPN connections, or public IP addresses are needed. Traffic between your virtual network and the service traverses the Microsoft backbone network, eliminating exposure from the public Internet. You can restrict connections to specific instances of an Azure service, giving you the highest level of granularity in access control. |
| 17 | + |
| 18 | +For more information, see [What is Azure Private Link?](../../private-link/private-link-overview.md) |
| 19 | + |
| 20 | +## Add a private endpoint using the Azure portal |
| 21 | + |
| 22 | +### Prerequisites |
| 23 | + |
| 24 | +> [!IMPORTANT] |
| 25 | +> Before enabling Private Endpoint access to your de-identification service (preview), you will need to [create a support request](/azure/azure-portal/supportability/how-to-create-azure-support-request) to request access to this feature for your subscription. |
| 26 | +> Create the request under **Azure Health Data Services > General question > De-identification service > Configuration and management** |
| 27 | +
|
| 28 | +- A de-identification service in your Azure subscription. If you don't have a de-identification service, follow the steps in [Quickstart: Deploy the de-identification service](quickstart.md). |
| 29 | +- Owner or contributor permissions for the de-identification service. |
| 30 | + |
| 31 | +### Create a private endpoint |
| 32 | + |
| 33 | +Follow the steps at [Quickstart: Create a private endpoint by using the Azure portal](/azure/private-link/create-private-endpoint-portal). |
| 34 | + |
| 35 | +- Instead of a webapp, create a private endpoint to a de-identification service (preview). |
| 36 | +- When you reach [Create a private endpoint](/azure/private-link/create-private-endpoint-portal?tabs=dynamic-ip#create-a-private-endpoint), step 5, enter resource type **Microsoft.HealthDataAIServices/deidServices**. |
| 37 | +- Your private endpoint and virtual network must be in the same region. When you select a region for the private endpoint using the portal, it automatically filters virtual networks that are in that region. Your de-identification service can be in a different region. |
| 38 | +- When you reach [Test connectivity to the private endpoint](/azure/private-link/create-private-endpoint-portal?tabs=dynamic-ip#test-connectivity-to-the-private-endpoint) steps 8 and 10, use the service URL of your de-identification service plus the `/health` path. |
| 39 | + |
| 40 | +### Configure private access |
| 41 | + |
| 42 | +> [!IMPORTANT] |
| 43 | +> Creating a private endpoint does **not** restrict public network access automatically. |
| 44 | +
|
| 45 | +When creating a de-identification service (preview), you can either allow public only (from all networks) or private only (only via private endpoints) access to the de-identification service. |
| 46 | + |
| 47 | +If you already have a de-identification service, you can configure network access by going to the service's Azure portal **Networking** page, and under **Public network access**, selecting **Disabled**. |
| 48 | + |
| 49 | +## Manage private endpoints using Azure portal |
| 50 | + |
| 51 | +When you create a private endpoint, the connection must be approved. If the resource for which you're creating a private endpoint is in your directory, you can approve the connection request provided you have sufficient permissions. If you're connecting to an Azure resource in another directory, you must wait for the owner of that resource to approve your connection request. |
| 52 | + |
| 53 | +There are four provisioning states: |
| 54 | + |
| 55 | +| Service action | Service consumer private endpoint state | Description | |
| 56 | +|--|--|--| |
| 57 | +| None | Pending | Connection is created manually and is pending approval from the target resource owner. | |
| 58 | +| Approve | Approved | Connection was automatically or manually approved and is ready to be used. | |
| 59 | +| Reject | Rejected | The target resource owner rejected the connection. | |
| 60 | +| Remove | Disconnected | The target resource owner removed the connection. The private endpoint should be deleted for cleanup. | |
| 61 | + |
| 62 | +### Approve, reject, or remove a private endpoint connection |
| 63 | + |
| 64 | +1. Sign in to the Azure portal. |
| 65 | +2. In the search bar, type in **de-id**. |
| 66 | +3. Select the **de-identification service** that you want to manage. |
| 67 | +4. Select the **Networking** tab. |
| 68 | +5. Go to the appropriate following section based on the operation you want to: approve, reject, or remove. |
| 69 | + |
| 70 | +### Approve a private endpoint connection |
| 71 | +1. If there are any connections that are pending, you see a connection listed with **Pending** in the provisioning state. |
| 72 | +2. Select the **private endpoint** you wish to approve |
| 73 | +3. Select the **Approve** button. |
| 74 | +4. On the **Approve connection** page, add a comment (optional), and select **Yes**. If you select **No**, nothing happens. |
| 75 | +5. You should see the status of the private endpoint connection in the list changed to **Approved**. |
| 76 | + |
| 77 | +### Reject a private endpoint connection |
| 78 | + |
| 79 | +1. If there are any private endpoint connections you want to reject, whether it's a pending request or existing connection, select the connection and select the **Reject** button. |
| 80 | +2. On the **Reject connection** page, enter a comment (optional), and select **Yes**. If you select **No**, nothing happens. |
| 81 | +3. You should see the status of the private endpoint connection in the list changed to **Rejected**. |
| 82 | + |
| 83 | +### Remove a private endpoint connection |
| 84 | + |
| 85 | +1. To remove a private endpoint connection, select it in the list, and select **Remove** on the toolbar. |
| 86 | +2. On the **Delete connection** page, select **Yes** to confirm the deletion of the private endpoint. If you select **No**, nothing happens. |
| 87 | +3. You should see the status changed to **Disconnected**. Then, the endpoint disappears from the list. |
| 88 | + |
| 89 | +## Limitations and design considerations |
| 90 | + |
| 91 | +- For pricing information, see [Azure Private Link pricing](https://azure.microsoft.com/pricing/details/private-link/). |
| 92 | +- This feature is available in all Azure public regions. |
| 93 | +- Because network traffic is blocked at the application layer, you can still ping the public endpoint of your service even though public network access is disabled. |
| 94 | + |
| 95 | +For more, see [Azure Private Link service: Limitations](../../private-link/private-link-service-overview.md#limitations) |
| 96 | + |
| 97 | +## Related content |
| 98 | + |
| 99 | +- Learn more about [Azure Private Link](../../private-link/private-link-service-overview.md) |
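Review bot: the overview at line 16 states "All traffic to the service is routed through the private endpoint", but line 43 itself warns that "Creating a private endpoint does **not** restrict public network access automatically"; the overview should say that traffic is confined to the private endpoint only once **Public network access** is set to **Disabled** (line 47), otherwise a reader who stops after creating the endpoint is left believing the public path is closed when it is not. Related, the limitation at line 93 attributes the ping result to traffic being "blocked at the application layer", yet ICMP is not application traffic; the accurate statement is that the public address still exists and still answers on the wire, and that the restriction is enforced by the service when it handles the request, so a successful ping proves nothing either way. The connectivity test at line 38 (the service URL plus the `/health` path) only shows the private path works; add the same request from a host outside the virtual network after disabling public access and state that it must be refused, since that is the check that confirms the exposure is actually closed. The page also never says which name the client must resolve to reach the private IP; the prerequisites (lines 28-29) or the create steps (lines 33-38) should state the private DNS zone that applies to this resource type, because a client that keeps resolving the public address will be refused as soon as public access is disabled. Minor: line 53 calls the table entries "provisioning states" while the column header at line 55 says "private endpoint state", and the "Service action" header should say whose action it is (the target resource owner's, per the descriptions).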