Commit cb0f887

Final edits for publication.
1 parent ab6a49d commit cb0f887

1 file changed

+11
-11
lines changed

articles/azure-app-configuration/concept-private-endpoint.md

Lines changed: 11 additions & 11 deletions
@@ -1,21 +1,21 @@
11
---
2-
title: Using Private Endpoints for Azure App Configuration
2+
title: Using private endpoints for Azure App Configuration
33
description: Secure your App Configuration store using private endpoints
44
services: azure-app-configuration
55
author: lisaguthrie
66
ms.service: azure-app-configuration
77
ms.topic: conceptual
8-
ms.date: 3/4/2020
8+
ms.date: 3/12/2020
99
ms.author: lcozzens
1010

1111
#Customer intent: As a developer using Azure App Configuration, I want to understand how to use private endpoints to enable secure communication with my App Configuration instance.
1212
---
13-
# Using Private Endpoints for Azure App Configuration
13+
# Using private endpoints for Azure App Configuration
1414

15-
You can use [private endpoints](../private-link/private-endpoint-overview.md) for Azure App Configuration to allow clients on a virtual network (VNet) to securely access data over a [private link](../private-link/private-link-overview.md). The private endpoint uses an IP address from the VNet address space for your App Configuration service. Network traffic between the clients on the VNet and the App Configuration store account traverses over the VNet and a private link on the Microsoft backbone network, eliminating exposure from the public internet.
15+
You can use [private endpoints](../private-link/private-endpoint-overview.md) for Azure App Configuration to allow clients on a virtual network (VNet) to securely access data over a [private link](../private-link/private-link-overview.md). The private endpoint uses an IP address from the VNet address space for your App Configuration service. Network traffic between the clients on the VNet and the App Configuration store traverses over the VNet using a private link on the Microsoft backbone network, eliminating exposure to the public internet.
1616

1717
Using private endpoints for your App Configuration service enables you to:
18-
- Secure your application configuration details by configuring the firewall to block all connections to App Configuration on the public endpoint.
18+
- Secure your application configuration details by configuring the firewall to block all connections to App Configuration on the public endpoint.
1919
- Increase security for the virtual network (VNet) ensuring data doesn't escape from the VNet.
2020
- Securely connect to the App Configuration service from on-premises networks that connect to the VNet using [VPN](../vpn-gateway/vpn-gateway-about-vpngateways.md) or [ExpressRoutes](../expressroute/expressroute-locations.md) with private-peering.
2121

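Review bot: the rewritten intro on line 15 ends with "eliminating exposure to the public internet", which reads as a property of the store itself, yet line 18 lists blocking the public endpoint at the firewall as a separate step. Suggest scoping the claim to traffic from clients on the VNet, or adding a pointer to the firewall step so readers do not assume that creating the private endpoint closes the public one. Minor: "traverses over the VNet" is redundant ("traverses the VNet" is enough), and the removed and added versions of line 18 read identically here, so if that is a whitespace-only change it is worth confirming it was intended.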
@@ -28,7 +28,7 @@ A private endpoint is a special network interface for an Azure service in your [
2828

2929
Applications in the VNet can connect to the configuration service over the private endpoint **using the same connection strings and authorization mechanisms that they would use otherwise**. Private endpoints can be used with all protocols supported by the App Configuration store.
3030

31-
While App Configuration doesn't support service endpoints, private endpoints can be created in subnets that use [Service Endpoints](../virtual-network/virtual-network-service-endpoints-overview.md). Clients in a subnet can connect securely to an App Configuration store using private endpoint while using service endpoints to access others.
31+
While App Configuration doesn't support service endpoints, private endpoints can be created in subnets that use [Service Endpoints](../virtual-network/virtual-network-service-endpoints-overview.md). Clients in a subnet can connect securely to an App Configuration store using the private endpoint while using service endpoints to access others.
3232

3333
When you create a private endpoint for a service in your VNet, a consent request is sent for approval to the service account owner. If the user requesting the creation of the private endpoint is also an owner of the account, this consent request is automatically approved.
3434

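Review bot: on line 31 the sentence ends "while using service endpoints to access others" with no noun for "others" to refer to; "other services" would make it unambiguous. The same line links "[Service Endpoints]" in title case right after lowercase "service endpoints", which is at odds with the sentence-case cleanup applied to the title and H1 in this commit. Line 33 (unchanged context) also still speaks of the "service account owner" and "an owner of the account"; if "account" is not the intended term for an App Configuration store, this is the place to align it.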
@@ -38,7 +38,7 @@ Service account owners can manage consent requests and private endpoints through
3838

3939
When creating a private endpoint, you must specify the App Configuration store to which it connects. If you have multiple App Configuration instances within an account, you need a separate private endpoint for each store.
4040

41-
#### Resources
41+
#### Resources for creating private endpoints
4242

4343
For more detailed information on creating a private endpoint for your App Configuration store, refer to the following articles:
4444

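Review bot: line 39 (unchanged context) still reads "multiple App Configuration instances within an account" and switches between "instances" and "store" inside one sentence. This commit replaces "store account" and "storage account" wording on lines 15, 58 and 66, so line 39 looks like a missed instance of the same cleanup. Suggest something like "If you have multiple App Configuration stores, you need a separate private endpoint for each store."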
@@ -55,20 +55,20 @@ Azure relies upon DNS resolution to route connections from the VNet to the confi
5555
5656
## DNS changes for Private Endpoints
5757

58-
When you create a private endpoint, the DNS CNAME resource record for the storage account is updated to an alias in a subdomain with the prefix `privatelink`. Azure also creates a [private DNS zone](../dns/private-dns-overview.md), corresponding to the `privatelink` subdomain, with the DNS A resource records for the private endpoints.
58+
When you create a private endpoint, the DNS CNAME resource record for the service is updated to an alias in a subdomain with the prefix `privatelink`. Azure also creates a [private DNS zone](../dns/private-dns-overview.md) corresponding to the `privatelink` subdomain, with the DNS A resource records for the private endpoints.
5959

60-
When you resolve the endpoint URL from outside the VNet with the private endpoint, it resolves to the public endpoint of the service. When resolved from within the VNet hosting the private endpoint, the endpoint URL resolves to the private endpoint.
60+
When you resolve the endpoint URL from outside the VNet, it resolves to the public endpoint of the service. When resolved from within the VNet hosting the private endpoint, the endpoint URL resolves to the private endpoint.
6161

6262
You can control access for clients outside the VNet through the public endpoint using the Azure Firewall service.
6363

6464
This approach enables access to the store **using the same connection string** for clients on the VNet hosting the private endpoints as well as clients outside the VNet.
6565

66-
If you are using a custom DNS server on your network, clients must be able to resolve the FQDN for the storage account endpoint to the private endpoint IP address. You should configure your DNS server to delegate your private link subdomain to the private DNS zone for the VNet, or configure the A records for `AppConfigInstanceA.privatelink.azconfig.io` with the private endpoint IP address.
66+
If you are using a custom DNS server on your network, clients must be able to resolve the fully qualified domain name (FQDN) for the service endpoint to the private endpoint IP address. You should configure your DNS server to delegate your private link subdomain to the private DNS zone for the VNet, or configure the A records for `AppConfigInstanceA.privatelink.azconfig.io` with the private endpoint IP address.
6767

6868
> [!TIP]
6969
> When using a custom or on-premises DNS server, you should configure your DNS server to resolve the store name in the `privatelink` subdomain to the private endpoint IP address. You can do this by delegating the `privatelink` subdomain to the private DNS zone of the VNet, or configuring the DNS zone on your DNS server and adding the DNS A records.
7070
71-
#### Resources
71+
#### Resources for configuring your DNS server with private endpoints
7272

7373
For more information on configuring your own DNS server to support private endpoints, refer to the following articles:
7474

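Review bot: line 66 and the TIP on lines 68-69 give the same custom-DNS guidance twice (delegate the `privatelink` subdomain to the private DNS zone, or add the A records yourself); keep one and drop or shorten the other. Line 60 says resolution from outside the VNet returns the public endpoint, but line 66 does not say what a client behind a custom DNS server gets when the delegation or A records are missing; stating that would help readers who intend to block the public endpoint. The heading on line 56, "DNS changes for Private Endpoints", is still title case while the title and H1 were moved to sentence case in this commit.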