iCompaas Support

Profile Applicability:
 Level 2

Description:
 Private Endpoints enable secure and private connectivity to Azure services by mapping a private IP address from your virtual network to the service. Using Private Endpoints eliminates exposure of the service to the public internet, ensuring all traffic flows through your private network, reducing attack surface and improving data security.

Rationale:
 Accessing Azure services via Private Endpoints enforces network isolation and protects resources from unauthorized internet access. It also supports compliance requirements by keeping data within trusted network boundaries and enables fine-grained access control through network security groups (NSGs) and Azure Firewall.

Impact:

• Pros:
  

  • Eliminates public exposure of services.
    

  • Enhances security by restricting access to private networks.
    

  • Enables granular network controls and traffic monitoring.
    

• Cons:
  

  • Requires network architecture adjustments and proper DNS configuration.
    

  • May introduce complexity in managing private connections and endpoints.
    

Default Value:
 By default, many Azure services allow public access until Private Endpoints are configured.

Pre-requisites:

• Azure virtual network and subnet available for Private Endpoint deployment.
  

• Proper DNS setup to resolve private IP addresses for the service endpoint.
  

• Permissions to create Private Endpoints and configure network resources.
  

Remediation

Test Plan:

Using Azure Portal:

1. Navigate to https://portal.azure.com.
   

2. Open the Azure resource (e.g., Storage Account, SQL Server, or other service).
   

3. Under the Networking or Private Endpoint connections section, verify that Private Endpoints are configured.
   

4. Confirm that no public endpoint or public network access is enabled or allowed.
   

Using Azure CLI:

1. List Private Endpoints associated with the resource:

az network private-endpoint list --resource-group <resource-group> --query "[?contains(resourceGroup, '<resource-group>') && contains(name, '<resource-name>')]"

2. Confirm at least one Private Endpoint is present.

3. Verify public network access is disabled (if applicable) with commands relevant to the service.

Implementation Plan

Using Azure Portal:

1. Create a Private Endpoint within a virtual network subnet for the resource.
   

2. Configure DNS to resolve the service domain to the private IP of the Private Endpoint.
   

3. Disable public network access on the service to enforce exclusive private access.
   

4. Test connectivity from resources within the virtual network to the service via Private Endpoint.
   

Using Azure CLI:

1. Create Private Endpoint:

az network private-endpoint create --name <private-endpoint-name> --resource-group <resource-group> --vnet-name <vnet-name> --subnet <subnet-name> --private-connection-resource-id <resource-id> --group-ids <group-ids> --connection-name <connection-name>

2. Update DNS or use Azure Private DNS zones to ensure private name resolution.

3. Disable public access if applicable.

Backout Plan

Using Azure Portal:

1. Remove the Private Endpoint and revert to previous network access configurations.
   

2. Re-enable public network access if required.
   

Using Azure CLI:

1. Delete Private Endpoint:

az network private-endpoint delete --name <private-endpoint-name> --resource-group <resource-group>

2. Restore public access settings as necessary.

References:

• Azure Private Endpoint Documentation
  

• Secure Access to Azure Storage with Private Endpoints
  

• Private Link for Azure SQL Database