Quickstart: Create a private endpoint by using Azure PowerShell (2023)


Get started with Azure Private Link by using a private endpoint to connect securely to an Azure web app.

In this quickstart, you'll create a private endpoint for an Azure web app and then create and deploy a virtual machine (VM) to test the private connection.

You can create private endpoints for various Azure services, such as Azure SQL and Azure Storage.


  • An Azure account with an active subscription. If you don't already have an Azure account, create an account for free.

  • An Azure web app with a PremiumV2-tier or higher app service plan, deployed in your Azure subscription.

    • For more information and an example, see Quickstart: Create an ASP.NET Core web app in Azure.

    • The example webapp in this article is named myWebApp1979. Replace the example with your webapp name.

If you choose to install and use PowerShell locally, this article requires the Azure PowerShell module version 5.4.1 or later. To find the installed version, run Get-Module -ListAvailable Az. If you need to upgrade, see Install the Azure PowerShell module. If you're running PowerShell locally, you also need to run Connect-AzAccount to create a connection with Azure.

Create a resource group

An Azure resource group is a logical container where Azure resources are deployed and managed.

Create a resource group with New-AzResourceGroup:

New-AzResourceGroup -Name 'CreatePrivateEndpointQS-rg' -Location 'eastus'

Create a virtual network and bastion host

A virtual network and subnet are required to host the private IP address for the private endpoint. You'll create a bastion host to connect securely to the virtual machine to test the private endpoint. You'll create the virtual machine in a later section.

In this section, you'll:

## The address prefixes are not given on this page. Replace each placeholder with your own range. ##

## Configure the back-end subnet. ##
$subnetConfig = New-AzVirtualNetworkSubnetConfig -Name myBackendSubnet -AddressPrefix '<backend-subnet-address-prefix>'

## Create the Azure Bastion subnet. ##
$bastsubnetConfig = New-AzVirtualNetworkSubnetConfig -Name AzureBastionSubnet -AddressPrefix '<bastion-subnet-address-prefix>'

## Create the virtual network. ##
$net = @{
    Name = 'MyVNet'
    ResourceGroupName = 'CreatePrivateEndpointQS-rg'
    Location = 'eastus'
    AddressPrefix = '<virtual-network-address-prefix>'
    Subnet = $subnetConfig, $bastsubnetConfig
}
$vnet = New-AzVirtualNetwork @net

## Create the public IP address for the bastion host. ##
$ip = @{
    Name = 'myBastionIP'
    ResourceGroupName = 'CreatePrivateEndpointQS-rg'
    Location = 'eastus'
    Sku = 'Standard'
    AllocationMethod = 'Static'
    Zone = 1,2,3
}
$publicip = New-AzPublicIpAddress @ip

## Create the bastion host. ##
$bastion = @{
    ResourceGroupName = 'CreatePrivateEndpointQS-rg'
    Name = 'myBastion'
    PublicIpAddress = $publicip
    VirtualNetwork = $vnet
}
New-AzBastion @bastion -AsJob

Create a private endpoint

An Azure service that supports private endpoints is required to set up the private endpoint and connection to the virtual network. For the examples in this article, we're using an Azure WebApp from the prerequisites. For more information on the Azure services that support a private endpoint, see Azure Private Link availability.

A private endpoint can have a static or dynamically assigned IP address.


You must have a previously deployed Azure WebApp to proceed with the steps in this article. For more information, see Prerequisites.

In this section, you'll:

  • Create a private link service connection with New-AzPrivateLinkServiceConnection.

  • Create the private endpoint with New-AzPrivateEndpoint.

  • Optionally create the private endpoint static IP configuration with New-AzPrivateEndpointIpConfiguration.

## Place the previously created webapp into a variable. ##
$webapp = Get-AzWebApp -ResourceGroupName CreatePrivateEndpointQS-rg -Name myWebApp1979

## Create the private endpoint connection. ##
$pec = @{
    Name = 'myConnection'
    PrivateLinkServiceId = $webapp.ID
    GroupID = 'sites'
}
$privateEndpointConnection = New-AzPrivateLinkServiceConnection @pec

## Place the virtual network you created previously into a variable. ##
$vnet = Get-AzVirtualNetwork -ResourceGroupName 'CreatePrivateEndpointQS-rg' -Name 'myVNet'

## Create the private endpoint. ##
$pe = @{
    ResourceGroupName = 'CreatePrivateEndpointQS-rg'
    Name = 'myPrivateEndpoint'
    Location = 'eastus'
    Subnet = $vnet.Subnets[0]
    PrivateLinkServiceConnection = $privateEndpointConnection
}
New-AzPrivateEndpoint @pe

Configure the private DNS zone

A private DNS zone is used to resolve the DNS name of the private endpoint in the virtual network. For this example, we're using the DNS information for an Azure WebApp. For more information on the DNS configuration of private endpoints, see Azure Private Endpoint DNS configuration.

In this section, you'll:

## Place the virtual network into a variable. ##
$vnet = Get-AzVirtualNetwork -ResourceGroupName 'CreatePrivateEndpointQS-rg' -Name 'myVNet'

## Create the private DNS zone. ##
$zn = @{
    ResourceGroupName = 'CreatePrivateEndpointQS-rg'
    Name = 'privatelink.azurewebsites.net'
}
$zone = New-AzPrivateDnsZone @zn

## Create a DNS network link. ##
$lk = @{
    ResourceGroupName = 'CreatePrivateEndpointQS-rg'
    ZoneName = 'privatelink.azurewebsites.net'
    Name = 'myLink'
    VirtualNetworkId = $vnet.Id
}
$link = New-AzPrivateDnsVirtualNetworkLink @lk

## Configure the DNS zone. ##
$cg = @{
    Name = 'privatelink.azurewebsites.net'
    PrivateDnsZoneId = $zone.ResourceId
}
$config = New-AzPrivateDnsZoneConfig @cg

## Create the DNS zone group. ##
$zg = @{
    ResourceGroupName = 'CreatePrivateEndpointQS-rg'
    PrivateEndpointName = 'myPrivateEndpoint'
    Name = 'myZoneGroup'
    PrivateDnsZoneConfig = $config
}
New-AzPrivateDnsZoneGroup @zg
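The following check is an added example, not part of the original quickstart. Run it in the same Azure PowerShell session to confirm that the connection is approved, that every A record in the private DNS zone points at the private endpoint's network interface, and that the zone is linked to myVNet. It assumes the resource names used in this article.

```powershell
## Added verification example; assumes the resource names used in this article. ##
$rg   = 'CreatePrivateEndpointQS-rg'
$zone = 'privatelink.azurewebsites.net'

$pe   = Get-AzPrivateEndpoint -ResourceGroupName $rg -Name 'myPrivateEndpoint'
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'myVNet'

## 1. The connection to the web app must be approved before traffic flows. ##
$status = $pe.PrivateLinkServiceConnections[0].PrivateLinkServiceConnectionState.Status

## 2. Private IP addresses held by the endpoint's network interface. ##
$nic = Get-AzNetworkInterface -ResourceId $pe.NetworkInterfaces[0].Id
$endpointIps = @($nic.IpConfigurations |
    ForEach-Object { $_.PrivateIpAddress } | Sort-Object -Unique)

## 3. A records published in the private DNS zone by the zone group. ##
$recordSets = Get-AzPrivateDnsRecordSet -ResourceGroupName $rg -ZoneName $zone -RecordType A
$zoneIps = @($recordSets | ForEach-Object { $_.Records } |
    ForEach-Object { $_.Ipv4Address } | Sort-Object -Unique)

## 4. The zone must be linked to the virtual network that the test VM uses. ##
$links  = Get-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zone
$linked = @($links | ForEach-Object { $_.VirtualNetworkId }) -contains $vnet.Id

## A record that points anywhere other than the endpoint is stale or wrong. ##
$stray = @($zoneIps | Where-Object { $endpointIps -notcontains $_ })

$result = [pscustomobject]@{
    ConnectionStatus = $status
    EndpointIps      = $endpointIps -join ', '
    ZoneARecordIps   = $zoneIps -join ', '
    ZoneLinkedToVNet = $linked
    Healthy          = ($status -eq 'Approved') -and $linked -and
                       ($zoneIps.Count -gt 0) -and ($stray.Count -eq 0)
}
$result | Format-List

if (-not $result.Healthy) {
    Write-Warning 'Private endpoint DNS is not consistent; clients in myVNet may resolve the public address.'
}
```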

Create a test virtual machine

To verify the static IP address and the functionality of the private endpoint, a test virtual machine connected to your virtual network is required.

In this section, you'll:

  • Create a sign-in credential for the virtual machine with Get-Credential

  • Create a network interface for the virtual machine with New-AzNetworkInterface

  • Create a virtual machine configuration with New-AzVMConfig, Set-AzVMOperatingSystem, Set-AzVMSourceImage, and Add-AzVMNetworkInterface

  • Create the virtual machine with New-AzVM

## Create the credential for the virtual machine. Enter a username and password at the prompt. ##
$cred = Get-Credential

## Place the virtual network into a variable. ##
$vnet = Get-AzVirtualNetwork -Name myVNet -ResourceGroupName CreatePrivateEndpointQS-rg

## Create a network interface for the virtual machine. ##
$nic = @{
    Name = 'myNicVM'
    ResourceGroupName = 'CreatePrivateEndpointQS-rg'
    Location = 'eastus'
    Subnet = $vnet.Subnets[0]
}
$nicVM = New-AzNetworkInterface @nic

## Create the configuration for the virtual machine. ##
$vm1 = @{
    VMName = 'myVM'
    VMSize = 'Standard_DS1_v2'
}
$vm2 = @{
    ComputerName = 'myVM'
    Credential = $cred
}
$vm3 = @{
    PublisherName = 'MicrosoftWindowsServer'
    Offer = 'WindowsServer'
    Skus = '2019-Datacenter'
    Version = 'latest'
}
$vmConfig = New-AzVMConfig @vm1 |
    Set-AzVMOperatingSystem -Windows @vm2 |
    Set-AzVMSourceImage @vm3 |
    Add-AzVMNetworkInterface -Id $nicVM.Id

## Create the virtual machine. ##
New-AzVM -ResourceGroupName 'CreatePrivateEndpointQS-rg' -Location 'eastus' -VM $vmConfig


Azure provides a default outbound access IP for VMs that either aren't assigned a public IP address or are in the back-end pool of an internal basic Azure load balancer. The default outbound access IP mechanism provides an outbound IP address that isn't configurable.

The default outbound access IP is disabled when a public IP address is assigned to the VM, the VM is placed in the back-end pool of a standard load balancer, with or without outbound rules, or if an Azure Virtual Network NAT gateway resource is assigned to the subnet of the VM.

VMs that are created by virtual machine scale sets in flexible orchestration mode don't have default outbound access.

For more information about outbound connections in Azure, see Default outbound access in Azure and Use source network address translation (SNAT) for outbound connections.

Test connectivity with the private endpoint

Use the VM you created in the previous step to connect to the webapp across the private endpoint.

  1. Sign in to the Azure portal.

  2. In the search box at the top of the portal, enter Virtual machine. Select Virtual machines.

  3. Select myVM.

  4. On the overview page for myVM, select Connect, and then select Bastion.

  5. Enter the username and password that you used when you created the VM. Select Connect.

  6. After you've connected, open PowerShell on the server.

  7. Enter nslookup mywebapp1979.azurewebsites.net. Replace mywebapp1979 with the name of the web app that you created earlier. You'll receive a message that's similar to the following example:

    Server: UnKnown
    Address:
    answer:
    Name: mywebapp1979.privatelink.azurewebsites.net
    Address: mywebapp1979.azurewebsites.net

  8. In the bastion connection to myVM, open the web browser.

  9. Enter the URL of your web app, https://mywebapp1979.azurewebsites.net.

    If your web app hasn't been deployed, you'll get the default web app page.

  10. Close the connection to myVM.
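
The nslookup check in step 7 can be scripted. The function below is an added example, not part of the original quickstart: run it in PowerShell on myVM to confirm that the web app name resolves to a private address and accepts connections on port 443. The function name Test-PrivateResolution is hypothetical, and the script assumes the virtual network uses RFC 1918 address space.

```powershell
## Added example, not from the original quickstart. Run in PowerShell on myVM. ##
function Test-PrivateResolution {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )

    ## Assumption: the virtual network uses RFC 1918 address space. ##
    $rfc1918 = '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'

    $answers = @(Resolve-DnsName -Name $HostName -Type A -ErrorAction Stop)
    $cnames  = @($answers | Where-Object { $_.Type -eq 'CNAME' } | ForEach-Object { $_.NameHost })
    $ips     = @($answers | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
    $public  = @($ips | Where-Object { $_ -notmatch $rfc1918 })

    $tcp = Test-NetConnection -ComputerName $HostName -Port $Port -WarningAction SilentlyContinue

    ## The privatelink CNAME also exists in public DNS, so the address,   ##
    ## not the alias, shows whether the private DNS zone answered.        ##
    [pscustomobject]@{
        HostName       = $HostName
        ViaPrivateLink = [bool]($cnames -like '*.privatelink.azurewebsites.net')
        Addresses      = $ips -join ', '
        AllPrivate     = ($ips.Count -gt 0) -and ($public.Count -eq 0)
        TcpReachable   = $tcp.TcpTestSucceeded
        ConnectedTo    = "$($tcp.RemoteAddress)"
    }
}

## Replace mywebapp1979 with the name of your web app. ##
$check = Test-PrivateResolution -HostName 'mywebapp1979.azurewebsites.net'
$check | Format-List

if (-not ($check.ViaPrivateLink -and $check.AllPrivate)) {
    Write-Warning 'Name did not resolve to a private address through the privatelink zone.'
}
```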

Clean up resources

When no longer needed, you can use the Remove-AzResourceGroup command to remove the resource group, virtual network, and the remaining resources.

Remove-AzResourceGroup -Name 'CreatePrivateEndpointQS-rg'

Next steps

For more information about the services that support private endpoints, see:

What is Azure Private Link?

Article information

Author: Merrill Bechtelar CPA

Last Updated: 11/27/2022
