Link resources between different Azure Accounts using Microsoft Secure Backbone Network

Waq Ahmed
5 min read · Dec 17, 2021

We recently ran into a problem: a customer asked for private access to resources in our Azure account, with the extra requirement that the data must never leave the Microsoft network (it was sensitive). Most of you might think that linking a resource to a resource sitting in a different Azure tenant is a simple task. The most common approaches are listed below.

  • VNET Peering — the two address spaces must not overlap, peering exposes the whole virtual network at the network layer rather than the single service you want to share, and across tenants it needs permissions on both virtual networks. What if the customer's VNET overlaps with yours? 😕 😵
  • IPSec Tunnel — a VPN gateway does give you an encrypted tunnel, but it terminates on public IP addresses, so you are relying on IPsec rather than on the traffic staying inside the Microsoft backbone, and that may not satisfy the customer's data-sensitivity requirement 😑

There may be other ways; we settled on Azure Private Link Service to solve this use case.

Azure Private Link

Azure Private Link lets you reach Azure PaaS services (for example Azure Storage and SQL Database) and customer-owned or partner services hosted in Azure over a private endpoint in your own virtual network. Both halves are generally available: the Private Endpoint on the consumer side, and the Private Link Service (your service placed behind a Standard Load Balancer) on the provider side.

Azure Private Endpoint

A private endpoint is a network interface that takes a private IP address from your virtual network. That interface connects you privately to a service powered by Azure Private Link; by creating a private endpoint you effectively bring the service into your virtual network, and traffic between the endpoint and the service travels the Microsoft backbone rather than the public Internet.

Implementation

The fun part begins here. Microsoft has good documentation on this, but it took me hours to work through it, so I wrote this post to explain the flow.

As shown in the figure above, we have two different Azure accounts. The left VNET represents the customer's Azure account and the right one represents the service provider's account (in this case, us).

Create an internal Standard Load Balancer and attach to its backend pool the VM running the custom web/app you want to expose to the customer. Private Link Service only works with the Standard SKU, and the load balancer needs a frontend IP configuration inside your VNET. I'm not going into load balancer setup here; see Microsoft's documentation if you are not familiar with it.

Set up the Azure Private Link Service: in the Azure portal search for Private Link, open Private Link services and click Create.

On the first page select the subscription, region and name, then click Next. The Private Link Service uses the load balancer to route incoming traffic to the resources in its backend pool, so from the drop-down select the load balancer created in step 1 and its frontend IP configuration, then select the VNET and the subnet that will supply the service's source NAT addresses (the subnet where the resources live works, but a dedicated subnet is cleaner). Every customer connection is translated to an address from that subnet before it reaches your backend.

On the next page, under Access security, choose Restricted by subscription and enter the customer's subscription ID; only that subscription can then discover the service and request a connection. Click Review + create. The Private Link Service now exists inside the service provider's Azure tenant, and its overview page shows an alias, which is the string the customer needs next.
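The provider side of the three steps above, as an added Bicep template that is not the author's code: a Standard internal load balancer, a dedicated source NAT subnet, and the Private Link Service bound to the load balancer frontend and visible only to one customer subscription. All names, address ranges and the customer subscription ID are assumptions; the app VM that joins the backend pool is left out.

```bicep
// Added example, not the author's code: provider side of the procedure above.
// All names, prefixes and the customer subscription ID are assumptions.
targetScope = 'resourceGroup'

param location string = resourceGroup().location

@description('Customer subscription allowed to see and request the service (assumed placeholder)')
param customerSubscriptionId string = '00000000-0000-0000-0000-000000000000'

// The provider address space never has to match the customer VNET (assumed ranges).
param vnetPrefix string = '10.50.0.0/16'
param backendSubnetPrefix string = '10.50.1.0/24'
param natSubnetPrefix string = '10.50.2.0/24'

var lbName = 'ilb-app'

resource vnet 'Microsoft.Network/virtualNetworks@2023-04-01' = {
  name: 'vnet-provider'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ vnetPrefix ] }
    subnets: [
      {
        name: 'snet-backend'
        properties: { addressPrefix: backendSubnetPrefix }
      }
      {
        // Source NAT subnet: every customer connection is translated to an IP
        // from here before it reaches the backend. Network policies must be off.
        name: 'snet-pls-nat'
        properties: {
          addressPrefix: natSubnetPrefix
          privateLinkServiceNetworkPolicies: 'Disabled'
        }
      }
    ]
  }
}

// Step 1: internal load balancer. Private Link Service only fronts the Standard SKU.
// The app VM joins 'be-app' through its NIC ipConfiguration (not shown here).
resource ilb 'Microsoft.Network/loadBalancers@2023-04-01' = {
  name: lbName
  location: location
  sku: { name: 'Standard' }
  properties: {
    frontendIPConfigurations: [
      {
        name: 'fe-internal'
        properties: {
          privateIPAllocationMethod: 'Dynamic'
          subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, 'snet-backend') }
        }
      }
    ]
    backendAddressPools: [ { name: 'be-app' } ]
    probes: [
      {
        name: 'hp-tcp443'
        properties: { protocol: 'Tcp', port: 443, intervalInSeconds: 5, numberOfProbes: 2 }
      }
    ]
    loadBalancingRules: [
      {
        name: 'lbr-https'
        properties: {
          frontendIPConfiguration: { id: resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', lbName, 'fe-internal') }
          backendAddressPool: { id: resourceId('Microsoft.Network/loadBalancers/backendAddressPools', lbName, 'be-app') }
          probe: { id: resourceId('Microsoft.Network/loadBalancers/probes', lbName, 'hp-tcp443') }
          protocol: 'Tcp'
          frontendPort: 443
          backendPort: 443
          idleTimeoutInMinutes: 4
        }
      }
    ]
  }
}

// Steps 2-3: the Private Link Service, bound to the load balancer frontend and
// visible only to the customer subscription ("Restricted by subscription").
resource pls 'Microsoft.Network/privateLinkServices@2023-04-01' = {
  name: 'pls-app'
  location: location
  properties: {
    loadBalancerFrontendIpConfigurations: [
      { id: resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', ilb.name, 'fe-internal') }
    ]
    ipConfigurations: [
      {
        name: 'nat-ipconfig-1'
        properties: {
          primary: true
          privateIPAllocationMethod: 'Dynamic'
          privateIPAddressVersion: 'IPv4'
          subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, 'snet-pls-nat') }
        }
      }
    ]
    visibility: { subscriptions: [ customerSubscriptionId ] }
    // Empty auto-approval list: every endpoint request waits for a manual Approve/Reject.
    autoApproval: { subscriptions: [] }
    // The backend only sees the NAT IP; enable this (and parse PROXY v2 in the app)
    // if it needs the real client address.
    enableProxyProtocol: false
  }
}

// The alias is what the customer pastes into "Connect by resource ID or alias".
output privateLinkServiceAlias string = pls.properties.alias
```

Keeping the auto-approval list empty is deliberate: visibility decides who may ask, approval decides who gets in, and you want a human (or a pipeline) checking the requesting subscription before a connection goes live.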

Create the endpoint: ask the customer to create a private endpoint in the subscription you allowed on the Private Link Service; this raises an approval request. In the Azure portal go to Private endpoints, click Create, select the subscription, resource group and region, give the endpoint a name and click Next. Under Resource choose Connect to an Azure resource by resource ID or alias and paste the alias of the Private Link Service that the service provider created in their tenant.

Once the request is submitted, the service provider sees it under Private endpoint connections on the Private Link Service and can Approve or Reject it. Until it is approved the endpoint stays in the Pending state and carries no traffic.
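The customer side of the two steps above, as an added Bicep template that is not the author's code, deployed in the customer's own subscription: a private endpoint that requests a connection to the provider's alias. The alias value, the VNET and subnet names are assumptions, and the subnet is expected to already exist.

```bicep
// Added example, not the author's code: customer side of the procedure above.
// Alias value and VNET/subnet names are assumptions; the subnet must already exist.
targetScope = 'resourceGroup'

param location string = resourceGroup().location

@description('Alias shown on the provider Private Link Service (assumed placeholder value)')
param providerAlias string = 'pls-app.00000000-0000-0000-0000-000000000000.westeurope.azure.privatelinkservice'

param customerVnetName string = 'vnet-customer'
param endpointSubnetName string = 'snet-private-endpoints'

// The customer VNET is not created here; its address space may freely overlap
// with the provider VNET, because only the endpoint IP is ever routed.
resource customerVnet 'Microsoft.Network/virtualNetworks@2023-04-01' existing = {
  name: customerVnetName
}

resource pe 'Microsoft.Network/privateEndpoints@2023-04-01' = {
  name: 'pe-provider-app'
  location: location
  properties: {
    subnet: {
      id: resourceId('Microsoft.Network/virtualNetworks/subnets', customerVnet.name, endpointSubnetName)
    }
    // Cross-tenant connection by alias: this is a manual connection, so the
    // provider has to approve it before the endpoint carries traffic.
    manualPrivateLinkServiceConnections: [
      {
        name: 'to-provider-pls'
        properties: {
          privateLinkServiceId: providerAlias
          requestMessage: 'Customer request for private access to the app'
        }
      }
    ]
  }
}

// NIC that holds the private IP the customer will connect to once approved.
output endpointNicId string = pe.properties.networkInterfaces[0].id
```

Two things the template cannot do for you: the provider approves the pending request on their side (in the portal, or with `az network private-link-service connection update --connection-status Approved` on the connection shown under the service), and because a custom Private Link Service has no built-in private DNS zone, the customer has to publish their own DNS name pointing at the endpoint's private IP if the app relies on hostnames.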

After approval the connection is established. The endpoint has its own network interface and private IP address in the customer's VNET; requests to that IP travel over the Microsoft backbone to the Private Link Service, which hands them to the internal load balancer. A few points worth knowing: traffic can only be initiated from the customer side, never from yours; the Private Link Service source NATs every connection, so your backend sees an address from the service's NAT subnet rather than the customer's IP (enable TCP Proxy Protocol v2 on the service if the app must know the real client address); and because the customer's address space is never routed into yours, overlapping IP ranges are not a problem.

The customer can now connect to their local endpoint IP address, and the request is passed to the internal load balancer through the Private Link Service sitting in a different subscription 🆒

If you liked this article, please hit the clap icon 👏 . Also, if you know another way to achieve this, I would love to hear about it ❤️ .

Before closing, just a simple question: how about connecting two different PaaS services (Storage Account, SQL Database, Web Apps, etc.) over the Microsoft private backbone network ❓ If you want to know the answer, stay tuned; I will explain that in another post 😏


Waq Ahmed

I’m a DevOps Engineer with a keen interest and experience in cloud computing, Docker, Kubernetes, and infrastructure provisioning tools.