This article explains how you can use Azure Private Link to restrict access for managing resources in your subscriptions.
Private links enable you to access Azure services over a private endpoint in your virtual network. When you combine private links with Azure Resource Manager’s operations, you block users who aren’t at the specific endpoint from managing resources. If a malicious user gets credentials to an account in your subscription, that user can’t manage the resources without being at the specific endpoint.
Private link provides the following security benefits:
- Private access – users can manage resources from a private network through a private endpoint.
- Data exfiltration prevention – users are denied access to resources that are outside the scope of the private link.
Note
Azure Kubernetes Service (AKS) currently doesn’t support the ARM private endpoint implementation.
Understand architecture
For this release, you can only apply private link management access at the level of the root management group. This limitation means private link access is applied across your tenant.
There are two resource types you’ll use when implementing management through a private link.
- Resource management private link (Microsoft.Authorization/resourceManagementPrivateLinks)
- Private link association (Microsoft.Authorization/privateLinkAssociations)
The following image shows how to construct a solution that restricts access for managing resources.
The private link association extends the root management group. The private link association and the private endpoints reference the resource management private link.
Workflow
To set up a private link for resources, use the following steps. The steps are described in greater detail later in this article.
- Create the resource management private link.
- Create a private link association. The private link association extends the root management group. It also references the resource ID for the resource management private link.
- Add a private endpoint that references the resource management private link.
After you complete those steps, you can manage the Azure resources within the hierarchy of the scope from a private endpoint that is connected to the subnet.
You can monitor access to the private link. For more information, see Logging and monitoring.
Required permissions
To set up the private link for resource management, you need the following access:
- Owner on the subscription. This access is needed to create the resource management private link resource.
- Owner or Contributor at the root management group. This access is needed to create the private link association resource.
- The Global Administrator for the Azure Active Directory doesn’t automatically have permission to assign roles at the root management group. To enable creating resource management private links, the Global Administrator must have permission to read the root management group and must elevate access to gain User Access Administrator permission on all subscriptions and management groups in the tenant. After getting the User Access Administrator permission, the Global Administrator must grant Owner or Contributor permission at the root management group to the user who creates the private link association.
Create resource management private link
To create the resource management private link, send the following request:
PUT
https://management.azure.com/subscriptions/{subscriptionID}/resourceGroups/{resourceGroupName}/providers/Microsoft.Authorization/resourceManagementPrivateLinks/{rmplName}?api-version=2020-05-01
In the request body, include the location you want for the resource:
{
  "location": "{region}"
}
The operation returns:
{
  "id": "/subscriptions/{subID}/resourceGroups/{rgName}/providers/Microsoft.Authorization/resourceManagementPrivateLinks/{name}",
  "location": "{region}",
  "name": "{rmplName}",
  "properties": {
    "privateEndpointConnections": []
  },
  "resourceGroup": "{rgName}",
  "type": "Microsoft.Authorization/resourceManagementPrivateLinks"
}
Note the ID that is returned for the new resource management private link. You’ll use it for creating the private link association.
Create private link association
To create the private link association, use:
PUT
https://management.azure.com/providers/Microsoft.Management/managementGroups/{managementGroupId}/providers/Microsoft.Authorization/privateLinkAssociations/{GUID}?api-version=2020-05-01
In the request body, include:
{
  "properties": {
    "privateLink": "/subscriptions/{subscription-id}/resourceGroups/{rg-name}/providers/Microsoft.Authorization/resourceManagementPrivateLinks/{rmplName}",
    "publicNetworkAccess": "enabled"
  }
}
The operation returns:
{
  "id": "{plaResourceId}",
  "name": "{plaName}",
  "properties": {
    "privateLink": "{rmplResourceId}",
    "publicNetworkAccess": "Enabled",
    "tenantId": "{tenantId}",
    "scope": "/providers/Microsoft.Management/managementGroups/{managementGroupId}"
  },
  "type": "Microsoft.Authorization/privateLinkAssociations"
}
Add private endpoint
This article assumes you already have a virtual network. In the subnet that will be used for the private endpoint, you must turn off private endpoint network policies. If you haven’t turned off private endpoint network policies, see Disable network policies for private endpoints.
To create a private endpoint, use the following operation:
PUT
https://management.azure.com/subscriptions/{subscriptionID}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/privateEndpoints/{privateEndpointName}?api-version=2020-11-01
In the request body, set the privateLinkServiceId to the ID of your resource management private link. The groupIds must contain ResourceManagement. The location of the private endpoint must be the same as the location of the subnet.
{
  "location": "westus2",
  "properties": {
    "privateLinkServiceConnections": [
      {
        "name": "{connection-name}",
        "properties": {
          "privateLinkServiceId": "/subscriptions/{subID}/resourceGroups/{rgName}/providers/Microsoft.Authorization/resourceManagementPrivateLinks/{name}",
          "groupIds": [
            "ResourceManagement"
          ]
        }
      }
    ],
    "subnet": {
      "id": "/subscriptions/{subID}/resourceGroups/{rgName}/providers/Microsoft.Network/virtualNetworks/{vnet-name}/subnets/{subnet-name}"
    }
  }
}
The next step varies depending on whether you’re using automatic or manual approval. For more information about approval, see Access to a private link resource using approval workflow.
The response includes the approval state of the connection:
"privateLinkServiceConnectionState": {
  "actionsRequired": "None",
  "description": "",
  "status": "Approved"
},
If your request is automatically approved, you can continue to the next section. If your request requires manual approval, wait for the network admin to approve your private endpoint connection.
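The three requests above chain on one value: the resource ID returned by the first PUT feeds the private link association and the private endpoint. The following script, an added example that is not part of this article or any Azure SDK, builds each request from that ID, refuses an ID of the wrong resource type or a private endpoint whose location differs from the subnet's, and reads the approval state out of a private endpoint response. The function names, the ID pattern check and the sample response are assumptions made for the example.

```python
import re

# Added example (not Azure documentation code): builds the ARM requests for the
# resource management private link workflow and reads the approval state.
ARM = "https://management.azure.com"
RMPL_ID_RE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/"
    r"Microsoft\.Authorization/resourceManagementPrivateLinks/[^/]+$")

def rmpl_request(sub_id, rg, rmpl_name, region):
    """Step 1: PUT that creates the resource management private link."""
    url = (f"{ARM}/subscriptions/{sub_id}/resourceGroups/{rg}/providers/"
           f"Microsoft.Authorization/resourceManagementPrivateLinks/{rmpl_name}"
           "?api-version=2020-05-01")
    return "PUT", url, {"location": region}

def pla_request(mg_id, rmpl_id, association_id, public_network_access="enabled"):
    """Step 2: PUT on the root management group that references the RMPL id."""
    if not RMPL_ID_RE.match(rmpl_id):  # fail early if the wrong resource id is wired in
        raise ValueError(f"not a resourceManagementPrivateLinks id: {rmpl_id}")
    url = (f"{ARM}/providers/Microsoft.Management/managementGroups/{mg_id}/providers/"
           f"Microsoft.Authorization/privateLinkAssociations/{association_id}"
           "?api-version=2020-05-01")
    body = {"properties": {"privateLink": rmpl_id,
                           "publicNetworkAccess": public_network_access}}
    return "PUT", url, body

def private_endpoint_request(sub_id, rg, pe_name, region, subnet_id, subnet_region,
                             rmpl_id, conn_name):
    """Step 3: PUT that creates the private endpoint in the subnet."""
    if region.lower() != subnet_region.lower():  # endpoint must sit where the subnet is
        raise ValueError("private endpoint location must match the subnet location")
    url = (f"{ARM}/subscriptions/{sub_id}/resourceGroups/{rg}/providers/"
           f"Microsoft.Network/privateEndpoints/{pe_name}?api-version=2020-11-01")
    body = {"location": region, "properties": {
        "privateLinkServiceConnections": [{"name": conn_name, "properties": {
            "privateLinkServiceId": rmpl_id, "groupIds": ["ResourceManagement"]}}],
        "subnet": {"id": subnet_id}}}
    return "PUT", url, body

def connection_status(pe_response):
    """Approval status and actionsRequired of the first connection in a PE response."""
    conns = pe_response["properties"]["privateLinkServiceConnections"]
    state = conns[0]["properties"]["privateLinkServiceConnectionState"]
    return state["status"], state.get("actionsRequired", "None")

# Constructed sample (not captured from Azure) of the approval block in a PE response.
SAMPLE_PE_RESPONSE = {"properties": {"privateLinkServiceConnections": [{"properties": {
    "privateLinkServiceConnectionState": {"actionsRequired": "None", "description": "",
                                          "status": "Approved"}}}]}}
```

Send each returned (method, url, body) with an authenticated ARM client; if `connection_status` returns anything other than "Approved", the connection still needs the network admin's manual approval.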
Next steps
To learn more about private links, see Azure Private Link.