Azure Private Links - VNETS and Subnets

Freestone 10 Reputation points
2025-10-20T09:50:05.6133333+00:00

Hello.

I'm hoping for some clarification on private links in MS Azure, primarily around the vnets and subnets bit. I have 1 vnet and 5 subnets.

Do I need to create private links for each subnet I have in Azure? I want to restrict public access from all networks for my Azure Disks. To do this I need to enable Private Access and Disk Access Resources, and doing so requires me to create private links. My question is: do I need to create disk accesses and private links for each subnet?

Any help would be appreciated.

Azure Private Link

1 answer

  1. Marcin Policht 67,980 Reputation points MVP Volunteer Moderator
    2025-10-20T12:35:23.67+00:00
    1. Private Links vs Private Endpoints
    • Private Link is the service that allows private connectivity to Azure resources like Azure Disks, Storage Accounts, SQL, etc.
    • Private Endpoint is the network interface in your VNet/subnet that connects privately to that service.

    So, when you say “create private links,” technically you are creating private endpoints in your subnet that use the private link to access the resource.

    2. How Private Endpoints work with VNets/subnets
    • One private endpoint is tied to a single subnet.
    • Traffic from resources in that subnet to the service goes over the private link.
    • Other subnets in the same VNet cannot automatically use that private endpoint; if you need private access from another subnet, you typically create another private endpoint in that subnet.

    There's an exception: if you enable private DNS zones correctly and your resources in other subnets route traffic to the private endpoint, they can resolve the private IP and use the same endpoint. This is often the preferred approach to avoid creating multiple endpoints unnecessarily.

    3. Disk access and Private Endpoint requirements

    For Azure Disks (managed disks):

    1. Enable Private Access on the Disk resource.
    2. Create a Disk Access resource (this is a kind of service container for private endpoints).
    3. Create Private Endpoints under that Disk Access to connect your VNet.

    You do not need one Disk Access per subnet. One Disk Access can host multiple private endpoints. You only need one private endpoint per subnet if you want resources in that subnet to have private access to the disk.

    So, for your setup:

    • 1 VNet with 5 subnets
    • 1 Disk Access resource is enough for all disks
    • You only need private endpoints in the subnets that will access the disks. Subnets with no need to access the disks don't need a private endpoint.

    4. Practical recommendation
    • Create one Disk Access resource for all your Azure Disks.
    • Decide which subnets actually need to access these disks privately.
    • Create a private endpoint in each of those subnets pointing to the Disk Access resource.
    • Link a private DNS zone for automatic name resolution to the private IPs. This allows resources in other subnets to resolve the disk endpoint if you want to centralize access.

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin
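The layout the answer recommends (one Disk Access for all disks, one private endpoint per subnet that needs access, one private DNS zone linked to the whole VNet, disks set to private access only), written out as an added Bicep example that is not from the thread. The VNet name, the subnet names, the disk name and the SKU are assumed placeholders.

```bicep
param location string = resourceGroup().location
param vnetName string = 'vnet-prod'                // assumed name
param subnetsNeedingAccess array = ['app', 'data'] // assumed: 2 of the 5 subnets need the disks

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = { name: vnetName }
// One Disk Access resource serves every disk and hosts all the private endpoints.
resource diskAccess 'Microsoft.Compute/diskAccesses@2023-04-02' = { name: 'da-disks', location: location }
// Disk Access endpoints are resolved through the privatelink.blob.core.windows.net zone.
resource dnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { name: 'privatelink.blob.core.windows.net', location: 'global' }
// Linking the zone to the whole VNet lets subnets without their own endpoint
// resolve the private IP and reuse an existing endpoint.
resource dnsLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: dnsZone
  name: '${vnetName}-link'
  location: 'global'
  properties: { registrationEnabled: false, virtualNetwork: { id: vnet.id } }
}
// One private endpoint per subnet that must reach the disks privately, all on the same Disk Access.
resource pe 'Microsoft.Network/privateEndpoints@2023-05-01' = [for s in subnetsNeedingAccess: {
  name: 'pe-disks-${s}'
  location: location
  properties: {
    subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnetName, s) }
    privateLinkServiceConnections: [{
      name: 'disks'
      properties: { privateLinkServiceId: diskAccess.id, groupIds: ['disks'] }
    }]
  }
}]
// Registers each endpoint's private IP in the zone automatically.
resource peDns 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = [for (s, i) in subnetsNeedingAccess: {
  parent: pe[i]
  name: 'default'
  properties: { privateDnsZoneConfigs: [{ name: 'blob', properties: { privateDnsZoneId: dnsZone.id } }] }
}]
// A disk that refuses public access and only accepts traffic through the Disk Access.
resource disk 'Microsoft.Compute/disks@2023-04-02' = {
  name: 'disk-data01'
  location: location
  sku: { name: 'Premium_LRS' }
  properties: {
    creationData: { createOption: 'Empty' }
    diskSizeGB: 128
    networkAccessPolicy: 'AllowPrivate'
    diskAccessId: diskAccess.id
    publicNetworkAccess: 'Disabled'
  }
}
```

Adding a subnet to `subnetsNeedingAccess` creates one more endpoint on the same Disk Access; the other subnets keep resolving the disk endpoint through the VNet-wide zone link without an endpoint of their own.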

