Microsoft Security Private Link for Microsoft Defender for Cloud (Preview)

Microsoft Security Private Link allows workloads in your virtual network to connect to Microsoft Defender for Cloud. You enable this connection by creating a Security Private Link resource in your subscription and private endpoints in your Azure virtual networks that connect to it.

With private endpoints, all security-related traffic from your workloads traverses the Microsoft backbone network without exposure to the public internet. This includes telemetry from Defender agents, sensors, add-ons, and extensions.

Supported scenarios

Microsoft Security Private Link supports the following scenarios:

• Network-isolated environments
  Protect workloads in isolated or restricted networks where outbound internet access is limited or not permitted.

• Hybrid and on-premises connectivity
  Securely connect on-premises or hybrid environments to Microsoft Defender for Cloud by using VPN or ExpressRoute with private peering.

Connectivity architecture

Microsoft Security Private Link uses Azure Private Endpoints to establish private connectivity between your virtual network and Defender for Cloud. This allows workloads to connect to Defender for Cloud endpoints using their existing fully qualified domain names (FQDNs) and authorization model.

How it works

• You create a private endpoint in your virtual network and assign it an IP address from the virtual network address space.

• All traffic between your workloads and Defender services flows through the Microsoft backbone network, never traversing the public internet.

• Multiple Defender services can share a single Security Private Link resource, simplifying network architecture.

Roles and permissions

Microsoft Security Private Link uses Azure role-based access control (RBAC) to manage access to the Security Private Link resource and private endpoint connections. The following roles are typically involved:

• Private Link resource owner
  Owns the Microsoft Security Private Link resource and can approve, reject, or delete private endpoint connection requests.

• Network Contributor
  Can create private endpoints within a virtual network.

• Security Admin
  Can approve, reject, or delete private endpoint connections but can't create private endpoints in a virtual network unless extra network permissions are granted.

These roles can be assigned to different users or teams to separate network management from security governance responsibilities.

Approval workflow

Private endpoint connections to Microsoft Security Private Link resources follow the standard Azure Private Link approval workflow.

When a private endpoint is created, a connection request is sent to the owner of the Microsoft Security Private Link resource. The resource owner can approve or reject the request from the Private endpoint connections tab in the Azure portal.

If the user requesting the private endpoint is also an owner of the Security Private Link, the request is automatically approved.

Approved and pending connections can be managed at any time through the Private Link resource in the Azure portal.

DNS configuration

When you create a private endpoint, a private DNS zone is provisioned by default that corresponds to the Defender for Cloud private Link subdomain *.defender.microsoft.com.

When workloads connect to Defender service endpoints from within the virtual network with private endpoints configured, the FQDN resolves to the private IP address of the endpoint. Connections from outside the virtual network (if public access is still enabled) resolve to the public endpoint.

Each Microsoft Defender for Cloud service uses specific domain endpoints. For example:

If you're using a custom DNS server, configure delegation or A records to resolve FQDNs to the private endpoint IP address.

Connectivity comparison with Microsoft Security Private Link

Next steps

• Configure private endpoints with Microsoft Security Private Link

• Learn more about Azure Private Link.