
Configure private endpoints with Microsoft Security Private Link (Preview)

Use a private endpoint with Microsoft Security Private Link to connect workloads in your private network to Microsoft Defender for Cloud over Azure Private Link.

Note

Microsoft Security Private Link isn't supported in sovereign cloud regions, such as Azure Government and Azure operated by 21Vianet.

Prerequisites

Before you begin, make sure that:

You can create a private endpoint while creating a Security Private Link resource in the Azure portal.

If you already have a Security Private Link resource, create a private endpoint for an existing Security Private Link resource.

  1. Sign in to the Azure portal.

  2. Select Create a resource.

  3. Search for Security Private Link.

  4. Under Security Private Link select Create.

    Screenshot of the Azure Marketplace showing the Security Private Link tile with the Create button.

  5. Select a subscription and an existing resource group, or create a new one.

  6. If needed, select a resource group location.

  7. Enter a name.

  8. Select Next: Networking.

    Note

    Microsoft Security Private Link currently supports the containers sub-resource, which is used by the Defender for Containers plan.

  9. Select Create a private endpoint.

  10. Enter a name and a location.

    Screenshot of the Create Security Private Link wizard on the Networking tab, showing the Create a private endpoint pane with sub-resource and Private DNS integration.

  11. Select containers as the target sub-resource.

  12. Select the virtual network and subnet.

  13. Enable Private DNS integration to create a private DNS zone automatically.

  14. Select Add.

  15. Select Next: Tags and add any required tags.

  16. Select Review + create.

  17. Select Create.

If you already have a Security Private Link resource, you can create a private endpoint separately and connect it to that resource.

  1. Sign in to the Azure portal.

  2. Navigate to Network foundation > Private Link > Private endpoints.

  3. Select Create.

    Screenshot of the Network foundation Private endpoints page, showing the Create button.

  4. Select a subscription and an existing resource group, or create a new one.

  5. Enter a name and network interface name.

  6. Select a region.

  7. Select Next: Resource.

    Note

    Microsoft Security Private Link currently supports the containers sub-resource, which is used by the Defender for Containers plan.

  8. Select Connect to an Azure resource in my directory.

  9. Select a subscription.

  10. Select Microsoft.Security/privateLinks as the resource type.

  11. Select the Security Private Link resource for Defender for Cloud.

  12. Select containers as the target sub-resource.

  13. Select Next: Virtual Network.

  14. Select the virtual network and the subnet.

  15. Leave the private IP address allocation set to Dynamic.

  16. Select Next: DNS.

  17. Enable Integrate with private DNS zone and verify that the private DNS zone is populated automatically.

  18. Select Next: Tags.

  19. Add any required tags.

  20. Select Review + create.

  21. Select Create.

Approve the private endpoint connection

When the private endpoint is created, a connection request is sent to the Security Private Link resource.

  • If the requester is an Owner, the connection is approved automatically.

  • Otherwise, an Owner must approve the request from Private endpoint connections in the Azure portal.

Validate the private endpoint connection

From a workload connected to the virtual network, run:

nslookup api.cloud.defender.microsoft.com

The FQDN should resolve to a private IP address under privatelink.cloud.defender.microsoft.com.
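The check described above, scripted so it can be automated from a Linux workload in the virtual network. This is an added example, not Microsoft's code: it assumes Linux-style nslookup output, and the canonical name api.privatelink.cloud.defender.microsoft.com and the addresses in the sample outputs are constructed.

```shell
#!/bin/sh
# Added example (not Microsoft's code): parse Linux nslookup output for the
# Defender for Cloud FQDN and confirm the answer went through the privatelink
# zone and landed on an RFC 1918 address. Sample outputs below are constructed.

FQDN="api.cloud.defender.microsoft.com"
PRIVATELINK_ZONE="privatelink.cloud.defender.microsoft.com"

# Succeed only for dotted-quad IPv4 addresses in 10/8, 172.16/12 or 192.168/16.
is_private_ipv4() {
  case "$1" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  set -- $(printf '%s' "$1" | tr '.' ' ')
  [ "$#" -eq 4 ] || return 1
  for o in "$@"; do [ "$o" -le 255 ] || return 1; done
  [ "$1" -eq 10 ] && return 0
  [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0
  [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && return 0
  return 1
}

# Read nslookup output on stdin. Returns 0 only if the FQDN is a CNAME into the
# privatelink zone AND the first answer address is private; a privatelink CNAME
# that ends on a public address means the private DNS zone is not linked to this VNet.
check_privatelink_output() {
  out=$(cat)
  printf '%s\n' "$out" | grep 'canonical name = ' | grep -qF "$PRIVATELINK_ZONE" || return 1
  # The resolver's own "Address: x.x.x.x#53" line is skipped; answer lines carry no port.
  addr=$(printf '%s\n' "$out" | grep -v '#53' | awk '/^Address:/ { print $2; exit }')
  [ -n "$addr" ] || return 1
  is_private_ipv4 "$addr"
}

# Live check to run on a workload attached to the virtual network.
check_live() { nslookup "$FQDN" | check_privatelink_output; }

# Constructed sample: private DNS integration working (endpoint IP 10.1.2.4).
sample_private_output() {
  printf 'Server:\t\t168.63.129.16\nAddress:\t168.63.129.16#53\n\nNon-authoritative answer:\n'
  printf '%s\tcanonical name = api.%s.\nName:\tapi.%s\nAddress: 10.1.2.4\n' \
    "$FQDN" "$PRIVATELINK_ZONE" "$PRIVATELINK_ZONE"
}

# Constructed sample: privatelink CNAME present but the zone is not linked, so a
# public address comes back (20.0.0.1 is a placeholder, not a real endpoint).
sample_unlinked_output() {
  sample_private_output | sed 's/^Address: 10\.1\.2\.4$/Address: 20.0.0.1/'
}
```

Run `check_live` on the workload; a non-zero exit means traffic to the FQDN would leave the private network and the DNS integration from step 13 or 17 should be revisited.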