How to: Set up Azure Private Link

Overview

As sensitive data travels from Azure to Unqork, it’s important to keep that data secure. Using Azure Private Link ensures your traffic isn't exposed to the public internet. Azure Private Link connects two Virtual Networks (VNets) in different Azure accounts. The first is a VNet in your Azure account, and the second is the dedicated VNet where your Unqork environment lives.

If your Azure resources are connected to on-premises networks, the Unqork services can also reach services in your data center. Similarly, Unqork services can reach services in your other VNets if your VNets are peered.

You can think of Azure Private Link as a secure tunnel. It keeps your traffic safe because the traffic never traverses the public internet. Typically, services communicate by traveling the internet from one public endpoint to another. With Azure Private Link, communication travels between your endpoint service and a VNet endpoint. This happens in your hosted Unqork environment. The endpoint service using Private Link works with a network load balancer (NLB). The endpoint service and NLB act as Unqork's entry point to your infrastructure. You don’t need to use any special hardware or software to make this happen since you create the VNet endpoint in Azure.

What You'll Learn

In this how-to guide, you’ll learn what Azure Private Link is, and how to set up and connect it to Unqork.

How Azure Private Link Works with Unqork

Unqork acts as the "service consumer," and your endpoint service acts as the "service owner." Unqork initiates the connection to a resource in your cloud account. After Unqork initiates the connection, the service provider can respond to requests from Unqork. You'll need to generate the private domain using Unqork. Then, you'll make an external service integration. Lastly, you'll use a Plug-In as with other external APIs. In Azure, in your VNet (in the same region as your Unqork environment), you’ll set up the endpoint service. That endpoint service is then configured to forward traffic to the NLB.

How to Set Up Azure Private Link

To set up Azure Private Link, you'll first need to configure settings in Azure. Then, you’ll set up a Plug-In component in Unqork and connect to the service.

What You Need

In your Azure account, you need:

  • IAM role privileges to create and manage VNets, endpoints, and endpoint services.

  • A VNet in the same region as the Unqork environment.

  • VNet subnets where the target resources reside.

  • An endpoint service (the "Private Link").

  • The endpoint service name from Azure.

In Unqork, you need:

  • 1 Initializer component

  • 1 Plug-In component

Create an Azure Private Link (In Azure)

First, you'll set everything up on the Azure side.

Create the VNet, NAT Gateway, load balancer, the Private Link Service, and the Private Endpoint

Let's set up your VNet, NAT gateway, load balancer, the Private Link Service, and the private endpoint.

1. In the Azure portal, select or create a VNet.
2. Configure the VNet to include subnet(s) in each Azure subscription.
3. Select or create the NAT gateway.
4. Select or create an Azure Virtual Machine (VM).

NOTE  The VM must be in the same region as the VNet. The VM must be on the same network as the VNet and the subnet(s).

5. Select or create a load balancer.
6. Create the Private Link service.
7. Create the private endpoint.

Copy the Azure Endpoint Service Name

Next, copy the Azure endpoint service name that you created. You'll need this to set up the Azure Private Link connection.

NOTE  The endpoint service configuration makes the Private Link in Azure.

1. In Azure, go to the Overview tab.
2. Select the endpoint service that you created in the Create the VNet, NAT Gateway, load balancer, the Private Link Service, and the Private Endpoint section.
3. Copy the Alias. This endpoint service acts as the Azure Private Link to the Unqork environment. You'll enter this service name in Unqork, in PrivateLink Administration.

Connecting to Azure Private Link from Unqork

Now you’re ready to start connecting Unqork to Azure Private Link. There are four steps:

1. Add your Azure Private Link Service under PrivateLink Administration.
2. Finalize the Private Link Connection in Azure.
3. Create an Azure Private Link service in Services Administration.
4. Configure a Plug-In to call your Azure Private Link service.

Adding an Azure Private Link Service in PrivateLink Administration (In Unqork) 

Here you'll create the Azure Private Link service in Unqork. Your Unqork application connects to your Azure resource with Azure Private Link.

1. Click the Settings drop-down in the top right of the Unqork Designer Platform.
2. Click Administration.
3. Select PrivateLink Administration under Integration.
4. Click Add PrivateLink. The Add PrivateLink window displays.

5. In the PrivateLink Friendly Name field, type a name for your Private Link, for example, myPrivateLinkService.
6. In the PrivateLink Service Name field, enter the alias you copied in the Copy the Azure Endpoint Service Name section.
7. In the PrivateLink Internal Name field, type a name for your internal domain, for example, my.private.link.
8. Click Add PrivateLink.

Finalizing the Azure Private Link Connection in Azure

You've set up the Azure Private Link Connection in Azure and Unqork. Now you’ll complete a couple more steps so the connection can transfer traffic.

1. In the Azure portal, in the Private link service section, click Private Endpoint Connections.
2. Next to the request you've just made through Unqork, select the checkbox, then click Approve.
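
As an added example (not Unqork's or Microsoft's code), the Python below reviews a Private Link service before the Approve step above: it flags auto-approval, open visibility, and any connection request that does not come from the subscription you expect. It assumes the JSON shape returned by `az network private-link-service show -o json`; the sample document, the `EXPECTED` subscription ID (assumed to be confirmed out of band) and the finding labels are constructed for illustration.

```python
import json

# Constructed sample shaped like `az network private-link-service show -o json`.
# All names, IDs and the alias are placeholders, not real resources.
SAMPLE = json.loads("""
{
  "name": "example-pls",
  "alias": "example-pls.00000000-0000-0000-0000-000000000000.eastus.azure.privatelinkservice",
  "visibility": {"subscriptions": ["*"]},
  "autoApproval": {"subscriptions": []},
  "privateEndpointConnections": [
    {"name": "vendor-pe.1111",
     "privateEndpoint": {"id": "/subscriptions/aaaaaaaa-0000-0000-0000-000000000001/resourceGroups/rg/providers/Microsoft.Network/privateEndpoints/vendor-pe"},
     "privateLinkServiceConnectionState": {"status": "Pending"}},
    {"name": "unknown-pe.2222",
     "privateEndpoint": {"id": "/subscriptions/bbbbbbbb-0000-0000-0000-000000000002/resourceGroups/rg/providers/Microsoft.Network/privateEndpoints/unknown-pe"},
     "privateLinkServiceConnectionState": {"status": "Pending"}}
  ]
}
""")
# Assumption: the consumer's subscription ID was confirmed out of band.
EXPECTED = {"aaaaaaaa-0000-0000-0000-000000000001"}

def subscription_of(resource_id):
    """Return the subscription segment of an Azure resource ID, or None."""
    parts = resource_id.strip("/").split("/")
    if len(parts) >= 2 and parts[0].lower() == "subscriptions":
        return parts[1].lower()
    return None

def review(pls, expected_subscriptions):
    """Return (finding, detail) tuples for a Private Link service document."""
    findings = []
    auto = (pls.get("autoApproval") or {}).get("subscriptions") or []
    if auto:  # these subscriptions skip the manual Approve step entirely
        findings.append(("auto-approval", ",".join(sorted(auto))))
    if "*" in ((pls.get("visibility") or {}).get("subscriptions") or []):
        findings.append(("open-visibility", pls.get("alias")))  # alias alone is enough to request
    for conn in pls.get("privateEndpointConnections") or []:
        status = (conn.get("privateLinkServiceConnectionState") or {}).get("status")
        sub = subscription_of((conn.get("privateEndpoint") or {}).get("id") or "")
        known = sub in expected_subscriptions
        if status == "Pending":
            findings.append(("pending-expected" if known else "pending-unexpected", conn.get("name")))
        elif status == "Approved" and not known:
            findings.append(("approved-unexpected", conn.get("name")))
    return findings

if __name__ == "__main__":
    print(*review(SAMPLE, EXPECTED), sep="\n")
```

Approve only the request reported as `pending-expected`; anything reported as `pending-unexpected` or `approved-unexpected` should be rejected or removed in the same Private Endpoint Connections view.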

Creating a Service Using Azure Private Link in Services Administration

The Azure Private Link configuration makes a connection, but you still need to reach the target resource or service. To do this, you’ll create a new integration under Services Administration.

1. Click the Settings drop-down in the top right of the Unqork Designer Platform.
2. Click Administration.
3. Select Services Administration, under Integration.
4. Enter a title for your service in the Service Title field. For example, myprivateapi.
5. Enter a name for your service in the Service Name field. For example, my-private-api.
6. Enter the DNS name in the Service protocol + host field. This is the URL shown under Private Link DNS Name in PrivateLink Administration, which you entered in the Adding an Azure Private Link Service in PrivateLink Administration section. For example, my.private.link.
7. Click Add Service.
8. Click Check Status to confirm the service is reachable via the Azure Private Link connection.

Configuring a Plug-In to Call your Azure Private Link Service

Next, let’s look at how to use a Plug-In component to call your Azure Private Link Service. Here, you’ll have your Plug-In make an external API call. You’ll also set up an Initializer to trigger the Plug-In component.

How you choose to execute the Plug-In depends on your use case’s needs. Common approaches include:

  • Using a Button component to trigger the Plug-In on button-click.

  • Using an Initializer component to trigger the Plug-In on page-load. This is a common option when using a remote execute to trigger an API module.

What You'll Need

For this configuration, you’ll need:

  • 1 Initializer component

  • 1 Plug-In component

Configure the Initializer Component

This Initializer component triggers the Plug-In component that you'll set up next.

1. Drag and drop an Initializer component onto your canvas.
2. Enter a Property ID and Canvas Label Text for your Initializer.
3. Select a Trigger Type.

TIP  The appropriate Trigger Type varies based on your use case needs. To trigger the Initializer on page-load, select New Submission or Edit Submission. New Submission triggers on page-load when no submission is present. Edit Submission triggers on page-load when a submission is present.

4. Complete the Outputs table as follows, using your Plug-In component's Property ID.

   Property ID                     Type       Value
   {your Plug-In's Property ID}    Trigger    GO

5. Click Save.

Configure the Plug-In Component

Now, you'll add a Plug-In component. This Plug-In makes the external API call that runs your Azure Private Link service.

1. On your canvas, drag and drop a Plug-In component.
2. Enter a Property ID and Canvas Label Text for your Plug-In.
3. Leave the Trigger Type set to Manual.
4. Complete the Inputs table.

NOTE  Your Inputs table is based on your Azure resource.

TIP  To learn more about configuring a Plug-In component’s Inputs table, search Plug-In Component in our In-Product Help.

5. Select External from the Service Type option.
6. Select your Azure Private Link service from the External Services drop-down.
7. Select a Request Type.

NOTE  The Request Type is based on the action you're performing.

8. Complete the Data Source URL value based on the Azure resource.
9. Click Save.

TIP  To learn more about configuring an external API call, search External APIs in our In-Product Help.

Great! You've now successfully created an Azure Private Link connection between Unqork and your Azure resource.
