Configure Private Endpoint network access to Azure Health Data Services de-identification service (preview)
Azure Private Link enables you to access Azure services over a private endpoint in your virtual network.
A private endpoint is a network interface that connects you privately and securely to an Azure service which supports Azure Private Link. The private endpoint uses a private IP address from your virtual network, effectively bringing the service into your virtual network. All traffic to the service is routed through the private endpoint, so no gateways, NAT devices, ExpressRoute or VPN connections, or public IP addresses are needed. Traffic between your virtual network and the service traverses the Microsoft backbone network, eliminating exposure from the public Internet. You can restrict connections to specific instances of an Azure service, giving you the highest level of granularity in access control.
For more information, see What is Azure Private Link?
Add a private endpoint using the Azure portal
Prerequisites
Important
Before enabling Private Endpoint access to your de-identification service (preview), you will need to create a support request to request access to this feature for your subscription. Create the request under Azure Health Data Services > General question > De-identification service > Configuration and management
- A de-identification service in your Azure subscription. If you don't have a de-identification service, follow the steps in Quickstart: Deploy the de-identification service.
- Owner or contributor permissions for the de-identification service.
Create a private endpoint
Follow the steps at Quickstart: Create a private endpoint by using the Azure portal.
- Instead of a webapp, create a private endpoint to a de-identification service (preview).
- When you reach Create a private endpoint, step 5, enter resource type Microsoft.HealthDataAIServices/deidServices.
- Your private endpoint and virtual network must be in the same region. When you select a region for the private endpoint using the portal, it automatically filters virtual networks that are in that region. Your de-identification service can be in a different region.
- When you reach Test connectivity to the private endpoint steps 8 and 10, use the service URL of your de-identification service plus the
/healthpath.
Configure private access
Important
Creating a private endpoint does not restrict public network access automatically.
When creating a de-identification service (preview), you can either allow public only (from all networks) or private only (only via private endpoints) access to the de-identification service.
If you already have a de-identification service, you can configure network access by going to the service's Azure portal Networking page, and under Public network access, selecting Disabled.
Manage private endpoints using Azure portal
When you create a private endpoint, the connection must be approved. If the resource for which you're creating a private endpoint is in your directory, you can approve the connection request provided you have sufficient permissions. If you're connecting to an Azure resource in another directory, you must wait for the owner of that resource to approve your connection request.
There are four provisioning states:
| Service action | Service consumer private endpoint state | Description |
|---|---|---|
| None | Pending | Connection is created manually and is pending approval from the target resource owner. |
| Approve | Approved | Connection was automatically or manually approved and is ready to be used. |
| Reject | Rejected | The target resource owner rejected the connection. |
| Remove | Disconnected | The target resource owner removed the connection. The private endpoint should be deleted for cleanup. |
Approve, reject, or remove a private endpoint connection
- Sign in to the Azure portal.
- In the search bar, type in de-id.
- Select the de-identification service that you want to manage.
- Select the Networking tab.
- Go to the appropriate following section based on the operation you want to: approve, reject, or remove.
Approve a private endpoint connection
- If there are any connections that are pending, you see a connection listed with Pending in the provisioning state.
- Select the private endpoint you wish to approve
- Select the Approve button.
- On the Approve connection page, add a comment (optional), and select Yes. If you select No, nothing happens.
- You should see the status of the private endpoint connection in the list changed to Approved.
Reject a private endpoint connection
- If there are any private endpoint connections you want to reject, whether it's a pending request or existing connection, select the connection and select the Reject button.
- On the Reject connection page, enter a comment (optional), and select Yes. If you select No, nothing happens.
- You should see the status of the private endpoint connection in the list changed to Rejected.
Remove a private endpoint connection
- To remove a private endpoint connection, select it in the list, and select Remove on the toolbar.
- On the Delete connection page, select Yes to confirm the deletion of the private endpoint. If you select No, nothing happens.
- You should see the status changed to Disconnected. Then, the endpoint disappears from the list.
Limitations and design considerations
- For pricing information, see Azure Private Link pricing.
- This feature is available in all Azure public regions.
- Because network traffic is blocked at the application layer, you can still ping the public endpoint of your service even though public network access is disabled.
For more, see Azure Private Link service: Limitations
Related content
- Learn more about Azure Private Link