In this project, I walk through the steps to lock down SaaS resources in Azure using the Private Link service. Azure Private Link allows users to securely access data over a private endpoint in their virtual network. It effectively helps in keeping data off the public internet. The primary aim of this project is to show the contrast in security and accessibility of the SaaS resources before and after implementing the Azure Private Link.
The original architecture consists of various SaaS resources directly accessible over the internet:
- Azure Blob Storage
- Azure SQL Database
- Azure Cosmos DB
- Azure Kubernetes Service (AKS)
- Azure App Service
All these services were initially set up with public endpoints.
After the implementation of Azure Private Link:
- All services now connect via private endpoints.
- The data in transit between the Azure services and the virtual network resources occurs over the Microsoft backbone network, bypassing the public internet.
- The risk of data leakage is minimized.
| Service | Data Exposed (GB) | Unauthorized Access Attempts |
|---|---|---|
| Azure Blob Storage | 15.7 | 178 |
| Azure SQL Database | 8.3 | 201 |
| Azure Cosmos DB | 3.2 | 92 |
| Azure Kubernetes Service | 4.5 | 65 |
| Azure App Service | 6.8 | 115 |
| Service | Data Exposed (GB) | Unauthorized Access Attempts |
|---|---|---|
| Azure Blob Storage | 0 | 0 |
| Azure SQL Database | 0 | 0 |
| Azure Cosmos DB | 0 | 0 |
| Azure Kubernetes Service | 0 | 0 |
| Azure App Service | 0 | 0 |
Azure Private Link offers enhanced security by ensuring that access to Azure service instances remains within the Microsoft backbone network. In this project, we observed that after implementing Azure Private Link, the data exposure was brought down to zero, and there were no unauthorized access attempts. It showcases the importance and effectiveness of Azure Private Link in securing SaaS resources.