Configure Azure Private Link for a database running on a VM

1. Tutorial overview

Last Updated: 2024-03-19

Background

Azure Private Link is a Microsoft Azure service that enables you to securely connect your Azure Virtual Network to Azure Platform as a Service (PaaS) resources, Azure Virtual Machine (VM) instances, and Azure Kubernetes Service (AKS) clusters. This approach provides a secure way to access these services over a private endpoint located inside your virtual network, eliminating the need to expose connections to the public internet.

Starburst Galaxy extends support for Azure Private Link across specific catalogs. This tutorial will guide you through configuring Private Link for a database hosted on a VM.

Scope of tutorial

In this tutorial, you will learn how to configure Azure Private Link for a database hosted on a VM.

This tutorial has been tested successfully with the following environments:

  • A VM hosting Oracle.
  • A VM hosting PostgreSQL.
  • A VM hosting MySQL.
  • Azure's SQL virtual machines.

Learning objectives

Once you've completed this tutorial, you will be able to:

  • Configure Azure Private Link for connectivity from Starburst Galaxy to a database running on a VM.
  • Use Private Link to securely connect Starburst Galaxy to your database running on a VM.

Prerequisites

  • You need a Starburst Galaxy account to complete this tutorial. Please see Starburst Galaxy: Getting started for instructions on setting up a free account.
  • This tutorial has a bring-your-own-storage requirement. Before proceeding with this tutorial, you must already have a virtual machine hosting a database.
  • If your data source is configured with an internal firewall for access control, you will need to create an inbound rule for the Starburst Galaxy CIDR 10.0.0.0/8.

About Starburst tutorials

Starburst tutorials are designed to get you up and running quickly by providing bite-sized, hands-on educational resources. Each tutorial explores a single feature or topic through a series of guided, step-by-step instructions.

2. Working with a Starburst technical resource

Background

If you are configuring Private Link for the first time, you are encouraged to work with a Starburst technical resource. This individual will work with you to set up the environment needed to complete the tutorial.

Contacting your technical resource

To be assigned this resource, you should reach out to your regular Starburst account team for assistance.

Working together

Once assigned, your Starburst technical resource will work with you to set up an environment where you can complete the tutorial.

Please review the following overview of this process before beginning the tutorial.

Your responsibilities:

For each VM hosting a database, you will need to:

  • Create a load balancer if your VM doesn't already have one.
  • Create a Private Link service.
  • Submit a Starburst Galaxy support ticket to provide the Private Link service alias to the Starburst technical support team.
  • Wait for the Starburst support team to create a private endpoint.
  • Accept the endpoint connection.

3. Azure Private Link architecture

Background

Understanding the Azure Private Link architecture is important when completing the steps in this tutorial. In this section you will learn about this architecture and the way that Starburst Galaxy uses it to securely connect private clouds.

This tutorial also follows a corresponding Azure quickstart on the same topic. It is recommended that you consult this documentation if you want to learn more about Azure Private Link.

Reference architecture

The following diagram illustrates a connection between a Private Link service running in a customer's Vnet and the private endpoint running in the Starburst Galaxy Vnet.

Review the diagram to ensure that you understand the architecture that you will create in this tutorial.

4. Check for load balancer

Background

A load balancer is required as part of the Private Link configuration. In this section, you'll determine if your virtual machine has a load balancer.

This is a quick but important step.

Step 1: Sign in to Azure portal

You're going to start by signing in to the Azure portal. Remember to sign in to the account containing the virtual machine that you would like to connect using Private Link.

If you use multiple Azure accounts, ensure that you pick the correct one.

  • Sign in to your Azure account.

Step 2: Select virtual machine

Now it's time to find the correct virtual machine.

Depending on your workflow, you might have multiple virtual machines in the same Azure account. Make sure that you select the correct one.

  • Using the search bar at the top of the screen, search for virtual machines.
  • Select Virtual machines from the list of results.
  • Using the filter bar, type the name of your virtual machine.
  • Select your virtual machine from the filtered list.

Step 3: Check for load balancer

Now it's time to check whether your VM already has a load balancer. If it does not have one, you will have to create one later in this tutorial.

  • Using the left-hand navigation menu, select Load balancing.
  • If you see the message "No load balancing resources to display" then you do not have a load balancer.

    In this case, move to the next section to create a load balancer.
  • If a load balancer is listed and you would like to use it for the Private Link connection, skip the next section in this tutorial.

5. Create a load balancer

Background

Now it's time to create an internal load balancer for your virtual machine. In Azure, an internal load balancer balances traffic between VMs inside an Azure virtual network, ensuring availability and reliability for internal applications.

Step 1: Start load balancer wizard

Azure has simplified the process of creating a load balancer by providing a wizard.

  • Expand the Add load balancing drop-down menu.
  • Select Create new.
  • Select Load Balancer.

Step 2: Select load balancer type

It's time to begin configuring your load balancer, starting with the name, type, and protocol.

  • Enter your Load balancer name in the field provided.
  • In the Type section, select Internal.
  • In the Protocol section, select TCP.

Step 3: Configure load balancer rule

It's time to specify the frontend and backend port numbers for your load balancer. The frontend port is for connections from the client to the load balancer, while the backend port is for connections from the load balancer to the back-end instance.

  • In the Port field, enter the frontend port number.

Example: An Oracle database uses port 1521, as shown in the image below.

  • In the Backend port field, enter the backend port.

Example: Once again, the Oracle database is listening on the default port 1521.

  • Click the Create button.

Step 4: Wait for load balancer

The load balancer is now being created. As part of this process, you'll see the status change from Creating load balancer to Adding load balancer.

  • Monitor the load balancer status in the Azure portal, waiting until all tasks are completed. This usually takes a few minutes.

Step 5: Review load balancer settings

It's important to understand the different settings available for your load balancer. Take some time to review the information provided below.

  • Select your load balancer.
  • On the left-hand navigation bar, review the Settings menu options.

Frontend IP configuration: This is the IP address of the load balancer.

Backend pools: This is the VM hosting your database and its IP address.

Health probes: The probe is used by the load balancer to ensure the IP and port of the VM and database are available.

Load balancing rules: This is the port on which the load balancer is listening.

6. Create Azure Private Link service

Background

Now that your load balancer is ready to go, it's time to create a Private Link service.

An Azure Private Link Service creates a mapping between the service and a private endpoint in your virtual network. This private endpoint is assigned an IP address from your virtual network's subnet, and it acts as a proxy for the service you're accessing. Requests sent to the service's private IP address are routed through the private endpoint to the service.

Step 1: Start Private Link Service wizard

As with load balancers, Azure provides a wizard to simplify the process of creating a Private Link service.

  • Using the search bar, search for Private Link Services.
  • Select Private Link Services from the list of results.
  • Click the + Create button.

Step 2: Configure basic details

It's time to add some basic details for your Private Link service, starting with Project details and Instance details.

  • Expand the Subscription drop-down menu and select the subscription that you would like to use.
  • Expand the Resource group drop-down menu and select a resource group for the Private Link service. It is considered best practice to use your VM resource group.
  • In the Name field, enter a meaningful name.
  • Expand the Region drop-down menu, and select the region for your load balancer and VM.
  • Click the Next button.

Step 3: Configure Outbound settings

Now it's time to configure the outbound settings for your Private Link service. This includes selecting the load balancer, virtual network, and subnets. Private IP addresses will be allocated from the subnet you choose.

  • Expand the Load balancer drop-down menu and select your load balancer.
  • Expand the Load balancer frontend IP address drop-down menu and select the IP address of the load balancer.
  • Expand the Source NAT subnet drop-down menu and select a subnet that can route to the load balancer.

    Note: If you want, you can choose the same subnet that the load balancer is using.
  • Leave all other settings unchanged.
  • Click the Next: Access security button.

Step 4: Complete private link service wizard

You've added all the required details for the private link service. Now you can complete the wizard.

  • Bypass the Access security and Tags screens by clicking the Next buttons.
  • Click the Create button.
  • Wait for the deployment to complete before moving to the next section.

7. Submit Starburst Galaxy support ticket

Background

Time to switch gears. You've completed all of the steps required on your own. Now it's time to contact the Starburst support team to finish the last steps.

Step 1: Record private link service alias

It's time to record the alias of your private link service. Starburst support will need this to create a private endpoint in the Starburst Galaxy Vnet.

  • Click the Go to resource button.
  • Copy the Alias.

Step 2: Open support ticket

You are going to use the automated assistant in Starburst Galaxy to open a support ticket and provide support with the Alias that you just copied. You will also need to provide your preferred Starburst Galaxy Private Link configuration name.

  • Log in to Starburst Galaxy.
  • Click the support icon located at the bottom right of the screen.
  • Select Chat with technical support.
  • Select Submit a Support Ticket.
  • The automated assistant will ask you to provide your email address, first name, and last name.
  • When you receive the prompt to describe your issue, note that you would like support to create a private endpoint in the Starburst Galaxy Vnet for you. Be sure to include the Alias you copied and your preferred Starburst Galaxy Private Link connection name.
  • Wait for Starburst support to confirm that they have created the Endpoint in Starburst Galaxy. This should take no longer than 24 - 48 hours.

Step 3: Accept connection

Once Starburst support has created the private endpoint, you will see the connection listed as Pending.

  • Click the Refresh button if the connection does not appear after Starburst support confirms that they have created the endpoint.
  • Select the new connection.
  • Click the Approve button.
  • In the Description field, provide a meaningful description.
  • Click the Yes button.
  • Wait for the Connection state for the endpoint to change to Approved.

    Note: Click Refresh if necessary.
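
Before clicking Approve in Step 3, it helps to confirm that the Pending connection really comes from the endpoint Starburst support created. The following is an added example, not part of the original tutorial or Starburst's tooling: it takes the JSON shape printed by `az network private-link-service show` and sorts each endpoint connection by its state and by the subscription in the requesting endpoint's resource ID. The sample data and the expected subscription ID are constructed, and it assumes you have asked Starburst support which subscription hosts their endpoint.

```python
import re

# Assumption: constructed placeholder for the subscription hosting Starburst's endpoint.
EXPECTED_SUBSCRIPTION = "00000000-0000-0000-0000-00000000aaaa"

# Constructed sample, trimmed to the fields used here, in the shape printed by
# `az network private-link-service show --output json`. All names are made up.
_PE = "/subscriptions/{}/resourceGroups/{}/providers/Microsoft.Network/privateEndpoints/{}"
SAMPLE_PLS = {
    "name": "pls-oracle-vm",
    "privateEndpointConnections": [
        {"name": "galaxy-pe.a1",
         "privateEndpoint": {"id": _PE.format(EXPECTED_SUBSCRIPTION, "rg-galaxy", "galaxy-pe")},
         "privateLinkServiceConnectionState": {"status": "Pending"}},
        {"name": "other-pe.b2",
         "privateEndpoint": {"id": _PE.format("00000000-0000-0000-0000-00000000bbbb", "rg-x", "other-pe")},
         "privateLinkServiceConnectionState": {"status": "Pending"}},
        {"name": "old-pe.c3",
         "privateEndpoint": {"id": _PE.format("00000000-0000-0000-0000-00000000bbbb", "rg-x", "old-pe")},
         "privateLinkServiceConnectionState": {"status": "Approved"}},
        {"name": "gone-pe.d4",
         "privateEndpoint": None,
         "privateLinkServiceConnectionState": {"status": "Rejected"}},
    ],
}

SUB_RE = re.compile(r"^/subscriptions/([0-9a-f-]{36})/", re.IGNORECASE)

def endpoint_subscription(conn):
    """Subscription ID taken from the requesting endpoint's resource ID, or None."""
    m = SUB_RE.match((conn.get("privateEndpoint") or {}).get("id", ""))
    return m.group(1).lower() if m else None

def review_connections(pls, expected_subscription):
    """Map each connection name to approve / ok / investigate / ignore."""
    expected = expected_subscription.lower()
    verdicts = {}
    for conn in pls.get("privateEndpointConnections") or []:
        status = (conn.get("privateLinkServiceConnectionState") or {}).get("status", "")
        known = endpoint_subscription(conn) == expected
        if status == "Pending":
            verdicts[conn["name"]] = "approve" if known else "investigate"
        elif status == "Approved":
            verdicts[conn["name"]] = "ok" if known else "investigate"
        else:  # Rejected, Disconnected, or an unknown state: nothing to approve
            verdicts[conn["name"]] = "ignore"
    return verdicts

print(review_connections(SAMPLE_PLS, EXPECTED_SUBSCRIPTION))
```

To run it against your own service, load the command's output with `json.load(sys.stdin)` and pass it in place of `SAMPLE_PLS`. Any connection marked investigate should be resolved with Starburst support before it is approved or left in place.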

8. Tutorial wrap-up

Tutorial complete

Congratulations! You have reached the end of this tutorial, and the end of this stage of your journey.

You're all set! Now you can use Private Link to configure access to a database running on a virtual machine.

Continuous learning

At Starburst, we believe in continuous learning. This tutorial provides the foundation for further training available on this platform, and you can return to it as many times as you like. Future tutorials will make use of the concepts used here.

Next steps

Starburst has lots of other tutorials to help you get up and running quickly. Each one breaks down an individual problem and guides you to a solution using a step-by-step approach to learning.

Tutorials available

Visit the Tutorials section to view the full list of tutorials and keep moving forward on your journey!