Last Updated: 2024-03-19


Azure Private Link is a Microsoft Azure service that enables you to securely connect your Azure Virtual Network to Azure Platform as a Service (PaaS) resources, Azure Virtual Machine (VM) instances, and Azure Kubernetes Service (AKS) clusters. This approach provides a secure way to access these services over a private endpoint located inside your virtual network, eliminating the need to expose connections to the public internet.

Starburst Galaxy extends support for Azure Private Link across specific catalogs. This tutorial will guide you through configuring Private Link for a database hosted on a VM.

Scope of tutorial

In this tutorial, you will learn how to configure Azure Private Link for a database hosted on a VM.

This tutorial has been tested successfully with the following environments:

Learning objectives

Once you've completed this tutorial, you will be able to:


About Starburst tutorials

Starburst tutorials are designed to get you up and running quickly by providing bite-sized, hands-on educational resources. Each tutorial explores a single feature or topic through a series of guided, step-by-step instructions.


If you are configuring Private Link for the first time you are encouraged to work with a Starburst technical resource. This individual will work with you to set up the environment needed to complete the tutorial.

Contacting your technical resource

To be assigned this resource, you should reach out to your regular Starburst account team for assistance.

Working together

Once assigned, your Starburst technical resource will work with you to set up an environment where you can complete the tutorial.

Please review the following overview of this process before beginning the tutorial.

Your responsibilities:

For each VM hosting a database, you will need to:


Understanding the Azure Private Link architecture is important when completing the steps in this tutorial. In this section you will learn about this architecture and the way that Starburst Galaxy uses it to securely connect private clouds.

This tutorial also follows a corresponding Azure quickstart on the same topic. It is recommended that you consult this documentation if you want to learn more about Azure Private Link.

Reference architecture

The following diagram illustrates a connection between a Private Link service running in a customer's Vnet and the private endpoint running in the Starburst Galaxy Vnet.

Review the diagram to ensure that you understand the architecture that you will create in this tutorial.


A load balancer is required as part of the Private Link configuration. In this section, you'll determine if your virtual machine has a load balancer.

This is a quick but important step.

Step 1: Sign in to Azure portal

You're going to start by signing in to the Azure portal. Remember to sign in to the account containing the virtual machine that you would like to connect using Private Link.

If you use multiple Azure accounts, ensure that you pick the correct one.

Step 2: Select virtual machine

Now it's time to find the correct virtual machine.

Depending on your workflow, you might have multiple virtual machines in the same Azure account. Make sure that you select the correct one.

Step 3: Check for load balancer

Now it's time to check whether your VM already has a load balancer. If it does not have one, you will have to create one later in this tutorial.


Now it's time to create an internal load balancer for your virtual machine. In Azure, an internal load balancer balances traffic between VMs inside an Azure virtual network, ensuring availability and reliability for internal applications.

Step 1: Start load balancer wizard

Azure has simplified the process of creating a load balancer by providing a wizard.

Step 2: Select load balancer type

It's time to begin configuring your load balancer, starting with the name, type, and protocol.

Step 3: Configure load balancer rule

It's time to specify the frontend and backend port numbers for your load balancer. The frontend port is for connections from the client to the load balancer, while the backend port is for connections from the load balancer to the back-end instance.

Example: An Oracle database uses port 1521, as shown in the image below.

Example: Once again, the Oracle database is listening on the default port 1521.

Step 4: Wait for load balancer

The load balancer is now being created. As part of this process, you'll see the status change from Creating load balancer to Adding load balancer.

Step 5: Review load balancer settings

It's important to understand the different settings available for your load balancer. Take some time to review the information provided below.

Frontend IP configuration: This is the IP address of the load balancer.

Backend pools: This is the VM hosting your database and its IP address.

Health probes: The probe is used by the load balancer to ensure the IP and port of the VM and database are available.

Load balancing rules: This is the port on which the load balancer is listening.


Now that your load balancer is ready to go, it's time to create a Private Link service.

An Azure Private Link Service creates a mapping between the service and a private endpoint in your virtual network. This private endpoint is assigned an IP address from your virtual network's subnet, and it acts as a proxy for the service you're accessing. Requests sent to the service's private IP address are routed through the private endpoint to the service.

Step 1: Start Private Link Service wizard

As with load balancers, Azure provides a wizard to simplify the process of creating a Private Link service.

Step 2: Configure basic details

It's time to add some basic details for your Private Link service, starting with Project details and Instance details.

Step 3: Configure Outbound settings

Now it's time to configure the outbound settings for your Private Link service. This includes selecting the load balancer, virtual network, and subnets. Private IP addresses will be allocated from the subnet you choose.

Step 4: Complete private link service wizard

You've added all the required details for the private link service. Now you can complete the wizard.


Time to switch gears. You've completed all of the steps required on your own. Now it's time to contact the Starburst support team to finish the last steps.

Step 1: Record private link service alias

It's time to record the alias of your private link service. Starburst support will need this to create a private endpoint in the Starburst Galaxy Vnet.

Step 2: Open support ticket

You are going to use the automated assistant in Starburst Galaxy to open a support ticket and provide support with the Alias that you just copied. You will also need to provide your preferred Starburst Galaxy Private Link configuration name.

Step 3: Accept connection

Once Starburst support has created the private endpoint, you will see the connection listed as Pending.

Tutorial complete

Congratulations! You have reached the end of this tutorial, and the end of this stage of your journey.

You're all set! Now you can use Private Link to configure access to a database running on a virtual machine.

Continuous learning

At Starburst, we believe in continuous learning. This tutorial provides the foundation for further training available on this platform, and you can return to it as many times as you like. Future tutorials will make use of the concepts used here.

Next steps

Starburst has lots of other tutorials to help you get up and running quickly. Each one breaks down an individual problem and guides you to a solution using a step-by-step approach to learning.

Tutorials available

Visit the Tutorials section to view the full list of tutorials and keep moving forward on your journey!

Start Free with
Starburst Galaxy

Up to $500 in usage credits included

  • Query your data lake fast with Starburst's best-in-class MPP SQL query engine
  • Get up and running in less than 5 minutes
  • Easily deploy clusters in AWS, Azure and Google Cloud
For more deployment options:
Download Starburst Enterprise

Please fill in all required fields and ensure you are using a valid email address.