Last Updated: 2024-03-19
Background
Azure Private Link is a Microsoft Azure service that enables you to securely connect your Azure Virtual Network to Azure Platform as a Service (PaaS) resources, Azure Virtual Machine (VM) instances, and Azure Kubernetes Service (AKS) clusters. This approach provides a secure way to access these services over a private endpoint located inside your virtual network, eliminating the need to expose connections to the public internet.
Starburst Galaxy extends support for Azure Private Link across specific catalogs. This tutorial will guide you through configuring Private Link for a database hosted on a VM.
Scope of tutorial
In this tutorial, you will learn how to configure Azure Private Link for a database hosted on a VM.
This tutorial has been tested successfully with the following environments:
- A VM hosting Oracle.
- A VM hosting PostgreSQL.
- A VM hosting MySQL.
- Azure's SQL virtual machines.
Learning objectives
Once you've completed this tutorial, you will be able to:
- Configure Azure Private Link for connectivity from Starburst Galaxy to a database running on a VM.
- Use Private Link to securely connect Starburst Galaxy to your database running on a VM.
Prerequisites
- You need a Starburst Galaxy account to complete this tutorial. Please see Starburst Galaxy: Getting started for instructions on setting up a free account.
- This tutorial comes with a bring your own storage requirement. Before proceeding with this tutorial, you must already have a virtual machine hosting a database.
- If your data source is configured with an internal firewall for access control, you will need to create an inbound rule for the Starburst Galaxy CIDR
10.0.0.0/8.
About Starburst tutorials
Starburst tutorials are designed to get you up and running quickly by providing bite-sized, hands-on educational resources. Each tutorial explores a single feature or topic through a series of guided, step-by-step instructions.
Background
If you are configuring Private Link for the first time you are encouraged to work with a Starburst technical resource. This individual will work with you to set up the environment needed to complete the tutorial.
Contacting your technical resource
To be assigned this resource, you should reach out to your regular Starburst account team for assistance.
Working together
Once assigned, your Starburst technical resource will work with you to set up an environment where you can complete the tutorial.
Please review the following overview of this process before beginning the tutorial.
Your responsibilities:
For each VM hosting a database, you will need to:
- Create a load balancer if your VM doesn't already have one.
- Create a Private Link service.
- Submit a Starburst Galaxy support ticket to provide the Private Link service alias to the Starburst technical support team.
- The Starburst support team will create a private endpoint.
- Accept the endpoint connection.
Background
Understanding the Azure Private Link architecture is important when completing the steps in this tutorial. In this section you will learn about this architecture and the way that Starburst Galaxy uses it to securely connect private clouds.
This tutorial also follows a corresponding Azure quickstart on the same topic. It is recommended that you consult this documentation if you want to learn more about Azure Private Link.
Reference architecture
The following diagram illustrates a connection between a Private Link service running in a customer's Vnet and the private endpoint running in the Starburst Galaxy Vnet.
Review the diagram to ensure that you understand the architecture that you will create in this tutorial.
Background
A load balancer is required as part of the Private Link configuration. In this section, you'll determine if your virtual machine has a load balancer.
This is a quick but important step.
Step 1: Sign in to Azure portal
You're going to start by signing in to the Azure portal. Remember to sign in to the account containing the virtual machine that you would like to connect using Private Link.
If you use multiple Azure accounts, ensure that you pick the correct one.
- Sign in to your Azure account.
Step 2: Select virtual machine
Now it's time to find the correct virtual machine.
Depending on your workflow, you might have multiple virtual machines in the same Azure account. Make sure that you select the correct one.
- Using the search bar at the top of the screen, search for virtual machines.
- Select Virtual machines from the list of results.
- Using the filter bar, type the name of your virtual machine.
- Select your virtual machine from the filtered list.
Step 3: Check for load balancer
Now it's time to check whether your VM already has a load balancer. If it does not have one, you will have to create one later in this tutorial.
- Using the left-hand navigation menu, select Load balancing.
- If you see the message "No load balancing resources to display" then you do not have a load balancer.
In this case, move to the next section to create a load balancer. - If a load balancer is listed and you would like to use it for the Private Link connection, skip the next section in this tutorial.
Background
Now it's time to create an internal load balancer for your virtual machine. In Azure, an internal load balancer balances traffic between VMs inside an Azure virtual network, ensuring availability and reliability for internal applications.
Step 1: Start load balancer wizard
Azure has simplified the process of creating a load balancer by providing a wizard.
- Expand the Add load balancing drop-down menu.
- Select Create new.
- Select Load Balancer.
Step 2: Select load balancer type
It's time to begin configuring your load balancer, starting with the name, type, and protocol.
- Enter your Load balancer name in the field provided.
- In the Type section, select Internal.
- In the Protocol section, select TCP.
Step 3: Configure load balancer rule
It's time to specify the frontend and backend port numbers for your load balancer. The frontend port is for connections from the client to the load balancer, while the backend port is for connections from the load balancer to the back-end instance.
- In the Port field, enter the frontend port number.
Example: An Oracle database uses port 1521, as shown in the image below.
- In the Backend port field, enter the backend port.
Example: Once again, the Oracle database is listening on the default port 1521.
- Click the Create button.
Step 4: Wait for load balancer
The load balancer is now being created. As part of this process, you'll see the status change from Creating load balancer to Adding load balancer.
- Monitor the load balancer status in the Azure portal, waiting until all tasks are completed. This usually takes a few minutes.
Step 5: Review load balancer settings
It's important to understand the different settings available for your load balancer. Take some time to review the information provided below.
- Select your load balancer.
- On the left-hand navigation bar, review the Settings menu options.
Frontend IP configuration: This is the IP address of the load balancer.
Backend pools: This is the VM hosting your database and its IP address.
Health probes: The probe is used by the load balancer to ensure the IP and port of the VM and database are available.
Load balancing rules: This is the port on which the load balancer is listening.
Background
Now that your load balancer is ready to go, it's time to create a Private Link service.
An Azure Private Link Service creates a mapping between the service and a private endpoint in your virtual network. This private endpoint is assigned an IP address from your virtual network's subnet, and it acts as a proxy for the service you're accessing. Requests sent to the service's private IP address are routed through the private endpoint to the service.
Step 1: Start Private Link Service wizard
As with load balancers, Azure provides a wizard to simplify the process of creating a Private Link service.
- Using the search bar, search for Private Link Services.
- Select Private Link Services from the list of results.
- Click the + Create button.
Step 2: Configure basic details
It's time to add some basic details for your Private Link service, starting with Project details and Instance details.
- Expand the Subscription drop-down menu and select the subscription that you would like to use.
- Expand the Resource group drop-down menu and select a resource group for the Private Link service. It is considered best practice to use your VM resource group.
- In the Name field, enter a meaningful name.
- Expand the Region drop-down menu, and select the region for your load balancer and VM.
- Click the Next button.
Step 3: Configure Outbound settings
Now it's time to configure the outbound settings for your Private Link service. This includes selecting the load balancer, virtual network, and subnets. Private IP addresses will be allocated from the subnet you choose.
- Expand the Load balancer drop-down menu and select your load balancer.
- Expand the Load balancer frontend IP address drop-down menu and select the IP address of the load balancer.
- Expand the Source NAT subnet drop-down menu and select a subnet that can route to the load balancer.
Note: If you want, you can choose the same subnet that the load balancer is using. - Leave all other settings unchanged.
- Click the Next: Access security button.
Step 4: Complete private link service wizard
You've added all the required details for the private link service. Now you can complete the wizard.
- Bypass the Access security and Tags screens by clicking the Next buttons.
- Click the Create button.
- Wait for the deployment to complete before moving to the next section.
Background
Time to switch gears. You've completed all of the steps required on your own. Now it's time to contact the Starburst support team to finish the last steps.
Step 1: Record private link service alias
It's time to record the alias of your private link service. Starburst support will need this to create a private endpoint in the Starburst Galaxy Vnet.
- Click the Go to resource button.
- Copy the Alias.
Step 2: Open support ticket
You are going to use the automated assistant in Starburst Galaxy to open a support ticket and provide support with the Alias that you just copied. You will also need to provide your preferred Starburst Galaxy Private Link configuration name.
- Log in to Starburst Galaxy.
- Click the support icon located at the bottom right of the screen.
- Select Chat with technical support.
- Select Submit a Support Ticket.
- The automated assistant will ask you to provide your email address, first name, and last name.
- When you receive the prompt to describe your issue, note that you would like support to create a private endpoint in the Starburst Galaxy Vnet for you. Be sure to include the Alias you copied and your preferred Starburst Galaxy Private Link connection name.
- Wait for Starburst support to confirm that they have created the Endpoint in Starburst Galaxy. This should take no longer than 24 - 48 hours.
Step 3: Accept connection
Once Starburst support has created the private endpoint, you will see the connection listed as Pending.
- Click the Refresh button if the connection does not appear after Starburst support confirms that they have created the endpoint.
- Select the new connection.
- Click the Approve button.
- In the Description field, provide a meaningful description.
- Click the Yes button.
- Wait for the Connection state for the endpoint to change to Approved.
Note: Click Refresh if necessary.
Tutorial complete
Congratulations! You have reached the end of this tutorial, and the end of this stage of your journey.
You're all set! Now you can use Private Link to configure access to a database running on a virtual machine.
Continuous learning
At Starburst, we believe in continuous learning. This tutorial provides the foundation for further training available on this platform, and you can return to it as many times as you like. Future tutorials will make use of the concepts used here.
Next steps
Starburst has lots of other tutorials to help you get up and running quickly. Each one breaks down an individual problem and guides you to a solution using a step-by-step approach to learning.
Tutorials available
Visit the Tutorials section to view the full list of tutorials and keep moving forward on your journey!
