CONTROLLED DATA
Leidos Proprietary - US Citizens ONLY
The information contained herein is proprietary to Leidos, Inc. It may not be used, reproduced, disclosed, or exported without the written approval of Leidos.

Overview


ECM Azure requires that deployed resources cannot be reached directly from the internet. To allow secure communication with Azure resources, a private endpoint is required. A private endpoint is a network interface that uses a dynamically or statically assigned private IP address from the virtual network address range assigned to a customer's Azure environment. Note: Private endpoints can share the same subnet or address range with most other Azure resources. The private endpoint allows LeidosNet resources, such as virtual machines, user workstations, and automation services, to access the secured service over the private address rather than a public one. Note that the private endpoint only adds the private path; the target resource's own public network access must also be disabled (or restricted by its firewall) for the requirement above to be met.

Below is a list of ECM managed services that require private endpoints:

  • Azure Storage Accounts (Blob, file, queue, table)
  • Azure Key Vault
  • OpenAI Endpoints
  • SQL Databases
  • Azure Web Apps
  • Azure Function Apps
  • Azure Cosmos DB
  • Azure Database for PostgreSQL
  • Azure Kubernetes Service

Note:  Services not managed by ECM will also require a private endpoint for connectivity.


Creating a Private Endpoint from the Azure portal

  • Search for Private Endpoints in the portal
  • Click to enter the Private Link Center | Private endpoints page
  • Click "+ Create"
  • Basics
    • Select the Subscription, Resource group, Name, and Region for the private endpoint (the region must match the virtual network the endpoint will join)
  • Resource
    • Connection method
      • Select "Connect to an Azure resource in my directory."
    • Select the appropriate resource for the Private Link connection.
    • Some resources have more than one sub-resource (for example, a storage account exposes blob, file, queue and table separately). Review the resource list below to confirm which sub-resource to choose; a private endpoint only covers the sub-resource it was created for.
      • The most current list can be found here - https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview#private-link-resource

        Private-link resource name | Resource type | Sub-resources
        -------------------------- | ------------- | -------------
        Application Gateway | Microsoft.Network/applicationgateways | Frontend IP Configuration name
        Azure AI Search | Microsoft.Search/searchServices | searchService
        Azure AI services | Microsoft.CognitiveServices/accounts | account
        Azure API for FHIR (Fast Healthcare Interoperability Resources) | Microsoft.HealthcareApis/services | fhir
        Azure API Management | Microsoft.ApiManagement/service | Gateway
        Azure App Configuration | Microsoft.Appconfiguration/configurationStores | configurationStores
        Azure App Service | Microsoft.Web/hostingEnvironments | hosting environment
        Azure App Service | Microsoft.Web/sites | sites
        Azure Attestation Service | Microsoft.Attestation/attestationProviders | standard
        Azure Automation | Microsoft.Automation/automationAccounts | Webhook, DSCAndHybridWorker
        Azure Backup | Microsoft.RecoveryServices/vaults | AzureBackup, AzureSiteRecovery
        Azure Batch | Microsoft.Batch/batchAccounts | batchAccount, nodeManagement
        Azure Cache for Redis | Microsoft.Cache/Redis | redisCache
        Azure Cache for Redis Enterprise | Microsoft.Cache/redisEnterprise | redisEnterprise
        Azure Container Apps | Microsoft.App/ManagedEnvironments | managedEnvironment
        Azure Container Registry | Microsoft.ContainerRegistry/registries | registry
        Azure Cosmos DB | Microsoft.AzureCosmosDB/databaseAccounts | SQL, MongoDB, Cassandra, Gremlin, Table
        Azure Cosmos DB for MongoDB vCore | Microsoft.DocumentDb/mongoClusters | mongoCluster
        Azure Cosmos DB for PostgreSQL | Microsoft.DBforPostgreSQL/serverGroupsv2 | coordinator
        Azure Data Explorer | Microsoft.Kusto/clusters | cluster
        Azure Data Factory | Microsoft.DataFactory/factories | dataFactory
        Azure Database for MariaDB | Microsoft.DBforMariaDB/servers | mariadbServer
        Azure Database for MySQL - Flexible Server | Microsoft.DBforMySQL/flexibleServers | mysqlServer
        Azure Database for MySQL - Single Server | Microsoft.DBforMySQL/servers | mysqlServer
        Azure Database for PostgreSQL - Flexible server | Microsoft.DBforPostgreSQL/flexibleServers | postgresqlServer
        Azure Database for PostgreSQL - Single server | Microsoft.DBforPostgreSQL/servers | postgresqlServer
        Azure Databricks | Microsoft.Databricks/workspaces | databricks_ui_api, browser_authentication
        Azure Device Provisioning Service | Microsoft.Devices/provisioningServices | iotDps
        Azure Digital Twins | Microsoft.DigitalTwins/digitalTwinsInstances | API
        Azure Event Grid | Microsoft.EventGrid/domains | domain
        Azure Event Grid | Microsoft.EventGrid/topics | topic
        Azure Event Hub | Microsoft.EventHub/namespaces | namespace
        Azure File Sync | Microsoft.StorageSync/storageSyncServices | File Sync Service
        Azure HDInsight | Microsoft.HDInsight/clusters | cluster
        Azure IoT Central | Microsoft.IoTCentral/IoTApps | IoTApps
        Azure IoT Hub | Microsoft.Devices/IotHubs | iotHub
        Azure Key Vault | Microsoft.KeyVault/vaults | vault
        Azure Key Vault HSM (hardware security module) | Microsoft.Keyvault/managedHSMs | HSM
        Azure Kubernetes Service - Kubernetes API | Microsoft.ContainerService/managedClusters | management
        Azure Machine Learning | Microsoft.MachineLearningServices/registries | amlregistry
        Azure Machine Learning | Microsoft.MachineLearningServices/workspaces | amlworkspace
        Azure Managed Disks | Microsoft.Compute/diskAccesses | managed disk
        Azure Media Services | Microsoft.Media/mediaservices | keydelivery, liveevent, streamingendpoint
        Azure Migrate | Microsoft.Migrate/assessmentProjects | project
        Azure Monitor Private Link Scope | Microsoft.Insights/privatelinkscopes | azuremonitor
        Azure Relay | Microsoft.Relay/namespaces | namespace
        Azure Service Bus | Microsoft.ServiceBus/namespaces | namespace
        Azure SignalR Service | Microsoft.SignalRService/SignalR | signalr
        Azure SignalR Service | Microsoft.SignalRService/webPubSub | webpubsub
        Azure SQL Database | Microsoft.Sql/servers | SQL Server (sqlServer)
        Azure SQL Managed Instance | Microsoft.Sql/managedInstances | managedInstance
        Azure Static Web Apps | Microsoft.Web/staticSites | staticSites
        Azure Storage | Microsoft.Storage/storageAccounts | Blob (blob, blob_secondary), Table (table, table_secondary), Queue (queue, queue_secondary), File (file, file_secondary), Web (web, web_secondary), Dfs (dfs, dfs_secondary)
        Azure Synapse | Microsoft.Synapse/privateLinkHubs | web
        Azure Synapse Analytics | Microsoft.Synapse/workspaces | Sql, SqlOnDemand, Dev
        Azure AI Video Indexer | Microsoft.VideoIndexer/accounts | account
        Azure Virtual Desktop - host pools | Microsoft.DesktopVirtualization/hostpools | connection
        Azure Virtual Desktop - workspaces | Microsoft.DesktopVirtualization/workspaces | feed, global
        Device Update for IoT Hub | Microsoft.DeviceUpdate/accounts | DeviceUpdate
        Integration Account (Premium) | Microsoft.Logic/integrationAccounts | integrationAccount
        Microsoft Purview | Microsoft.Purview/accounts | account
        Microsoft Purview | Microsoft.Purview/accounts | portal
        Power BI | Microsoft.PowerBI/privateLinkServicesForPowerBI | Power BI
        Private Link service (your own service) | Microsoft.Network/privateLinkServices | empty
        Resource Management Private Links | Microsoft.Authorization/resourceManagementPrivateLinks | ResourceManagement


  • Virtual Network
    • Networking
      • Select the Virtual Network and subnet to be used by the Endpoint and Service
    • Private IP Configuration
      • Selecting "Dynamically allocate IP address" automatically assigns an available IP address from the chosen subnet
      • Selecting "Statically allocate IP address" allows you to assign a specific address from the chosen subnet if required (useful when the address must be known in advance, for example for the Leidos DNS record requested later in this article)
    • Private DNS integration
      • For "Integrate with private DNS zone", select "No" (follow the instructions later in this article for creating the required DNS records)

  • Tags
    • Tags should be inherited from the Subscription
  • Review + Create


Azure DNS Record Creation

Once the private endpoint has been created, you can create the required DNS records for resolution of the resource in Azure. 

  • Navigate to the private endpoint resource you created
  • Under Settings, select DNS configuration
  • On the DNS configuration page, select add configuration
  • Select Add
  • The DNS configuration will be added to your private endpoint and will allow for DNS resolution in Azure


Leidos DNS Record Creation

If your resource requires resolution outside of Azure, an additional DNS record needs to be created in the Leidos DNS management system. Follow the steps below to request this record creation. Note: Please contact the ECM team if you need to integrate DNS record creation with a CI/CD pipeline. 

  • Navigate to the Leidos Corporate DNS and IP Management Form
  • Is this request for you or for someone else?
    • Myself
  • Request Details
    • Request a DNS Record addition, modification, or deletion
  • Urgency
    • Choose the correct priority for your request
  • Select your environment
    • Search for your ENV number from the list provided
    • Check the box - I certify the environment selected is owned by myself or my team and is related to this record.
  • Select the DNS zone preferred for these changes:
    • Select Internal-only (Private DNS, only accessible while on the Leidos Network)
  • Select the record type(s) that need to be added or modified:
    • Check the box for Host record (example.leidos.com points to 10.1.1.1)
      • Enter the FQDN (Fully Qualified Domain Name) of your Azure resource followed by its IP address (Example: oai-ecmg-dev-01.privatelink.openai.azure.us 10.107.15.20)
        • You can find the FQDN and IP address for your resource on the DNS configuration page of the private endpoint for your resource. Double-check the address against the endpoint's subnet before submitting: a wrong host record sends internal clients to the wrong host.
    • Note: You can enter multiple records on same form if required.  
  • Select Submit 
