View Source

Overview

ECM Azure requires that deployed resources cannot be reached directly from the internet. To allow from communication to Azure resources securely, a private endpoint is required. This network interface uses a dynamic or statically assigned private IP address from the virtual network address range assigned to a customer's Azure environment. Note: Private Endpoints can share the same subnet or address range with most other azure resources. The private endpoint allows LeidosNet resources, like a virtual machine, user workstations automation services to access the secured service.

Below is a list of ECM managed services that require private endpoints:

Azure Storage Accounts (Blob, file, queue, table)
Azure Key Vault
OpenAI Endpoints
SQL Databases
Azure Web Apps
Azure Function Apps
Azure Cosmos DB
Azure DB for Postgres SQL
Azure Kubernetes Service

Note: Services not managed by ECM will also require a private endpoint for connectivity.

Creating a Private Endpoint from the Azure portal

Search for Private Endpoints in the portal
Click to enter the Private Link Center | Private endpoints page
Click "+ Create"
Basics
- Private Endpoints name should be in line with the Resource Naming Conventions

Resource

Connection method
- Select "Connect to an Azure resource in my directory."
Select the appropriate resource for the Private Link connection.

Some resources may have a sub-resource. Review the resource list to confirm the sub resource to choose

The most current list can be found here - https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview#private-link-resource

Private-link resource name	Resource type	Sub-resources
Application Gateway	Microsoft.Network/applicationgateways	Frontend IP Configuration name
Azure AI Search	Microsoft.Search/searchServices	searchService
Azure AI services	Microsoft.CognitiveServices/accounts	account
Azure API for FHIR (Fast Healthcare Interoperability Resources)	Microsoft.HealthcareApis/services	fhir
Azure API Management	Microsoft.ApiManagement/service	Gateway
Azure App Configuration	Microsoft.Appconfiguration/configurationStores	configurationStores
Azure App Service	Microsoft.Web/hostingEnvironments	hosting environment
Azure App Service	Microsoft.Web/sites	sites
Azure Attestation Service	Microsoft.Attestation/attestationProviders	standard
Azure Automation	Microsoft.Automation/automationAccounts	Webhook, DSCAndHybridWorker
Azure Backup	Microsoft.RecoveryServices/vaults	AzureBackup, AzureSiteRecovery
Azure Batch	Microsoft.Batch/batchAccounts	batchAccount, nodeManagement
Azure Cache for Redis	Microsoft.Cache/Redis	redisCache
Azure Cache for Redis Enterprise	Microsoft.Cache/redisEnterprise	redisEnterprise
Azure Container Apps	Microsoft.App/ManagedEnvironments	managedEnvironment
Azure Container Registry	Microsoft.ContainerRegistry/registries	registry
Azure Cosmos DB	Microsoft.AzureCosmosDB/databaseAccounts	SQL, MongoDB, Cassandra, Gremlin, Table
Azure Cosmos DB for MongoDB vCore	Microsoft.DocumentDb/mongoClusters	mongoCluster
Azure Cosmos DB for PostgreSQL	Microsoft.DBforPostgreSQL/serverGroupsv2	coordinator
Azure Data Explorer	Microsoft.Kusto/clusters	cluster
Azure Data Factory	Microsoft.DataFactory/factories	dataFactory
Azure Database for MariaDB	Microsoft.DBforMariaDB/servers	mariadbServer
Azure Database for MySQL - Flexible Server	Microsoft.DBforMySQL/flexibleServers	mysqlServer
Azure Database for MySQL - Single Server	Microsoft.DBforMySQL/servers	mysqlServer
Azure Database for PostgreSQL - Flexible server	Microsoft.DBforPostgreSQL/flexibleServers	postgresqlServer
Azure Database for PostgreSQL - Single server	Microsoft.DBforPostgreSQL/servers	postgresqlServer
Azure Databricks	Microsoft.Databricks/workspaces	databricks_ui_api, browser_authentication
Azure Device Provisioning Service	Microsoft.Devices/provisioningServices	iotDps
Azure Digital Twins	Microsoft.DigitalTwins/digitalTwinsInstances	API
Azure Event Grid	Microsoft.EventGrid/domains	domain
Azure Event Grid	Microsoft.EventGrid/topics	topic
Azure Event Hub	Microsoft.EventHub/namespaces	namespace
Azure File Sync	Microsoft.StorageSync/storageSyncServices	File Sync Service
Azure HDInsight	Microsoft.HDInsight/clusters	cluster
Azure IoT Central	Microsoft.IoTCentral/IoTApps	IoTApps
Azure IoT Hub	Microsoft.Devices/IotHubs	iotHub
Azure Key Vault	Microsoft.KeyVault/vaults	vault
Azure Key Vault HSM (hardware security module)	Microsoft.Keyvault/managedHSMs	HSM
Azure Kubernetes Service - Kubernetes API	Microsoft.ContainerService/managedClusters	management
Azure Machine Learning	Microsoft.MachineLearningServices/registries	amlregistry
Azure Machine Learning	Microsoft.MachineLearningServices/workspaces	amlworkspace
Azure Managed Disks	Microsoft.Compute/diskAccesses	managed disk
Azure Media Services	Microsoft.Media/mediaservices	keydelivery, liveevent, streamingendpoint
Azure Migrate	Microsoft.Migrate/assessmentProjects	project
Azure Monitor Private Link Scope	Microsoft.Insights/privatelinkscopes	azuremonitor
Azure Relay	Microsoft.Relay/namespaces	namespace
Azure Service Bus	Microsoft.ServiceBus/namespaces	namespace
Azure SignalR Service	Microsoft.SignalRService/SignalR	signalr
Azure SignalR Service	Microsoft.SignalRService/webPubSub	webpubsub
Azure SQL Database	Microsoft.Sql/servers	SQL Server (sqlServer)
Azure SQL Managed Instance	Microsoft.Sql/managedInstances	managedInstance
Azure Static Web Apps	Microsoft.Web/staticSites	staticSites
Azure Storage	Microsoft.Storage/storageAccounts	Blob (blob, blob_secondary) Table (table, table_secondary) Queue (queue, queue_secondary) File (file, file_secondary) Web (web, web_secondary) Dfs (dfs, dfs_secondary)
Azure Synapse	Microsoft.Synapse/privateLinkHubs	web
Azure Synapse Analytics	Microsoft.Synapse/workspaces	Sql, SqlOnDemand, Dev
Azure AI Video Indexer	Microsoft.VideoIndexer/accounts	account
Azure Virtual Desktop - host pools	Microsoft.DesktopVirtualization/hostpools	connection
Azure Virtual Desktop - workspaces	Microsoft.DesktopVirtualization/workspaces	feed global
Device Update for IoT Hub	Microsoft.DeviceUpdate/accounts	DeviceUpdate
Integration Account (Premium)	Microsoft.Logic/integrationAccounts	integrationAccount
Microsoft Purview	Microsoft.Purview/accounts	account
Microsoft Purview	Microsoft.Purview/accounts	portal
Power BI	Microsoft.PowerBI/privateLinkServicesForPowerBI	Power BI
Private Link service (your own service)	Microsoft.Network/privateLinkServices	empty
Resource Management Private Links	Microsoft.Authorization/resourceManagementPrivateLinks	ResourceManagement

Virtual Network
- Networking
  - Select the Virtual Network and subnet to be used by the Endpoint and Service
- Private IP Configuration
  - Selecting "Dynamically allocate IP address" will assign an Ip address from the chosen subnet at random
  - Selecting "Statically allocate IP address" will allow you to assign a specific address from the chosen subnet if required
- Private DNS integration
  - Integrate with private DNS zone select "No" (Follow the instructions later in this article for creating the required DNS records)

Tags
- Tags should be inherited from the Subscription
Review + Create

Azure DNS Record Creation

Once the private endpoint has been created, you can create the required DNS records for resolution of the resource in Azure.

Navigate the private endpoint resource you created
Under Settings, select DNS configuration
On the DNS configuration page, select add configuration
- Subscription - Select ecmg-hub for ECM US Gov or ecm-hub for ECM Commerical
- Private DNS zone
  - Select the private DNS zone for your resource from the dropdown.
    - ECM Commerical zones reference - https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns#commercial
    - ECM US Government zones reference - https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns#government
  - NOTE: If the zones required for your resource does not exist, please contact the ECM to have to zone created.
- DNS zone group - This will be set to default
- Configuration - You may customize the default configuration name if required or accept the default.
Select Add
The DNS configuration will be added to your private endpoint and will allow for DNS resolution in Azure

Leidos DNS Record Creation

If your resource requires resolution outside of Azure, an additional DNS record needs to be created in the Leidos DNS management system. Follow the steps below to request this record creation. Note: Please contact the ECM team if you need to integrate DNS record creation with a CI/CD pipeline.

Navigate to the Leidos Corporate DNS and IP Management Form
Is this request for you or for someone else?
- Myself
Request Details
- Request a DNS Record addition, modification, or deletion
Urgency
- Choose the correct priority for your request
Select your environment
- Search for your ENV number from the list provided
- Check the box - I certify the environment selected is owned by myself or my team and is related to this record.
Select the DNS zone preferred for these changes:
- Select Internal-only (Private DNS, only accessible while on the Leidos Network)
Select the record type(s) that need to be added or modified:
- Check to box for Host record (example.leidos.com points to 10.1.1.1)
  - Enter FQDN (Fully Qualified Doman Name) of your Azure Resource then the IP address (Example: oai-ecmg-dev-01.privatelink.openai.azure.us 10.107.15.20)
    - You can find the FQDN and Ip Address for your resource on the DNS configuration page of the private endpoint for your resource.
- Note: You can enter multiple records on same form if required.
Select Submit