Configure private endpoints for Device Update for IoT Hub accounts

You can use private endpoints to allow traffic directly from your virtual network to your account securely over a private link without going through the public internet. The private endpoint uses an IP address from the VNet address space for your account. For more conceptual information, see Network security.

This article describes how to configure private endpoints for accounts.

You can either use the Azure portal or the Azure CLI to create a private endpoint for an account.

Prerequisites

Azure portal

No prerequisites for the Azure portal.

Azure CLI

An Azure CLI environment:

• Use the Bash environment in Azure Cloud Shell.

  

• Or, if you prefer to run CLI reference commands locally, install the Azure CLI

  • Sign in to the Azure CLI by using the az login command.

  • Run az version to find the version and dependent libraries that are installed. To upgrade to the latest version, run az upgrade.

  • When prompted, install Azure CLI extensions on first use. The commands in this article use the azure-iot extension. Run az extension update --name azure-iot to make sure you're using the latest version of the extension.

Configure private endpoints from the Device Update account

In the Azure portal, you can create a new private endpoint from within the Device Update account. These private endpoint connections are auto-approved and don't need the extra steps of being reviewed and approved described in the rest of this article.

1. Sign in to the Azure portal and navigate to your account or domain.

2. Switch to the Networking tab of your account page. If you want to limit the access to only the private endpoint, disable the Public Network Access.

3. Switch to the Private Access tab, and then select + Add on the toolbar.

   

4. On the Basics page, provide the following information for your private endpoint:

   • Subscription: The Azure subscription in which you want to create the private endpoint.

   • Resource group: An existing or new resource group for the private endpoint.

   • Name: A name for the endpoint. This value is used to auto-generate the Network interface name.

   • Region: An Azure region for the endpoint. Your private endpoint must be in the same region as your virtual network, but can in a different region from the Device Update account.

     

5. The Resource page is auto-populated

   

6. On the Virtual Network page, select the subnet and virtual network where you want to deploy the private endpoint.

   • Virtual network: Only virtual networks in the currently selected subscription and location are listed in the drop-down list.

   • Subnet: Select a subnet in the virtual network you selected.

     

7. On the DNS page, use the pre-populated values unless you're using your own custom DNS.

   

8. On the Tags page, create any tags (names and values) that you want to associate with the private endpoint resource.

9. On the Review + create page, review all the settings and select Create to create the private endpoint.

Configure private endpoints from the Private Link Center

If you don't have access to the Device Update account, you can create private endpoints from the Private Link Center. In the case that the user creating the connection doesn't have the power to also approve it, the connection will be created in the pending state.

You can use either the Azure portal or the Azure CLI to create private endpoints.

Azure portal

1. From the Azure portal, navigate to Private Link Center > Private Endpoints and select +Create.

   

2. On the Basics page, provide the following information for your private endpoint:

   • Subscription: The Azure subscription in which you want to create the private endpoint.
   • Resource group: An existing or new resource group for the private endpoint.
   • Name: A name for the endpoint. This value is used to auto-generate the Network interface name.
   • Region: An Azure region for the endpoint. Your private endpoint must be in the same region as your virtual network, but can in a different region from the Device Update account.

3. Fill all the required fields on the Resource tab

   • Connection method: Select Connect to an Azure resource by resource ID or alias.
   • Resource ID or alias: Enter the Resource ID of the Device Update account. You can retrieve the resource ID of a Device Update account from the Azure portal by selecting JSON View on the Overview page. Or, you can retrieve it by using the az iot du account show command and querying for the ID value: az iot du account show -n <account_name> --query id.
   • Target sub-resource: Value must be DeviceUpdate

   

4. On the Virtual Network page, select the subnet and virtual network where you want to deploy the private endpoint.

   • Virtual network: Only virtual networks in the currently selected subscription and location are listed in the drop-down list.
   • Subnet: Select a subnet in the virtual network you selected.

5. On the DNS page, use the pre-populated values unless you're using your own custom DNS.

6. On the Tags page, create any tags (names and values) that you want to associate with the private endpoint resource.

7. On the Review + create page, review all the settings and select Create to create the private endpoint.

Azure CLI

Use the az network private-endpoint create command to create a private endpoint.

Replace the following placeholders with your own information:

• RESOURCE_GROUP_NAME: Name of the resource group.
• PRIVATE_ENDPOINT_NAME: Name of the private endpoint.
• PRIVATE_LINK_CONNECTION_NAME: Name of the private link service connection.
• VIRTUAL_NETWORK_NAME: Name of an existing virtual network associated with the subnet.
• SUBNET_NAME: Name or ID of an existing subnet. If you use a subnet name, then you also need to include the virtual network name. If you use a subnet ID, you can omit the --vnet-name parameter.
• DEVICE_UPDATE_RESOURCE_ID: You can retrieve the resource ID of a Device Update account from the Azure portal by selecting JSON View on the Overview page. Or, you can retrieve it by using the az iot du account show command and querying for the ID value: az iot du account show -n <account_name> --query id.
• LOCATION: Name of the Azure region. Your private endpoint must be in the same region as your virtual network, but can in a different region from the Device Update account.

az network private-endpoint create \
    --resource-group <RESOURCE_GROUP_NAME> \
    --name <PRIVATE_ENDPOINT_NAME> \
    --connection-name <PRIVATE_LINK_CONNECTION_NAME> \
    --vnet-name <VIRTUAL_NETWORK_NAME> \
    --subnet <SUBNET_NAME> \
    --private-connection-resource-id "<DEVICE_UPDATE_RESOURCE_ID> \
    --location <LOCATION> \
    --group-id DeviceUpdate
    --request-message "Optional message"
    --manual-request

You can delete a private endpoint with the az network private-endpoint delete command.

az network private-endpoint delete --resource-group <RESOURCE_GROUP_NAME> --name <PRIVATE_ENDPOINT_NAME>

Manage private link connections

When you create a private endpoint awaiting the manual approval, the connection must be approved before it can be used. If the resource for which you're creating a private endpoint is in your directory, you can approve the connection request provided you have sufficient permissions. If you're connecting to an Azure resource in another directory, you must wait for the owner of that resource to approve your connection request.

There are four provisioning states:

Service action	Service consumer private endpoint state	Description
None	Pending	Connection is created manually and is pending approval from the private Link resource owner.
Approve	Approved	Connection was automatically or manually approved and is ready to be used.
Reject	Rejected	Connection was rejected by the private link resource owner.
Remove	Disconnected	Connection was removed by the private link resource owner, the private endpoint becomes informative and should be deleted for cleanup.

Azure portal

Review a pending connection from the Device Update account

1. From the Azure portal, navigate to the Device Update account that you want to manage.

2. Select the Networking tab.

3. If there are any connections that are pending, you'll see a connection listed with Pending in the provisioning state.

   

4. Use the checkbox to select the pending connection, then select either Approve or Reject.

Review a pending connection from the Private Link Center

1. From the Azure portal, navigate to Private Link Center > Pending connections.

2. Use the checkbox to select the pending connection, then select either Approve or Reject.

   

Azure CLI

Use the az iot du account private-endpoint-connection set command to manage private endpoint connection.

Replace the following placeholders with your own information:

• ACCOUNT_NAME: Name of the Device Update account.
• PRIVATE_LINK_CONNECTION_NAME: Name of the private link service connection.
• STATUS: Either Approved or Rejected.

az iot du account private-endpoint-connection set \
    --name <ACCOUNT_NAME> \
    --connection-name <PRIVATE_LINK_CONNECTION_NAME> \
    --status <STATUS> \
    --desc 'Optional description'

Next steps

Learn about network security concepts.