Sunday, 16 June 2024

Azure Private Link endpoint

This guide is for Azure tenants intending to establish connectivity to SHIP-HATS services via Azure Private Link service.

Following are the steps involved when you set up Azure Private Link endpoints.

| Step | Task | Owner |
|---|---|---|
| 1 | Create Azure Private Links | User |
| 2 | Submit Approval Request | SA or PA |
| 3 | Create Private DNS Zones | User |
| 4 | Verify Azure private link endpoint connectivity | User |
| 5 | Switch endpoint. This is applicable only if you are upgrading your IPsec Tunnel to Azure Private Link. | User |

Following is the high-level architecture diagram for this.

[Figure: azure-private-link-endpoint architecture diagram]

Step 1: Create Azure Private Links

This section guides you through creating the private link endpoint for services such as Nexus and SonarQube.

  1. On the Azure console, go to Private Link > Private Endpoints.
  2. Provide the following details on the Basics tab. [Screenshot: Create-private-link-basic]

     | Field | Information |
     |---|---|
     | Resource group | Select the required resource group. |
     | Name | Specify <PROJECT_NAME>-<ENV>-to-ship-appgw-pl. This naming is necessary for approving the request. |
     | Region | Select Southeast Asia. |

  3. Click Next: Resource.
  4. Provide the following details on the Resources tab. [Screenshot: Create-private-link-resources]

     | Field | Information |
     |---|---|
     | Connection Method | Choose Connect to an Azure resource by resource ID or alias. |
     | Resource ID or Alias | Specify /subscriptions/0bf6396d-d121-42c6-aa7f-37f39cc52de7/resourceGroups/shiphats-prod-privatelink/providers/Microsoft.Network/applicationGateways/shiphats-prod-proxy-appgw. |
     | Target Sub-Resource | Specify PrivateFrontendIp. |
     | Request Message | Specify Request from <PROJECT_NAME>. |

  5. Click Next: Virtual Network.
  6. Provide the following details on the Virtual Network tab. [Screenshot: Create-private-link-virtual-network]

     | Field | Information |
     |---|---|
     | Subnet | Select the required subnet to provision the private endpoint. |
     | Private IP configuration | Choose Dynamically allocate IP address. |

  7. Click Next: DNS and specify the required details on the DNS and Tags tabs.
  8. Proceed to Review + Create to review the details.
  9. Click Create.

- At this stage, status of the private links will be pending.
- Submit the SHIP-HATS 2.0 Azure Private Link Approval request as a technical support request.
- After approval, proceed to Create Private DNS zones.

Step 2: Submit Approval Request

SA or PA must submit the SHIP-HATS 2.0 Azure Private Link Approval request as a technical support request. If they are unable to submit the request directly, ensure an approval from either of them is attached to the request.

Step 3: Create Private DNS Zones

The Azure Private DNS zone is required to resolve the subdomains to the Private Link endpoint IP in the linked virtual network.

Prerequisites

  • Get the private IP of the Azure Private Endpoints. To get this, go to Private Link > Private endpoints and take note of the Private IP of the private endpoints that you created.
  • Your Azure Private Link request must have been approved.

To create a private DNS zone

  1. On the Azure console, click Private DNS zones > Create.
  2. Provide the following details on the Basics tab. [Screenshot: Create-private-dns-zone]

     | Field | Information |
     |---|---|
     | Resource Group | Select the required resource group. |
     | Name | Enter ship.gov.sg. |

  3. [Optional] Specify the required details in Tags and proceed to Review create.
  4. Click Review create to create the private DNS zone.
  5. After creating the ship.gov.sg DNS zone, go to the created private DNS zone and click + Record set. [Screenshot: private-dns-zone-record-set]
  6. Specify the appropriate record Name based on the information provided in the following table.

     | DNS Zone | Name |
     |---|---|
     | ship.gov.sg | * |
     | hats.stack.gov.sg | * |
     | sgts.gitlab-dedicated.com | registry |
     | sgts.gitlab-dedicated.com | @ |

     Using the wildcard * for ‘ship.gov.sg’ and ‘hats.stack.gov.sg’ in the record sets simplifies the process by creating a single mapping for all subdomains under these domains. For instance, the wildcard * for ‘ship.gov.sg’ allows the Private DNS zone to resolve subdomains such as nexus.ship.gov.sg and https://sonar1.hats.stack.gov.sg (SonarQube Enterprise) to their respective private link endpoints without a record per host.

  7. Specify the private IP of the corresponding private link. The IP 100.73.109.4 shown in the screenshot is for illustrative purposes.
  8. Click OK.
  9. Link the GitLab Runner VNet to the private hosted zone. [Screenshot: vnet]
  10. Repeat steps 6-9 for the following domains:
     • hats.stack.gov.sg
     • sgts.gitlab-dedicated.com
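The portal steps in Step 1 (private endpoint) and Step 3 (private DNS zones) can also be scripted, which is useful when several projects or environments need the same setup. The following is an added example using the Azure CLI; it is not from the SHIP-HATS guide. The resource group, VNet, subnet and link names are placeholders you would replace, the application gateway resource ID is the one quoted in Step 1, the record names come from the table in Step 3, and 100.73.109.4 is the guide's illustrative endpoint IP. Set DRY_RUN=1 to print the az commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the SHIP-HATS guide: Azure CLI equivalent of the
# portal steps "Create Azure Private Links" and "Create Private DNS Zones".
# Resource group, VNet, subnet and link names are placeholders; set DRY_RUN=1
# to print the az commands instead of executing them.

# run ARGS...: execute "az ARGS..." or, under DRY_RUN=1, print it.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "az $*"; else az "$@"; fi
}

# create_endpoint RG NAME VNET SUBNET RESOURCE_ID PROJECT
# Creates the private endpoint against the SHIP-HATS application gateway
# (sub-resource PrivateFrontendIp) as a manual request, so it stays pending
# until SHIP-HATS approves it (Step 2).
create_endpoint() {
  rg=$1; name=$2; vnet=$3; subnet=$4; resource_id=$5; project=$6
  run network private-endpoint create \
    --resource-group "$rg" --name "$name" --location southeastasia \
    --vnet-name "$vnet" --subnet "$subnet" \
    --private-connection-resource-id "$resource_id" \
    --group-id PrivateFrontendIp --connection-name "$name" \
    --manual-request true --request-message "Request from $project"
}

# record_names ZONE: the record-set names the guide's table prescribes for ZONE.
# A wildcard covers every subdomain (nexus.ship.gov.sg, sonar.hats.stack.gov.sg);
# the GitLab zone needs the apex (@) and the registry host listed explicitly.
record_names() {
  case "$1" in
    ship.gov.sg|hats.stack.gov.sg) echo '*' ;;
    sgts.gitlab-dedicated.com)     printf '%s\n' registry @ ;;
    *) echo "no record mapping for zone $1" >&2; return 1 ;;
  esac
}

# create_zone RG ZONE ENDPOINT_IP VNET_ID LINK_NAME
# Creates the private DNS zone, one A record per prescribed name pointing at
# the private endpoint IP, and links the GitLab Runner VNet (registration
# disabled: the zone only answers queries, it must not register VM names).
create_zone() {
  rg=$1; zone=$2; ip=$3; vnet=$4; link=$5
  run network private-dns zone create --resource-group "$rg" --name "$zone" || return 1
  # read, unlike an unquoted $(...) expansion, does not glob-expand '*'.
  record_names "$zone" | while read -r name; do
    run network private-dns record-set a add-record \
      --resource-group "$rg" --zone-name "$zone" \
      --record-set-name "$name" --ipv4-address "$ip" || exit 1
  done || return 1
  run network private-dns link vnet create \
    --resource-group "$rg" --zone-name "$zone" --name "$link" \
    --virtual-network "$vnet" --registration-enabled false
}

# Example invocation with placeholder names; runs only when the script is
# invoked with "apply", so the functions are safe to source.
if [ "${1:-}" = "apply" ]; then
  SHIP_APPGW_ID=/subscriptions/0bf6396d-d121-42c6-aa7f-37f39cc52de7/resourceGroups/shiphats-prod-privatelink/providers/Microsoft.Network/applicationGateways/shiphats-prod-proxy-appgw
  RUNNER_VNET_ID=/subscriptions/PLACEHOLDER/resourceGroups/myproject-rg/providers/Microsoft.Network/virtualNetworks/myproject-vnet
  create_endpoint myproject-rg myproject-prod-to-ship-appgw-pl myproject-vnet runner-subnet "$SHIP_APPGW_ID" myproject
  create_zone myproject-rg ship.gov.sg 100.73.109.4 "$RUNNER_VNET_ID" runner-vnet-link
fi
```

Run `DRY_RUN=1 sh script.sh apply` first to review the exact commands, then without DRY_RUN once the endpoint name matches the `<PROJECT_NAME>-<ENV>-to-ship-appgw-pl` convention the approval step depends on. Each zone is pointed at the private IP of its own endpoint, as the guide's "corresponding private link" wording requires.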

Step 4: Verify Azure private link endpoint connectivity

This step is applicable for users who are creating a new Azure Private Link endpoint. If you are upgrading your existing IPsec Tunnel to an Azure Private Link endpoint, refer to Switch endpoint.

Verify your connectivity to ensure that the hostnames resolve to the Azure Private Link endpoint IP and return a response.

To verify Azure Private Link endpoint connectivity

  1. Log in to a virtual machine.
  2. Verify connectivity with the following curl commands:

     curl -v https://sgts.gitlab-dedicated.com
     curl -v https://sonar.hats.stack.gov.sg
     curl -v https://nexus-docker.ship.gov.sg

  3. Confirm the pipeline jobs are working as expected.
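A response from curl alone does not prove the private path is in use: if the Private DNS zone is not linked to the VM's VNet, or the VM still points at other nameservers, the hostname may resolve to a public address and the traffic bypasses the endpoint. The check below is an added example, not from the SHIP-HATS guide; it parses the `* Connected to HOST (IP) port` line in curl's verbose output and compares the IP with the private endpoint IP noted in Step 3. It serves the verification in Step 5 equally. The function names and the optional capture-file argument are assumptions, and 100.73.109.4 is the guide's illustrative IP.

```shell
#!/bin/sh
# Added example, not from the SHIP-HATS guide: confirm that a SHIP-HATS host
# is reached through the Private Link endpoint IP recorded in Step 3, not a
# public address. 100.73.109.4 is the guide's illustrative endpoint IP.

# connected_ip: read `curl -v` output on stdin and print the IPv4 address curl
# connected to, taken from its "* Connected to HOST (IP) port 443" line.
connected_ip() {
  sed -n 's/^\* Connected to [^ ]* (\([0-9.]*\)) port .*/\1/p' | head -n 1
}

# check_endpoint HOST EXPECTED_IP [CAPTURE_FILE]
# Returns 0 when curl connected to EXPECTED_IP, 1 otherwise. When CAPTURE_FILE
# is given, that saved `curl -v` output is parsed instead of contacting HOST,
# which allows offline review of captures taken on the VM.
check_endpoint() {
  host=$1; expected=$2; capture=$3
  if [ -n "$capture" ]; then
    actual=$(connected_ip < "$capture")
  else
    # curl writes its verbose trace to stderr; keep that and drop the body.
    actual=$(curl -sS -v --max-time 10 "https://$host" 2>&1 >/dev/null | connected_ip)
  fi
  if [ -n "$actual" ] && [ "$actual" = "$expected" ]; then
    echo "OK   $host -> $actual (Private Link endpoint)"
    return 0
  fi
  echo "FAIL $host -> ${actual:-no connection} (expected $expected)" >&2
  return 1
}

# Example invocation on the VM, each host paired with the private IP of its
# own endpoint (the guide's "corresponding private link"); the GitLab IP is a
# placeholder:
#   check_endpoint nexus-docker.ship.gov.sg  100.73.109.4
#   check_endpoint sonar.hats.stack.gov.sg   100.73.109.4
#   check_endpoint sgts.gitlab-dedicated.com 100.73.109.5
```

A FAIL that shows a public IP points at DNS (zone not linked, wrong record name, or stale nameservers on the VM); a FAIL with "no connection" means the name did not resolve at all or the endpoint connection is still pending approval.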

Step 5: Switch endpoint

The following steps are applicable only if you’ve upgraded your IPsec Tunnel to Azure Private Link endpoint.

This step will cause downtime in the CI/CD pipelines. Please switch the endpoint during planned maintenance.

  1. Remove the SHIP-HATS nameservers from the VM’s network interface and restart the VM for the change to take effect.
  2. Create an Azure Private DNS zone to point the hostnames to the Private Link endpoint IP.
  3. Log in to a virtual machine.
  4. Verify connectivity with the following curl commands:

     curl -v https://sgts.gitlab-dedicated.com
     curl -v https://sonar.hats.stack.gov.sg
     curl -v https://nexus-docker.ship.gov.sg

  5. Confirm the pipeline jobs are working as expected.