Private Endpoints
Private endpoints give Azure PaaS services (SQL, Redis, Key Vault, ACR) a private IP address within the VNet, eliminating all public internet exposure. All Microtec environments use private endpoints for every data plane service.
Overview
Private endpoints are NICs placed in the 10.x.6.0/24 privateEndpoints subnet. DNS resolution routes service FQDNs to private IPs automatically via Azure Private DNS.
SQL Server Private Endpoint
| Property | Value |
|---|---|
| Resource | Azure SQL VM (mic-backend-shared-sql-rg) |
| Private IP (dev) | 10.0.6.4 |
| Private IP (stage) | 10.1.6.4 |
| Private IP (preprod) | 10.6.6.4 |
| Private IP (uat) | 10.5.6.4 |
| Private IP (prod) | 10.2.6.4 |
| Port | 1433 |
| Private DNS zone | privatelink.database.windows.net |
Shared SQL VM Uses a Single Public IP
The SQL VM at 20.50.120.95 is accessible from outside via SSH for administrative tasks. However, application services never connect through the public IP — they always route through the VNet private endpoint on port 1433.
DNS A record example (dev):

```
sql.privatelink.database.windows.net → 10.0.6.4
```

The connection string in appsettings resolves the private DNS name automatically:

```
Server=mic-backend-shared-sql.database.windows.net,1433;...
```

Azure resolves mic-backend-shared-sql.database.windows.net to mic-backend-shared-sql.privatelink.database.windows.net, which in turn resolves to the private IP within the VNet.
Redis Private Endpoint
| Property | Value |
|---|---|
| Resource | Azure Cache for Redis (per environment) |
| Port | 10000 (SSL) |
| Private DNS zone | privatelink.redis.cache.windows.net |

| Environment | Resource Name | Private IP |
|---|---|---|
| dev | mic-erp-be-dev-redis | 10.0.6.5 |
| stage | mic-erp-be-stage-redis | 10.1.6.5 |
| preprod | mic-erp-be-preprod-redis | 10.6.6.5 |
| uat | mic-erp-be-uat-redis | 10.5.6.5 |
| production | mic-erp-be-prod-redis | 10.2.6.5 |
When a microservice connects to mic-erp-be-stage-redis.uksouth.redis.azure.net:10000, the DNS chain resolves:

```
mic-erp-be-stage-redis.uksouth.redis.azure.net
→ mic-erp-be-stage-redis.privatelink.redis.cache.windows.net
→ 10.1.6.5 (private IP in stage privateEndpoints subnet)
```

No traffic leaves the VNet. The Redis public endpoint is disabled on all environments.
Key Vault Private Endpoint
| Property | Value |
|---|---|
| Port | 443 (HTTPS) |
| Private DNS zone | privatelink.vaultcore.azure.net |

| Environment | Key Vault | Private IP |
|---|---|---|
| dev | mic-erp-be-dev-skv | 10.0.6.6 |
| stage | mic-erp-stg-kv | 10.1.6.6 |
| preprod | mic-erp-be-preprod-skv | 10.6.6.6 |
| uat | mic-erp-uat-kv | 10.5.6.6 |
| production | (production KV name) | 10.2.6.6 |
Key Vault keyvaultref: environment variable injection in Container Apps resolves via the private endpoint — the CAE runtime reads secrets through the VNet without traversing the internet.
Key Vault Firewall
Key Vault is configured with "Allow trusted Microsoft services to bypass this firewall" set to On and a VNet-specific allowlist. Public network access is Disabled on all environments. This means Key Vault is only reachable through the VNet private endpoint or from Azure DevOps pipeline agents that are VNet-peered.
ACR Private Endpoint
| Property | Value |
|---|---|
| Port | 443 (HTTPS) |
| Private DNS zone | privatelink.azurecr.io |

| Environment | ACR | Private IP |
|---|---|---|
| dev | micerpbedevacr | 10.0.6.7 |
| stage | micerpbestageacr | 10.1.6.7 |
| preprod | micerpbepreprodacr | 10.6.6.7 |
| uat | micerpbeuatacr | 10.5.6.7 |
| production | micerpbeprdacr | 10.2.6.7 |
Container App Environments pull images from ACR through the private endpoint. The ACR admin account is disabled; authentication uses user-assigned managed identities with the AcrPull role.
ACR also has a private endpoint for the data subdomain (used for blob layer pulls):

Private DNS zone: privatelink.azurecr.io

Records:

```
micerpbedevacr.azurecr.io → 10.0.6.7
micerpbedevacr.uksouth.data.azurecr.io → 10.0.6.8
```

Private DNS Zone Configuration
Each private DNS zone is linked to the VNet of every environment:
| DNS Zone | Linked VNets | Purpose |
|---|---|---|
| privatelink.database.windows.net | All env VNets | SQL |
| privatelink.redis.cache.windows.net | All env VNets | Redis |
| privatelink.vaultcore.azure.net | All env VNets | Key Vault |
| privatelink.azurecr.io | All env VNets | ACR |
Zones are managed in a dedicated resource group mic-erp-be-shared-dns-rg and linked to each environment VNet:
```bicep
resource vnetLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: privateDnsZone
  name: '${vnetName}-link'
  location: 'global'
  properties: {
    registrationEnabled: false
    virtualNetwork: {
      id: vnet.id
    }
  }
}
```

Verifying Private Endpoint Resolution
From within a microservice container (exec into a running Container App):
```bash
# Should return a 10.x.6.x address, not a public IP
nslookup mic-erp-be-stage-redis.uksouth.redis.azure.net

# Should return a 10.x.6.x address
nslookup mic-erp-stg-kv.vault.azure.net

# Connectivity test
nc -zv mic-erp-be-stage-redis.uksouth.redis.azure.net 10000
```

If nslookup returns a public IP instead of a private one, the private DNS zone VNet link is missing or misconfigured.
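As an added check, not part of the original docs or the Microtec codebase, the following script automates the nslookup test above and the DNS chain shown in the Redis section: it audits `dig +short` output for a service FQDN against the privatelink zones and the 10.x.6.0/24 privateEndpoints subnets listed on this page. The environment map and the sample dig output are constructed from the page's tables; the Redis public suffix `.redis.azure.net` is taken as the page gives it.

```python
import ipaddress

# Environment -> privateEndpoints subnet, following the page's 10.x.6.0/24 scheme.
PRIVATE_ENDPOINT_SUBNETS = {
    "dev": ipaddress.ip_network("10.0.6.0/24"),
    "stage": ipaddress.ip_network("10.1.6.0/24"),
    "preprod": ipaddress.ip_network("10.6.6.0/24"),
    "uat": ipaddress.ip_network("10.5.6.0/24"),
    "prod": ipaddress.ip_network("10.2.6.0/24"),
}

# Public service suffix -> private DNS zone that must appear in the CNAME chain.
PRIVATELINK_ZONES = {
    ".database.windows.net": "privatelink.database.windows.net",
    ".redis.azure.net": "privatelink.redis.cache.windows.net",
    ".vault.azure.net": "privatelink.vaultcore.azure.net",
    ".azurecr.io": "privatelink.azurecr.io",
}

# Constructed sample of `dig +short` output for the stage Redis name (healthy case).
SAMPLE_STAGE_REDIS = "mic-erp-be-stage-redis.privatelink.redis.cache.windows.net.\n10.1.6.5\n"

def expected_zone(fqdn):
    for suffix, zone in PRIVATELINK_ZONES.items():
        if fqdn.endswith(suffix):
            return zone
    raise ValueError(f"no private DNS zone known for {fqdn}")

def audit_resolution(fqdn, env, dig_short_output):
    """Findings for `dig +short <fqdn>` output; empty list means private resolution is correct."""
    names = [line.strip().rstrip(".") for line in dig_short_output.splitlines() if line.strip()]
    if not names:
        return ["no answer: FQDN did not resolve"]
    findings, cnames, addrs = [], [], []
    for name in names:
        try:
            addrs.append(ipaddress.ip_address(name))  # A record line
        except ValueError:
            cnames.append(name)  # CNAME target line
    zone = expected_zone(fqdn)
    if not any(cname.endswith(zone) for cname in cnames):
        findings.append(f"CNAME chain skips {zone}: VNet link to that zone is missing or misconfigured")
    subnet = PRIVATE_ENDPOINT_SUBNETS[env]
    for ip in addrs:
        if ip not in subnet:
            findings.append(f"{fqdn} resolved to {ip}, outside {subnet}: not this environment's private endpoint")
    return findings

if __name__ == "__main__":
    print(audit_resolution("mic-erp-be-stage-redis.uksouth.redis.azure.net", "stage", SAMPLE_STAGE_REDIS))
```

From inside a running container, pipe the real answer in with `dig +short <fqdn>` and pass the environment name; any non-empty findings list points at the missing zone link or a public IP leaking through.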