| title | description | ms.topic | ms.date | ms.custom |
|---|---|---|---|---|
Use private endpoints with Azure Batch accounts |
Learn how to connect privately to an Azure Batch account by using private endpoints. |
how-to |
09/28/2020 |
references_regions |
By default, Azure Batch accounts have a public endpoint and are publicly accessible. The Batch service offers the ability to create private Batch accounts, disabling the public network access.
By using Azure Private Link, you can connect to an Azure Batch account via a private endpoint. The private endpoint is a set of private IP addresses in a subnet within your virtual network. You can then limit access to an Azure Batch account over private IP addresses.
Private Link allows users to access an Azure Batch account from within the virtual network or from any peered virtual network. Resources mapped to Private Link are also accessible on-premises over private peering through VPN or Azure ExpressRoute. You can connect to an Azure Batch account configured with Private Link by using the automatic or manual approval method.
Important
Support for private connectivity in Azure Batch is currently available for all public regions except Germany Central and Germany Northeast.
This article describes the steps to create a private Batch account and access it using a private endpoint.
Use the following steps to create a private Batch account using the Azure portal:
- From the Create a resource pane, choose Batch Service and then select Create.
- Enter the subscription, resource group, region and Batch account name in the Basics tab, then select Next: Advanced.
- In the Advanced tab, set Public network access to Disabled.
- In Settings, select Private endpoint connections and then select + Private endpoint. :::image type="content" source="media/private-connectivity/private-endpoint-connections.png" alt-text="Private endpoint connections":::
- In the Basics pane, enter or select the subscription, resource group, private endpoint resource name and region details, then select Next: Resource.
- In the Resource pane, set the Resource type to Microsoft.Batch/batchAccounts. Select the private Batch account you want to access, then select Next: Configuration. :::image type="content" source="media/private-connectivity/create-private-endpoint.png" alt-text="Create a private endpoint - Resource pane":::
- In the Configuration pane, enter or select this information:
- Virtual network: Select your virtual network.
- Subnet: Select your subnet.
- Integrate with private DNS zone: Select Yes. To connect privately with your private endpoint, you need a DNS record. We recommend that you integrate your private endpoint with a private DNS zone. You can also use your own DNS servers or create DNS records by using the host files on your virtual machines.
- Private DNS Zone: Select privatelink..batch.azure.com. The private DNS zone is determined automatically. You can't change it by using the Azure portal.
- Select Review + create, then wait for Azure to validate your configuration.
- When you see the Validation passed message, select Create.
After the private endpoint is provisioned, you can access the Batch account from VMs in the same virtual network using the private endpoint. To view the IP address from the Azure portal:
- Select All resources.
- Search for the private endpoint that you created earlier.
- Select the Overview tab to see the DNS settings and IP addresses.
:::image type="content" source="media/private-connectivity/access-private.png" alt-text="Private endpoint DNS settings and IP addresses":::
When creating a Batch account by using Azure Resource Manager template, modify the template to set publicNetworkAccess to Disabled as shown below.
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"batchAccountName": {
"type": "string",
},
"location": {
"type": "string",
}
},
"resources": [
{
"name": "[parameters('batchAccountName')]",
"type": "Microsoft.Batch/batchAccounts",
"apiVersion": "2020-03-01-preview",
"location": "[parameters('location')]",
"dependsOn": []
"properties": {
"poolAllocationMode": "BatchService"
"publicNetworkAccess": "Disabled"
}
}
]
}Use a private DNS zone within the subnet where you've created the private endpoint. Configure the endpoints so that each private IP address is mapped to a DNS entry.
When you're creating the private endpoint, you can integrate it with a private DNS zone in Azure. If you choose to instead use a custom domain, you must configure it to add DNS records for all private IP addresses reserved for the private endpoint.
For details on costs related to private endpoints, see Azure Private Link pricing.
When creating your private Batch account, keep in mind the following:
- Private endpoint resources must be created in the same subscription as the Batch account.
- To delete the private connection, you must delete the private endpoint resource.
- Once a Batch account is created with public network access, you can't change it to private access only.
- DNS records in the private DNS zone are not removed automatically when you delete a private endpoint or when you remove a region from the Batch account. You must manually remove the DNS records before adding a new private endpoint linked to this private DNS zone. If you don't clean up the DNS records, unexpected data plane issues might happen, such as data outages to regions added after private endpoint removal or region removal.
- Learn how to create Batch pools in virtual networks.
- Learn how to create Batch pools without public IP addresses
- Learn how to create Batch pools with specified public IP addresses.
- Learn about Azure Private Link.