Azure Private Link Service Direct Connect – Simplified Private Connectivity (Public Preview)

Azure Private Link Service (PLS) has long been the go-to option for exposing your services privately to consumers across Azure — ensuring that traffic never crosses the public internet.
Until recently, this required a Standard Load Balancer to sit in front of your service. That setup worked well, but it added complexity and limited flexibility, especially in hybrid or custom routing scenarios.
Now, with Private Link Service Direct Connect, Microsoft has simplified the model. You can route traffic directly to any privately routable IP address, removing the dependency on load balancers altogether.
This new feature opens the door to several use cases — from simplifying secure hybrid connections to enabling private access to third-party SaaS and appliances.

What’s New with Direct Connect

Here’s what changes with the Direct Connect model:

  • Direct IP Routing: You can now route traffic straight to a private IP address within your VNet, with no load balancer required.
  • Simpler Configuration: Reduces infrastructure footprint and simplifies maintenance.
  • Custom Routing: Gives full control over destination routing paths and traffic flow.
  • New Use Cases: Ideal for on-premises integration, SaaS connectivity, and network virtual appliances.

Lab (PowerShell): Create PLS Direct Connect + Private Endpoint

Region choice matters. Pick one of the supported regions. The script below uses westus, as per Microsoft Learn.

1) Create the Private Link Service (Direct Connect)

# Define variables
$resourceGroupName = "rg-pls-directconnect"
$location = "westus"
$vnetName = "pls-vnet"
$subnetName = "pls-subnet"
$plsName = "pls-directconnect"
$destinationIP = "10.0.1.100"

# Create resource group
New-AzResourceGroup -Name $resourceGroupName -Location $location

# Create virtual network (note the disabled network policies for PLS)
$subnet = New-AzVirtualNetworkSubnetConfig -Name $subnetName -AddressPrefix "10.0.1.0/24" -PrivateLinkServiceNetworkPoliciesFlag "Disabled"
$vnet = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $resourceGroupName -Location $location -AddressPrefix "10.0.0.0/16" -Subnet $subnet

# Get subnet reference
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName

# Create IP configurations for the PLS (minimum 2, multiples of 2)
$ipConfig1 = @{
    Name = "ipconfig1"
    PrivateIpAllocationMethod = "Dynamic"
    Subnet = $subnet
    Primary = $true
}
$ipConfig2 = @{
    Name = "ipconfig2"
    PrivateIpAllocationMethod = "Dynamic"
    Subnet = $subnet
    Primary = $false
}

# Create Private Link Service Direct Connect
$pls = New-AzPrivateLinkService `
    -Name $plsName `
    -ResourceGroupName $resourceGroupName `
    -Location $location `
    -IpConfiguration @($ipConfig1, $ipConfig2) `
    -DestinationIpAddress $destinationIP

Write-Output "Private Link service created successfully!"
Write-Output "Private Link service ID: $($pls.Id)"
Write-Output "Destination IP Address: $destinationIP"

2) Create a Private Endpoint (Consumer) to test connectivity

# Variables for Private Endpoint
$peResourceGroupName = "rg-pe-test"
$peVnetName = "pe-vnet"
$peSubnetName = "pe-subnet"
$privateEndpointName = "pe-to-pls"
# Resource ID of the PLS created in step 1 (in the same session, $pls.Id holds this value).
# Replace your-subscription-id; the resource group must match $resourceGroupName from step 1.
$privateLinkserviceId = "/subscriptions/your-subscription-id/resourceGroups/rg-pls-directconnect/providers/Microsoft.Network/privateLinkServices/pls-directconnect"

# Reuse the same $location as the PLS (must be SAME region)
New-AzResourceGroup -Name $peResourceGroupName -Location $location

# Create VNet for Private Endpoint (disable PE network policies)
$peSubnet = New-AzVirtualNetworkSubnetConfig -Name $peSubnetName -AddressPrefix "10.1.1.0/24" -PrivateEndpointNetworkPoliciesFlag "Disabled"
$peVnet = New-AzVirtualNetwork -Name $peVnetName -ResourceGroupName $peResourceGroupName -Location $location -AddressPrefix "10.1.0.0/16" -Subnet $peSubnet

# Get subnet reference
$peSubnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $peVnet -Name $peSubnetName

# Create Private Endpoint and link to the PLS
$privateLinkserviceConnection = @{
    Name = "connection-to-pls"
    PrivateLinkServiceId = $privateLinkserviceId
}

$privateEndpoint = New-AzPrivateEndpoint `
    -Name $privateEndpointName `
    -ResourceGroupName $peResourceGroupName `
    -Location $location `
    -Subnet $peSubnet `
    -PrivateLinkServiceConnection $privateLinkserviceConnection

Write-Output "Private Endpoint created: $($privateEndpoint.Name)"

3) Verify configuration

# Get Private Link service details
$pls = Get-AzPrivateLinkService -Name $plsName -ResourceGroupName $resourceGroupName

Write-Output "Private Link service: $($pls.Name)"
Write-Output "Provisioning State: $($pls.ProvisioningState)"
Write-Output "Destination IP: $($pls.DestinationIpAddress)"
Write-Output "IP Configurations: $($pls.IpConfigurations.Count)"

# Check Private Endpoint connections
$connections = $pls.PrivateEndpointConnections
foreach ($connection in $connections) {
    Write-Output "PE Connection: $($connection.Name) - Status: $($connection.PrivateLinkServiceConnectionState.Status)"
}
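
The verification step above only prints values. As an added example (not part of the original post or of Microsoft's documentation), the function below turns those same fields into pass/fail findings a provider can act on. Test-PlsDirectConnect is a hypothetical helper name, the RFC 1918 check is an assumption about what "privately routable" means in your network, and the sample object is constructed so the block runs without an Azure session.

```powershell
# Hypothetical helper (not an Az cmdlet): audits the fields step 3 prints.
function Test-PlsDirectConnect {
    param(
        [Parameter(Mandatory)] $Pls,              # object from Get-AzPrivateLinkService
        [string[]] $AllowedStatus = @('Approved')
    )
    $findings = [System.Collections.Generic.List[string]]::new()
    if ($Pls.ProvisioningState -ne 'Succeeded') {
        $findings.Add("Provisioning state is '$($Pls.ProvisioningState)'")
    }
    # The lab requires at least 2 IP configurations, in multiples of 2.
    [int]$count = $Pls.IpConfigurations.Count
    if ($count -lt 2 -or ($count % 2) -ne 0) {
        $findings.Add("IP configuration count $count is not an even number >= 2")
    }

    # Assumption: "privately routable" is narrowed to RFC 1918 IPv4 here.
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse([string]$Pls.DestinationIpAddress, [ref]$ip) -or
        $ip.AddressFamily -ne 'InterNetwork') {
        $findings.Add("Destination '$($Pls.DestinationIpAddress)' is not an IPv4 address")
    } else {
        $b = $ip.GetAddressBytes()
        $private = ($b[0] -eq 10) -or
                   ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
                   ($b[0] -eq 192 -and $b[1] -eq 168)
        if (-not $private) { $findings.Add("Destination $ip is outside RFC 1918") }
    }

    # Anything not explicitly approved (Pending, Rejected, ...) is reported.
    foreach ($c in $Pls.PrivateEndpointConnections) {
        $status = $c.PrivateLinkServiceConnectionState.Status
        if ($status -notin $AllowedStatus) {
            $findings.Add("Connection '$($c.Name)' has status '$status'")
        }
    }
    return $findings
}

# Constructed sample shaped like the properties printed in step 3 (not real output).
$sample = [pscustomobject]@{
    ProvisioningState          = 'Succeeded'
    DestinationIpAddress       = '10.0.1.100'
    IpConfigurations           = @('ipconfig1', 'ipconfig2', 'ipconfig3')
    PrivateEndpointConnections = @([pscustomobject]@{
        Name = 'pe-to-pls'
        PrivateLinkServiceConnectionState = [pscustomobject]@{ Status = 'Pending' } })
}
Test-PlsDirectConnect -Pls $sample
```

With live resources, pass the object returned by Get-AzPrivateLinkService in place of $sample; an empty result means every check passed.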

Cleanup (optional)

Remove-AzResourceGroup -Name $peResourceGroupName -Force
Remove-AzResourceGroup -Name $resourceGroupName -Force

Scenarios Unlocked

Here are some practical examples where Direct Connect shines:

  • On-premises via VPN/ExpressRoute: Connect internal apps directly to Azure resources through Private Link.
  • Third-party SaaS: Offer private connectivity to your customers without deploying extra infrastructure.
  • Virtual Appliances: Route traffic securely to network appliances like firewalls or proxies.

Summary

Azure Private Link Service Direct Connect removes the need for a load balancer, making private connectivity simpler, faster, and more flexible.

It’s a great enhancement for hybrid and partner connectivity scenarios — giving you more control without increasing complexity.

Learn more: Azure Private Link Service Direct Connect (Microsoft Learn)

Author: João Paulo Costa

MCP, MCT, MCSA, MCITP, MCTS, MS, Azure Solutions Architect, Azure Administrator, Azure Network Engineer, Azure Fundamentals, Microsoft 365 Enterprise Administrator Expert, Microsoft 365 Messaging Administrator, ITIL v3.