# Setting up Azure Private Link

> How to publish an Azure Private Link Service and coordinate the connection so Cube's Dedicated Infrastructure reaches your VNet privately.

<Note>
  This page covers **backend connectivity** — Cube reaching into your network to
  query data sources, auth providers, BI APIs targeted by Semantic Layer Sync,
  and other upstream services. See
  [Backend and frontend connectivity][backend-frontend] for the full picture.
  For **frontend connectivity** (exposing Cube's APIs to your applications,
  browsers, BI tools, and embedded analytics clients), see
  [Private API Connectivity on AWS][aws-private-api-connectivity]; the
  equivalent pattern is available on Azure on request.
</Note>

[Azure Private Link][azure-docs-private-link] enables you to access Azure
PaaS services and Azure-hosted customer-owned/partner services over a private
endpoint in your virtual network. To set up a Private Link connection between
Cube's Dedicated Infrastructure and your own VNet, you'll need to prepare a
Private Link Service, share service details with the Cube team, and approve
the incoming connection request.

<Note>
  **Dedicated Infrastructure vs. Bring Your Own Cloud.** The flow described on
  this page — sharing service details with the Cube team and letting Cube create
  the private endpoint and DNS overrides — applies to
  [Dedicated Infrastructure][cube-region] operated by Cube.

  In a [Bring Your Own Cloud (BYOC)][azure-byoc] deployment, the Cube VNet lives
  in **your own Azure subscription**, so you own the networking. The role granted
  to the Cube Operator does not include permissions to manage Private DNS Zones,
  which means Cube cannot create the private endpoint or the DNS override on
  your behalf. In BYOC, create the private endpoint in the Cube VNet against the
  provider's Private Link Service Resource ID yourself, then create a Private DNS
  Zone for the TLS hostname and link it to the Cube VNet.
</Note>

## Preparing the Private Link Service

There are two common scenarios for preparing the Private Link Service:

* Connecting to a service in your Azure infrastructure
* Connecting to a service provided by a third party such as Snowflake,
  Databricks, Confluent Cloud, etc.

In the case of your own infrastructure, please follow the
[official Azure documentation][azure-docs-private-link-service] to configure
the Private Link Service behind a standard Azure Load Balancer.

If your data source is hosted in a third-party infrastructure, please follow
the vendor's documentation for creating and managing a Private Link Service.

## Configuring service visibility

Azure Private Link Service lets you control which subscriptions can see your
service and request a connection to it. You'll need to configure access
permissions to allow Cube to connect to your service.

To allow Cube access, please go to **Azure Portal** → **Private Link
Services** → **Your service** → **Manage visibility** and add the following
subscription ID to the allowed list: `cd69336e-c628-4a88-a56e-86900a0df732`.

<Info>
  This is the Azure subscription ID of Cube's Private Link consumer
  subscription. Adding it authorizes Cube to discover your Private Link
  Service and create a private endpoint against it; nothing else in Cube's
  Azure estate gains access to your network.
</Info>

Alternatively, you can configure auto-approval for faster connection
establishment by adding the same subscription ID to the auto-approval list
under **Manage auto-approval**.
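
To confirm the two lists contain only what you intend after making this change, the following added example (not part of Cube's or Azure's tooling) audits an exported service definition. It assumes the JSON shape printed by `az network private-link-service show`, with `visibility.subscriptions` and `autoApproval.subscriptions` at the top level, and that an unrestricted list is represented as `*`; the sample documents are constructed.

```python
import json

# Subscription ID this page asks you to allow (Cube's Private Link consumer subscription).
CUBE_SUBSCRIPTION_ID = "cd69336e-c628-4a88-a56e-86900a0df732"


def audit_private_link_service(service, expected=CUBE_SUBSCRIPTION_ID):
    """Return a list of findings for one Private Link Service document.

    Assumed input shape: `visibility.subscriptions` and
    `autoApproval.subscriptions`, each a list of subscription IDs.
    """
    findings = []
    visible = [s.lower() for s in (service.get("visibility") or {}).get("subscriptions") or []]
    auto = [s.lower() for s in (service.get("autoApproval") or {}).get("subscriptions") or []]
    expected = expected.lower()

    if expected not in visible:
        findings.append("MISSING: expected subscription is not in the visibility list")
    for sub in visible:
        if sub == "*":
            findings.append("BROAD: visibility is not restricted to named subscriptions")
        elif sub != expected:
            findings.append(f"REVIEW: visibility also allows {sub}")
    for sub in auto:
        if sub == "*":
            findings.append("BROAD: auto-approval accepts requests from any subscription")
        elif sub != expected:
            findings.append(f"REVIEW: auto-approval also allows {sub}")
    if expected in auto and expected not in visible:
        findings.append("INCONSISTENT: auto-approved subscription is not in the visibility list")
    return findings


# Constructed sample documents (not real exports).
TIGHT = json.loads("""{"name": "myservice",
  "visibility": {"subscriptions": ["cd69336e-c628-4a88-a56e-86900a0df732"]},
  "autoApproval": {"subscriptions": []}}""")
LOOSE = json.loads("""{"name": "myservice",
  "visibility": {"subscriptions": ["*"]},
  "autoApproval": {"subscriptions": ["00000000-0000-0000-0000-000000000000"]}}""")

if __name__ == "__main__":
    for label, doc in (("tight", TIGHT), ("loose", LOOSE)):
        print(label, audit_private_link_service(doc) or "OK")
```

A `REVIEW` finding is not necessarily a problem: other subscriptions of your own may legitimately consume the same service.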

## Gathering required information

To request establishing a Private Link connection, please share the following
information with the Cube team:

* **Private Link Service Resource ID** (such as
  `/subscriptions/abc123/resourceGroups/myResourceGroup/providers/Microsoft.Network/privateLinkServices/myservice`)
* **Reference Name** for the record (such as "Snowflake-prod" or
  "databricks-dev")
* **Ports**: a list of ports that will be accessed through this connection
* **DNS Name(s)**: see [DNS and TLS](#dns-and-tls) below
* **Cube Region**: Private Link requires Cube to be hosted on
  [Dedicated Infrastructure][cube-region]. Specify which Cube Region should
  host your Dedicated Infrastructure.

## DNS and TLS

How your data source is addressed inside Cube depends on whether it speaks
TLS:

* **If the service uses TLS** (HTTPS, JDBC `Encrypt=true`, etc.), share the
  **DNS name(s)** the certificate is issued for — typically the same
  hostname your in-network clients already use to reach it. Cube creates
  internal DNS overrides inside the Dedicated Infrastructure so that the
  same hostname resolves to the Private Endpoint. Keeping the original
  hostname is what preserves TLS validity: the certificate's CN/SAN keeps
  matching what Cube dials.
* **If the service does not use TLS** and you don't supply a DNS name, the
  Cube team will share back an internal endpoint hostname (e.g. an
  Azure-assigned private-endpoint DNS name) that you can configure as the
  upstream when you wire the connection into Cube.
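
To decide which DNS name(s) to share in the TLS case, you can check which hostnames the service certificate actually covers. This added example (not Cube's code) takes a dict shaped like the one returned by Python's `ssl.SSLSocket.getpeercert()` and checks only the DNS subjectAltName entries; the certificate and both hostnames are constructed and hypothetical.

```python
def dns_names(peercert):
    """DNS subjectAltName entries from a dict shaped like ssl.SSLSocket.getpeercert()."""
    return [v.lower() for kind, v in peercert.get("subjectAltName", ()) if kind == "DNS"]


def label_match(pattern, hostname):
    """Exact match, or a '*' wildcard covering exactly the left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def certificate_covers(peercert, hostname):
    """True if any DNS SAN entry in the certificate matches the hostname."""
    return any(label_match(name, hostname) for name in dns_names(peercert))


# Constructed sample: certificate for a hypothetical warehouse.corp.example service.
SAMPLE_CERT = {
    "subject": ((("commonName", "warehouse.corp.example"),),),
    "subjectAltName": (
        ("DNS", "warehouse.corp.example"),
        ("DNS", "*.warehouse.corp.example"),
    ),
}
# Hypothetical names a client could dial to reach the same private endpoint.
ORIGINAL = "warehouse.corp.example"
ENDPOINT_ALIAS = "pe-warehouse.internal.example"

if __name__ == "__main__":
    for name in (ORIGINAL, "node1.warehouse.corp.example", ENDPOINT_ALIAS):
        verdict = "covered" if certificate_covers(SAMPLE_CERT, name) else "NOT covered"
        print(f"{name}: {verdict}")
```

A name reported as not covered would fail certificate validation if dialed over TLS, which is why the DNS override reuses the original hostname instead of introducing a new one.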

## Approving the connection

The connection approval process depends on your visibility configuration:

### Manual approval

If you haven't configured auto-approval, the Cube team will notify you once
the Private Endpoint connection request is sent. You can approve it by:

1. Going to **Azure Portal** → **Private Link Center** → **Private Link
   Services** → **Your Service** → **Private endpoint connections**.
2. Finding the pending connection from Cube.
3. Clicking **Approve** and optionally providing an approval message.

Alternatively, you can approve the connection from the resource itself if it
supports Private Link natively (e.g., Storage Accounts, SQL Databases).

### Auto-approval

If you've added Cube's subscription ID to the auto-approval list, the
connection will be automatically approved upon creation and no manual action
is required.

## Using the connection

Once the connection is established, you can access your data source by
addressing it via the DNS name(s) you supplied (TLS case) or the internal
endpoint hostname returned to you by the Cube team (non-TLS case).

## Supported Regions

Azure Private Link is available in all Azure commercial regions where
Dedicated Infrastructure can be provisioned. Azure operated by 21Vianet
(China) and Azure Government regions are not supported.

[azure-docs-private-link]: https://docs.microsoft.com/azure/private-link/

[azure-docs-private-link-service]: https://docs.microsoft.com/azure/private-link/create-private-link-service-portal

[cube-region]: /admin/deployment/infrastructure#understanding-cube-cloud-region

[azure-byoc]: /admin/deployment/dedicated/azure/byoc

[aws-private-api-connectivity]: /admin/deployment/dedicated/aws/private-api-connectivity

[backend-frontend]: /admin/deployment/dedicated#backend-and-frontend-connectivity
