Using Private Link Service to publish On-premises workloads by using HAProxy


This lab is based on the reference architecture Using Private Link Service for On-premises workloads, and it leverages HAProxy behind an Azure Load Balancer and a Private Link Service. The template fully builds the Provider side as shown in the diagram below, so you don't need to configure any component such as HAProxy, the Load Balancer, or the Private Link Service. Most of the work consists of exposing the On-premises web workload (the On-prem VM provider-onprem-vmlx, served by the Nginx instance running on that VM) by creating Private Endpoints on Customer A and Customer B and validating that access over Private Link reaches the Provider's On-premises VM.

Architecture diagram

Private Link for On-premises workloads using HA Proxy

Below are some important details of each deployed environment:

Provider

  1. Virtual networks: provider-az-vnet (Azure – and provider-onprem (emulated On-premises
  2. Virtual Machines: Provider-onprem-lxvm (with IP and running Nginx) and Provider-az-lxvm (
  3. VM Scale Set: pls-ha-proxy using two instances inside haproxy subnet.
  4. Internal standard load balancer pls-std-ilb (
  5. Private Link Service: pls-haproxy using that is from subnet pls-nat-subnet.
  6. VPN Gateways and connection between Azure and On-premises environment.

Customer A and B

  1. Virtual networks: Cx(A/B)-az-vnet (Azure – and zcx(a/b)-onprem (emulated On-premises
  2. Virtual Machines: Cx(A/B)-onprem-lxvm (with IP and running Nginx) and Cx(A/B)-az-lxvm (
  3. VPN Gateways and connection between Azure and On-premises environment.

Note: All three environments use the same address space, which is possible because of the built-in SNAT of Private Link Service, another benefit of this design. You can also deploy each environment in a different region, as shown in the diagram above, with the Provider in US Central, Customer A in East US, and Customer B in West US.

Deploy this solution

Note: The template provisioning takes approximately 25-30 minutes to complete the Provider environment and 20 minutes for each Customer environment.

Deploy To Azure

Deploy three separate environments (Provider, Customer A and Customer B) using the same link:

  1. Select the respective environment for each deployment.
  2. Set your username and password (SSH public key option coming soon).
  3. (Optional) Set Public IP to restrict SSH access to your own public IP only (obtain your public IP by using the curl command). You have to specify the public IP plus a CIDR suffix, for example

LAB Steps

Goal: Allow Customers A and B to access the Provider's On-premises web workload.

Follow the steps below in the Azure Portal. You will need to go back and forth between the Provider and Customers A and B.

  1. On the Provider side, obtain the Private Link Service (PLS) alias.

  2. On the Customer (A and B) side, deploy Private Endpoints using Private Link Center by selecting Private endpoints (1) and adding a new one (2).

  3. Follow the wizard and make sure to paste the PLS alias from step 1.

  4. Place the private endpoint on Cx(A/B)-az-vnet in Subnet1 as shown:

  5. Review the Private endpoint on the Customer side: note that it is pending approval and, by clicking on the NIC, that it already has an IP allocated.

  6. At this point, any connection attempt over that Private endpoint should fail. You can try curl from either Cx(A/B)-onprem-lxvm ( and running Nginx) or Cx(A/B)-az-lxvm (

  7. Approve the Private Link connection on the Provider side on pls-haproxy (the private link service) as shown:

  8. Try curl again; you should now get the expected output. Below is the curl output before approval (connection fails) and after approval, showing the response from provider-onprem-vmlx:

  9. Review the Nginx access logs on Provider-onprem-vmlx. You should see the source IP of one of the HAProxy VMSS instances as the client address and the Private Link Service (pls-haproxy) NAT IP in the X-Forwarded-For field, once X-Forwarded-For logging has been enabled in the Nginx configuration by using option 1 of this reference guide.
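As an added example (not part of the lab or its templates) of what the last step looks like in practice, this Python snippet classifies Nginx access-log lines from the on-prem VM: a request that genuinely came through Private Link shows a HAProxy instance as the TCP peer and the PLS NAT IP in X-Forwarded-For, whereas an X-Forwarded-For value arriving from any other peer is client-supplied and must not be treated as the origin. The HAProxy instance addresses, the pls-nat-subnet range, the sample log lines and the use of nginx's default `main` log_format are all assumptions or constructed values, not taken from the lab.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional

# nginx's stock "main" log_format, which appends "$http_x_forwarded_for" after the
# user agent; assumed here to be the format enabled on provider-onprem-vmlx.
LOG_RE = re.compile(
    r'^(?P<remote_addr>\S+) - \S+ \[[^\]]*\] "[^"]*" \d{3} \d+ '
    r'"[^"]*" "[^"]*" "(?P<xff>[^"]*)"$'
)

# Constructed placeholder addresses; the lab's real values are not on the page.
HAPROXY_INSTANCES = {"192.0.2.4", "192.0.2.5"}            # pls-ha-proxy VMSS instances
PLS_NAT_SUBNET = ipaddress.ip_network("198.51.100.0/28")  # pls-nat-subnet

class Hop(NamedTuple):
    remote_addr: str              # TCP peer as Nginx saw it
    forwarded_for: Optional[str]  # first X-Forwarded-For entry, if present
    verdict: str                  # "via-pls", "proxy-other", "untrusted-xff" or "direct"

def _in_nat_subnet(ip: Optional[str]) -> bool:
    try:
        return ip is not None and ipaddress.ip_address(ip) in PLS_NAT_SUBNET
    except ValueError:  # header value is not an IP address at all
        return False

def classify_line(line: str) -> Hop:
    """Decide whether one access-log line came in through Private Link."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    remote, xff = m["remote_addr"], m["xff"]
    first = xff.split(",")[0].strip() if xff not in ("", "-") else None
    if remote not in HAPROXY_INSTANCES:
        # Not a HAProxy peer: any X-Forwarded-For is client-supplied, never the origin.
        verdict = "untrusted-xff" if first else "direct"
    elif _in_nat_subnet(first):
        verdict = "via-pls"       # consumer traffic, SNATed to pls-haproxy's NAT IP
    else:
        verdict = "proxy-other"   # arrived via HAProxy but not from the PLS NAT range
    return Hop(remote, first, verdict)

def classify_log(lines) -> List[Hop]:
    return [classify_line(line) for line in lines if line.strip()]

# Constructed sample log lines (not captured from the lab).
SAMPLE_LOG = [
    '192.0.2.4 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.81.0" "198.51.100.4"',
    '192.0.2.5 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.81.0" "198.51.100.5, 10.1.1.1"',
    '203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.81.0" "198.51.100.4"',
    '10.10.1.20 - - [01/Jan/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.81.0" "-"',
]
```

Because Private Link SNATs consumer traffic, the NAT IP is the furthest origin the Provider can see; the consumer's own address never appears in these logs.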

Clean up

Delete Resource Groups for each one of the deployed environments.