|
| 1 | +--- |
| 2 | +title: Use private endpoints with Azure Maps |
| 3 | +description: Learn how to use private endpoints with Azure Maps. |
| 4 | +author: pbrasil |
| 5 | +ms.author: peterbr |
| 6 | +ms.date: 02/27/2026 |
| 7 | +ms.topic: conceptual |
| 8 | +ms.service: azure-maps |
| 9 | +ms.subservice: authentication |
| 10 | +--- |
| 11 | + |
| 12 | +# Use private endpoints with Azure Maps |
| 13 | + |
| 14 | +Azure Maps supports [Azure Private Link](/../private-link/private-link-overview.md), enabling secure access to Azure Maps services through a private endpoint in your virtual network. A private endpoint assigns a private IP address from your virtual network to the Azure Maps service, so traffic between your applications and Azure Maps stays on the Microsoft backbone network instead of the public internet. This provides improved security and network isolation. You can create a private endpoint when you create an Azure Maps account or add one to an existing account. |
| 15 | + |
| 16 | +## Benefits of private endpoints for Azure Maps |
| 17 | + |
| 18 | +Private endpoints provide the following benefits for Azure Maps accounts: |
| 19 | + |
| 20 | +- **No Public Internet Exposure:** You can isolate your Azure Maps account from the public internet to reduce exposure to external threats. Only clients within your private network can access the account. This can be done by blocking external access through the _publicNetworkAccess_ feature. |
| 21 | +- **Secure VNet Communication:** Resources in your virtual network (such as VMs and containers) communicate with Azure Maps **using private IP addresses**. Traffic stays within the VNet, **simplifying network security** and avoiding public networks, which helps meet internal security and compliance requirements. |
| 22 | + |
| 23 | +> [!NOTE] |
| 24 | +> All Azure Maps REST APIs (including Render, Search, Routing, and Weather) are fully supported with Private Link, with no loss of functionality. Using Azure Maps with Private Link works the same as public access, with added security. |
| 25 | +
|
| 26 | +## Prerequisites |
| 27 | + |
| 28 | +If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/pricing/purchase-options/azure-account?cid=msft_learn) before you begin. |
| 29 | + |
| 30 | +- An [Azure Maps account](quick-demo-map-app.md#create-an-azure-maps-account). Use a Maps account and a virtual network in the **same Azure region** for optimal performance. |
| 31 | +- **A Virtual Network and Subnet**: A virtual network and subnet in your Azure subscription for the private endpoint. The subnet must have available IP addresses. |
| 32 | +- **Required permissions** |
| 33 | + - To create a private endpoint that's automatically approved, you need: |
| 34 | + - **Azure Maps Contributor** on the Azure Maps account |
| 35 | + - **Network Contributor** on the virtual network |
| 36 | + - To create a private endpoint that requires manual approval, only the **Network Contributor** role is required. |
| 37 | +- Choose whether Azure automatically manages DNS for the private endpoint using Azure Private DNS, or manage DNS manually. In most cases, Azure Private DNS provides the simplest setup. |
| 38 | + |
| 39 | +## Configure a private endpoint for Azure Maps |
| 40 | + |
| 41 | +To enable private connectivity for an Azure Maps account, create a private endpoint and configure DNS to route traffic through your virtual network. |
| 42 | + |
| 43 | +### 1. Create the private endpoint (Portal or CLI) |
| 44 | + |
| 45 | +In the Azure portal, go to **Create a resource** and search for _Private Endpoint_. You can also create a private endpoint from the **Networking** section of your Azure Maps resource. Select **Create** to open the wizard. |
| 46 | + |
| 47 | +- **Basics:** Select the proper **Subscription** and **Resource Group** for the endpoint resource and choose a Name and Region (use the same region as your VNet). |
| 48 | +- **Resource:** For **Connection method**, choose _Connect to an Azure resource in my directory_. Then set: |
| 49 | + - **Resource type** = `Microsoft.Maps/accounts`. This tells Azure you want a private link to an Azure Maps account. |
| 50 | + - **Resource** = _Your Azure Maps account name_. Pick the specific Azure Maps account |
| 51 | + - **Target sub-resource** = `mapsAccount`. Azure Maps has a single private link subresource representing the account's data plane. |
| 52 | +- **Configuration:** Select the **Virtual Network** and **Subnet** where the private endpoint is placed. Ensure the subnet has space for one IP. Leave **Private DNS integration** enabled unless you plan to configure DNS manually. With DNS integration on, Azure creates a Private DNS zone for `privatelink.account.maps.azure.com` and add the necessary DNS record automatically. |
| 53 | + |
| 54 | +Once creation is complete, go to your Azure Maps account in the portal and navigate to **Networking > Private endpoint connections**. You should see a new connection listed. If the private endpoint creator owns or has the proper permissions on the Azure Maps account, the connection is typically **auto-approved** (status shows **"Approved"**). If it shows **"Pending"**, manual approval may be required. After approval, the private link is established. |
| 55 | + |
| 56 | +#### Example – Using Azure CLI |
| 57 | + |
| 58 | +The following Azure CLI command creates a private endpoint for an Azure Maps account, equivalent to the portal steps above: |
| 59 | + |
| 60 | +```azurecli |
| 61 | +az network private-endpoint create \ |
| 62 | + --name <MyPrivateEndpointName> \ |
| 63 | + --resource-group <MyResourceGroup> \ |
| 64 | + --vnet-name <MyVNetName> \ |
| 65 | + --subnet <MySubnetName> \ |
| 66 | + --private-connection-resource-id "/subscriptions/<SubscriptionID>/resourceGroups/<MyResourceGroup>/providers/Microsoft.Maps/accounts/<MyMapsAccountName>" \ |
| 67 | + --group-id mapsAccount \ |
| 68 | + --connection-name <MyConnectionName> |
| 69 | +``` |
| 70 | + |
| 71 | +This command specifies the Maps account resource ID and the `mapsAccount` subresource, along with the virtual network and subnet used for the private endpoint. |
| 72 | + |
| 73 | +### 2. Configure DNS for the private endpoint |
| 74 | + |
| 75 | +If you enabled **Private DNS integration** when creating the private endpoint (the default), Azure automatically creates a Private DNS zone for `privatelink.account.maps.azure.com` in your subscription and links it to your virtual network. |
| 76 | + |
| 77 | +Within this zone, a DNS record maps your Azure Maps account's unique ID and region to the private IP address of the endpoint. For example, if your Maps account client ID is `abc123` and the region is `East US`, the DNS record resolves that hostname to the private endpoint IP address: |
| 78 | + |
| 79 | +- **Record name:** `abc123.eastus.account.maps.azure.com` |
| 80 | +- **Record value:** `10.x.y.z` - The private IP address assigned to the endpoint. |
| 81 | + |
| 82 | +Clients inside the virtual network resolve the hostname to a private IP address for private connectivity, while clients outside the network resolve the same hostname to the Azure Maps public endpoint. This split‑horizon DNS approach lets you use a single endpoint URL both inside and outside the virtual network. |
| 83 | + |
| 84 | +If you don't use automatic DNS integration, configure DNS manually so the Azure Maps account hostname |
| 85 | +(`<maps-account-client-id>.<location>.privatelink.account.maps.azure.com`) resolves to the private endpoint IP address within your network. For more information, see [Azure Private Endpoint DNS documentation](/../private-link/private-endpoint-dns.md). |
| 86 | + |
| 87 | +### 3. Use the private endpoint in your applications |
| 88 | + |
| 89 | +To use the private endpoint, configure your applications to call the **Azure Maps account-specific endpoint**. You can find this endpoint in the Azure Maps account **Overview** or **Authentication** pages, or in the private endpoint resource under **DNS configuration** (customer-visible FQDNs). |
| 90 | + |
| 91 | +:::image type="content" source="./media/private-endpoint/dns-configuration.png" alt-text="A screenshot showing an Azure portal sidebar menu for a private endpoint resource, highlighting the DNS configuration option under Settings. The menu includes options such as Overview, Activity log, Access control IAM, Tags, Diagnose and solve problems, Resource visualizer, Application security groups, DNS configuration, and Properties."::: |
| 92 | + |
| 93 | +The access pattern is: |
| 94 | + |
| 95 | +`https://{maps-account-client-id}.{location}.privatelink.account.maps.azure.com` |
| 96 | + |
| 97 | +> [!Important] |
| 98 | +> If your application continues to use the default Azure Maps endpoint (such as `atlas.microsoft.com`), requests won't be routed through the private endpoint. Azure Maps SDKs support overriding the default endpoint, so configure your SDK or connection code to use your Azure Maps account–specific hostname. When configured, requests from within your network are automatically routed through Private Link. |
| 99 | +
|
| 100 | +### 4. [Optional] Disable public network access |
| 101 | + |
| 102 | +Even after creating a private endpoint, your Azure Maps account's public endpoints remain active by default. This allows existing applications outside the virtual network to continue working until you intentionally restrict them. If you require **exclusive private access**, disable public network access for the Maps account. |
| 103 | + |
| 104 | +In the Azure portal, open your Maps account and go to **Networking**. Set **Public access** to **Disable** and save. Once completed, Azure Maps rejects **any** connection attempts over the public endpoint. This adds an extra layer of protection: even if someone has your Maps authentication key or SAS token, they can't use it from the internet once public access is off. |
| 105 | + |
| 106 | +> You can also disable public access via ARM templates or the Azure CLI by setting the property `publicNetworkAccess` to `Disabled`. |
| 107 | +
|
| 108 | +After disabling **Public network access**, validate connectivity from each application. Public endpoints (for example, `atlas.microsoft.com`) are blocked by design, so update all application and SDK configurations to use the private DNS endpoint. |
| 109 | + |
| 110 | +### Other considerations |
| 111 | + |
| 112 | +- **DNS Resolution:** If you can't connect to Azure Maps through the private endpoint, verify your DNS configuration, as DNS issues are a common cause of connectivity problems. |
| 113 | +- **Multiple Networks:** You can create multiple private endpoints for a single Azure Maps account to connect from different virtual networks. Each private endpoint uses one IP address from the selected subnet. |
| 114 | + |
| 115 | +Using Azure Private Link with Azure Maps keeps all application traffic on private networks. This improves security and supports enterprise network policies while maintaining full Azure Maps functionality. Azure Maps is accessed through private IP addresses and DNS, ensuring traffic remains within your controlled network boundary. |
| 116 | + |
| 117 | +Ask Copilot |
| 118 | + |
| 119 | +## Related content |
| 120 | + |
| 121 | +- [Azure Private Endpoint private DNS zone values](/../private-link/private-endpoint-dns.md) |
| 122 | +- [Azure Private Link availability](/../private-link/availability.md) |
0 commit comments