docs-mintlify/admin/deployment/dedicated/azure/private-link.mdx
<Note>
This page covers backend connectivity — Cube reaching into your network to query data sources, auth providers, BI APIs targeted by Semantic Layer Sync, and other upstream services. See Backend and frontend connectivity for the full picture. For frontend connectivity (exposing Cube's APIs to your applications, browsers, BI tools, and embedded analytics clients), see Private API Connectivity on AWS; the equivalent pattern is available on Azure on request.
</Note>
Azure Private Link enables you to access Azure PaaS services and Azure-hosted customer-owned/partner services over a private endpoint in your virtual network. To set up a Private Link connection between Cube's Dedicated Infrastructure and your own VNet, you'll need to prepare a Private Link Service, share service details with the Cube team, and approve the incoming connection request.
There are two common scenarios for preparing the Private Link Service:
- In the case of your own infrastructure, please follow the official Azure documentation to configure the Private Link Service behind a standard Azure Load Balancer.
- If your data source is hosted in a third-party infrastructure, please follow the vendor's documentation for creating and managing a Private Link Service.
Azure Private Link Service enables you to control the visibility of your private endpoint. You'll need to configure access permissions to allow Cube to connect to your service.
<Info>
To allow Cube access, please go to Azure Portal → Private Link Services → Your service → Manage visibility and add the following subscription ID to the allowed list: cd69336e-c628-4a88-a56e-86900a0df732.
This is the Azure subscription ID of Cube's Private Link consumer subscription. Adding it authorizes Cube to discover your Private Link Service and create a private endpoint against it; nothing else in Cube's Azure estate gains access to your network.
</Info>
Alternatively, you can configure auto-approval for faster connection establishment by adding the same subscription ID to the auto-approval list under Manage auto-approval.
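The check below is an added example, not tooling from Cube or Azure: it audits a Private Link Service's visibility and auto-approval lists so that only the subscription ID given on this page is allowed, and reports whether a connection request would need manual approval. It assumes the service's JSON (for example as printed by `az network private-link-service show`) carries the lists at `visibility.subscriptions` and `autoApproval.subscriptions`; the function names and the sample record are constructed for illustration.

```python
import json

# Subscription ID this page gives for Cube's Private Link consumer subscription.
CUBE_SUBSCRIPTION_ID = "cd69336e-c628-4a88-a56e-86900a0df732"


def _ids(section):
    """Normalise a {"subscriptions": [...]} section to a set of lowercase IDs."""
    return {s.strip().lower() for s in (section or {}).get("subscriptions") or []}


def audit_private_link_service(pls, expected=CUBE_SUBSCRIPTION_ID):
    """Report who can discover the service and how a request would be approved.

    Assumption: `pls` is the service's JSON with the lists at
    visibility.subscriptions and autoApproval.subscriptions, either at the
    top level or nested under "properties".
    """
    props = pls.get("properties", pls)
    visible, auto = _ids(props.get("visibility")), _ids(props.get("autoApproval"))
    expected = expected.lower()
    findings = []
    if "*" in visible:
        findings.append("visibility is '*': every subscription can discover the service")
    extra = sorted(visible - {expected, "*"})
    if extra:
        findings.append("also visible to: " + ", ".join(extra))
    if auto - {expected}:
        findings.append("auto-approval extends beyond the expected subscription")
    reachable = expected in visible or "*" in visible
    if not reachable:
        approval = "not visible"
        findings.append("expected subscription is missing from the visibility list")
    elif expected in auto or "*" in auto:
        approval = "auto"
    else:
        approval = "manual"
    return {"visible": reachable, "approval": approval, "findings": findings}


# Constructed sample: one unrelated subscription is allowed next to Cube's.
SAMPLE = {
    "name": "myservice",
    "visibility": {"subscriptions": [CUBE_SUBSCRIPTION_ID.upper(),
                                     "00000000-0000-0000-0000-000000000001"]},
    "autoApproval": {"subscriptions": []},
}

if __name__ == "__main__":
    print(json.dumps(audit_private_link_service(SAMPLE), indent=2))
```

An empty `findings` list with `approval` set to `manual` or `auto` corresponds to the two approval paths this page describes.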
To request establishing a Private Link connection, please share the following information with the Cube team:
/subscriptions/abc123/resourceGroups/myResourceGroup/providers/Microsoft.Network/privateLinkServices/myservice)
How your data source is addressed inside Cube depends on whether it speaks TLS:
Encrypt=true, etc.), share the DNS name(s) the certificate is issued for — typically the same hostname your in-network clients already use to reach it. Cube creates internal DNS overrides inside the Dedicated Infrastructure so that the same hostname resolves to the Private Endpoint. Keeping the original hostname is what preserves TLS validity: the certificate's CN/SAN keeps matching what Cube dials.
The connection approval process depends on your visibility configuration:
If you haven't configured auto-approval, the Cube team will notify you once the Private Endpoint connection request is sent. You can approve it by:
Alternatively, you can approve the connection from the resource itself if it supports Private Link natively (e.g., Storage Accounts, SQL Databases).
If you've added Cube's subscription ID to the auto-approval list, the connection will be automatically approved upon creation and no manual action is required.
Once the connection is established, you can access your data source by addressing it via the DNS name(s) you supplied (TLS case) or the internal endpoint hostname returned to you by the Cube team (non-TLS case).
Azure Private Link is available in all Azure commercial regions where Dedicated Infrastructure can be provisioned. Azure operated by 21Vianet (China) and Azure Government regions are not supported.