AirGap in another Azure Tenant

  • 16 May 2023
  • 1 reply


Hi all,
We are creating an AirGap Solution towards another Azure tenant.
The AirGap solution contains multiple Network Gateways and MediaAgents with Storage Accounts attached.

1. Does anyone have experience using an Azure Private Link Service to send AirGap copies over the Azure backbone network?
2. If yes, how did you configure the Azure load balancing?

How I think it’s working:


1 reply


Hi Vjduuren,


I’ve used a Private link and load balancer to install Commvault software as in the diagram below (the goal was to install Commvault software on the left side when the CommServe resides on the right side (different subscription), and the only way to get through is the Azure Private link that connects between them).


Even if it’s a different operation (install vs Aux copy in your case), it goes through the private link from site A (Company.BV in your case, my example subscription f90) to site B (Recovery.BV in your case, my example subscription 710), so I believe it’s essentially the same if you want to know how to configure the private link and load balancer between them.


Where is your CommServe located? If it’s on Company.BV, and you haven’t installed a Media Agent on Recovery.BV, please see below on how to install and how to configure.


I’ll just copy and paste my note (note for installation). If you have finished the installation, please skip the installation part and see the Azure configuration part.


Directly copied from my note, please adjust to your environment:

______________________

In the example diagram above, the consumer side (left) represents the end customer and the provider side (right) represents the MSP who provides backup as a service.


CS will reside in MSP Azure network and end customer will use this CS and resources on MSP to protect their data (for example, WFS on 


The purpose of the Azure Private endpoint and Azure Private link is to connect to the provider's side network through the Microsoft backbone network (====> in the diagram under 2. Azure private link). This prevents traffic from going through the Internet.


The consumer will have 1. "Private endpoint" on their side, and this will go through 2. "Azure Private link" to reach 3. "Private link service" on the provider side. The Private link service is attached to 4. "Standard load balancer". All traffic destined for this service will reach the frontend of the SLB (Standard Load Balancer). The SLB will have SLB rules that direct this traffic to the appropriate 5. VMs (CS) or any services in backend pools. A backend pool basically means something behind the load balancer.


When consumer ( tries to connect to CS ( through their private endpoint (, it will be NATed and will use NAT IP ( to communicate with CS ( 


When consumer ( installs an iDA (WFS iDA for example), in this example above, they will select "this machine can open connection to CommServe on tunnel port".


Then put CommServe hostname as private endpoint IP (



When the one-way firewall from to is established during installation,


netstat on CS would show:


netstat on would show:



If it's a proxy instead of the CS that's behind the SLB, they would need to select "The CommServe computer can only be reached through a network gateway" and put the proxy hostname as during installation.



In the example, I put the private endpoint hostname as an IP, but you can use an FQDN.


Configuration (on Azure) in a nutshell:


Provider side:

1. Create SLB

2. Create VM (CS), and during creation, select the option to put behind SLB

3. Create Private link service, and when creating it, specify the NAT IP (or leave it dynamic) and select the SLB created above. Ensure the Private link service accepts traffic from the other subscription.

4. Specify SLB rule to port forward traffic to CS in backend pools. 


Consumer side:

1. Create Private endpoint and when creating it, specify Private link service on the provider network 


Configuration with screenshots:


Provider side:


1. Login to and click 'Create a resource'


2. Type load balancer


3. Click Create


4. Create with 'Standard'. Internal will have an internal frontend IP and external will have a public frontend IP. Specify the subnet in this example.




While creating the VM, on 'Networking', select the load balancer. You can create a backend pool by using 'Create new' if you don't have an existing one.

Private link service: 

1. "Create a resource" and select "Private link service (your service) "


2. Click Create


3. Put name 


4. Select SLB


5. On Access Security, select 'Restricted by subscription' and add the subscription



7. Then add other side subscription 



8. Leave it to auto approve and click 'Review + Create' 



Specify on SLB to forward traffic to CS

1. Go to SLB > Inbound NAT rules > Add



2. Port mapping default will forward from to



You can change it to 'Custom' so it forwards to



Consumer side:

Private endpoint:

1. Click 'Create a resource'

2. Type Private endpoint


3. Click create



4. Specify the name 



5. If it's in your directory (it is, because it's in my lab), select that option, or you can connect by resource ID/alias. Specify the privateLinkService on the other side.



How to get the alias for the private link service you've created:

Go to the private link service you've created; it's on the Overview tab:



6. Specify Network (your side 


7. Click Review + create. 


What it should look like (for cross check)

Provider side:

1. Private link service

NAT IP in the same network as the NAT subnet, Load balancer pointing to the correct load balancer



2. Private link accepting traffic from the other side (subscription_f90)



3. Load balancer 

The NAT rule forwards to the CS on port 8403.



Consumer side:

Private endpoint pointing to the correct private link service on the provider side




This was from 2020, so the GUI above may look different on today’s Azure portal (it should be really similar though).


If anything is unclear, please let me know, and I’ll try to remember.


Thank you. 

Kind regards,

Jiye Lee
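Added example (mine, not the poster's or Commvault's code): the "What it should look like (for cross check)" list above turned into a script that inspects trimmed `az network ... show` output. The three dicts are constructed sample data, every id, name and subscription id in them is a placeholder, and 8403 is the CS port named in the reply.

```python
# Constructed sample data: ids, names and subscription ids are placeholders.
CONSUMER_SUB = "11111111-1111-1111-1111-111111111111"   # consumer ("f90") side
LB_ID = ("/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/"
         "rg-provider/providers/Microsoft.Network/loadBalancers/slb-cs")
PLS_ID = LB_ID.rsplit("/loadBalancers/", 1)[0] + "/privateLinkServices/pls-cs"
FE_ID = LB_ID + "/frontendIPConfigurations/fe-internal"

LB = {  # trimmed shape of `az network lb show` (provider side)
    "sku": {"name": "Standard"},
    "frontendIPConfigurations": [{"id": FE_ID}],
    "inboundNatRules": [{"name": "cs-tunnel", "protocol": "Tcp",
                         "frontendPort": 8403, "backendPort": 8403,
                         "backendIPConfiguration": {"id": "placeholder-cs-nic-ipconfig"}}],
}
PLS = {  # trimmed shape of `az network private-link-service show` (provider side)
    "id": PLS_ID,
    "loadBalancerFrontendIpConfigurations": [{"id": FE_ID}],
    "visibility": {"subscriptions": [CONSUMER_SUB]},
    "autoApproval": {"subscriptions": [CONSUMER_SUB]},
}
PE = {  # trimmed shape of `az network private-endpoint show` (consumer side)
    "privateLinkServiceConnections": [{
        "privateLinkServiceId": PLS_ID,
        "privateLinkServiceConnectionState": {"status": "Approved"}}],
}

def cross_check(lb, pls, pe, consumer_sub, cs_port=8403):
    """Return a list of findings; an empty list means the setup matches the reply."""
    findings = []
    if lb.get("sku", {}).get("name") != "Standard":
        findings.append("load balancer must be Standard SKU to front a Private Link Service")
    lb_fes = {f["id"] for f in lb.get("frontendIPConfigurations", [])}
    pls_fes = {f["id"] for f in pls.get("loadBalancerFrontendIpConfigurations", [])}
    if not lb_fes & pls_fes:
        findings.append("private link service is not attached to this load balancer's frontend")
    nat = [r for r in lb.get("inboundNatRules", [])
           if r.get("protocol", "").lower() == "tcp" and r.get("backendPort") == cs_port]
    if not nat:
        findings.append(f"no inbound NAT rule forwards TCP to CS port {cs_port}")
    elif not any(r.get("backendIPConfiguration") for r in nat):
        findings.append("NAT rule exists but is not bound to the CS NIC ip-config")
    vis = pls.get("visibility", {}).get("subscriptions", [])
    if "*" in vis:   # open to every subscription that learns the alias, not just the consumer
        findings.append("visibility is '*': restrict it to the consumer subscription")
    elif consumer_sub not in vis:
        findings.append("consumer subscription is not in the private link service visibility list")
    conns = pe.get("privateLinkServiceConnections", [])
    if not any(c.get("privateLinkServiceId") == pls.get("id") for c in conns):
        findings.append("private endpoint does not point at this private link service")
    elif not any(c.get("privateLinkServiceConnectionState", {}).get("status") == "Approved"
                 for c in conns):
        findings.append("private endpoint connection is not approved on the provider side")
    return findings
```

Feed it the real `az ... show -o json` output for your two subscriptions; any finding corresponds to one of the cross-check items in the reply.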