As organizations adopt hybrid cloud architectures, many expect Azure Local (formerly Azure Stack HCI with Azure Arc–enabled infrastructure) to mirror the full breadth of Azure networking capabilities. One of the most common points of confusion arises around Azure Private Endpoints. Although Private Link is a cornerstone of secure connectivity within Azure, Microsoft’s documentation makes it clear that Azure Local does not support Private Endpoints.
Azure Private Endpoints are built entirely on Azure’s internal networking fabric. They rely on Azure virtual networks, Azure-managed network interfaces, and routing through the Azure backbone. When a private endpoint is created, Azure injects a private IP into a VNet and binds it to a PaaS service. All traffic then flows privately within Azure’s controlled environment. This model is inseparable from Azure’s own infrastructure.
Azure Local operates in a fundamentally different context.
It runs inside an organization’s datacenter, on its own physical network, and connects to Azure exclusively through outbound HTTPS. It does not host Azure VNets, Azure NICs, or any of the routing constructs required for Private Link. Even the Azure Arc gateway—designed to centralize and reduce outbound connectivity—functions as a forward proxy, not as a Private Link endpoint. It still communicates with Azure’s public service endpoints rather than private ones.
This separation means Azure Local cannot participate in Azure’s private routing fabric. Its security model is built instead on outbound-only communication, certificate-based authentication, and tightly controlled firewall rules. While this approach differs from Private Link, it is purpose-built for hybrid environments where Azure services must be reachable securely without extending Azure’s internal network into on-premises infrastructure.
Azure Local and Azure Private Endpoints therefore represent two parallel connectivity models, each optimized for its own environment. Azure Local emphasizes secure outbound communication from on-premises systems, while Private Link provides private, in-Azure connectivity for cloud-native workloads. Understanding this distinction helps organizations design hybrid architectures that align with the capabilities and intent of each platform.
IT Professional on a journey to discover the cloud platforms and become certified and an expert.
A Blog that follows the journey to get to the Cloud.
Azure Local | Azure Bicep | Azure Virtual Desktop | Powershell | Azure Certified | MCSA | Microsoft 365
