
# Configure outbound Azure Private Link

> Set up outbound Azure Private Link for Cognite Data Fusion (CDF) to make private connections to your Azure resources.

Outbound [Azure Private Link](https://learn.microsoft.com/en-us/azure/private-link/private-link-overview) enables CDF to make outbound connections to your subscriptions over a **private endpoint**. Traffic between your virtual network and the CDF services uses the Microsoft backbone network and isn't exposed to the public internet.

Currently, the feature is limited to outbound connections from hosted extractors in CDF to MQTT brokers in your account. Outbound Private Link for hosted extractors can be enabled only for CDF projects that have Private Link enabled.

<a id="before-you-start" />

## Before you start

To configure an outbound Azure Private Link for CDF, you need:

* The private link add-on purchased and part of the customer contract.
* A network administrator or infrastructure-as-code automation with permission to create Azure Private Link service resources.

<a id="step-1" />

## Step 1: Set up the Private Link service and share the Private Link service alias/resource ID with Cognite

<Steps>
  <Step title="Create a Private Link service">
    Follow the [Azure documentation](https://learn.microsoft.com/en-us/azure/private-link/create-private-link-service-portal?tabs=dynamic-ip) to create a Private Link service.
  </Step>

  <Step title="Share the alias with Cognite">
    Share the [Private Link service alias](https://learn.microsoft.com/en-us/azure/private-link/private-link-service-overview#alias) with Cognite.

    If you use Azure Event Grid as your MQTT broker, you don't need to set up a Private Link service, but share the Azure Event Grid **resource ID** with Cognite. The resource ID has this format:

    `/subscriptions/<subscription_id>/resourceGroups/<resourcegroup_name>/providers/Microsoft.EventGrid/namespaces/<eventgridns_name>`.
  </Step>
</Steps>

<a id="step-2" />

## Step 2: Approve the private endpoint connection request

Cognite will set up a private endpoint against the Private Link service alias/resource ID, and will provide you with the **private IP address** associated with the private endpoint. You need to [approve the private endpoint request](https://learn.microsoft.com/en-us/azure/private-link/private-link-service-overview#manage-your-connection-requests) in the Azure portal.

The request will have the name `NNN-outbound-plink-endpoint` and the description `Cognite Data Fusion (CDF) private endpoint`.
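
As an added example (not part of Cognite's documentation), this check triages pending requests before approval so that only a request matching the name suffix and description above is accepted. The JSON shape (modelled on `az network private-link-service show` output), the mapping of the description to `privateLinkServiceConnectionState.description`, and all sample names and IDs are assumptions.

```python
import json

# Fixed parts of the request as given on this page. "NNN" is left unspecified
# there, so only the suffix is matched.
NAME_SUFFIX = "-outbound-plink-endpoint"
DESCRIPTION = "Cognite Data Fusion (CDF) private endpoint"

def _conn(name, endpoint, status, description):
    # Builds one constructed connection entry (assumed az CLI output shape).
    return {
        "name": name,
        "privateEndpoint": {"id": "/subscriptions/<subscription_id>/resourceGroups/"
                                  "<rg>/providers/Microsoft.Network/privateEndpoints/" + endpoint},
        "privateLinkServiceConnectionState": {"status": status, "description": description},
    }

# Constructed sample; placeholder IDs, not real resources.
SAMPLE = json.dumps({"privateEndpointConnections": [
    _conn("conn-a", "NNN-outbound-plink-endpoint", "Pending", DESCRIPTION),
    _conn("conn-b", "other-endpoint", "Pending", "please approve"),
    _conn("conn-c", "NNN-outbound-plink-endpoint", "Pending", "something else"),
    _conn("conn-d", "old-endpoint", "Approved", "legacy"),
]})

def endpoint_name(conn):
    """Return the last segment of the requesting private endpoint's resource ID."""
    resource_id = (conn.get("privateEndpoint") or {}).get("id") or ""
    return resource_id.rstrip("/").rsplit("/", 1)[-1]

def triage_pending(service_json):
    """Split Pending requests into (matches_page, needs_review) connection names."""
    matches, review = [], []
    for conn in json.loads(service_json).get("privateEndpointConnections") or []:
        state = conn.get("privateLinkServiceConnectionState") or {}
        if state.get("status") != "Pending":
            continue  # already approved, rejected or disconnected
        name = endpoint_name(conn)
        ok = (name.endswith(NAME_SUFFIX) and len(name) > len(NAME_SUFFIX)
              and (state.get("description") or "").strip() == DESCRIPTION)
        (matches if ok else review).append(conn.get("name"))
    return matches, review

if __name__ == "__main__":
    approve, review = triage_pending(SAMPLE)
    print("matches the expected request:", approve)
    print("needs review before approval:", review)
```

A request that lands in the second list has a name or description that differs from what this page describes, so confirm it with Cognite before approving.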

<a id="step-3" />

## Step 3: Set up DNS and TLS and share the hostname with Cognite

<Steps>
  <Step title="Create a DNS entry">
    Create a DNS entry for the **private IP address** provided by Cognite and configure TLS. The hosted extractors in CDF use the hostname to connect to the MQTT broker and communicate over the default MQTT ports.
  </Step>

  <Step title="Complete the configuration">
    If the MQTT broker is an Azure Event Grid namespace, follow the [Azure documentation](https://learn.microsoft.com/en-us/azure/event-grid/assign-custom-domain-name) to configure a custom domain name and set up an A record that points to the private IP address provided by Cognite.
  </Step>
</Steps>
