# Azure Private Link

FEATURE AVAILABILITY

Azure Private Link connectivity is available to direct customers and embed partners on specific pricing plans. Refer to your pricing plan and contract to learn more.

Azure Private Link connections provide secure access to OPA-capable connectors and Workato's API platform by ensuring that network traffic to your environments remains isolated from the public internet.

Use this guide to configure a private connection between the Workato multi-tenant cloud and an Azure Virtual Network (VNet) using Azure Private Link.

# Connection structure

Azure Private Link connections to Workato use a three-tier architecture:

  1. A consumer VNet connects through either a Private Link APIM gateway (apim.workatopc.com) or an on-prem agent that creates websocket tunnels using private SG3/SG4 gateways.

  2. The Transit VNet uses a site-to-site VPN that spans multiple Availability Zones to connect to the Workato Transit Virtual Private Cloud (VPC).

  3. The Transit VPC connects to the Workato Platform VPC using Private Link endpoints.

The following diagram shows the connection structure of the consumer VNet to Workato VPC Private Link setup:

```mermaid
flowchart LR
  %% Graphs
  subgraph Customer["Customer Azure VNet"]
    Invisible_Node_0:::hidden
    direction LR
    Customer_OPA[Workato On Prem Agent]
    Customer_SG3[Private Link SG3]
    Customer_SG4[Private Link SG4]
    Customer_APIM[Private Link APIM]
    Customer_SAP[SAP - On Prem]
    Customer_Postgres[PostgreSQL]
  end
  subgraph Transit["Workato Azure Transit VNet"]
    direction LR
    Transit_SG3[Private Link <br> Endpoint Service <br> SG3]
    Transit_SG4[Private Link <br> Endpoint Service <br> SG4]
    Transit_APIM[Private Link <br> Endpoint Service <br> APIM]
  end
  subgraph Workato_AWS_Cloud["Workato AWS Cloud"]
    direction LR
    Invisible_Node_1:::hidden
    subgraph Transit_VPC["Workato Transit VPC"]
      Private_Link[Private Link]
      Invisible_Node_3:::hidden
    end
    subgraph WP["Workato Platform VPC"]
      direction LR
      WP_Webhooks[Webhooks Gateway]
      WP_On_Prem_Gateway[On-prem Gateway]
      WP_Gateway[API Gateway]
      WP_App[Workato Application]
    end
  end
  %% Connections
  Customer_OPA --> Customer_Postgres & Customer_SAP & Customer_SG3 & Customer_SG4
  Customer_SG3 <-->|SG3 websocket tunnel| Transit_SG3
  Customer_SG4 <-->|SG4 websocket tunnel| Transit_SG4
  Customer_APIM -->|Private Link APIM| Transit_APIM
  Transit -->|Site-to-site VPN <br> with multiple <br>Availability Zones| Private_Link
  Private_Link-->|Private Link| WP
  %% Invisible connections
  Transit_APIM---Invisible_Node_3---WP_App
  Invisible_Node_0---Invisible_Node_1
  linkStyle 9,10,11 stroke-width:0px;
  %% Classes
  classDef AWS_Boxes fill:#fff,stroke:#67eadd,stroke-width:2px;
  class Customer_AWS_Cloud,Workato_AWS_Cloud AWS_Boxes
  classDef WorkatoTeal fill:#67eadd,stroke:#b3e0e1,stroke-width:2px,color:#000;
  class WP_Webhooks,WP_On_Prem_Gateway,WP_Gateway,WP_App,Transit_APIM,Transit_SG3,Transit_SG4,Customer_OPA,Customer_SG3,Customer_SG4,Customer_APIM,Customer_SAP,Customer_Postgres,Private_Link WorkatoTeal
  classDef SubgraphDash fill:#e1fffc,stroke:#f66,stroke-width:2px,color:#000,stroke-dasharray: 5 5
  class Customer,Transit,WP,Transit_VPC SubgraphDash
  classDef hidden display: none;
```

# Connect a consumer VNet to the Workato VPC

Connecting a consumer VNet to the Workato VPC using Azure Private Link consists of the following steps:

# Submit a ticket

Submit a ticket to enable Private Link in the Workato Success Center. Include your Azure subscription ID in the ticket description. Refer to the Microsoft Get subscription and tenant IDs in the Azure portal guide to retrieve your subscription ID.

Save the Resource IDs and DNS names provided by Workato. For example:

Complete the following steps to create each of the required Azure Private Link endpoints:

  1. Open the Microsoft Azure portal and go to Network foundation > Private Link > Private endpoints.

  2. Create an endpoint:

     1. Click + Create.

     2. Select a Subscription and Resource group.

     3. Enter a Name for the endpoint, such as APIM, SG3, or SG4. The Network Interface Name field is filled in automatically.

     4. Optional. Edit the Network Interface Name. This field is generated automatically based on the provided Name.

     5. Select the Region for your Azure VNet.

     6. Click Next: Resource.

     7. Set the Connection method to Connect to an Azure resource by resource ID or alias.

     8. Enter the Resource ID provided by Workato.

     9. Click Next: Virtual Network, then select the Virtual network that you plan to use.

     10. Click Next: DNS, then set Integrate with private DNS zone to No.

     11. Go to the Review + create tab and ensure the information displayed is correct.

     12. Click Create to create the endpoint.

  3. Create a private DNS zone:

     1. Go to Network foundation > DNS > Private DNS zones.

     2. Click + Create.

     3. Select a Subscription and Resource group.

     4. Enter the DNS name provided by Workato in the Name field. For example, apim.workatopc.com.

     5. Go to the Virtual Network Links tab.

     6. Click + Add Virtual Network Link.

     7. Provide the Link name, Subscription, and Virtual Network for the zone.

     8. Click Create.

     9. Go to the Review + create tab and ensure the information displayed is correct.

     10. Click Create to create the zone.

  4. Create a recordset:

     1. Select the newly created zone.

     2. Go to DNS Management > Recordsets.

     3. Click + Add.

     4. Enter a Name for the recordset and enter the endpoint's Private IP in the IP address field. You can retrieve an endpoint's Private IP on the Network foundation > Private Link > Private endpoints page.

     5. Click Add.

  5. Wait for Workato to accept the endpoints and set them to Active. You can view an endpoint's status on the Network foundation > Private Link > Private endpoints page.

# Configure an OPA connection

Workato uses OPA to create websocket tunnels from the consumer VNet to the Workato Transit VNet using the SG3 and SG4 gateways. Refer to the Connection structure section for more information.

Complete the following steps to configure OPA for Azure Private Link:

  1. Install an on-prem agent on a machine within the consumer VNet. Refer to the Add an agent to an on-prem group guide to install an OPA.

  2. Ensure the machine running the OPA can reach the private SG3 and SG4 gateways over port 443. Firewalls or proxies that block outbound HTTPS can prevent the agent from connecting. Refer to the Set up proxy access for your on-prem agent guide for more information about OPA proxy settings.

  3. Complete the following OS-specific steps to configure the OPA's activation parameters:

  4. Activate the on-prem agent. The agent automatically connects to the SG3 and SG4 private link gateways. Refer to the Run an on-prem agent guide for information about how to activate OPA for your operating system.

# Configure an API platform connection

Use the Private Link DNS for your datacenter to access API endpoints using Private Link. For example, use the apim.workatopc.com DNS instead of the standard Workato apim.workato.com DNS. Ensure the machine making the request can reach the private APIM gateway. Firewalls or proxies that block outbound HTTPS can cause the request to fail.
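The following check is an added example, not Workato's own tooling. Run from a machine inside the consumer VNet, it confirms that a Private Link DNS name resolves through the private DNS zone and recordset created earlier to the endpoint's private IP, and that port 443 is reachable, which covers both the OPA gateway requirement and the APIM requirement above. Only apim.workatopc.com comes from this page; the SG3 and SG4 hostnames and the expected private IPs are values you supply.

```python
import ipaddress
import socket
import sys

def resolve(host):
    """Addresses the machine's own resolver returns for host."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0].split("%")[0] for info in infos})

def tcp_reachable(address, port=443, timeout=5.0):
    """True if a TCP connection to address:port completes within timeout."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_host(host, expected_ip=None, resolver=resolve, probe=tcp_reachable):
    """Return a list of findings for host; an empty list means it passed."""
    try:
        addresses = resolver(host)
    except socket.gaierror as exc:
        return [f"{host}: no resolution ({exc}); check the zone's VNet link"]
    findings = []
    if expected_ip and expected_ip not in addresses:
        findings.append(f"{host}: A record does not include endpoint IP {expected_ip}")
    for addr in addresses:
        # is_private covers RFC 1918 and IPv6 ULA (plus loopback, link-local and
        # documentation ranges). Assumption: the VNet uses private address space,
        # so any other answer is not the private endpoint.
        if not ipaddress.ip_address(addr).is_private:
            findings.append(f"{host}: resolves to non-private address {addr}")
        elif not probe(addr):
            findings.append(f"{host}: {addr}:443 unreachable (firewall or proxy?)")
    return findings

if __name__ == "__main__":
    # Arguments are host or host=expected_private_ip. Only apim.workatopc.com
    # appears on this page; pass the SG3/SG4 names Workato gave you as well.
    targets = sys.argv[1:] or ["apim.workatopc.com"]
    failed = False
    for target in targets:
        host, _, expected = target.partition("=")
        for finding in check_host(host, expected or None):
            failed = True
            print("FAIL", finding)
    sys.exit(1 if failed else 0)
```

Pass each name as `host=private_ip`, using the Private IP shown on the Private endpoints page, so that a stale or mistyped recordset is reported even when it still points at some other private address.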


Last updated: 8/11/2025, 7:21:13 PM