Have you ever created a resource in Azure (i.e. a database or storage account) and seen the option "Allow access to Azure services". You can toggle this on and allow any Azure service to talk with your resource, assuming it is authenticated. For most, that's an acceptable practice. But what if you want to completely prevent that service from being exposed outside of your network? There's not a toggle for "Allow access to my Azure services only". Fortunately, Azure recognizes this issue and has created an offering around it called Azure Private Link.
Private Link can encapsulate your resources with a virtual network. What does this mean? You can effectively connect directly to your resources without having to ever send traffic over the public internet. It can stay fully within Microsoft's network, and provides you with a secure endpoint that only your services can connect through.
I have only touched on a few features. This service offers so much more. For example, it can also provide a secure connecting between Azure and your on premises resources or servers.
TL/DR; Use Azure Private Link to lock down your resources so that only your services can connect to them.