Let’s Understand Azure Service Endpoint and Private Endpoint

Ankit Shivam
3 min readFeb 6, 2022

--

If you are working with Azure , you might already have heard about these services. Even if you have not heard yet , there are high chances that your organization will start using these services.

Why you need Azure Service Endpoints , Private Endpoints?

The simple answer is security. Security has been highest priority for every organization . Every organization wants their internal traffic flows throw highly secured networks . These services makes sure that traffic destined to Azure resources always stays on the Microsoft Azure backbone network. For Example: Storage account is a publicly available service ,so if you want to restrict access to storage accounts from a private network only , you will be using Azure Service Endpoints and Private Endpoints.

Lets understand use case of both services:

1. Azure Service Endpoints:

  • Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route over the Azure backbone network
  • Endpoints allow you to secure your critical Azure service resources to only your virtual networks.

How to configure Service Endpoints:

Limitations of Service Endpoints:

  • Endpoints are enabled on subnets configured in Azure virtual networks. Endpoints can’t be used for traffic from your premises to Azure services.
  • Service endpoints has region limitations. For ex: Azure SQL, a service endpoint applies only to Azure service traffic within a virtual network’s region

When to use service endpoint:

Lets assume you want to restrict access over a storage account(it can be other azure services) from a particular azure Virtual network. For Example : If your storage account is created in West Europe region , then you can restrict access to this storage account from West Europe and North Europe (Paired Regions) by enabling service endpoints over above regions Virtual network and configuring Virtual network details over storage account Networking . But if you want to restrict access to this storage account from other virtual network which are not in (West Europe and North Europe) region , you can not use Service Endpoints . In that Case , you have to use Private Endpoint .

https://docs.microsoft.com/en-us/azure/networking/fundamentals/media/networking-overview/vnet-service-endpoints-overview.png

2. Private Endpoints:

  • A private endpoint is a network interface that uses a private IP address from your virtual network.
  • This network interface connects you privately and securely to a service powered by Azure Private Link.
  • By enabling a private endpoint, you’re bringing the service into your virtual network.
  • Currently you can configure private endpoints with Storage Account, Cosmos DB , Azure SQL or own service using Private Link.

How to configure Service Endpoints(Ex: Storage Account):

When to use private endpoint:

Microsoft suggest to use private endpoint in most of the cases to restrict public access to your resources.

  • If your Azure resources are in different regions from your virtual network .
  • If you are restricting private access to your azure resource from on premise network.
  • If you want to restrict private access to your own custom service using a Private Link Service.
https://docs.microsoft.com/en-us/azure/networking/fundamentals/media/networking-overview/private-endpoint.png

Conclusion :

Service endpoint is straight forward way of directing your traffic over Azure backbone network but it has some limitations like ,it can not be enabled over non azure networks and has region constraints. Private endpoint can be seen as generic solution for private access of your azure services.

Further Reading Links:

Happy Learning !

--

--