Azure Virtual Network Service Endpoints

Azure Virtual Network (VNet) service endpoints provide a secure and direct connection from your virtual network to supported Azure services over the Azure backbone network. Service endpoints extend your private IP address space and the identity of your virtual network to the Azure service. This connection happens without the need for an internet gateway, NAT device, or special VPN connection.

Tip: Service endpoints are a key component for securing your Azure services by restricting access to only your virtual networks.

How Service Endpoints Work

When you enable service endpoints for a specific Azure service (like Azure Storage or Azure SQL Database) on a subnet within your virtual network, traffic destined for that service from that subnet is routed directly to the Azure service over the Azure backbone. The source IP address in the traffic is preserved as the private IP address of the VM or resource within your virtual network.

The Azure service then sees the traffic originating from your virtual network's IP address range and can enforce access policies based on your virtual network and subnet. This eliminates the need for public IP addresses for your resources when accessing these services.

Supported Azure Services

As of now, service endpoints are supported for the following Azure services:

Azure Storage (Blob, Files, Queues, Tables)
Azure SQL Database
Azure Cosmos DB
Azure Key Vault
Azure Data Lake Storage Gen2
Azure Event Hubs
Azure Service Bus
Azure PostgreSQL
Azure MySQL
Azure MariaDB
Azure Functions (when accessing Azure Storage)

The list of supported services is continually growing. Refer to the official Azure documentation for the most up-to-date list.

Benefits of Service Endpoints

Enhanced Security: Restrict access to Azure services to only traffic originating from your virtual network subnets.
Simplified Management: No need to manage public IP addresses or complex network configurations for service access.
Improved Performance: Traffic travels over the Azure backbone, offering lower latency and higher throughput.
Cost-Effective: Avoids data transfer costs associated with public internet.

Enabling Service Endpoints

You can enable service endpoints for a subnet using the Azure portal, Azure CLI, or Azure PowerShell:

Azure Portal:

Navigate to your Virtual Network.
Under "Settings", select "Subnets".
Click on the subnet you want to configure.
In the subnet configuration pane, find the "Service endpoints" section.
Select the desired service from the dropdown and click "Save".

Azure CLI Example:

az network vnet subnet update \
    --resource-group MyResourceGroup \
    --vnet-name MyVNet \
    --name MySubnet \
    --service-endpoints Microsoft.Storage

Azure PowerShell Example:

Add-AzVirtualNetworkSubnetConfig -Name "MySubnet" -AddressPrefix "10.0.1.0/24" -ServiceEndpoint "Microsoft.Storage"
Set-AzVirtualNetwork -VirtualNetwork -VirtualNetworkSubnetConfig @{Name="MySubnet"; AddressPrefix="10.0.1.0/24"; ServiceEndpoint="Microsoft.Storage"}

Note: After enabling service endpoints, you must configure the access policies on the target Azure service to allow access from your virtual network or specific subnets.

Limitations

Service endpoints are only available for specific Azure services.
They do not provide connectivity to services over the public internet.
Traffic still originates from a public IP address of the Azure service endpoint, but the security is managed at the service level via VNet rules.