Azure Virtual Network Service Endpoints
Azure Virtual Network service endpoints extend the private IP address space and the identity of your VNet to Azure services. With a service endpoint, selected Azure services, such as Azure Storage and Azure SQL Database, are reached over a direct connection from your virtual network, and you can restrict those services to traffic that originates from your VNet's private IP addresses. Traffic from your VNet to the selected Azure service travels over the Azure backbone network rather than over the public internet.
What are Service Endpoints?
Service endpoints provide a secure and direct connection from your virtual network to supported Azure services. You enable an endpoint for a given service on a subnet of your virtual network, which effectively extends the virtual network's IP address space to that Azure service.
- Enhanced Security: Service endpoints let you restrict access to Azure service resources to only your virtual network.
- Optimized Routing: Traffic to the Azure service is routed directly over the Azure backbone network, bypassing the public internet.
- Simplified Management: Reduces the need for public IP addresses for accessing Azure services.
Supported Services
Service endpoints are currently supported for the following Azure services:
- Azure Storage (Blob Storage, File Storage, Queue Storage, Table Storage)
- Azure SQL Database
- Azure Cosmos DB
- Azure Key Vault
- Azure Data Lake Storage Gen1
- Azure Service Bus
- Azure Event Hubs
Benefits of Using Service Endpoints
- Secure access to Azure services: You can lock down your Azure services to only accept connections from your virtual network.
- Improved performance: Traffic between your virtual network and the Azure service stays on the Azure backbone, reducing latency.
- Simplified network configuration: You don't need to manage complex firewall rules for public IP addresses.
Enabling Service Endpoints
You can enable service endpoints at the subnet level in your virtual network. This is typically done through the Azure portal, Azure CLI, or Azure PowerShell.
Azure Portal Example:
- Navigate to your virtual network.
- Go to the 'Subnets' section.
- Select the subnet you want to configure.
- In the subnet settings, find the 'Service endpoints' option.
- Select the desired service from the dropdown and click 'Save'.
Azure CLI Example:
az network vnet subnet update \
--resource-group MyResourceGroup \
--vnet-name MyVNet \
--name MySubnet \
--service-endpoints Microsoft.Storage
Key Considerations
- Service endpoints are enabled on a per-subnet basis.
- When enabled, the service endpoint lets the Azure service's firewall identify traffic originating from that specific subnet, so that you can add a rule allowing it.
- Ensure the firewall rules of the Azure service your application uses are updated to allow the subnet with the service endpoint; until they are, the endpoint alone does not lock the service down.
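The enabling steps above and the firewall caveat under Key Considerations, worked through end to end as an added example (not code from the original page or from Microsoft): it enables the endpoint on the subnet, adds the storage account's virtual network rule, sets the default action to Deny, and verifies the result. It assumes the Azure CLI is installed and signed in; the resource group, VNet, subnet and storage account names are placeholders passed on the command line.

```shell
#!/bin/sh
# Added example (not from the original page): enable a Microsoft.Storage
# service endpoint on a subnet, then restrict the storage account to it.
# Assumes the Azure CLI ('az') is installed and logged in; the resource
# names are placeholders supplied on the command line.
set -eu

# Step 1: enable the service endpoint on the subnet.
enable_storage_endpoint() {
    rg=$1; vnet=$2; subnet=$3
    az network vnet subnet update \
        --resource-group "$rg" --vnet-name "$vnet" --name "$subnet" \
        --service-endpoints Microsoft.Storage
}

# Step 2: the endpoint alone restricts nothing; the storage account's own
# network rules decide who may connect. Allow the subnet, then set the
# default action to Deny so every other source is blocked.
restrict_storage_to_subnet() {
    rg=$1; vnet=$2; subnet=$3; account=$4
    az storage account network-rule add \
        --resource-group "$rg" --account-name "$account" \
        --vnet-name "$vnet" --subnet "$subnet"
    az storage account update \
        --resource-group "$rg" --name "$account" --default-action Deny
}

# Step 3: check the effective state instead of trusting the commands.
# Succeeds only if the endpoint is present and the default action is Deny.
verify_lockdown() {
    rg=$1; vnet=$2; subnet=$3; account=$4
    endpoints=$(az network vnet subnet show --resource-group "$rg" \
        --vnet-name "$vnet" --name "$subnet" \
        --query "serviceEndpoints[].service" -o tsv)
    action=$(az storage account show --resource-group "$rg" \
        --name "$account" --query "networkRuleSet.defaultAction" -o tsv)
    case "$endpoints" in *Microsoft.Storage*) ;; *) return 1 ;; esac
    [ "$action" = "Deny" ]
}

# Usage: sh lockdown.sh RESOURCE_GROUP VNET SUBNET STORAGE_ACCOUNT
if [ $# -eq 4 ]; then
    enable_storage_endpoint "$1" "$2" "$3"
    restrict_storage_to_subnet "$1" "$2" "$3" "$4"
    verify_lockdown "$1" "$2" "$3" "$4"
    echo "lockdown verified"
fi
```

The verification step is the part worth keeping in a pipeline: a subnet with the endpoint enabled but a storage account still at default action Allow is the common misconfiguration this page's Key Considerations warns about.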
For more detailed information and advanced configurations, please refer to the official Azure documentation.