What are Virtual Network Service Endpoints?
Virtual network service endpoints extend your private address space and the identity of your virtual network to the Azure service over a direct connection. This connection uses the shortest path over the Azure backbone network.
Service endpoints provide:
- Enhanced Security: Traffic from your virtual network to the Azure service stays on the Azure backbone rather than the public internet, and the service's firewall can be configured to accept traffic only from your virtual network's subnets. Note that the service keeps its public endpoint; the restriction comes from the firewall rules you set on the service, not from the endpoint alone.
- Optimized Routing: Traffic takes the most optimal path within the Azure network.
- Simplified Management: You don't need to manage public IP addresses for your virtual network to access Azure services.
- Service-Specific Endpoints: You can enable service endpoints for specific Azure services like Azure Storage, Azure SQL Database, Azure Cosmos DB, and Azure Key Vault.
How do they work?
When you enable service endpoints for a specific Azure service on a subnet within your virtual network, traffic destined for that service from that subnet is automatically routed directly to the service over the Azure backbone.
Imagine you have a virtual machine in a subnet and you want to access Azure Blob Storage. Without service endpoints, the virtual machine reaches Blob Storage through the service's public endpoint with a public IP address as the source, so the only way to restrict it is an IP firewall rule on the storage account. With service endpoints enabled for Storage on that subnet:
- The virtual machine's traffic to Blob Storage is flagged as originating from your virtual network.
- The Azure backbone network directs this traffic securely and privately to the Blob Storage service.
- You can configure the firewall of the Blob Storage account to allow access *only* from your specific virtual network's subnets.
This is achieved by extending the identity of the virtual network to the Azure service. When you enable service endpoints for Azure Storage on a subnet, traffic from that subnet to Azure Storage carries the subnet's private address range as its source instead of a public IP, and the storage firewall can match on that virtual network and subnet.
Key Benefits
Direct and Secure Access
Eliminates the need for public IP addresses for accessing Azure services, reducing your attack surface.
Optimized Performance
Traffic flows directly over the Azure backbone, minimizing latency and maximizing throughput.
Granular Control
You control which subnets get the endpoint at the virtual network level, and on the service side you restrict each resource (for example a single storage account or Key Vault) to specific subnets.
Cost-Effective
No additional charges are associated with using service endpoints.
Supported Services
Service endpoints are supported for a growing list of Azure services, including:
- Azure Storage (Blob Storage, Files, Queues, Tables)
- Azure SQL Database
- Azure Cosmos DB
- Azure Key Vault
- Azure Event Hubs
- Azure Service Bus
- Azure Data Lake Storage Gen2
- And more...
For the most up-to-date list, please refer to the official Azure documentation.
Configuration Example
To configure service endpoints, you typically perform the following steps in the Azure portal or using Azure CLI/PowerShell:
- Navigate to your Virtual Network.
- Go to the Subnets blade.
- Select the subnet you want to configure.
- In the subnet settings, find the "Service endpoints" option.
- Choose the desired service (e.g., "Microsoft.Storage").
- Save the changes.
Additionally, you configure the firewall of the target Azure service to allow access from your virtual network subnet.
For example, for Azure Storage, open the storage account's "Networking" settings, allow public network access only from selected virtual networks and IP addresses, and then add the existing virtual network and subnet. Two points matter here. First, the default action must be Deny: adding a virtual network rule while the default stays at Allow restricts nothing. Second, once the endpoint is enabled, traffic from the subnet arrives with its private source address, so any IP firewall rule that previously allowed the virtual machine's public IP stops matching and should be removed rather than left in place. If a network security group on the subnet denies outbound internet traffic, allow outbound traffic to the service's service tag (for example "Storage"), because the service is still reached through its public addresses.
# Example using Azure CLI to enable Microsoft.Storage service endpoint on a subnet
az network vnet subnet update \
--resource-group MyResourceGroup \
--vnet-name MyVnet \
--name MySubnet \
--service-endpoints Microsoft.Storage
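Once both halves are configured, the check a practitioner wants is that they actually line up: the subnet has a provisioned Microsoft.Storage endpoint, the storage account lists that subnet, the default action is Deny, and no stale IP rules remain. The script below is an added example, not code from the original page or from Azure's tooling. It audits two constructed JSON samples in the shape of `az network vnet subnet show` and `az storage account show` output (field names follow the Azure REST API); the resource names MyResourceGroup, MyVnet, MySubnet, mystorageacct and the all-zero subscription ID are placeholders. The weak sample reproduces the commonest mistake: the VNet rule was added but the default action was never flipped to Deny.

```python
"""Audit a subnet / storage account pair for the settings the service endpoint
procedure depends on. Added example; the JSON below is constructed sample data
shaped like `az network vnet subnet show` / `az storage account show` output."""
import copy
import json

# Placeholder resource ID (subscription, group and names are assumptions, not real resources)
SUBNET_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
             "MyResourceGroup/providers/Microsoft.Network/virtualNetworks/MyVnet/subnets/MySubnet")

# Constructed sample of `az network vnet subnet show ... -o json`, trimmed to the relevant fields
SUBNET_JSON = json.dumps({
    "id": SUBNET_ID,
    "addressPrefix": "10.0.1.0/24",
    "serviceEndpoints": [
        {"service": "Microsoft.Storage", "locations": ["eastus", "westus"],
         "provisioningState": "Succeeded"}
    ],
})

# Constructed sample of `az storage account show ... -o json`: the VNet rule exists, but
# defaultAction is still Allow and an old IP rule for the VM's former public address remains.
# Azure resource IDs are case-insensitive and the CLI may echo them in a different case.
WEAK_ACCOUNT_JSON = json.dumps({
    "name": "mystorageacct",
    "publicNetworkAccess": "Enabled",
    "networkRuleSet": {
        "bypass": "AzureServices",
        "defaultAction": "Allow",
        "ipRules": [{"action": "Allow", "ipAddressOrRange": "203.0.113.10"}],
        "virtualNetworkRules": [
            {"action": "Allow", "state": "Succeeded",
             "virtualNetworkResourceId": SUBNET_ID.replace(
                 "resourceGroups/MyResourceGroup", "resourcegroups/myresourcegroup")}
        ],
    },
})


def sample_inputs():
    """Parse the constructed samples exactly as one would parse real CLI output."""
    return json.loads(SUBNET_JSON), json.loads(WEAK_ACCOUNT_JSON)


def subnet_has_endpoint(subnet, service):
    """True if the subnet has a successfully provisioned service endpoint for `service`."""
    return any(ep.get("service") == service and ep.get("provisioningState") == "Succeeded"
               for ep in subnet.get("serviceEndpoints", []))


def audit(subnet, account, service="Microsoft.Storage"):
    """Return a list of findings; an empty list means the pair is locked down as intended."""
    findings = []
    rules = account.get("networkRuleSet", {})
    if not subnet_has_endpoint(subnet, service):
        findings.append(f"subnet lacks a provisioned {service} endpoint: its traffic arrives "
                        "with a public source IP and never matches a virtual network rule")
    # Compare resource IDs case-insensitively; the rule may have been stored in a different case.
    allowed = {r["virtualNetworkResourceId"].lower()
               for r in rules.get("virtualNetworkRules", [])
               if r.get("action", "Allow") == "Allow"
               and r.get("state", "Succeeded") == "Succeeded"}
    if subnet["id"].lower() not in allowed:
        findings.append("subnet is not listed in the account's virtualNetworkRules")
    if rules.get("defaultAction") != "Deny":
        findings.append("defaultAction is not Deny: every network can still reach the "
                        "account, so the virtual network rule restricts nothing")
    if account.get("publicNetworkAccess") == "Disabled":
        findings.append("publicNetworkAccess is Disabled: this also blocks service endpoint "
                        "traffic, which uses the public endpoint; only private endpoints work")
    for rule in rules.get("ipRules", []):
        findings.append(f"ipRule {rule['ipAddressOrRange']} admits a public source; the "
                        "subnet no longer needs it once the endpoint is on, so remove it "
                        "unless another client depends on it")
    return findings


def harden(account):
    """Return a copy with the two weak settings corrected. On a real account this is
    `az storage account update --default-action Deny` plus
    `az storage account network-rule remove --ip-address <addr>` for each stale IP rule."""
    fixed = copy.deepcopy(account)
    fixed["networkRuleSet"]["defaultAction"] = "Deny"
    fixed["networkRuleSet"]["ipRules"] = []
    return fixed


if __name__ == "__main__":
    subnet, weak = sample_inputs()
    for finding in audit(subnet, weak):
        print("FINDING:", finding)
    print("after hardening:", audit(subnet, harden(weak)) or "no findings")
```

Run it against real output by piping `az network vnet subnet show -o json` and `az storage account show -o json` into the two loaders; the `publicNetworkAccess` check matters because setting it to Disabled in the portal shuts the door on service endpoint traffic as well, which is easy to mistake for the intended lockdown.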
When to use Service Endpoints vs. Private Endpoints
While both provide secure connectivity, they serve different purposes:
- Service Endpoints: Ideal for restricting an Azure platform service to traffic that originates in specific subnets of your VNet. Traffic stays on the Azure backbone, but the service keeps its public endpoint and public DNS name, and the endpoint applies only to traffic that starts inside the subnet.
- Private Endpoints: Give the Azure service a private IP address inside your VNet, so it appears as if it were deployed there. Use them when you need a specific private IP, when clients on-premises (connected through VPN or ExpressRoute) or in peered networks must reach the service over that private path, or when you want to disable the service's public endpoint entirely; service endpoints cover none of those cases.