Virtual network service endpoints
This article explains Azure Virtual Network (VNet) service endpoints, including how they work and how to enable them.
Note: Service endpoints are a simple way to secure Azure service resources to your virtual network. They extend the private address space of your VNet and the identity of your VNet to the Azure service over a direct connection. For more advanced connectivity and security needs, consider Azure Private Link.
What are Service Endpoints?
Virtual network service endpoints provide secure, direct connectivity to supported Azure services over the Azure backbone network. They extend the virtual network's private address space and identity to the Azure service, so resources in the VNet do not need public IP addresses to reach it. Your VNet resources connect to the Azure service from their private IP addresses, and the traffic stays within the Azure network rather than crossing the public internet.
How Service Endpoints Work
When you enable a service endpoint for a specific Azure service on a subnet, traffic from that subnet to that service is routed directly over the Azure backbone network. The traffic bypasses the public internet, which makes the connection more secure and often more performant. Because the traffic now carries the subnet's private source address, the Azure service can identify it as originating from your VNet, and you can write the service's access control rules in terms of VNets and subnets.
Key Benefits:
- Enhanced Security: Traffic stays on the Azure backbone, never traversing the public internet.
- Simplified Network Configuration: No public IP addresses are needed on your VNet resources in order to reach Azure services.
- Improved Performance: Direct connection often results in lower latency and higher throughput.
- Granular Access Control: Restrict access to an Azure service resource to specific VNets and subnets.
Supported Azure Services
Service endpoints are supported by a growing list of Azure services, including but not limited to:
- Azure Storage (Blob, Files, Tables, Queues)
- Azure SQL Database
- Azure Cosmos DB
- Azure Key Vault
- Azure Data Lake Storage Gen2
For a complete and up-to-date list, please refer to the official Azure documentation on supported services.
Enabling Service Endpoints
You can enable service endpoints on a subnet for a supported service either during VNet creation or by updating an existing subnet.
Steps to Enable (Portal):
- Navigate to your Virtual Network in the Azure portal.
- Select the subnet you wish to configure.
- Under "Service endpoints," select the desired Azure service from the dropdown.
- Click "Save."
Example using Azure CLI:
az network vnet subnet update \
--resource-group MyResourceGroup \
--vnet-name MyVNet \
--name MySubnet \
--service-endpoints Microsoft.Storage
Configuring Access Control
Once service endpoints are enabled, you can configure the firewall settings of the supported Azure service to allow access from your virtual network's subnets. This is typically done by adding a virtual network rule to the service's firewall.
Tip: When you enable service endpoints, ensure that you also configure the firewall on the Azure service resource to permit traffic from your VNet. Otherwise, access will be denied.
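As an added example that is not part of the original article, the following Bicep template puts both halves of the configuration together: the subnet-level service endpoint from the CLI example above and the service-side firewall rule described in this section. Resource names, address ranges and API versions are assumptions; with defaultAction set to Deny, only the listed subnet (plus trusted Azure services) can reach the storage account.

```bicep
// Added example, not from the original article. Names and ranges are placeholders.
param location string = resourceGroup().location
param vnetName string = 'MyVNet'
param subnetName string = 'MySubnet'
// Storage account names must be 3-24 lowercase alphanumerics; constructed placeholder
param storageAccountName string = 'st${uniqueString(resourceGroup().id)}'

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: vnetName
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    subnets: [
      {
        name: subnetName
        properties: {
          addressPrefix: '10.0.1.0/24'
          // Half 1: enable the endpoint on the subnet. Same effect as
          // `az network vnet subnet update --service-endpoints Microsoft.Storage`.
          // Traffic from this subnet to Storage now keeps its private source address.
          serviceEndpoints: [ { service: 'Microsoft.Storage' } ]
        }
      }
    ]
  }
}

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    networkAcls: {
      // Half 2: the service-side firewall. The endpoint alone restricts nothing;
      // 'Deny' closes the account to everything not matched below. Omitting the
      // VNet rule while keeping 'Deny' is the "access will be denied" case in the Tip.
      defaultAction: 'Deny'
      bypass: 'AzureServices'
      virtualNetworkRules: [
        {
          // The account's public endpoint is unchanged; the rule matches on the
          // identity of this subnet, which the service sees via the endpoint.
          id: vnet.properties.subnets[0].id
          action: 'Allow'
        }
      ]
    }
  }
}
```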
Service Endpoints vs. Private Endpoints
While both provide secure connectivity to Azure services, they differ:
- Service Endpoints: Extend VNet identity to Azure services over the Azure backbone. Traffic stays within Azure. Simpler to configure for broad service access.
- Private Endpoints: Provide a dedicated private IP address from your VNet for an Azure service. Traffic is routed through your VNet to the service. Offers more granular control and allows access to services that may not support service endpoints directly.
Choosing between them depends on your specific security and networking requirements.
Important: Service endpoints route traffic over the Azure backbone to the public endpoint of the Azure service. Private endpoints route traffic through your VNet to a private IP address of the Azure service.