Private Access to Azure Services with Virtual WAN
This document explains how to enable private access to Azure platform services (like Azure Storage, Azure SQL Database, etc.) directly from your Virtual WAN network. This allows you to secure your data and reduce exposure to the public internet.
Understanding Private Access
Traditionally, accessing Azure services required traversing the public internet. With private access, you can configure your network to route traffic destined for Azure services through Azure's backbone network. This is achieved using features like Private Endpoints and Service Endpoints, integrated with Virtual WAN.
Methods for Private Access
Azure Virtual WAN supports two primary mechanisms for enabling private access to Azure services:
1. Using Private Endpoints
Private Endpoints provide a way to consume Azure PaaS services (like Storage, SQL Database, Key Vault, etc.) over a Private IP address within your virtual network. When used with Virtual WAN, traffic originating from your on-premises networks or other connected VNets can reach these services privately.
- How it works: A Private Endpoint creates a network interface in a subnet of your virtual network (connected to a Virtual WAN hub) and assigns it a private IP address from that subnet. Traffic sent to this IP is delivered to one specific service instance and sub-resource (for example one storage account's blob service) over the Microsoft backbone; the service's public endpoint is not involved and can be disabled so that the Private Endpoint is the only path in.
- Benefits:
- Traffic to the service stays on the Microsoft backbone, and the service's public endpoint can be disabled entirely.
- No public IP, NAT or internet egress path is needed from the VNet to reach the service.
- On-premises sites reach the service through the Virtual WAN hub like any other address in the spoke VNet.
- Configuration:
- Create a Private Endpoint for the Azure service in a VNet connected to your Virtual WAN hub.
- Ensure proper DNS resolution is configured to resolve the service FQDN to the Private Endpoint's IP address.
- Traffic from on-premises is routed through the Virtual WAN hub to the VNet containing the Private Endpoint. No extra routes are needed: the endpoint's IP is part of the spoke VNet's address space, which the hub already advertises to your branches.
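The three configuration steps above, as an added Azure CLI example (not code from the Virtual WAN documentation or from Microsoft). It creates a Private Endpoint for a storage account's blob service in a spoke VNet that is already connected to a Virtual WAN hub, then creates and links the privatelink DNS zone and closes the public endpoint. The resource group, VNet, subnet and storage account names are assumptions; `privatelink_zone` derives the private DNS zone name from the service FQDN and special-cases Key Vault, whose zone does not follow the usual pattern.

```shell
#!/usr/bin/env bash
# Added example; not code from the Virtual WAN documentation. Creates a Private Endpoint
# for a storage account's blob service in a spoke VNet connected to a Virtual WAN hub and
# wires up the privatelink DNS zone. Resource names below are assumptions.
set -e

RG="rg-wan-spoke"
LOCATION="westeurope"
VNET="vnet-spoke"               # spoke VNet already connected to the hub
SUBNET="snet-privateendpoints"  # subnet dedicated to private endpoint NICs
STORAGE="stcontoso01"           # existing storage account
FQDN="${STORAGE}.blob.core.windows.net"
PE_NAME="pe-${STORAGE}-blob"

# Private DNS zone name for a service FQDN. Most services use "privatelink." + the
# public DNS suffix; Key Vault is a known exception (privatelink.vaultcore.azure.net).
privatelink_zone() {
  case "$1" in
    *.vault.azure.net) echo "privatelink.vaultcore.azure.net" ;;
    *) echo "privatelink.${1#*.}" ;;
  esac
}

# Step 1: Private Endpoint in the spoke. Its NIC gets an IP from SUBNET, so the hub
# advertises it to on-premises as part of the spoke's address space.
create_private_endpoint() {
  storage_id=$(az storage account show -g "$RG" -n "$STORAGE" --query id -o tsv)
  az network private-endpoint create -g "$RG" -l "$LOCATION" -n "$PE_NAME" \
    --vnet-name "$VNET" --subnet "$SUBNET" \
    --private-connection-resource-id "$storage_id" \
    --group-id blob --connection-name "${PE_NAME}-conn"
}

# Step 2: Private DNS zone, linked to the spoke, plus a zone group so the A record for
# the endpoint is created and kept in sync by the platform.
configure_private_dns() {
  zone=$(privatelink_zone "$FQDN")
  az network private-dns zone create -g "$RG" -n "$zone"
  az network private-dns link vnet create -g "$RG" --zone-name "$zone" \
    -n "link-${VNET}" --virtual-network "$VNET" --registration-enabled false
  az network private-endpoint dns-zone-group create -g "$RG" \
    --endpoint-name "$PE_NAME" -n default --private-dns-zone "$zone" --zone-name blob
}

# Step 3: close the public endpoint so the Private Endpoint is the only way in.
disable_public_access() {
  az storage account update -g "$RG" -n "$STORAGE" --public-network-access Disabled
}

# Run only when invoked as: ./pe-storage.sh apply
if [ "${1:-}" = "apply" ]; then
  create_private_endpoint
  configure_private_dns
  disable_public_access
  echo "Private endpoint $PE_NAME created; $FQDN now resolves privately inside $VNET"
fi
```

The zone is linked to the spoke VNet only; clients in other VNets or on-premises resolve the privatelink name correctly only if their DNS path ends at a resolver in a VNet that has this zone linked. Disabling public network access is what turns the Private Endpoint from an additional path into the only path.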
2. Using Service Endpoints
Service Endpoints extend your virtual network's identity to an Azure service: traffic from an enabled subnet to the service still goes to the service's public IP address, but it is carried over the Azure backbone and arrives with the VNet and subnet as its source, so the service firewall can admit that subnet while denying everything else. They are simpler than Private Endpoints but cover fewer scenarios, in particular no on-premises access.
- How it works: When you enable a Service Endpoint for a service (e.g., Azure Storage) on a subnet of a VNet connected to Virtual WAN, the subnet's effective routes gain a route for that service's public address prefixes with the service as next hop, so traffic from that subnet reaches the service directly over the Azure backbone without passing through the hub.
- Benefits:
- Simpler configuration compared to Private Endpoints.
- Secures access from VNets connected to Virtual WAN.
- Traffic stays on the Microsoft network.
- Considerations:
- Service Endpoints are configured at the subnet level within a VNet.
- Service Endpoints only apply to traffic that originates in the subnet where they are enabled. They do not extend to on-premises networks connected through the Virtual WAN hub: a branch that sends traffic to the service's public IP is not identified as coming from that subnet and is denied by the service firewall. For on-premises access, use a Private Endpoint (or front the service with a proxy or NVA running in the enabled subnet).
- The service itself needs to be configured to accept traffic from the VNet's Service Endpoint.
- Configuration:
- Enable the Service Endpoint for the desired Azure service on subnets of VNets connected to your Virtual WAN hub.
- Configure the service firewall to deny by default and allow only the enabled VNet/subnet. For Azure Storage, also attach a service endpoint policy to the subnet: without one, the endpoint lets the subnet reach every storage account in Azure over the backbone, which is a data-exfiltration path.
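The Service Endpoint procedure above, as an added Azure CLI example (not from the original page): enable the endpoint on an application subnet in a spoke VNet, lock the storage account's firewall down to that subnet, and scope the subnet's egress to this one account with a service endpoint policy. The resource names are assumptions; `ruleset_allows_only_subnet` is a pure check on the account's `networkRuleSet` JSON that catches the common mistake of adding a VNet rule while leaving the default action at Allow.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: Service Endpoint for Azure Storage on an
# application subnet in a spoke VNet connected to a Virtual WAN hub, storage firewall
# restricted to that subnet, and a service endpoint policy limiting the subnet to this
# one account. Resource names are assumptions.
set -e

RG="rg-wan-spoke"
LOCATION="westeurope"
VNET="vnet-spoke"
SUBNET="snet-app"
STORAGE="stcontoso01"
POLICY="sep-storage-${STORAGE}"

# Step 1: enable the endpoint on the subnet (this installs the backbone route).
enable_service_endpoint() {
  az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$SUBNET" \
    --service-endpoints Microsoft.Storage
}

# Step 2: the service must be told to accept the subnet: default Deny plus a VNet rule.
restrict_storage_to_subnet() {
  az storage account update -g "$RG" -n "$STORAGE" --default-action Deny
  az storage account network-rule add -g "$RG" --account-name "$STORAGE" \
    --vnet-name "$VNET" --subnet "$SUBNET"
}

# Step 3: egress control. Without a policy the endpoint reaches every storage account.
attach_endpoint_policy() {
  storage_id=$(az storage account show -g "$RG" -n "$STORAGE" --query id -o tsv)
  az network service-endpoint policy create -g "$RG" -l "$LOCATION" -n "$POLICY"
  az network service-endpoint policy-definition create -g "$RG" --policy-name "$POLICY" \
    -n "allow-${STORAGE}" --service Microsoft.Storage --service-resources "$storage_id"
  az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$SUBNET" \
    --service-endpoint-policy "$POLICY"
}

# Pure check on the networkRuleSet JSON ($1) for subnet resource ID ($2): the VNet rule
# is only meaningful when the default action is Deny and the rule has reached Succeeded.
ruleset_allows_only_subnet() {
  json=$1; subnet_id=$2
  printf '%s\n' "$json" | grep -q '"defaultAction": *"Deny"' || return 1
  printf '%s\n' "$json" | grep -q "\"$subnet_id\"" || return 1
  printf '%s\n' "$json" | grep -q '"state": *"Succeeded"'
}

verify() {
  subnet_id=$(az network vnet subnet show -g "$RG" --vnet-name "$VNET" -n "$SUBNET" \
    --query id -o tsv)
  ruleset=$(az storage account show -g "$RG" -n "$STORAGE" --query networkRuleSet -o json)
  if ruleset_allows_only_subnet "$ruleset" "$subnet_id"; then
    echo "OK: $STORAGE denies by default and allows $SUBNET through its service endpoint"
  else
    echo "FAIL: review networkRuleSet: $ruleset" >&2
    return 1
  fi
}

# Run only when invoked as: ./sep-storage.sh apply
if [ "${1:-}" = "apply" ]; then
  enable_service_endpoint
  restrict_storage_to_subnet
  attach_endpoint_policy
  verify
fi
```

Service endpoint policies exist for Azure Storage only; for other services the endpoint grants the subnet access to every instance of that service, and the only egress control is on the service side.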
Virtual WAN Hub Integration
The Virtual WAN hub acts as the central transit point for traffic between your on-premises sites and your connected VNets, and between the VNets themselves. Its role differs for the two mechanisms:
- For Private Endpoints, the hub routes traffic from on-premises sites (and from other spoke VNets) to the endpoint's private IP in the spoke VNet, because that IP belongs to an address space the hub already advertises.
- For Service Endpoints, the hub only carries traffic to the workload in the enabled subnet; the workload's own traffic to the service leaves the spoke VNet directly over the backbone and never transits the hub.
DNS Resolution
Proper DNS resolution is critical for private access. For Private Endpoints, the service's FQDN (for example <account>.blob.core.windows.net) is a CNAME to a privatelink name (<account>.privatelink.blob.core.windows.net); an Azure Private DNS zone for the privatelink domain, linked to the VNet, answers that name with the Private Endpoint's private IP, while public DNS answers with the service's public IP. A client that resolves through public DNS therefore connects to the public endpoint (or fails if it has been disabled) even though the Private Endpoint exists. On-premises clients cannot query Azure-provided DNS directly, so forward the relevant zones from your on-premises DNS servers to a DNS forwarder or an Azure DNS Private Resolver inbound endpoint in a VNet connected to the hub that has the private zone linked. For Service Endpoints no DNS change is needed: the FQDN resolves to the service's public IP, and the subnet's route sends that traffic over the backbone.
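A check for the failure mode described above, as an added example (not from the original page): given the answer chain for a service FQDN, decide whether the client is actually using the Private Endpoint or has silently fallen back to the public IP. The decision logic is pure shell so it can run on captured `dig +short` output; only the live wrapper needs `dig`. The storage account name, the spoke prefix 10.20.0.0/16 and the sample answers are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example; not from the original page. Checks whether a privatelink-backed FQDN
# resolves to the Private Endpoint's private IP from where this runs. The decision logic
# is pure shell so it can be applied to captured `dig +short` output; only
# check_private_endpoint_dns needs dig. Account name, spoke prefix 10.20.0.0/16 and the
# sample answers below are constructed for illustration.
set -e

# dotted-quad IPv4 -> integer
ip_to_int() {
  set -- $(printf '%s' "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# true when IPv4 address $1 lies inside CIDR $2
in_cidr() {
  net=${2%/*}; bits=${2#*/}
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Classify a `dig +short` answer (CNAME chain, then the A record) for a service that
# should have a Private Endpoint in the VNet given by $2. Prints one of:
#   private              A record inside the VNet: the private zone was used
#   public-not-private   privatelink CNAME present but a public IP came back: the
#                        resolver in use is not forwarding to the private zone
#   no-private-endpoint  no privatelink CNAME at all: the resource has no endpoint
#   no-answer            nothing resolved
classify_answer() {
  answer=$1; vnet_cidr=$2
  ip=$(printf '%s\n' "$answer" | grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n1)
  if [ -z "$ip" ]; then
    echo no-answer
  elif in_cidr "$ip" "$vnet_cidr"; then
    echo private
  elif printf '%s\n' "$answer" | grep -q '\.privatelink\.'; then
    echo public-not-private
  else
    echo no-private-endpoint
  fi
}

# Live check; exit status 0 only when the answer is private.
check_private_endpoint_dns() {
  fqdn=$1; vnet_cidr=$2
  verdict=$(classify_answer "$(dig +short "$fqdn")" "$vnet_cidr")
  echo "$fqdn -> $verdict"
  [ "$verdict" = private ]
}

# Constructed sample answers: what `dig +short stcontoso01.blob.core.windows.net` might
# print from a spoke VM, from a branch client using public DNS, and for an account that
# has no Private Endpoint. The store.core.windows.net host name is a placeholder.
ANSWER_FROM_SPOKE='stcontoso01.privatelink.blob.core.windows.net.
10.20.1.4'
ANSWER_FROM_BRANCH='stcontoso01.privatelink.blob.core.windows.net.
blob.example-cluster.store.core.windows.net.
20.60.1.2'
ANSWER_NO_ENDPOINT='blob.example-cluster.store.core.windows.net.
20.60.1.2'

# Usage: ./check-pe-dns.sh stcontoso01.blob.core.windows.net 10.20.0.0/16
if [ $# -eq 2 ]; then
  check_private_endpoint_dns "$1" "$2"
fi
```

Run it from a spoke VM and from a branch host; the branch printing `public-not-private` means the Private Endpoint and private zone are fine but the branch's DNS path never reaches a resolver that has the zone linked, which is the forwarding gap the section above describes.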
Use Cases
- Securely accessing Azure Storage accounts from on-premises applications.
- Connecting your on-premises databases to Azure SQL Database without public exposure.
- Providing private access to Azure Key Vault for secrets management from your branch offices.
Next Steps
To implement private access to Azure services with Virtual WAN, consider the following: