Azure Service Endpoints

This page explains how to set up and use Azure Service Endpoints to secure and optimize access to Azure services from your virtual network.
Tags:

  3 minute read  

Technical Overview

Azure Service Endpoints provide secure and direct connectivity to Azure services over an optimized route over the Azure backbone network instead of the public Internet. By enabling Service Endpoints, you can restrict access to your Azure service resources to only your virtual network, improving security and reducing exposure to the public internet.

Service endpoints

  • Azure Storage: Provides secure access to storage accounts.
  • Azure SQL Database: Enables private connectivity to SQL databases.
  • Azure Synapse Analytics: Supports dedicated SQL pools.
  • Azure Database for PostgreSQL, MySQL, and MariaDB: Offers secure access to these database services.
  • Azure Cosmos DB: Facilitates private connectivity to Cosmos DB.
  • Azure Key Vault: Secures access to key vaults.
  • Azure Service Bus: Provides private access to messaging services.
  • Azure Event Hubs: Enables secure access to event streaming services.
  • Azure App Service: Supports private connectivity to web apps.
  • Azure Cognitive Services: Offers secure access to AI services.
  • Azure Container Registry (Preview): Provides private access to container registries.

These endpoints allow private IP addresses in your virtual network to securely connect to Azure services without requiring public IPs.

Key Components

When using a remote network, Service Endpoints have some limitations:

Limited to Virtual Networks: Service Endpoints only secure access from the Azure Virtual Network (VNet) where they are enabled. They do not extend to on-premises networks connected via ExpressRoute.

Public IP Dependency: While Service Endpoints allow private IP addresses in the VNet to access Azure services, they still rely on the service’s public IP address. This means traffic from your on-premises network to the storage account via ExpressRoute won’t benefit from Service Endpoints.

Private Endpoints as an Alternative: To securely access a storage account from both your VNet and on-premises network, Private Endpoints are recommended. Private Endpoints assign a private IP address within your VNet, ensuring secure access from both the VNet and ExpressRoute-connected networks.

Implementation Details

1. Enable Service Endpoints

  1. Go to the Azure portal.
  2. Navigate to “Virtual Network” > “Service Endpoints”.
  3. Select the VNet where you want to enable Service Endpoints.
  4. Click “Add” and select the Azure service (e.g., Microsoft.Storage) and the specific subnets you want to enable Service Endpoints for.
  5. Click “Save” to apply the changes.

2. Configure Service Access on the Resource

  1. Go to the Azure portal and navigate to the resource you want to secure (e.g., an Azure Storage account).
  2. Select “Networking” under the “Settings” section.
  3. Click “Firewalls and virtual networks”.
  4. Under “Virtual networks”, select the “Add existing virtual network” option.
  5. Choose the VNet and specific subnets you configured with Service Endpoints.
  6. Click “Save” to apply the changes.

Use Cases

Real-World Example:

Scenario: A financial institution wants to securely access its Azure Storage accounts from its virtual network and on-premises network without exposing the storage accounts to the public internet.

Implementation:

  • Virtual Network: The institution’s VNet is configured with Service Endpoints enabled for Microsoft.Storage.
  • Service Access Configuration: Azure Storage accounts are configured to accept traffic only from the specified subnets in the VNet.
  • Private Endpoints: Used to provide secure access from both the VNet and the on-premises network.

Benefits:

  • Enhanced security by restricting access to Azure Storage accounts to the VNet and on-premises network.
  • Optimized routing of traffic over the Azure backbone network.
  • Reduced exposure to the public internet.

Challenges:

  • Ensuring proper configuration of Service Endpoints, Private Endpoints, and resource settings.
  • Monitoring and maintaining connectivity and security settings.

Pricing

Azure Service Endpoints are included with your Azure subscription and do not incur additional charges. However, you may incur costs for other Azure services used in conjunction with Service Endpoints.

Cost-Effective Tips:

  • Optimize Network Security: Ensure that Network Security Groups (NSGs) are configured efficiently to minimize unnecessary traffic.
  • Monitor Usage: Regularly review and monitor network traffic to identify and address any issues promptly.

Resources


Last modified March 28, 2025: refine caf guidelines (eae1633)