Azure private endpoints vs service endpoints

Sandeep Kumar
Dec 10, 2022


Azure is a public cloud offering, so by default you connect to Azure services over the public internet. You may not want your applications to reach Azure services over the public internet, for security or performance reasons, so it is important to secure this communication. In this article, we are going to talk about two approaches for routing traffic to publicly reachable Azure services through the Azure backbone network instead: Azure private endpoints and service endpoints.

Before we jump into these, let's first understand what virtual networks are in Azure.

Virtual network

A virtual network, or VNet, is a private network in your Azure tenant. A VNet allows Azure resources to talk to each other, to the internet, and to your on-premises network.

A VNet uses an IP address range, just like your on-premises networks. Each VNet has at least one subnet, which is a portion of the virtual network's address space divided into smaller segments. Virtual machines in your VNet have one or more network interface cards (NICs) in the same region as the virtual network. Each NIC gets an IP address from a subnet in the virtual network. This allows the virtual machine to communicate with other resources in the virtual network or in any peered network.

What are private endpoints?

Resources like virtual machines have a presence in a virtual network through virtual NICs; other services like databases, storage accounts etc. do not. If you have a virtual machine accessing these services, it connects using the service's public IP addresses.

However, you can attach these services to your virtual network using a private IP (private endpoint). A private endpoint is a virtual network interface that connects to the Azure service. This network interface uses a dynamically assigned private IP address from the VNet address range. The network interface resource keeps the same private IP address for the entire lifecycle of the private endpoint.

The private endpoint allows a network resource (like a virtual machine) to access a PaaS service via the private IP address. The connection to the service is then private and secured by Azure Private Link.

Below is an image showing the relation between a private endpoint and a virtual network. There is a virtual network (address range 10.0.0.1/16). Inside it there is a subnet (range 10.0.1.0/24) with a VM (10.0.1.5). The storage account has a private endpoint with an IP address of 10.0.1.4 inside the subnet. The virtual machines inside the subnet access the storage account through the storage account's private endpoint IP address located in the subnet.

Other networks which are connected to this VNet can access this private endpoint using its private IP. Example: another peered VNet, or an on-premises network connected to the VNet using VPN or ExpressRoute.

Few more points related to private endpoint:

  1. Private endpoints are deployed to the same region and subscription as the virtual network.
  2. You can create multiple private endpoints on the same or different subnets within the same virtual network.
  3. Clients initiate connections to the private endpoint and the related service, but the service cannot establish a connection to the client. Connections are single direction only.
  4. Once you establish a private endpoint for a resource instance, you can disable public access to the resource as an additional security measure.
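A private endpoint only carries traffic if the client's DNS resolution actually lands on the endpoint's private IP. Publicly, a Private Link-enabled storage account resolves through a CNAME to the privatelink.blob.core.windows.net name; if the VNet is not linked to the matching private DNS zone, that name falls through to the service's public IP and the VM keeps using the public path (and, once you disable public access as in point 4, it simply fails). The following script is an added example, not code from the original article, that models this resolution with a constructed CNAME/A table (the account name "mystorage", the hostname "blob.example-cluster.store.core.windows.net" and the public IP 203.0.113.10 are made up) and reports whether the resolved address is inside the VNet ranges from the article.

```python
import ipaddress
from typing import Dict, List, Tuple

# VNet address space and subnet from the article's example (network form of the ranges).
VNET_ADDRESS_SPACE = ["10.0.0.0/16"]
PRIVATE_ENDPOINT_IP = "10.0.1.4"

# Constructed DNS tables: name -> (record type, value).
# Scenario 1: the VNet is linked to the privatelink.blob.core.windows.net private DNS
# zone, so the storage FQDN ends at the private endpoint's IP.
DNS_WITH_PRIVATE_ZONE: Dict[str, Tuple[str, str]] = {
    "mystorage.blob.core.windows.net": ("CNAME", "mystorage.privatelink.blob.core.windows.net"),
    "mystorage.privatelink.blob.core.windows.net": ("A", PRIVATE_ENDPOINT_IP),
}
# Scenario 2: no private DNS zone link, so the privatelink name resolves onward to the
# public front end (constructed hostname and TEST-NET-3 address).
DNS_WITHOUT_PRIVATE_ZONE: Dict[str, Tuple[str, str]] = {
    "mystorage.blob.core.windows.net": ("CNAME", "mystorage.privatelink.blob.core.windows.net"),
    "mystorage.privatelink.blob.core.windows.net": ("CNAME", "blob.example-cluster.store.core.windows.net"),
    "blob.example-cluster.store.core.windows.net": ("A", "203.0.113.10"),
}


def resolve(name: str, table: Dict[str, Tuple[str, str]], max_hops: int = 8) -> Tuple[List[str], str]:
    """Follow CNAME records in the constructed table until an A record is reached.

    Returns the chain of names visited and the final IPv4 address as a string.
    """
    chain = [name]
    for _ in range(max_hops):
        if name not in table:
            raise LookupError(f"no record for {name}")
        rtype, value = table[name]
        if rtype == "A":
            return chain, value
        name = value
        chain.append(name)
    raise RuntimeError("CNAME chain too long")


def classify_endpoint(fqdn: str, table: Dict[str, Tuple[str, str]], vnet_prefixes: List[str]) -> dict:
    """Decide whether a client using this DNS view reaches the service privately or publicly."""
    chain, ip = resolve(fqdn, table)
    addr = ipaddress.ip_address(ip)
    in_vnet = any(addr in ipaddress.ip_network(prefix) for prefix in vnet_prefixes)
    via_privatelink = any(".privatelink." in n for n in chain)
    return {
        "ip": ip,
        "chain": chain,
        "via_privatelink": via_privatelink,
        "in_vnet": in_vnet,
        # Traffic is only on the private endpoint if the final address lives in the VNet.
        "path": "private-endpoint" if in_vnet else "public",
    }


if __name__ == "__main__":
    for label, table in (("with private zone", DNS_WITH_PRIVATE_ZONE),
                         ("without private zone", DNS_WITHOUT_PRIVATE_ZONE)):
        result = classify_endpoint("mystorage.blob.core.windows.net", table, VNET_ADDRESS_SPACE)
        print(f"{label}: {' -> '.join(result['chain'])} = {result['ip']} ({result['path']})")
```

In practice you would feed `classify_endpoint` the answers from a resolver inside the VNet (for example the output of `nslookup` on the VM) rather than a hard-coded table; the useful signal is the same: a privatelink CNAME that ends at a public address means the endpoint exists but the DNS zone link is missing.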

What are service endpoints?

Service endpoints provide a secure and direct connection to Azure services over the Azure backbone network.

While private endpoints are associated with a specific instance of an Azure service (like a storage account), service endpoints apply to all instances of a target service (e.g. Microsoft.Storage). Service endpoints ensure that VNet traffic doesn't go over the public internet and is instead routed through the Azure backbone network. You enable service endpoints per Azure service on a subnet in a virtual network.

The resources in your VNet use their private IP address when connecting to an Azure service behind a service endpoint. However, the resources still connect to the public IP addresses of the Azure service. This public connection is different from a private endpoint, where the resources connect to a private IP address assigned to a specific instance of the Azure service.

Once you enable service endpoints on a subnet, you no longer need to allow public IP addresses of outbound firewalls on the service. Without service endpoints, a resource like a virtual machine reaches the service with the firewall's public IP address as its source IP address.

See the image below showing a service endpoint in action. We have enabled a service endpoint for the Microsoft.Storage service on a subnet. A virtual machine in the subnet uses its private IP address to access the storage account (e.g. storage account 2). The virtual machine connects using the public IP addresses associated with the Microsoft.Storage service.

Few more points related to service endpoints:

  1. Service endpoints work with any resource instance running within the enabled subnet.
  2. You can add multiple service endpoints on a subnet.
  3. You can limit access to the service endpoint to a specific resource or service using service tags.
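Enabling the service endpoint on the subnet is only half of the configuration: the storage account itself must be told to deny traffic by default and to allow only that subnet, otherwise the backbone routing happens but anyone on the internet can still reach the account. The following audit function is an added example, not code from the original article. It checks a subnet and a storage account described in the property shape used by the Azure REST API (serviceEndpoints, networkAcls, virtualNetworkRules, publicNetworkAccess); the resource IDs, account names and region in the sample objects are constructed. It also flags the combination practitioners trip over: publicNetworkAccess set to Disabled blocks service-endpoint traffic too, because (as described above) that traffic still arrives at the service's public IP.

```python
from typing import List

# Constructed resource ID of the subnet that has the service endpoint enabled.
SUBNET_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
             "/providers/Microsoft.Network/virtualNetworks/vnet-demo/subnets/snet-app")

# Constructed subnet, shaped like a Microsoft.Network/virtualNetworks/subnets resource.
SUBNET = {
    "id": SUBNET_ID,
    "properties": {
        "addressPrefix": "10.0.1.0/24",
        "serviceEndpoints": [
            {"service": "Microsoft.Storage", "locations": ["westeurope"], "provisioningState": "Succeeded"}
        ],
    },
}

# Weak configuration: the subnet has the endpoint, but the account still accepts traffic from anywhere.
STORAGE_OPEN = {
    "name": "stdemoopen",
    "properties": {
        "publicNetworkAccess": "Enabled",
        "networkAcls": {"defaultAction": "Allow", "virtualNetworkRules": [], "ipRules": []},
    },
}

# Hardened configuration: default Deny, with only the service-endpoint subnet allowed in.
STORAGE_LOCKED = {
    "name": "stdemolocked",
    "properties": {
        "publicNetworkAccess": "Enabled",
        "networkAcls": {
            "defaultAction": "Deny",
            "virtualNetworkRules": [{"virtualNetworkResourceId": SUBNET_ID, "action": "Allow"}],
            "ipRules": [],
        },
    },
}


def audit_service_endpoint(subnet: dict, storage: dict, service: str = "Microsoft.Storage") -> List[str]:
    """Return findings for the subnet-to-storage path; an empty list means it is locked down."""
    findings: List[str] = []

    # 1. The subnet must have a provisioned service endpoint for the target service.
    endpoints = subnet["properties"].get("serviceEndpoints", [])
    if not any(e.get("service") == service and e.get("provisioningState") == "Succeeded" for e in endpoints):
        findings.append(f"subnet has no provisioned {service} service endpoint")

    acls = storage["properties"].get("networkAcls", {})

    # 2. Without a Deny default, the network rule adds nothing: every source is already allowed.
    if acls.get("defaultAction") != "Deny":
        findings.append("storage account defaultAction is not Deny, so any network can reach it")

    # 3. The subnet must be explicitly allowed by a virtual network rule (IDs compare case-insensitively).
    rules = acls.get("virtualNetworkRules", [])
    if not any(r.get("virtualNetworkResourceId", "").lower() == subnet["id"].lower()
               and r.get("action", "Allow") == "Allow" for r in rules):
        findings.append("subnet is not allowed by the storage account's virtualNetworkRules")

    # 4. Service-endpoint traffic targets the public IP, so disabling public network access blocks it too.
    if storage["properties"].get("publicNetworkAccess") == "Disabled":
        findings.append("publicNetworkAccess is Disabled, which also blocks service-endpoint traffic")

    return findings


if __name__ == "__main__":
    for account in (STORAGE_OPEN, STORAGE_LOCKED):
        print(account["name"], audit_service_endpoint(SUBNET, account) or ["OK"])
```

To run this against real resources, pass the JSON of the subnet and storage account as returned by the Azure REST API; the checks are deliberately independent so each finding maps to one setting to correct.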

Hope this article helped you in some or other ways. Please comment for any query or feedback.

Happy learning. Cheers!

Written by Sandeep Kumar

Works at Kongsberg Digital. Angular, JavaScript, .Net, Azure https://github.com/iamsandeepkmr