Testing Service Endpoint Policies in Azure

Azure service endpoints let Azure administrators bring certain Azure services directly into a VNet. This improves security because the service sees traffic as coming from your VNet identity, so the service's own firewall can be restricted to that VNet instead of to public IP ranges, and it optimizes routing by letting resources in the VNet reach the service over the Azure backbone. Without service endpoints it can take a surprising number of network hops to reach a resource: in the image below, it took 9 hops from within the West Central VNet to reach a storage account in West Central.

[Image: traceroute output showing 9 hops to the storage account]
Did you know you can get network hops from nmap inside Azure?

After implementing service endpoints, this drops to 2 hops:

[Image: traceroute output showing 2 hops to the storage account]

Even with the security and performance benefits of service endpoints, there was still a problem. Enabling a service endpoint exposes the entire service (every storage account in Azure), not just your own instances. A malicious insider could therefore create a storage account in a personal subscription and use it to exfiltrate data from the VNet through the service endpoint, because nothing at the subnet level distinguished that account from yours.

The screenshot below illustrates this. I created a blob storage account named inappropriate.blob.core.windows.net in my personal Azure subscription, and a blob storage account named appropriate.blob.core.windows.net in a separate, 'secure' subscription. As you can see, both endpoints are accessible from within the VNet.

[Image: blobs read from both the appropriate and inappropriate storage accounts from inside the VNet]
I'm very creative in my sample data.

Virtual Network Service Endpoint Policies, currently in public preview in the West Central US and West US 2 regions (and, in the preview, for Azure Storage only), give administrators a way to restrict service endpoint traffic to specific storage accounts or to the storage accounts within their own subscription. To create an endpoint policy in the portal, navigate to 'Create a resource' > 'Service Endpoint Policy' and follow the wizard to define the allowed resources.

[Image: the Service Endpoint Policy creation wizard]
The wizard even populates the values for you.
[Image: the policy definition with the allowed storage account selected]

After that, you need to apply the policy to the subnet in which the service endpoint is enabled. Navigate into the Virtual Network and then the Subnet: there is a setting called 'Service endpoint policies' where you can select the previously created Service Endpoint Policy.

[Image: the subnet's 'Service endpoint policies' setting with the new policy selected]

After you select it and click 'Save,' the policy is applied to that subnet, and requests from the subnet to storage accounts that are not in the policy are refused: the storage service answers with an HTTP 403. Note that the policy is evaluated per subnet, so the same accounts remain reachable from subnets, or from the Internet, that do not carry the policy unless the account's own firewall restricts them.
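The portal steps above, done with the Azure CLI instead, as an added example that is not part of the original post: it creates the policy and its definition, attaches it to the subnet, and probes both storage accounts from a VM inside that subnet. The resource group, VNet, subnet, policy name, subscription ID and account names are placeholder assumptions. The `az network service-endpoint policy` and `policy-definition` commands and the `--service-endpoint-policy` subnet flag are real Azure CLI commands; setting `DRY_RUN=1` prints them instead of running them.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Builds the same policy the portal
# wizard does, attaches it to a subnet, and probes two storage accounts from a
# VM inside that subnet. Every resource name, ID and subscription below is a
# placeholder assumption; override them through the environment.
set -euo pipefail

RG="${RG:-sep-demo-rg}"
LOCATION="${LOCATION:-westcentralus}"   # policies are in preview in West Central US / West US 2
VNET="${VNET:-demo-vnet}"
SUBNET="${SUBNET:-app-subnet}"
POLICY="${POLICY:-allow-appropriate-only}"
# Resource ID the subnet may reach. A single account here; a subscription
# (/subscriptions/<id>) or resource group ID allows everything beneath it.
ALLOWED_ID="${ALLOWED_ID:-/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/$RG/providers/Microsoft.Storage/storageAccounts/appropriate}"

# run: execute the command, or just print it when DRY_RUN is set so the script
# can be reviewed without an Azure login.
run() {
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: the policy object plus one definition listing the allowed resources.
create_policy() {
  run az network service-endpoint policy create \
    --resource-group "$RG" --name "$POLICY" --location "$LOCATION"
  run az network service-endpoint policy-definition create \
    --resource-group "$RG" --policy-name "$POLICY" --name storage-allow-list \
    --service Microsoft.Storage --service-resources "$ALLOWED_ID"
}

# Step 2: attach it to the subnet (the Microsoft.Storage endpoint must be on).
attach_policy() {
  run az network vnet subnet update \
    --resource-group "$RG" --vnet-name "$VNET" --name "$SUBNET" \
    --service-endpoints Microsoft.Storage --service-endpoint-policy "$POLICY"
}

# Interpret the status of an anonymous blob GET made from inside the subnet.
# A 403 is what the policy returns; the account's own firewall returns it too,
# so compare with the same request from a subnet without the policy.
classify_http() {
  case "$1" in
    403) echo "blocked (service endpoint policy, or the account's own firewall)" ;;
    000) echo "no HTTP response (DNS or connectivity problem)" ;;
    *)   echo "not blocked by the policy (HTTP $1)" ;;
  esac
}

# Step 3: probe from a VM in the subnet. $1 = account name, $2 = container/blob.
probe_account() {
  local status
  status="$(curl -s -o /dev/null -w '%{http_code}' \
    "https://$1.blob.core.windows.net/$2" || true)"
  printf '%s: %s\n' "$1" "$(classify_http "$status")"
}

if [ "${1:-}" = "apply" ]; then
  create_policy
  attach_policy
elif [ "${1:-}" = "probe" ]; then
  probe_account appropriate "data/sample.txt"     # expected: not blocked
  probe_account inappropriate "data/sample.txt"   # expected: 403 once the policy is attached
fi
```

Run `./sep.sh apply` from a workstation logged in with `az login` (with `DRY_RUN=1` first to review the commands), then `./sep.sh probe` from a VM in the subnet; the probe is only meaningful from inside the subnet, since the policy does not affect traffic arriving from anywhere else.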

[Image: the request to the inappropriate storage account now failing with HTTP 403]

Have you evaluated Service Endpoint Policies? If so, I’d love to hear what you think!

Written by

Now: Cloud Solution Architect @microsoft. Previously: Cloud Solution Architect / Open Stack Product Owner / Kubernetes Product Owner at @ Fortune 50.
