Azure service endpoints provide the ability for Azure administrators to expose certain Azure services directly inside a VNet. This improves security by extending your VNet identity to the service and removing public Internet access to the resources. It also optimizes network routing by allowing resources within the VNet to access the service directly via the Azure backbone. Without service endpoints, it can take a range of network hops to get to the resource — in the image below, it took 9 hops from within the West Central VNet to access a storage account in West Central.
After implementing service endpoints, this drops to 2 hops:
Even with the security and performance benefits of service endpoints, there was still a problem. When you exposed a service via service endpoints, you exposed the entire service rather than your specific instances. What this means is that a malicious insider could create a storage account on their personal subscription and use it to exfiltrate data via the service endpoint in a different subscription.
In the screenshot below, I illustrate this — I created a blob storage account named inappropriate.blob.core.windows.net in my personal Azure subscription. I’ve also created a blob storage account named appropriate.blob.core.windows.net in a separate, ‘secure’ subscription. As you can see, both endpoints are accessible from within the VNet.
Currently in public preview in the West Central US and West US 2 regions, Virtual Network Service Endpoint Policies provide administrators the ability to lock down service endpoint access to specific endpoints or to endpoints within their subscription. To create an endpoint policy, from the portal navigate to ‘Create a resource’ > ‘Service Endpoint Policy’ and follow the wizard to create the desired policy.
After that, you need to apply the policy to the subnet that the service endpoints reside in. Navigate into the Virtual Network and then the Subnet — there’s a setting called ‘Service endpoint policies’ where you should be able to select the previously created Service Endpoint Policy.
After you select it and click ‘Save,’ the policy will be applied to that subnet and requests to unauthorized services will be blocked with an HTTP 403 response.
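As an added example that is not part of the original post, the same two steps expressed as an ARM template: a Service Endpoint Policy whose single definition allow-lists one storage account (the ‘appropriate’ account from above), applied to the subnet that carries the Microsoft.Storage service endpoint. The resource names, address prefix, region and the 2018-08-01 API version are assumptions; a subnet that has `serviceEndpoints` but no `serviceEndpointPolicies` property is the unrestricted configuration described earlier, in which every storage account in Azure is reachable through the endpoint.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "secureSubscriptionId": { "type": "string" },
    "storageResourceGroup": { "type": "string" }
  },
  "variables": {
    "allowedAccount": "[resourceId(parameters('secureSubscriptionId'), parameters('storageResourceGroup'), 'Microsoft.Storage/storageAccounts', 'appropriate')]",
    "policyId": "[resourceId('Microsoft.Network/serviceEndpointPolicies', 'storage-allowlist-policy')]"
  },
  "resources": [
    {
      "type": "Microsoft.Network/serviceEndpointPolicies",
      "apiVersion": "2018-08-01",
      "name": "storage-allowlist-policy",
      "location": "westcentralus",
      "properties": {
        "serviceEndpointPolicyDefinitions": [
          {
            "name": "only-our-storage",
            "properties": {
              "description": "Only the 'appropriate' account is reachable through the Microsoft.Storage endpoint; a subscription or resource group ID here would allow every account beneath it",
              "service": "Microsoft.Storage",
              "serviceResources": [ "[variables('allowedAccount')]" ]
            }
          }
        ]
      }
    },
    {
      "type": "Microsoft.Network/virtualNetworks/subnets",
      "apiVersion": "2018-08-01",
      "name": "secure-vnet/workload-subnet",
      "dependsOn": [ "[variables('policyId')]" ],
      "properties": {
        "addressPrefix": "10.0.1.0/24",
        "serviceEndpoints": [ { "service": "Microsoft.Storage" } ],
        "serviceEndpointPolicies": [ { "id": "[variables('policyId')]" } ]
      }
    }
  ]
}
```

Once deployed, a request from the subnet to any storage account other than the allow-listed one, such as the ‘inappropriate’ account in the screenshot, is rejected with the 403 described above, which is the behaviour to verify after rollout.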
Have you evaluated Service Endpoint Policies? If so, I’d love to hear what you think!