Azure Networking — Virtual Network Service End Point

Chaskarshailesh
Published in Javarevisited · 4 min read · Mar 18, 2023

A Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route on the Azure backbone network. Endpoints let you restrict your critical Azure service resources to only your virtual networks.

Service endpoints enable private IP addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the VNet.

The VNet service endpoint feature (turning on the service endpoint on the network side and setting up the appropriate VNet ACLs on the Azure service side) limits access to the Azure service to the allowed VNet and subnet, thus providing network-level security and isolation of the Azure service traffic.

All traffic using VNet service endpoints flows over the Microsoft backbone, providing another layer of isolation from the public internet.

Moreover, customers can choose to fully remove public internet access to the Azure service resources and allow traffic only from their virtual network through a combination of the IP firewall and VNet ACLs, thus protecting the Azure service resources from unauthorized access.

Let's take a storage account as an example and enable a service endpoint for it.

Step 1: Create a Storage Account and confirm it is accessible over the public internet.

From a local laptop I am able to connect to the storage account's file share,

thus confirming the storage account is accessible over the public network.

Even nslookup confirms the storage account file share is reached via a public IP.

Step 2: Now let's disable access over the public network.

Tried to test via the Azure Portal: access fails even from the Azure Portal.

Step 3: Enable the service endpoint on the VNet for access to the storage account.

Step 4: Verify that the storage account is not accessible from outside the cloud VNet (from my laptop).

Step 5: Confirm that it is accessible from within the cloud VNet via a VM.

Created a VM inside the VNet.

From the VM within the VNet, nslookup still shows the public endpoint for the storage account. That is expected: a service endpoint does not change DNS resolution; it changes how traffic to the service's public address is routed (over the backbone) and lets the service identify the source VNet and subnet.

Added the default VNet, in which the VM was created, to the storage account's allowed virtual networks.

Confirming that the storage account file share is accessible from the VM within the VNet:

az storage share list --account-name serviceendpointsatoday --account-key <Storage account key>

Step 6: Exceptional use case: if you need access to the storage account from an external public IP, for example my laptop.

Added the laptop's IP to permit access to the storage account, as shown below:

Able to access from my laptop.

Able to access from the portal too, after granting the Storage Account Contributor IAM role to the user.

That's about VNet service endpoints. Let's keep learning together. Let's sail together.
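The steps above can also be done end to end with the Azure CLI. The script below is an added example written for this post, not the author's own commands; the resource group, VNet, subnet and IP values are placeholders you would replace, and the AZ variable is a convenience so the commands can be printed (AZ=echo) instead of executed.

```shell
#!/bin/sh
# Added example: lock a storage account to one subnet via a service endpoint.
# Placeholder names (not from the post): resource group, VNet, subnet, laptop IP.
# Set AZ=echo to print the commands instead of running them against Azure.
AZ="${AZ:-az}"

# Step 1: create the storage account (public access is allowed by default)
create_storage_account() {
  rg="$1"; sa="$2"; location="$3"
  "$AZ" storage account create --name "$sa" --resource-group "$rg" \
    --location "$location" --sku Standard_LRS --kind StorageV2
}

# Steps 2, 3 and 5: deny public traffic, enable the endpoint, allow the subnet
lock_storage_to_subnet() {
  rg="$1"; sa="$2"; vnet="$3"; subnet="$4"
  # Step 2: default-action Deny blocks every source not in the network rules,
  # which is why the laptop and the portal both lose access at this point
  "$AZ" storage account update --name "$sa" --resource-group "$rg" \
    --default-action Deny
  # Step 3: turn on the Microsoft.Storage service endpoint on the subnet
  "$AZ" network vnet subnet update --name "$subnet" --vnet-name "$vnet" \
    --resource-group "$rg" --service-endpoints Microsoft.Storage
  # Step 5: allow that subnet in the storage account's network rules (VNet ACL)
  "$AZ" storage account network-rule add --account-name "$sa" \
    --resource-group "$rg" --vnet-name "$vnet" --subnet "$subnet"
}

# Step 6: exception for a single public IP, e.g. the laptop
allow_public_ip() {
  rg="$1"; sa="$2"; ip="$3"
  "$AZ" storage account network-rule add --account-name "$sa" \
    --resource-group "$rg" --ip-address "$ip"
}

# Check: list the effective network rules so the allowlist can be reviewed
show_network_rules() {
  rg="$1"; sa="$2"
  "$AZ" storage account network-rule list --account-name "$sa" \
    --resource-group "$rg" --output table
}

# Stand-alone usage with placeholder values; RUN_DEMO=1 runs it for real
if [ "${RUN_DEMO:-0}" = "1" ]; then
  create_storage_account  rg-demo serviceendpointsatoday eastus
  lock_storage_to_subnet  rg-demo serviceendpointsatoday vnet-demo default
  allow_public_ip         rg-demo serviceendpointsatoday 203.0.113.5
  show_network_rules      rg-demo serviceendpointsatoday
fi
```

Run it with AZ=echo first to review exactly which flags will be applied; the order matters, because setting the default action to Deny before the subnet rule exists is what produces the "no access even from the portal" state seen in Step 2.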


I am a Site Reliability Engineer and aspiring Cloud Solutions Architect, further exploring the horizon into MLOps.