Service endpoints – Network Connectivity and Security
Many services are exposed via a public address or URL. For example, Blob Storage is accessed via <accountname>.blob.core.windows.net. Even if your application is running on a VM connected to a VNET, communication to the default endpoint will be the public address, and full access to all IPs, internal and external, is allowed.
For public-facing systems, this may be desirable; however, if you need the backend service to be protected from the outside and only accessible internally, you can use a service endpoint.
Service endpoints provide direct and secure access from one Azure service to another over the Azure backbone. Internally, the service is given a private IP address, which is used instead of the default public IP address. Traffic from the source is then allowed, and external traffic becomes blocked, as we see in the following example:
Figure 8.8 – Protecting access with service endpoints
Although using service endpoints enables private IP addresses on the service, this address is not exposed or manageable by you. One effect of this is that although Azure-hosted services can connect to the service, on-premises systems cannot access it over a VPN or ExpressRoute. For these scenarios, an alternative solution called a private endpoint can be used, which we will cover in the next sub-section, or using an ExpressRoute with Microsoft peering using a NAT IP address.
Important Note
When you set up an ExpressRoute into Azure, you have the option of using Microsoft peering or private peering. Microsoft peering ensures all connectivity in the Office 365 platform. Azure goes over the ExpressRoute instead of private peering, sending only traffic destined for internal IP ranges to use the ExpressRoute. In contrast, public services are accessed via public endpoints. The most common form of connectivity is private peering; Microsoft peering is only recommended for specific scenarios. See https://docs.microsoft.com/en-us/microsoft-365/enterprise/azure-expressroute?view=o365-worldwide for more details.
To use service endpoints, the service itself must be enabled on the subnet, and the service you wish to lock down must have the public network option turned off and the source subnet added as an allowable source.
Important Note
Service endpoints ignore NSGs – therefore, any rules you have in place and attached to the secure subnet are effectively ignored. This only affects the point-to-point connection between the subnet and the service endpoint. All other NSG rules still hold.
At the time of writing, the following Azure services support service endpoints:
- Azure Storage
- Azure Key Vault
- Azure SQL Database
- Azure Synapse Analytics
- Azure PostgreSQL Server
- Azure MySQL Server
- Azure MariaDB
- Azure Cosmos DB
- Azure Service Bus
- Azure Event Hubs
- Azure App Service
- Azure Cognitive Services
- Azure Container Registry
To enable service endpoints on a subnet, in the Azure portal, go to the properties of the VNET you wish to use, select the Subnets blade on the left-hand menu, then select your subnet. The subnet configuration window appears with the option to choose one or more services, as we can see in the following screenshot. Once you have made changes, click Save:
Figure 8.9 – Enabling service endpoints on a subnet
Once enabled, you can then restrict access to your backend service. In the following example, we will limit access to a storage account from a subnet:
- Go to the Azure portal at https://portal.azure.com.
- In the search bar, search for and select Storage accounts.
- Select the storage account you wish to restrict access to.
- On the left-hand menu, click the Networking option.
- Change the Allow access from option from All networks to Selected networks.
- Click + Add existing virtual network.
- Select the VNET and subnet you want to restrict access to.
- Click Save.
The following screenshot shows an example of a secure storage account:
Figure 8.10 – Restricting VNET access
Once set up, any access except the defined VNET will be denied, and any traffic from services on the VNET to the storage account will now be directly over the Azure backbone.
You may have noticed another option in the Networking tab – Private endpoint connections.