Here is the fifth episode of my AZ-303 study notes series.
Video Notes
Service Endpoints
Azure virtual network service endpoints
What are Service Endpoints?
They are a per-subnet configuration that extends the identity of your VNet to a supported Azure service over the Microsoft backbone. Traffic from the subnet to the service is routed directly over the backbone, and the service sees the VM's private VNet IP address as the source instead of a public IP address, which is what lets the service's firewall recognise the subnet.
Why use them?
- They provide private and low latency connectivity for services by utilizing backbone routing. This means traffic between the resources in your VNet and connected services only traverses the secure Microsoft backbone.
- Many Azure services are built for public accessibility. When you enable a service endpoint and configure the service's own firewall (for example a storage account's network rules) to allow only that subnet, you can deny public access. Caveat: the service keeps its public IP address; it is the firewall rule, not the endpoint, that turns other clients away, so a subnet with the endpoint but no matching firewall rule gains nothing in terms of exposure.
Let's create a service endpoint
Not all services support service endpoints. We can use this Cloud Shell command to list which services support service endpoints in a region:
az network vnet list-endpoint-services --location "East US 2" -o table
Keep in mind that Service endpoints are enabled per subnet. Let's add a service endpoint for Microsoft.Storage:
az network vnet subnet update --name "default" \
--vnet-name "vnet1" \
--resource-group "integrated-networking-demo-rg" \
--service-endpoints "Microsoft.Storage"
Let's take a look at what changed. On a VM inside the subnet, the NIC's effective routes now contain new default entries whose next hop type is VirtualNetworkServiceEndpoint, one per public address prefix of the service. Traffic to those prefixes now takes that route instead of the Internet route; everything else is unchanged.
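As an added example (not part of the original notes), here is the whole procedure as a script: enable the Microsoft.Storage endpoint on the subnet, allow only that subnet on the storage account firewall, deny everything else, and check the result. It assumes a logged-in Azure CLI session; the resource group, VNet and subnet names are the ones used above, while the storage account name stdemo12345 and the NIC name vm1-nic are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: lock a storage account down to one subnet with a service endpoint.
# Assumes a logged-in Azure CLI session. Names below are hypothetical unless taken
# from the notes above (resource group, VNet, subnet).
set -eu

RG="${RG:-integrated-networking-demo-rg}"
VNET="${VNET:-vnet1}"
SUBNET="${SUBNET:-default}"
STORAGE="${STORAGE:-stdemo12345}"   # hypothetical storage account name
NIC="${NIC:-vm1-nic}"               # hypothetical NIC of a VM in the subnet

# 1. Service endpoints are enabled per subnet. Prints the endpoints now on the subnet.
enable_storage_endpoint() {
  az network vnet subnet update \
    --resource-group "$RG" --vnet-name "$VNET" --name "$SUBNET" \
    --service-endpoints Microsoft.Storage \
    --query 'serviceEndpoints[].service' -o tsv
}

# 2. The endpoint alone removes nothing: the account still answers on its public IP.
#    Add the subnet to the account firewall first, THEN flip the default to Deny,
#    so there is never a moment where the rule set is empty and Deny.
lock_down_storage() {
  subnet_id=$(az network vnet subnet show \
    --resource-group "$RG" --vnet-name "$VNET" --name "$SUBNET" --query id -o tsv)
  az storage account network-rule add \
    --resource-group "$RG" --account-name "$STORAGE" --subnet "$subnet_id" -o none
  az storage account update \
    --resource-group "$RG" --name "$STORAGE" --default-action Deny -o none
}

# 3. Check: default action must be Deny and the only allowed VNet rule is our subnet.
show_network_rules() {
  az storage account show --resource-group "$RG" --name "$STORAGE" \
    --query '{defaultAction:networkRuleSet.defaultAction, subnets:networkRuleSet.virtualNetworkRules[].virtualNetworkResourceId}' \
    -o json
}

# 4. Check on the VM side: the effective route table should now carry entries whose
#    next hop type is VirtualNetworkServiceEndpoint for the storage address prefixes.
show_endpoint_routes() {
  az network nic show-effective-route-table --resource-group "$RG" --name "$NIC" -o table \
    | grep VirtualNetworkServiceEndpoint || echo "no service-endpoint routes on $NIC"
}

# Run the full flow only when asked, so the file can be sourced for its functions.
case "${1:-}" in
  --apply)
    enable_storage_endpoint
    lock_down_storage
    show_network_rules
    show_endpoint_routes
    ;;
esac
```

Run it as `./lockdown.sh --apply`. Once the default action is Deny, data-plane access (blob, file, queue, table) from anywhere that is not the allowed subnet is refused, including your own workstation and the portal's storage browser; add your public IP with `az storage account network-rule add --ip-address` if you still need it.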
Private Link
What is Private Link?
What is an Azure Private Endpoint?
Private Link is very similar to service endpoints: it gives your VNet secure connectivity to supported services, but adds some features:
- The service gets a private IP address from your VNet, so you reach it like any other private resource.
- It works for services that you or a partner own, not just Microsoft PaaS: a Private Link service fronts your own service running behind an Azure Standard Load Balancer. Clients on-premises can reach private endpoints over VPN or ExpressRoute.
- Private Link works across regions; the private endpoint and the resource it maps to can be in different regions.
- Granular protection against data exfiltration: a private endpoint maps to a specific resource instance (and sub-resource), not to the whole service, so the subnet cannot reach some other tenant's account through it.
- You don't need a dedicated subnet to deploy it.
Architecture
- Private Endpoints: The network interface that connects to a supported service. It receives a private IP address from the chosen subnet, and DNS must be configured (typically a privatelink.* private DNS zone linked to the VNet) so the service's FQDN resolves to that private IP rather than the public one.
- Connected Resources: The Azure PaaS resource associated with a Private Link.
- Private Link Service: Customer managed service operating behind a standard load balancer, enabled for Private Link.
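As an added example (not from the original notes), here is the private endpoint side of the same storage account: create a private endpoint for the blob sub-resource, create and link the privatelink DNS zone, and check that the public FQDN now resolves to the private IP. It assumes a logged-in Azure CLI session; the resource group, VNet and subnet names are the ones from the service endpoint demo, while the storage account name stdemo12345 and endpoint name pe-stdemo-blob are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: private endpoint for a storage account's blob service, plus the
# DNS wiring without which clients keep using the public endpoint. Assumes a
# logged-in Azure CLI session; STORAGE and PE_NAME are hypothetical names.
set -eu

RG="${RG:-integrated-networking-demo-rg}"
VNET="${VNET:-vnet1}"
SUBNET="${SUBNET:-default}"
STORAGE="${STORAGE:-stdemo12345}"
PE_NAME="${PE_NAME:-pe-stdemo-blob}"
ZONE="privatelink.blob.core.windows.net"   # public zone is blob.core.windows.net

# 1. A private endpoint is a NIC in the subnet mapped to ONE resource (this account)
#    and ONE sub-resource (blob), not to the whole storage service. No dedicated
#    subnet is required. Prints the private IP(s) the endpoint was given.
create_private_endpoint() {
  storage_id=$(az storage account show \
    --resource-group "$RG" --name "$STORAGE" --query id -o tsv)
  az network private-endpoint create \
    --resource-group "$RG" --name "$PE_NAME" \
    --vnet-name "$VNET" --subnet "$SUBNET" \
    --private-connection-resource-id "$storage_id" \
    --group-id blob \
    --connection-name "${PE_NAME}-conn" \
    --query 'customDnsConfigs[].ipAddresses[]' -o tsv
}

# 2. DNS: the privatelink zone, linked to the VNet, holds the A record for the
#    account so <account>.blob.core.windows.net resolves to the private IP inside
#    the VNet. The dns-zone-group keeps that record in sync with the endpoint.
configure_private_dns() {
  az network private-dns zone create \
    --resource-group "$RG" --name "$ZONE" -o none
  az network private-dns link vnet create \
    --resource-group "$RG" --zone-name "$ZONE" --name "${VNET}-link" \
    --virtual-network "$VNET" --registration-enabled false -o none
  az network private-endpoint dns-zone-group create \
    --resource-group "$RG" --endpoint-name "$PE_NAME" --name default \
    --private-dns-zone "$ZONE" --zone-name blob -o none
}

# 3. Check from a VM inside the VNet: the answer must be the 10.x/172.x/192.168.x
#    address of the endpoint NIC, not a public IP. From outside the VNet you will
#    still see the public IP, which is expected.
check_resolution() {
  nslookup "${STORAGE}.blob.core.windows.net"
}

case "${1:-}" in
  --apply)
    create_private_endpoint
    configure_private_dns
    check_resolution
    ;;
esac
```

A private endpoint does not remove the public endpoint either: until you also set the account's network rules to `--default-action Deny` (as in the service endpoint demo), the account remains reachable on its public IP, and a client that resolves the name through public DNS will use it.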
Thanks for tuning in.
I plan on creating more content around Azure; it's great to share what I've been learning.
If you have any feedback at all, please let me know in the comments below or reach out to me on socials.
Thanks for reading and possibly watching!