Hiya! Security is one of the most important topics when the discussion comes to the cloud. As an Azure architect with over a decade of experience, I’ve used most of Azure’s security features, including Service endpoints, which I’ll discuss in this post.
But wait! What do Azure Service Endpoints mean, by definition?
Azure Service Endpoints connect your Azure VNet to Azure services securely over the Azure backbone network, improving security and performance while simplifying your network setup.
Cool! What are the benefits now?
Service endpoints connect Azure services directly to an Azure VNet. This design allows only traffic from specific networks and removes access from the public internet. Service endpoints optimize network performance by routing Azure traffic over Microsoft’s backbone network. This efficient routing enables better outbound traffic monitoring without compromising service performance. They remove the need for special public IP addresses, NAT, or gateway devices. This makes it easier to set up and manage security for Azure resources.
Yes, is there a simple diagram to depict how this feature works?
The image below illustrates a straightforward scenario involving a service endpoint between an Azure VNet subnet and an Azure Storage account, which can be accessed exclusively through this VNet.
In which Azure services is this feature available?
The table below lists the Azure services for which service endpoints are available, and in which regions.
| Service Category | Service Endpoint | Regions |
| --- | --- | --- |
| | (Microsoft.AzureActiveDirectory) | All regions |
| Storage | Azure Storage (Microsoft.Storage) | All regions |
| Storage | Azure Storage cross-region service endpoints (Microsoft.Storage.Global) | All regions |
| Databases | Azure SQL Database (Microsoft.Sql) | All regions |
| Analytics | Azure Synapse Analytics (Microsoft.Sql) | All regions |
| Databases | Azure Database for MariaDB (Microsoft.Sql) | All regions |
| Databases | Azure Cosmos DB (Microsoft.AzureCosmosDB) | All regions |
| Security | Azure Key Vault (Microsoft.KeyVault) | All regions |
| Integration | Azure Service Bus (Microsoft.ServiceBus) | All regions |
| Integration | Azure Event Hubs (Microsoft.EventHub) | All regions |
| Compute | Azure App Service (Microsoft.Web) | All regions where App Service is available |
| AI + machine learning | Azure Cognitive Services (Microsoft.CognitiveServices) | All regions where AI services are available |
| Containers | Azure Container Registry (Microsoft.ContainerRegistry) | Limited regions where Container Registry is available (Public Preview) |
What would be the result if you follow the diagram and deploy the resources to your Azure tenant?
Only resources in the VNet subnet that has the service endpoint for Azure Storage enabled will have access to the Azure Files share, as illustrated in the diagram at the beginning of the article.
Any client outside that VNet that tries to access the file share will get the error:
> Unable to reach the Azure storage account via port 445. Check to make sure your organization or ISP is not blocking port 445, or use Azure P2S VPN, Azure S2S VPN, or Express Route to tunnel SMB traffic over a different port.
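One way to verify that a deployment really matches this scenario, as an added example that is not from the post: it audits the storage account's network rule set together with the subnet definitions, checking both halves of the lockdown (the account denies by default, and every allowed subnet actually presents a Microsoft.Storage service endpoint). Field names follow the JSON that `az storage account show` (networkRuleSet) and `az network vnet subnet show` return; the sample data and resource IDs are constructed placeholders.

```python
# Constructed sample data shaped like the JSON returned by
# `az storage account show` (networkRuleSet) and `az network vnet subnet show`.
# The subscription and resource names are placeholders.
SUBNET_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
             "/providers/Microsoft.Network/virtualNetworks/vnet-demo/subnets/snet-app")

STORAGE_RULESET = {
    "defaultAction": "Deny",  # public internet is refused unless a rule matches
    "bypass": "AzureServices",
    "ipRules": [],
    "virtualNetworkRules": [
        {"virtualNetworkResourceId": SUBNET_ID, "action": "Allow", "state": "Succeeded"}
    ],
}

SUBNETS = {
    SUBNET_ID: {"serviceEndpoints": [{"service": "Microsoft.Storage",
                                      "provisioningState": "Succeeded"}]},
}

STORAGE_ENDPOINTS = {"Microsoft.Storage", "Microsoft.Storage.Global"}


def audit_storage_lockdown(ruleset, subnets):
    """Return a list of findings; an empty list means the account is reachable only
    from subnets that actually present a Storage service endpoint (VNet-only access)."""
    findings = []
    if ruleset.get("defaultAction") != "Deny":
        findings.append("defaultAction is not Deny: the account is still open to the internet")
    if ruleset.get("ipRules"):
        findings.append("ipRules present: public IP ranges are allowed in addition to the VNet")
    vnet_rules = ruleset.get("virtualNetworkRules", [])
    if not vnet_rules:
        findings.append("no virtualNetworkRules: nothing inside the VNet can reach the account")
    for rule in vnet_rules:
        subnet_id = rule["virtualNetworkResourceId"]
        subnet = subnets.get(subnet_id)
        if subnet is None:
            findings.append(f"rule references unknown subnet {subnet_id}")
            continue
        # Without the endpoint the subnet's traffic arrives from a public IP, so the
        # Deny default action rejects it even though the rule lists the subnet.
        active = {e["service"] for e in subnet.get("serviceEndpoints", [])
                  if e.get("provisioningState") == "Succeeded"}
        if not active & STORAGE_ENDPOINTS:
            findings.append(f"subnet {subnet_id} lacks a Microsoft.Storage service endpoint")
    return findings


if __name__ == "__main__":
    for line in audit_storage_lockdown(STORAGE_RULESET, SUBNETS) or ["OK: locked to the VNet"]:
        print(line)
```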
Any related links to read more about Azure Service Endpoint?
Sure, Microsoft Learn is a great resource, and in addition to that, the internet is full of informative articles.
- https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
- https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoint-policies?tabs=portal