Service Endpoints vs. Private Endpoints
Securing Azure services & reducing the risk of data exfiltration
February 2021, Matthias Güntert
Introduction
What you can expect
• You’ll learn what service endpoints (SE) are
• You’ll learn what private endpoints (PE) are
• You’ll learn the differences between both
• You’ll learn when to use one or the other
What I assume
• Basic understanding of Virtual Networks, DNS and routing
Matthias Güntert
Günni, who?
• I am a father of two kids, digital photographer, supermoto rider & Husaberg fan
• I am an Azure Solution Architect, tech enthusiast, .NET developer and blogger (www.azureblue.io)
• I work for Solveva, a company focusing on software solutions in the insurance sector
• I support insurance companies in their move to the public cloud
Service Endpoints
Direct and secure connectivity to Azure services
Content
Service Endpoints
• What Service Endpoints are
• Routing without Service Endpoints
• Azure System Default Routes
• Azure Route Selection
• How Service Endpoints work
• What Service Endpoint Policies are
• Demo
• Key Benefits & Limitations
Overview
Service Endpoints
• A service endpoint (SE) is a feature of Azure virtual network
• Eliminates exposure to the Internet
• Protects from data exfiltration
• Allows tight lock-down of Azure resources on the network layer
• Provides direct connectivity to Azure services over an optimized route
• Traffic destined to Azure resources will always remain on Azure’s infrastructure backbone
Azure System Default Routes
Service Endpoints
• Azure creates a system default routing table for each subnet in a virtual network
• Outbound traffic from a subnet is routed based on this route table

Address prefixes                          | Next hop type   | Description
------------------------------------------|-----------------|---------------------------------------------------------------------
Unique to VNet (e.g., 10.0.0.0/16)        | Virtual network | • Traffic between subnets is automatically routed.
                                          |                 | • No need to define gateways for Azure to route traffic between subnets
0.0.0.0/0                                 | Internet        | • By default, Azure routes traffic for any address not specified to the Internet
10.0.0.0/8, 192.168.0.0/16, 100.64.0.0/10 | None            | • Traffic is dropped, rather than routed outside the subnet.
Azure Route Selection
• Routing decisions are based on the destination IP address using the “longest prefix matching” algorithm
• For example, given these two routes:

  Address prefix | Next Hop Type
  ---------------|--------------
  10.0.0.0/16    | A
  10.0.0.0/24    | B

  – Destination IP: 10.0.0.5 → B (/24 is a longer matching prefix than /16)
  – Destination IP: 10.0.1.5 → A (not part of 10.0.0.0/24)
• If multiple routes contain the same address prefix, selection is based on the following priority:
  – User-defined route
  – BGP route
  – System route

  Source       | Address prefix | Next Hop Type
  -------------|----------------|------------------------
  Default      | 0.0.0.0/0      | Internet
  User-Defined | 0.0.0.0/0      | Virtual Network Gateway

  → I.e., destination IP 20.123.33.12 will select the user-defined route, as its priority is higher
Routing without Service Endpoints
Service Endpoints
1. Routing table lookup for destination 20.150.42.228
2. The single matching address prefix is 0.0.0.0/0, therefore the next hop type is “Internet”
• Traffic from the VM to the Storage Account travels through the internet
• The Storage Account is exposed to the public internet
• The Storage Account could be protected with manual firewall rules; however, the permitted packets would still travel through the internet, which might not be desirable
How do Service Endpoints work?
• SE relies on routing and makes use of a new hop type called “VirtualNetworkServiceEndpoint”
  – In addition to the ones we have seen, which were “Virtual network”, “Internet”, “None”, ...
• This hop type acts as an ingress/entry point to the Azure backbone
• When enabling SEs for a specific resource type, all of its public IP address prefixes will be added to the default routing table with a next hop type of “VirtualNetworkServiceEndpoint”
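The route selection behaviour of the preceding slides (system default routes, longest prefix match, the UDR > BGP > System tie-break, and the VirtualNetworkServiceEndpoint hop type injected when a service endpoint is enabled) can be modelled in a few lines. The following Python is an added example written for this page, not code from the deck or from Azure. The destination addresses and the 10.0.0.0/16 VNet are taken from the slides; the storage prefix 20.150.0.0/16 and the firewall address 10.0.2.4 are constructed for illustration, and service endpoint routes are given the top priority to reflect the deck’s statement that they override BGP and UDR routes for a matching prefix.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Route source priority for equal prefixes, as listed on the slides
# (UDR > BGP > System). "ServiceEndpoint" is placed on top to model the
# slide's note that service endpoint routes override BGP/UDR routes that
# match the same prefix.
PRIORITY = {"ServiceEndpoint": 0, "User-Defined": 1, "BGP": 2, "System": 3}


@dataclass(frozen=True)
class Route:
    prefix: str        # address prefix in CIDR notation
    next_hop: str      # Azure next hop type
    source: str = "System"


def system_default_routes(vnet_prefix: str) -> list:
    """System default route table for a subnet, as shown on the slide."""
    return [
        Route(vnet_prefix, "Virtual network"),
        Route("0.0.0.0/0", "Internet"),
        Route("10.0.0.0/8", "None"),
        Route("192.168.0.0/16", "None"),
        Route("100.64.0.0/10", "None"),
    ]


def select_route(routes: list, destination: str) -> Route:
    """Longest prefix match; equal prefixes are broken by source priority."""
    dst = ip_address(destination)
    candidates = [r for r in routes if dst in ip_network(r.prefix)]
    if not candidates:
        raise LookupError(f"no route for {destination}")
    return max(
        candidates,
        key=lambda r: (ip_network(r.prefix).prefixlen, -PRIORITY[r.source]),
    )


def enable_service_endpoint(routes: list, service_prefixes: list) -> list:
    """Enabling a service endpoint on the subnet injects the service's public
    prefixes with next hop type VirtualNetworkServiceEndpoint."""
    return routes + [
        Route(p, "VirtualNetworkServiceEndpoint", "ServiceEndpoint")
        for p in service_prefixes
    ]


def next_hop(routes: list, destination: str) -> str:
    return select_route(routes, destination).next_hop


# Constructed walk-through mirroring the slides.
SUBNET_ROUTES = system_default_routes("10.0.0.0/16")
# A UDR forcing all egress to a firewall/NVA at a constructed address.
FORCED_TUNNEL = SUBNET_ROUTES + [
    Route("0.0.0.0/0", "Virtual appliance 10.0.2.4", "User-Defined")
]
# Constructed storage prefix standing in for the real Storage prefixes.
WITH_SE = enable_service_endpoint(FORCED_TUNNEL, ["20.150.0.0/16"])
# A UDR covering exactly the service prefix: per the slides the SE route still wins.
OVERLAP = enable_service_endpoint(
    SUBNET_ROUTES + [Route("20.150.0.0/16", "Virtual appliance 10.0.2.4", "User-Defined")],
    ["20.150.0.0/16"],
)

if __name__ == "__main__":
    for table, label in [(SUBNET_ROUTES, "default"),
                         (FORCED_TUNNEL, "default + UDR"),
                         (WITH_SE, "default + UDR + SE"),
                         (OVERLAP, "UDR on SE prefix + SE")]:
        print(f"{label:24s} 20.150.42.228 -> {next_hop(table, '20.150.42.228')}")
```

Running the walk-through shows the storage destination going to Internet on the default table, to the appliance once the forced-tunnel UDR exists, and to VirtualNetworkServiceEndpoint as soon as the service endpoint is enabled; the appliance keeps receiving traffic for every other public destination, which is the behaviour the deck relies on when it says optimal routing survives on-premises UDRs.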
Service Endpoint Policy
• Allows filtering of egress VNet traffic to storage accounts
• Provides granular access control for VNet traffic to storage accounts
• Filter granularity is based on a configurable scope:
  – All accounts in a subscription
  – All accounts in a resource group
  – A single account
• No support for resources other than storage accounts!!
Demo
Lock down VM & Storage Account with service endpoints
1. Create a “Service Endpoint Policy”
2. Enable Service Endpoint for the Subnet
3. Deny inbound from Internet to Storage Account
4. Deny outbound from VM to Internet
Key Benefits - 1
Service Endpoints
• Traffic remains on Azure backbone
  – Enhanced network performance (high bandwidth, low latency)
  – Enhanced security
• Optimal routing
  – Even with user-defined routes pointing to on-premises, traffic will still take the service endpoint as next hop
  – Service endpoint routes override any BGP or UDR routes for address prefix match!
• Allows tight lock-down of Azure resources on the network layer
  – Not possible without service endpoints
  – Storage Account access can be further restricted with “SE Policies”
• No additional charge for using Service Endpoints
Key Benefits – 2
Service Endpoints
• You can secure Azure services to multiple subnets within a VNet or even across multiple VNets
• VNet & Azure Service resource can belong to different subscriptions and tenants
• However, VNet & Service Resource can’t be in different regions
  – With the exception of paired regions, i.e., West & North Europe
Limitations
Service Endpoints
• Feature only available to virtual networks deployed through Azure Resource Manager (no classic deployment)
• Can't be used for traffic coming from on-premises & peered networks
• Not every Azure resource type is supported, although many core resources are
  – Azure Storage
  – SQL Database, PostgreSQL, MySQL, MariaDB, Cosmos DB
  – Key Vault, Service Bus, Event Hubs, App Service, Cognitive Services, Container Registry (public preview)
  – Data Lake Store Gen 1, Synapse Analytics
• SE Policies can only be used for storage accounts!
  – And you can’t distinguish between blob, queue, file or table
• SE Policies can’t be “shared” across subscriptions
  – ... as other resources can be
Private Endpoints
Creating private PaaS solutions with “Private Links”
Content
Private Endpoints
• Overview of Private Endpoints and Private Link Service
• Private Endpoint DNS Integration
  – DNS Query from the Internet
  – DNS Query from the VNet
• Approval Workflow
• Demo
• Key Benefits & Limitations
Overview
Private Endpoints
• Eliminates Internet exposure & protects from data exfiltration
• Part of the Private Link Service offering, which consists of three components
  – Private Endpoint, Private Endpoint DNS Integration, Private Link Service
• Enables access to Azure PaaS services, partner services and customer-owned services over a private endpoint in your virtual network
• The “Private Link Service” can be an Azure Storage Account, SQL Server, ... or your own application
Overview
Private Endpoints
• A PE is a special type of NIC that plugs into the VNet
• The PE uses a private IP from the subnet
• Traffic remains on the Azure backbone
Private Endpoint DNS Integration
• Azure creates a CNAME record on the public DNS
• A Private DNS Zone is created and linked to the VNet, overriding public DNS
• Clients from the Internet and the VNet can both use the same (public) FQDN
  – ... which resolves to different IP addresses
• No need for callers to change any existing URLs to the target resource
DNS Query from the Internet
Private Endpoint DNS Integration
• Meaning of the result:
  – azurebluedemo2.blob... is an alias for azurebluedemo2.privatelink...
  – azurebluedemo2.privatelink... is an alias for blob.blz21prdstr02a.store...
  – blob.blz21prdstr02a.store... points to address 52.239.169.4
• This implies that even if you query the *.privatelink.* DNS name, no private IP addresses are going to be revealed
DNS Query from the Internet
Private Endpoint DNS Integration
• azurebluedemo2 has a PE pointing to it
  – azurebluedemo1 doesn’t
• No internal IPs are exposed, even when trying to resolve *.privatelink.*
DNS Query from Virtual Network
Private Endpoint DNS Integration
• Lookup for azurebluedemo2.blob.core.windows.net from the VNet
• Meaning of the result:
  – azurebluedemo2.blob... is an alias for azurebluedemo2.privatelink...
  – azurebluedemo2.privatelink... points to the IP 10.0.1.5
• The Private DNS zone overrides DNS resolution
• This implies that there is no need for callers to change any existing URLs to the target resource!
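The two resolution paths described in the DNS slides above (the public CNAME chain seen from the Internet, and the private DNS zone taking over the privatelink name inside the VNet) are modelled below. This is an added Python example written for this page, not code from the deck or from Azure DNS. It keeps the names and addresses the slides show (azurebluedemo2.blob.core.windows.net, azurebluedemo1, 52.239.169.4, 10.0.1.5) and assumes the standard Azure suffixes that the slides abbreviate with “...”: privatelink.blob.core.windows.net for the private link zone and store.core.windows.net for the storage cluster host. The record tables and the extra account azurebluedemo3 are constructed. The linked private zone is modelled as authoritative for the whole privatelink zone, which is the caveat a practitioner meets in practice: an account whose public name already points at privatelink (a private endpoint in some other VNet) but has no record in the zone linked to this VNet does not resolve from this VNet at all, even though it resolves fine from the Internet.

```python
from ipaddress import ip_address

# Public DNS view: constructed records following the shapes shown on the slides.
PUBLIC_DNS = {
    "azurebluedemo2.blob.core.windows.net":
        ("CNAME", "azurebluedemo2.privatelink.blob.core.windows.net"),
    "azurebluedemo2.privatelink.blob.core.windows.net":
        ("CNAME", "blob.blz21prdstr02a.store.core.windows.net"),
    "blob.blz21prdstr02a.store.core.windows.net": ("A", "52.239.169.4"),
    # azurebluedemo1 has no private endpoint: no privatelink alias in its chain.
    "azurebluedemo1.blob.core.windows.net":
        ("CNAME", "blob.blz21prdstr02a.store.core.windows.net"),
    # Constructed: an account with a private endpoint in some *other* VNet.
    "azurebluedemo3.blob.core.windows.net":
        ("CNAME", "azurebluedemo3.privatelink.blob.core.windows.net"),
    "azurebluedemo3.privatelink.blob.core.windows.net":
        ("CNAME", "blob.blz21prdstr02a.store.core.windows.net"),
}

# Private DNS zone linked to our VNet; the A record is created with the PE.
PRIVATE_ZONE_NAME = "privatelink.blob.core.windows.net"
PRIVATE_ZONE_RECORDS = {"azurebluedemo2": "10.0.1.5"}

MAX_CHAIN = 8  # guard against CNAME loops


def resolve(name: str, from_vnet: bool):
    """Return (ip_or_None, chain); chain lists (name, rtype, value) steps.

    from_vnet=True means the query comes from a VNet the private zone is
    linked to; any name inside that zone is then answered from the zone only
    (no fallback to public DNS), which is how the override works.
    """
    chain = []
    for _ in range(MAX_CHAIN):
        if from_vnet and name.endswith("." + PRIVATE_ZONE_NAME):
            label = name[: -len(PRIVATE_ZONE_NAME) - 1]
            ip = PRIVATE_ZONE_RECORDS.get(label)
            chain.append((name, "A" if ip else "NXDOMAIN", ip))
            return ip, chain
        rec = PUBLIC_DNS.get(name)
        if rec is None:
            chain.append((name, "NXDOMAIN", None))
            return None, chain
        rtype, value = rec
        chain.append((name, rtype, value))
        if rtype == "A":
            return value, chain
        name = value  # follow the CNAME
    raise RuntimeError("CNAME chain too long")


def leaks_private_ip(name: str) -> bool:
    """Does an Internet-side query for `name` reveal a private (RFC 1918) address?"""
    ip, _ = resolve(name, from_vnet=False)
    return ip is not None and ip_address(ip).is_private


if __name__ == "__main__":
    for account in ("azurebluedemo1", "azurebluedemo2", "azurebluedemo3"):
        fqdn = f"{account}.blob.core.windows.net"
        for origin, inside in (("Internet", False), ("VNet", True)):
            ip, chain = resolve(fqdn, inside)
            steps = " -> ".join(f"{n} [{t}]" for n, t, _ in chain)
            print(f"{origin:8s} {fqdn}: {ip}  ({steps})")
```

The azurebluedemo3 case is the one to keep in mind when several VNets share a storage account: the private zone must carry a record for every account whose public name has been rewritten to privatelink, or the hub-and-spoke arrangement on the next slide, where one zone is linked to many VNets, is the cleaner fix.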
Private Endpoint DNS Integration
Hub & Spoke
• A Private DNS Zone can be linked to many VNets
• A Private DNS zone is a global resource!
Approval Workflow
• Two connection approval methods: automatic & manual
• The resource owner can approve
• If the requester has sufficient permissions, approval is automatic
Demo
Access Blob Storage privately via a Private Endpoint
• Creating a private endpoint pointing to an Azure Storage Account
• Demonstrate DNS
• Demonstrate the approval workflow
Key Benefits
Private Endpoints
• Eliminates exposure to the Internet
• Can be consumed by services outside the VNet
  – Like on-premises
• Can be used to connect to resources across regions
• Supports an approval workflow & a lot more Azure resources than service endpoints
Limitations
Private Endpoints
• Private Endpoints can’t be associated with NSGs
• User-defined routes don’t apply to private endpoints
• The Private Endpoint must be in the same region as your virtual network
  – Alternatively, create the PE in a Hub VNet and use (global) peering
Comparison
Side-by-side comparison & which to pick?
Comparison

Service Endpoints                                                              | Private Links
-------------------------------------------------------------------------------|--------------------------------------------------------------------------
Free of charge                                                                 | Charge based on traffic and usage time
No SLA                                                                         | SLA of 99.99% (Private Link)
Feature of Virtual Network                                                     | Feature of Private Link Service
Providing service must be in same region as VNet (or at least paired region)   | Location of providing service is independent of private endpoint location
Must be enabled on the subnet where it needs to be consumed                    | Must be deployed to same region as VNet
No additional private IP address required                                      | Read-only network interface occupies a private IP address
Can’t be used for traffic coming from on-premises & peered networks            | Supports access from on-premises & peered networks
Service discovery relies on routing                                            | Service discovery relies on DNS
Traffic not inspectable inside Azure                                           | Allows traffic inspection via Azure Firewall
Supports 14 Azure PaaS providers                                               | Supports 27 Azure PaaS providers
Temporary interruption may occur to subnet while configuring service endpoints | No connectivity loss for clients connected to VNet
Only coarse control for storage accounts possible                              | Supports fine-grained control to target resource
Resource Comparison
Which to pick?
• Choose Service Endpoints if ...
  – ... you are tight on budget and communication stays within a single region
  – ... you must privately connect to a Data Lake Storage Gen1
  – ... you’d like to connect to a storage account & filtering via Service Endpoint Policy is sufficient for you
• Choose Private Endpoints if ...
  – ... you’d like to inspect traffic with Azure Firewall
  – ... you’d like to connect services across regions
  – ... you’d like to connect to partner resources privately
  – ... you can’t tolerate interruption of network connectivity while setting up
  – ... you must privately connect to services not offered by service endpoints (!)
Thanks for your attention!
-
Stay safe & healthy

More Related Content

What's hot

Windows Azure Virtual Machines
Windows Azure Virtual MachinesWindows Azure Virtual Machines
Windows Azure Virtual MachinesClint Edmonson
 
Azure App Service
Azure App ServiceAzure App Service
Azure App ServiceBizTalk360
 
Azure networking update 201908
Azure networking update 201908 Azure networking update 201908
Azure networking update 201908 Jay Kim
 
Azure Networking - The First Technical Challenge
Azure Networking  - The First Technical ChallengeAzure Networking  - The First Technical Challenge
Azure Networking - The First Technical ChallengeAidan Finn
 
Webinar AWS 201 - Using Amazon Virtual Private Cloud (VPC)
Webinar AWS 201 - Using Amazon Virtual Private Cloud (VPC)Webinar AWS 201 - Using Amazon Virtual Private Cloud (VPC)
Webinar AWS 201 - Using Amazon Virtual Private Cloud (VPC)Amazon Web Services
 
Microsoft Azure Technical Overview
Microsoft Azure Technical OverviewMicrosoft Azure Technical Overview
Microsoft Azure Technical Overviewgjuljo
 
Advanced Load Balancer/Traffic Manager and App Gateway for Microsoft Azure
Advanced Load Balancer/Traffic Manager and App Gateway for Microsoft AzureAdvanced Load Balancer/Traffic Manager and App Gateway for Microsoft Azure
Advanced Load Balancer/Traffic Manager and App Gateway for Microsoft AzureKemp
 
Az 104 session 6 azure networking part2
Az 104 session 6 azure networking part2Az 104 session 6 azure networking part2
Az 104 session 6 azure networking part2AzureEzy1
 
Azure Stack Fundamentals
Azure Stack FundamentalsAzure Stack Fundamentals
Azure Stack FundamentalsCenk Ersoy
 
Microsoft Azure Cloud Services
Microsoft Azure Cloud ServicesMicrosoft Azure Cloud Services
Microsoft Azure Cloud ServicesDavid J Rosenthal
 
Azure architecture
Azure architectureAzure architecture
Azure architectureAmal Dev
 
Introduction to Azure IaaS
Introduction to Azure IaaSIntroduction to Azure IaaS
Introduction to Azure IaaSRobert Crane
 

What's hot (20)

Azure Administrator
Azure AdministratorAzure Administrator
Azure Administrator
 
Windows Azure Virtual Machines
Windows Azure Virtual MachinesWindows Azure Virtual Machines
Windows Azure Virtual Machines
 
Azure App Service
Azure App ServiceAzure App Service
Azure App Service
 
Azure networking update 201908
Azure networking update 201908 Azure networking update 201908
Azure networking update 201908
 
Azure vnet
Azure vnetAzure vnet
Azure vnet
 
Azure: PaaS or IaaS
Azure: PaaS or IaaSAzure: PaaS or IaaS
Azure: PaaS or IaaS
 
Azure Networking - The First Technical Challenge
Azure Networking  - The First Technical ChallengeAzure Networking  - The First Technical Challenge
Azure Networking - The First Technical Challenge
 
Webinar AWS 201 - Using Amazon Virtual Private Cloud (VPC)
Webinar AWS 201 - Using Amazon Virtual Private Cloud (VPC)Webinar AWS 201 - Using Amazon Virtual Private Cloud (VPC)
Webinar AWS 201 - Using Amazon Virtual Private Cloud (VPC)
 
Microsoft Azure Technical Overview
Microsoft Azure Technical OverviewMicrosoft Azure Technical Overview
Microsoft Azure Technical Overview
 
Azure WAF
Azure WAFAzure WAF
Azure WAF
 
Advanced Load Balancer/Traffic Manager and App Gateway for Microsoft Azure
Advanced Load Balancer/Traffic Manager and App Gateway for Microsoft AzureAdvanced Load Balancer/Traffic Manager and App Gateway for Microsoft Azure
Advanced Load Balancer/Traffic Manager and App Gateway for Microsoft Azure
 
App Modernization with Microsoft Azure
App Modernization with Microsoft AzureApp Modernization with Microsoft Azure
App Modernization with Microsoft Azure
 
Az 104 session 6 azure networking part2
Az 104 session 6 azure networking part2Az 104 session 6 azure networking part2
Az 104 session 6 azure networking part2
 
Azure Stack Fundamentals
Azure Stack FundamentalsAzure Stack Fundamentals
Azure Stack Fundamentals
 
Azure 101
Azure 101Azure 101
Azure 101
 
Introduction to Microsoft Azure Cloud
Introduction to Microsoft Azure CloudIntroduction to Microsoft Azure Cloud
Introduction to Microsoft Azure Cloud
 
Microsoft Azure Cloud Services
Microsoft Azure Cloud ServicesMicrosoft Azure Cloud Services
Microsoft Azure Cloud Services
 
Azure architecture
Azure architectureAzure architecture
Azure architecture
 
Introduction to Azure IaaS
Introduction to Azure IaaSIntroduction to Azure IaaS
Introduction to Azure IaaS
 
Security Architectures on AWS
Security Architectures on AWSSecurity Architectures on AWS
Security Architectures on AWS
 

Similar to Azure Service Endpoints vs. Private Links

CCI2018 - Azure Network - Security Best Practices
CCI2018 - Azure Network - Security Best PracticesCCI2018 - Azure Network - Security Best Practices
CCI2018 - Azure Network - Security Best Practiceswalk2talk srl
 
Global Azure Bootcamp 2018 - Azure Network Security
Global Azure Bootcamp 2018 - Azure Network SecurityGlobal Azure Bootcamp 2018 - Azure Network Security
Global Azure Bootcamp 2018 - Azure Network SecurityScott Hoag
 
Becoming a Microsoft Specialist in Microsoft Azure Infrastructure
Becoming a Microsoft Specialist in Microsoft Azure InfrastructureBecoming a Microsoft Specialist in Microsoft Azure Infrastructure
Becoming a Microsoft Specialist in Microsoft Azure InfrastructureSyed Irtaza Ali
 
Securing your cloud perimeter with azure network security brk3185
Securing your cloud perimeter with azure network security brk3185Securing your cloud perimeter with azure network security brk3185
Securing your cloud perimeter with azure network security brk3185jtaylor707
 
Connect your datacenter to Microsoft Azure
Connect your datacenter to Microsoft AzureConnect your datacenter to Microsoft Azure
Connect your datacenter to Microsoft AzureK.Mohamed Faizal
 
Deploying couchbaseserverazure cihanbiyikoglu_microsoft
Deploying couchbaseserverazure cihanbiyikoglu_microsoftDeploying couchbaseserverazure cihanbiyikoglu_microsoft
Deploying couchbaseserverazure cihanbiyikoglu_microsoftCihan Biyikoglu
 
Cloud computing
Cloud computingCloud computing
Cloud computingRam Sharma
 
Blewis Session 1 Fy10 Q3 Azure
Blewis  Session 1 Fy10 Q3 AzureBlewis  Session 1 Fy10 Q3 Azure
Blewis Session 1 Fy10 Q3 AzureBrian Lewis
 
Infrastructure Migration from Windows Server 2003 to the Cloud: An Interoute ...
Infrastructure Migration from Windows Server 2003 to the Cloud: An Interoute ...Infrastructure Migration from Windows Server 2003 to the Cloud: An Interoute ...
Infrastructure Migration from Windows Server 2003 to the Cloud: An Interoute ...Interoute
 
Virtual Data Center VDC - Azure Cloud Reference Architecture CRA
Virtual Data Center VDC - Azure Cloud Reference Architecture CRAVirtual Data Center VDC - Azure Cloud Reference Architecture CRA
Virtual Data Center VDC - Azure Cloud Reference Architecture CRAAmmar Hasayen
 
Introduction to Windows Azure
Introduction to Windows AzureIntroduction to Windows Azure
Introduction to Windows AzureRavi Ranjan Karn
 
Cloud-Reference-Architecture-Virtual-Data-Center-VDC-Azure.pptx
Cloud-Reference-Architecture-Virtual-Data-Center-VDC-Azure.pptxCloud-Reference-Architecture-Virtual-Data-Center-VDC-Azure.pptx
Cloud-Reference-Architecture-Virtual-Data-Center-VDC-Azure.pptxVipulKumar221864
 
A_Z-_104_T0_0_A-EN_U-Power_Point_04.pptx
A_Z-_104_T0_0_A-EN_U-Power_Point_04.pptxA_Z-_104_T0_0_A-EN_U-Power_Point_04.pptx
A_Z-_104_T0_0_A-EN_U-Power_Point_04.pptxjayshuklatrainer
 
Windows Azure for .NET Developers
Windows Azure for .NET DevelopersWindows Azure for .NET Developers
Windows Azure for .NET Developersllangit
 
Azure PTA vs ADFS vs Desktop SSO
Azure PTA vs ADFS vs Desktop SSOAzure PTA vs ADFS vs Desktop SSO
Azure PTA vs ADFS vs Desktop SSOCoLaboraDK
 

Similar to Azure Service Endpoints vs. Private Links (20)

CCI2018 - Azure Network - Security Best Practices
CCI2018 - Azure Network - Security Best PracticesCCI2018 - Azure Network - Security Best Practices
CCI2018 - Azure Network - Security Best Practices
 
Global Azure Bootcamp 2018 - Azure Network Security
Global Azure Bootcamp 2018 - Azure Network SecurityGlobal Azure Bootcamp 2018 - Azure Network Security
Global Azure Bootcamp 2018 - Azure Network Security
 
10052016115136.pptx
10052016115136.pptx10052016115136.pptx
10052016115136.pptx
 
Becoming a Microsoft Specialist in Microsoft Azure Infrastructure
Becoming a Microsoft Specialist in Microsoft Azure InfrastructureBecoming a Microsoft Specialist in Microsoft Azure Infrastructure
Becoming a Microsoft Specialist in Microsoft Azure Infrastructure
 
Securing your cloud perimeter with azure network security brk3185
Securing your cloud perimeter with azure network security brk3185Securing your cloud perimeter with azure network security brk3185
Securing your cloud perimeter with azure network security brk3185
 
Connect your datacenter to Microsoft Azure
Connect your datacenter to Microsoft AzureConnect your datacenter to Microsoft Azure
Connect your datacenter to Microsoft Azure
 
Azure Microsoft
Azure MicrosoftAzure Microsoft
Azure Microsoft
 
Deploying couchbaseserverazure cihanbiyikoglu_microsoft
Deploying couchbaseserverazure cihanbiyikoglu_microsoftDeploying couchbaseserverazure cihanbiyikoglu_microsoft
Deploying couchbaseserverazure cihanbiyikoglu_microsoft
 
SOFTWARE COMPUTING
SOFTWARE COMPUTINGSOFTWARE COMPUTING
SOFTWARE COMPUTING
 
Cloud computing
Cloud computingCloud computing
Cloud computing
 
Migrating Apps To Azure
Migrating Apps To AzureMigrating Apps To Azure
Migrating Apps To Azure
 
Blewis Session 1 Fy10 Q3 Azure
Blewis  Session 1 Fy10 Q3 AzureBlewis  Session 1 Fy10 Q3 Azure
Blewis Session 1 Fy10 Q3 Azure
 
Infrastructure Migration from Windows Server 2003 to the Cloud: An Interoute ...
Infrastructure Migration from Windows Server 2003 to the Cloud: An Interoute ...Infrastructure Migration from Windows Server 2003 to the Cloud: An Interoute ...
Infrastructure Migration from Windows Server 2003 to the Cloud: An Interoute ...
 
Virtual Data Center VDC - Azure Cloud Reference Architecture CRA
Virtual Data Center VDC - Azure Cloud Reference Architecture CRAVirtual Data Center VDC - Azure Cloud Reference Architecture CRA
Virtual Data Center VDC - Azure Cloud Reference Architecture CRA
 
Introduction to Windows Azure
Introduction to Windows AzureIntroduction to Windows Azure
Introduction to Windows Azure
 
Cloud-Reference-Architecture-Virtual-Data-Center-VDC-Azure.pptx
Cloud-Reference-Architecture-Virtual-Data-Center-VDC-Azure.pptxCloud-Reference-Architecture-Virtual-Data-Center-VDC-Azure.pptx
Cloud-Reference-Architecture-Virtual-Data-Center-VDC-Azure.pptx
 
A_Z-_104_T0_0_A-EN_U-Power_Point_04.pptx
A_Z-_104_T0_0_A-EN_U-Power_Point_04.pptxA_Z-_104_T0_0_A-EN_U-Power_Point_04.pptx
A_Z-_104_T0_0_A-EN_U-Power_Point_04.pptx
 
Windows Azure for .NET Developers
Windows Azure for .NET DevelopersWindows Azure for .NET Developers
Windows Azure for .NET Developers
 
04 Azure IAAS 101
04 Azure IAAS 10104 Azure IAAS 101
04 Azure IAAS 101
 
Azure PTA vs ADFS vs Desktop SSO
Azure PTA vs ADFS vs Desktop SSOAzure PTA vs ADFS vs Desktop SSO
Azure PTA vs ADFS vs Desktop SSO
 

Recently uploaded

Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 

Recently uploaded (20)

Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 

Azure Service Endpoints vs. Private Links

  • 1. Service Endpoints vs. Private Endpoints Securing Azure services & reducing the risk of data exfiltration February 2021, Matthias Güntert
  • 2. Introduction What you can expect  You’ll learn what service endpoints (SE) are  You’ll learn what private endpoints (PE) are  You’ll learn the differences between both  You’ll learn when to use one or the other What I assume  Basic understanding of Virtual Networks, DNS and routing
  • 3. Matthias Güntert Günni, who?  I am a father of two kids, digital photographer, supermoto rider & Husaberg fan  I am an Azure Solution Architect, tech enthusiast, .NET developer and blogger (www.azureblue.io)  I work for Solveva, a company focusing on software solutions in the insurance sector  I support insurance companies in their move to the public cloud
  • 4. Service Endpoints – Direct and secure connectivity to Azure services
  • 5. Content: Service Endpoints
      Overview of Service Endpoints
      Routing without Service Endpoints
      Azure System Default Routes
      Azure Route Selection
      How Service Endpoints work
      What Service Endpoint Policies are
      Demo
      Key Benefits & Limitations
  • 6. Overview: Service Endpoints
      A service endpoint (SE) is a feature of Azure virtual network
      Eliminates exposure to the Internet
      Protects from data exfiltration
      Allows tight lock down of Azure resources on the network layer
      Provides direct connectivity to Azure services over an optimized route
      Traffic destined to Azure resources will always remain on Azure’s infrastructure backbone
  • 7. Azure System Default Routes: Service Endpoints
      Azure creates a system default routing table for each subnet in a virtual network
      Outbound traffic from a subnet is routed based on this route table

     Address prefixes                          | Next hop type   | Description
     ------------------------------------------|-----------------|------------------------------------------------------------
     Unique to VNet (e.g., 10.0.0.0/16)        | Virtual network | Traffic between subnets is automatically routed.
                                               |                 | No need to define gateways for Azure to route traffic between subnets
     0.0.0.0/0                                 | Internet        | By default, Azure routes traffic for any address not specified to the Internet
     10.0.0.0/8, 192.168.0.0/16, 100.64.0.0/10 | None            | Traffic is dropped, rather than routed outside the subnet.
  • 8. Azure Route Selection
      Routing decisions are based on the destination IP address using the “longest prefix matching” algorithm
      For example:

     Address prefix | Next Hop Type
     ---------------|--------------
     10.0.0.0/16    | A
     10.0.0.0/24    | B

      Destination IP: 10.0.0.5 → B (/24 is a longer matching prefix than /16)
      Destination IP: 10.0.1.5 → A (not part of 10.0.0.0/24)
      If multiple routes contain the same address prefix, selection is based on the following priority:
       1. User-defined route
       2. BGP route
       3. System route

     Source       | Address prefix | Next Hop Type
     -------------|----------------|------------------------
     Default      | 0.0.0.0/0      | Internet
     User-Defined | 0.0.0.0/0      | Virtual Network Gateway

     → I.e., destination IP 20.123.33.12 will select the user-defined route, as its priority is higher
  • 9. Routing without Service Endpoints: Service Endpoints
     1. Routing table lookup for destination 20.150.42.228
     2. The single matching address prefix is 0.0.0.0/0 and therefore the next hop type is “Internet”
      Traffic from the VM to the Storage Account travels through the Internet
      The Storage Account is exposed to the public Internet
      The Storage Account could be protected with manual FW rules; however, whitelisted packets would still travel through the Internet, which might not be desirable
  • 10. How do Service Endpoints work?
      SE relies on routing and makes use of a new hop type called “VirtualNetworkServiceEndpoint”
      In addition to the ones we have already seen: “Virtual network”, “Internet”, “None”, ...
      This hop type acts as an ingress/entry point to the Azure backbone
      When enabling SEs for a specific resource type, all of its public IP address prefixes are added to the default routing table with a next hop type of “VirtualNetworkServiceEndpoint”
  • 11. Service Endpoint Policy
      Allows filtering of egress VNet traffic to storage accounts
      Provides granular access control for VNet traffic to storage accounts
      Filter granularity is based on a configurable scope:
       All accounts in a subscription
       All accounts in a resource group
       A single account
      No support for resources other than storage accounts!!
  • 12. Demo: Lock down VM & Storage Account with service endpoints
     1. Create a “Service Endpoint Policy”
     2. Enable Service Endpoint for the Subnet
     3. Deny inbound from Internet to Storage Account
     4. Deny outbound from VM to Internet
  • 13. Key Benefits – 1: Service Endpoints
      Traffic remains on the Azure backbone
       Enhanced network performance (high bandwidth, low latency)
       Enhanced security
      Optimal routing
       Even with user-defined routes pointing to on-premises, traffic will still take the service endpoint as next hop
       Service endpoint routes override any BGP or UDR routes for the address prefix match!
      Allows tight lock down of Azure resources on the network layer
       Not possible without service endpoints
       Storage Account access can be further restricted with “SE Policies”
      No additional charge for using Service Endpoints
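The route selection from slides 7–10 and 13 (longest prefix match, source priority, and the VirtualNetworkServiceEndpoint route taking precedence) as a small simulator. This is an added example, not code from the deck; the 20.150.42.0/24 storage prefix is an assumption chosen to cover the 20.150.42.228 address used on slide 9, and all tables are constructed.

```python
import ipaddress

# Priority for equal-length prefixes (slide 8): UDR beats BGP beats System.
SOURCE_PRIORITY = {"User-Defined": 0, "BGP": 1, "System": 2}


def route(prefix, next_hop, source="System"):
    return {"prefix": prefix, "next_hop": next_hop, "source": source}


def select_route(routes, destination):
    """Return the route Azure would pick for `destination`:
    1. the longest matching prefix wins;
    2. among equal prefixes a VirtualNetworkServiceEndpoint route wins
       (slide 13: SE routes override BGP/UDR routes for their prefix);
    3. otherwise SOURCE_PRIORITY decides."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in routes if dst in ipaddress.ip_network(r["prefix"])]
    if not matches:
        return None

    def rank(r):
        net = ipaddress.ip_network(r["prefix"])
        is_se = r["next_hop"] == "VirtualNetworkServiceEndpoint"
        return (net.prefixlen, is_se, -SOURCE_PRIORITY[r["source"]])

    return max(matches, key=rank)


def next_hop(routes, destination):
    r = select_route(routes, destination)
    return r["next_hop"] if r else "no route"


# Constructed: system default routes from slide 7 for a 10.0.0.0/16 VNet.
DEFAULT_ROUTES = [
    route("10.0.0.0/16", "VirtualNetwork"),
    route("0.0.0.0/0", "Internet"),
    route("10.0.0.0/8", "None"),
    route("192.168.0.0/16", "None"),
    route("100.64.0.0/10", "None"),
]
# Constructed: the forced-tunnelling UDR from slide 8.
FORCE_TUNNEL = [route("0.0.0.0/0", "VirtualNetworkGateway", "User-Defined")]
# Constructed: the route Azure adds once Microsoft.Storage service endpoints
# are enabled on the subnet (assumed prefix; real prefixes come from Azure).
STORAGE_SE = [route("20.150.42.0/24", "VirtualNetworkServiceEndpoint")]
```

With `DEFAULT_ROUTES` alone the storage address on slide 9 leaves via `Internet`; adding `STORAGE_SE` makes it pick the service endpoint even when `FORCE_TUNNEL` or a UDR with the identical prefix is present.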
  • 14. Key Benefits – 2: Service Endpoints
      You can secure Azure services to multiple subnets within a VNet or even across multiple VNets
      VNet & Azure service resource can belong to different subscriptions and tenants
      However, VNet & service resource can’t be in different regions
       With the exception of paired regions, e.g., West Europe & North Europe
  • 15. Limitations: Service Endpoints
      Feature only available to virtual networks deployed through Azure Resource Manager (no classic deployment)
      Can’t be used for traffic coming from on-premises & peered networks
      Not every Azure resource type is supported, although many core resources are:
       Azure Storage
       SQL Database, PostgreSQL, MySQL, MariaDB, Cosmos DB
       Key Vault, Service Bus, Event Hubs, App Service, Cognitive Services, Container Registry (public preview)
       Data Lake Store Gen 1, Synapse Analytics
      SE Policies can only be used for storage accounts!
       And you can’t distinguish between blob, queue, file or table
      SE Policies can’t be “shared” across subscriptions
       ... like other resources
  • 16. Private Endpoints – Creating private PaaS solutions with “Private Links”
  • 17. Content: Private Endpoints
      Overview of Private Endpoints and Private Link Service
      Private Endpoint DNS Integration
       DNS Query from the Internet
       DNS Query from the VNet
      Approval Workflow
      Demo
      Key Benefits & Limitations
  • 18. Overview: Private Endpoints
      Eliminates Internet exposure & protects from data exfiltration
      Part of the Private Link Service offering, which consists of three components:
       Private Endpoint, Private Endpoint DNS Integration, Private Link Service
      Enables access to Azure PaaS services, partner services and customer-owned services over a private endpoint in your virtual network
      A “Private Link Service” can be an Azure Storage Account, SQL Server, ... or your own application
  • 19. Overview: Private Endpoints
      A PE is a special type of NIC that plugs into a VNet
      A PE uses a private IP from the subnet
      Traffic remains on the Azure backbone
  • 20. Private Endpoint DNS Integration
      Azure creates a CNAME record on the public DNS
      A Private DNS Zone is created and linked to the VNet, overriding public DNS
      Clients from the Internet and the VNet can both use the same (public) FQDN
       ... which resolves to different IP addresses
      No need for callers to change any existing URLs to the target resource
  • 21. DNS Query from the Internet: Private Endpoint DNS Integration
      Meaning of the result:
       azurebluedemo2.blob... is an alias for azurebluedemo2.privatelink...
       azurebluedemo2.privatelink... is an alias for blob.blz21prdstr02a.store...
       blob.blz21prdstr02a.store... points to address 52.239.169.4
      This implies that even if you query the *.privatelink.* DNS name, no private IP addresses are going to be revealed
  • 22. DNS Query from the Internet: Private Endpoint DNS Integration
      azurebluedemo2 has a PE pointing to it – azurebluedemo1 doesn’t
      No internal IPs are exposed, even when trying to resolve *.privatelink.*
  • 23. DNS Query from Virtual Network: Private Endpoint DNS Integration
      Lookup for azurebluedemo2.blob.core.windows.net from the VNet
      Meaning of the result:
       azurebluedemo2.blob... is an alias for azurebluedemo2.privatelink...
       azurebluedemo2.privatelink... points to the IP 10.0.1.5
      The Private DNS zone overrides DNS resolution
      This implies that there is no need for callers to change any existing URLs to the target resource!
  • 24. Private Endpoint DNS Integration: Hub & Spoke
      A Private DNS Zone can be linked to many VNets
      A Private DNS zone is a global resource!
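The split-horizon resolution from slides 20–23 (public CNAME chain ending at a public IP, private DNS zone overriding the privatelink name inside the VNet) as a toy resolver. This is an added example, not the deck’s code; the zone data is constructed from the slide’s values, the backend alias name is a placeholder because the slide truncates it, and the `azurebluedemo3` case goes beyond the slides to show what happens when the private zone is missing a record.

```python
import ipaddress

# Constructed public DNS view modelled on slides 21-22. The backend alias
# "blob.backend-cluster.placeholder" stands in for the truncated
# "blob.blz21prdstr02a.store..." on the slide.
PUBLIC_DNS = {
    "azurebluedemo2.blob.core.windows.net": ("CNAME", "azurebluedemo2.privatelink.blob.core.windows.net"),
    "azurebluedemo2.privatelink.blob.core.windows.net": ("CNAME", "blob.backend-cluster.placeholder"),
    "azurebluedemo3.blob.core.windows.net": ("CNAME", "azurebluedemo3.privatelink.blob.core.windows.net"),
    "azurebluedemo3.privatelink.blob.core.windows.net": ("CNAME", "blob.backend-cluster.placeholder"),
    # azurebluedemo1 has no private endpoint, so no privatelink hop (slide 22).
    "azurebluedemo1.blob.core.windows.net": ("CNAME", "blob.backend-cluster.placeholder"),
    "blob.backend-cluster.placeholder": ("A", "52.239.169.4"),
}
# Constructed private DNS zone linked to the VNet (slide 20). Only
# azurebluedemo2 has its A record; azurebluedemo3 is deliberately missing.
PRIVATE_ZONES = {"privatelink.blob.core.windows.net": {"azurebluedemo2": "10.0.1.5"}}


def resolve(name, from_vnet, max_hops=8):
    """Follow CNAMEs like a recursive resolver, returning the chain of
    (name, type, value). Inside the VNet a linked private zone is
    authoritative for its suffix, so public records for it are never consulted."""
    chain = []
    for _ in range(max_hops):
        if from_vnet:
            for zone, records in PRIVATE_ZONES.items():
                if name.endswith("." + zone):
                    label = name[: -len(zone) - 1]
                    chain.append((name, "A", records.get(label)))  # None = NXDOMAIN
                    return chain
        rtype, value = PUBLIC_DNS.get(name, (None, None))
        chain.append((name, rtype, value))
        if rtype != "CNAME":
            return chain
        name = value
    raise RuntimeError("CNAME chain too long")


def resolved_ip(name, from_vnet):
    return resolve(name, from_vnet)[-1][2]


def public_view_leaks_private_ip(name):
    """Defender's check for slides 21-22: a public lookup must never end at an RFC1918 address."""
    ip = resolved_ip(name, from_vnet=False)
    return ip is not None and ipaddress.ip_address(ip).is_private
```

A missing private-zone record (the `azurebluedemo3` case) resolves to nothing from inside the VNet, which is the usual cause of "works from the Internet, fails from the VNet" after a private endpoint is added.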
  • 25. Approval Workflow
      Two connection approval methods: automatic & manual
      The resource owner can approve
      If the requester has sufficient permissions, approval is given automatically
  • 26. Demo: Access Blob Storage privately via a Private Endpoint
      Creating a private endpoint pointing to an Azure Storage Account
      Demonstrate DNS
      Demonstrate the approval workflow
  • 27. Key Benefits: Private Endpoints
      Eliminates exposure to the Internet
      Can be consumed by services outside the VNet
       Like on-premises
      Can be used to connect to resources across regions
      Supports an approval workflow & a lot more Azure resources than service endpoints
  • 28. Limitations: Private Endpoints
      Private Endpoints can’t be associated with NSGs
      User-defined routes don’t apply to private endpoints
      A Private Endpoint must be in the same region as your virtual network
       Alternatively, create the PE in a Hub VNet and use (global) peering
  • 30. Comparison

     Service Endpoints                                                              | Private Links
     -------------------------------------------------------------------------------|-------------------------------------------------------------------
     Free of charge                                                                 | Charge based on traffic and usage time
     No SLA                                                                         | SLA of 99.99% (Private Link)
     Feature of Virtual Network                                                     | Feature of Private Link Service
     Providing service must be in same region as VNet (or at least paired region)   | Location of providing service is independent of private endpoint location
     Must be enabled on the subnet where it needs to be consumed                    | Must be deployed to same region as VNet
     No additional private IP address required                                      | Read-only network interface occupies a private IP address
     Can’t be used for traffic coming from on-premises & peered networks            | Supports access from on-premises & peered networks
     Service discovery relies on routing                                            | Service discovery relies on DNS
     Traffic not inspectable inside Azure                                           | Allows traffic inspection via Azure Firewall
     Supports 14 Azure PaaS providers                                               | Supports 27 Azure PaaS providers
     Temporary interruption may occur to subnet while configuring service endpoints | No connectivity loss for clients connected to VNet
     Only coarse control for storage accounts possible                              | Supports fine-grained control to target resource
  • 32. Which to pick?
      Choose Service Endpoints if ...
       ... you are tight on budget and communication stays within a single region
       ... you must privately connect to a Data Lake Storage Gen1
       ... you’d like to connect to a storage account & filtering via Service Endpoint Policy is sufficient for you
      Choose Private Endpoints if ...
       ... you’d like to inspect traffic with Azure Firewall
       ... you’d like to connect services across regions
       ... you’d like to connect to partner resources privately
       ... you can’t tolerate interruption of network connectivity while setting up
       ... you must privately connect to services not offered by service endpoints (!)