Service Endpoints vs. Private Endpoints
Securing Azure services & reducing the risk of data exfiltration
February 2021, Matthias Güntert
Introduction
What you can expect
 You’ll learn what service endpoints (SE) are
 You’ll learn what private endpoints (PE) are
 You’ll learn the differences between both
 You’ll learn when to use one or the other
What I assume
 Basic understanding of Virtual Networks, DNS and routing
Matthias Güntert
Günni, who?
 I am a father of two kids, digital
photographer, supermoto rider &
Husaberg fan
 I am an Azure Solution Architect,
tech enthusiast, .NET developer and
blogger (www.azureblue.io)
 I work for Solveva, a company
focusing on software solutions in the
insurance sector
 I support insurance companies in
their move to the public cloud
Service Endpoints
Direct and secure connectivity to Azure services
Content
Service Endpoints
 Overview of Service Endpoints
 Routing without Service Endpoints
 Azure System Default Routes
 Azure Route Selection
 How Service Endpoints work
 What Service Endpoint Policies are
 Demo
 Key Benefits & Limitations
Overview
Service Endpoints
 A service endpoint (SE) is a feature of Azure Virtual Network
 Eliminates exposure to the Internet
 Protects from data exfiltration
 Allows tight lock-down of Azure resources on the network layer
 Provides direct connectivity to Azure services over an optimized route
 Traffic destined to Azure resources will always remain on Azure’s infrastructure backbone
Azure System Default Routes
Service Endpoints
 Azure creates a system default routing table for each subnet in a virtual network
 Outbound traffic from a subnet is routed based on this route table
| Address prefixes | Next hop type | Description |
| Unique to VNet (e.g., 10.0.0.0/16) | Virtual network | Traffic between subnets is automatically routed; no need to define gateways for Azure to route traffic between subnets |
| 0.0.0.0/0 | Internet | By default, Azure routes traffic for any address not specified to the Internet |
| 10.0.0.0/8, 192.168.0.0/16, 100.64.0.0/10 | None | Traffic is dropped, rather than routed outside the subnet |
Azure Route Selection
 Routing decisions are based on the destination IP address using the “longest prefix matching” algorithm
 For example, given the route table
| Address prefix | Next hop type |
| 10.0.0.0/16 | A |
| 10.0.0.0/24 | B |
  Destination IP: 10.0.0.5 → B (/24 is a longer matching prefix than /16)
  Destination IP: 10.0.1.5 → A (not part of 10.0.0.0/24)
 If multiple routes contain the same address prefix, selection is based on the following priority
  User-defined route
  BGP route
  System route
| Source | Address prefix | Next hop type |
| Default | 0.0.0.0/0 | Internet |
| User-Defined | 0.0.0.0/0 | Virtual Network Gateway |
→ I.e., destination IP 20.123.33.12 will select the user-defined route, as its priority is higher
Routing without Service Endpoints
Service Endpoints
1. Routing table lookup for destination 20.150.42.228
2. The single matching address prefix is 0.0.0.0/0 and therefore the next hop type is “Internet”
 Traffic from the VM to the Storage Account travels through the Internet
 The Storage Account is exposed to the public Internet
 The Storage Account could be protected with manual firewall rules; however, allow-listed (whitelisted) packets would still travel through the Internet, which might not be desirable
How do Service Endpoints work?
 SE relies on routing and makes use of a new hop type called “VirtualNetworkServiceEndpoint”
  In addition to the ones we have already seen, which were “Virtual network”, “Internet”, “None”, ...
 This hop type acts as an ingress/entry point to the Azure backbone
 When enabling SEs for a specific resource type, all of that service’s public IP address prefixes are added to the default routing table with a next hop type of “VirtualNetworkServiceEndpoint”
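The route selection rules on the previous slides (longest prefix match, then user-defined over BGP over system for identical prefixes) and the effect of enabling a service endpoint can be modelled in a few lines. The following Python is an added illustration, not Microsoft’s implementation and not code from the deck: it reproduces the system default table, the two worked lookups, and the VirtualNetworkServiceEndpoint route insertion. The storage prefix 20.150.0.0/16 is a constructed stand-in for the real Azure Storage address prefixes, and the “service endpoint beats UDR/BGP on the same prefix” rule is taken from the Key Benefits slide.

```python
"""Model of Azure route selection for a subnet, as an added illustration.

Not Microsoft's implementation. Encodes the rules on the slides: longest
prefix match first; for identical prefixes user-defined beats BGP beats
system; and a service endpoint route wins over a UDR/BGP route for the same
prefix. 20.150.0.0/16 below is a constructed stand-in for the real Azure
Storage address prefixes.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Lower value = higher priority when two routes carry the same address prefix.
SOURCE_PRIORITY = {
    "ServiceEndpoint": 0,  # route added by enabling a service endpoint
    "User-Defined": 1,
    "BGP": 2,
    "System": 3,
}


@dataclass(frozen=True)
class Route:
    prefix: str         # e.g. "10.0.0.0/16"
    next_hop: str       # e.g. "Virtual network", "Internet", "None"
    source: str = "System"

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix)


def select_route(routes: Iterable[Route], destination: str) -> Optional[Route]:
    """Return the route chosen for `destination`, or None when nothing matches."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in r.network]
    if not candidates:
        return None
    # Longest prefix wins; an exact prefix tie is broken by route source priority.
    return min(candidates,
               key=lambda r: (-r.network.prefixlen, SOURCE_PRIORITY[r.source]))


def system_default_routes(vnet_prefix: str) -> List[Route]:
    """The system default route table from the slides (no UDRs, no BGP)."""
    return [
        Route(vnet_prefix, "Virtual network"),
        Route("0.0.0.0/0", "Internet"),
        Route("10.0.0.0/8", "None"),
        Route("192.168.0.0/16", "None"),
        Route("100.64.0.0/10", "None"),
    ]


def enable_service_endpoint(routes: List[Route], service_prefixes: Iterable[str]) -> List[Route]:
    """Model enabling a service endpoint on the subnet: every public prefix of
    the service is added with next hop type VirtualNetworkServiceEndpoint."""
    return routes + [Route(p, "VirtualNetworkServiceEndpoint", "ServiceEndpoint")
                     for p in service_prefixes]


def next_hop_for(routes: Iterable[Route], destination: str) -> str:
    """Convenience wrapper returning just the next hop type name."""
    route = select_route(routes, destination)
    return route.next_hop if route else "no route"


if __name__ == "__main__":
    table = system_default_routes("10.0.0.0/16")
    print("without SE:", next_hop_for(table, "20.150.42.228"))   # Internet
    table = enable_service_endpoint(table, ["20.150.0.0/16"])    # constructed prefix
    print("with SE:   ", next_hop_for(table, "20.150.42.228"))   # VirtualNetworkServiceEndpoint
    # A UDR for the same prefix pointing at an appliance does not displace the SE route.
    table.append(Route("20.150.0.0/16", "Virtual appliance", "User-Defined"))
    print("with UDR:  ", next_hop_for(table, "20.150.42.228"))   # VirtualNetworkServiceEndpoint
```

The last step is the one worth checking in a real subnet: a forced-tunnelling UDR (0.0.0.0/0 to an appliance or on-premises) does not carry storage traffic once the service endpoint is enabled, because the more specific VirtualNetworkServiceEndpoint routes match first. Azure’s “effective routes” view on the NIC shows the same outcome.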
Service Endpoint Policy
 Allows filtering of egress VNet traffic to storage accounts
 Provides granular access control for VNet traffic to storage accounts
 Filter granularity is based on a configurable scope:
  All accounts in a subscription
  All accounts in a resource group
  A single account
 No support for resources other than storage accounts!!
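A service endpoint policy is an allow list of storage scopes: once it is applied to a subnet, only storage accounts inside one of the listed subscriptions, resource groups or single-account entries remain reachable through the endpoint. The Python below is an added model of that evaluation, not Azure’s code; the subscription IDs and account names are constructed examples. It also makes the slide’s caveat visible: the account resource ID has no blob/queue/file/table component, so the policy cannot distinguish between those services of one account.

```python
"""Allow-list evaluation of an Azure service endpoint policy, as an added model.

Not Azure's code. A policy definition for Microsoft.Storage lists resource IDs
at one of three scopes (subscription, resource group, single storage account);
once applied to a subnet, only accounts inside one of those scopes remain
reachable through the endpoint. All IDs below are constructed examples.
"""
from typing import Iterable, List

SUB_A = "/subscriptions/11111111-1111-1111-1111-111111111111"   # constructed
SUB_B = "/subscriptions/22222222-2222-2222-2222-222222222222"   # constructed


def _segments(resource_id: str) -> List[str]:
    """Split an ARM resource ID into case-folded path segments."""
    return [s.lower() for s in resource_id.strip("/").split("/")]


def scope_kind(scope_id: str) -> str:
    """Classify a policy definition entry by its resource ID depth."""
    segs = _segments(scope_id)
    if len(segs) == 2:
        return "subscription"
    if len(segs) == 4:
        return "resource group"
    if len(segs) == 8 and segs[5:7] == ["microsoft.storage", "storageaccounts"]:
        return "single account"
    return "unsupported"   # anything that is not a storage scope


def scope_covers(scope_id: str, account_id: str) -> bool:
    """True when the policy scope contains the storage account (segment-wise prefix,
    so /subscriptions/aaa does not accidentally cover /subscriptions/aaab/...)."""
    scope, acct = _segments(scope_id), _segments(account_id)
    return scope_kind(scope_id) != "unsupported" and acct[:len(scope)] == scope


def is_allowed(policy_scopes: Iterable[str], account_id: str) -> bool:
    """A service endpoint policy is an allow list: the destination must fall
    inside at least one scope. The account ID carries no blob/queue/file/table
    component, so the policy cannot distinguish between those services."""
    return any(scope_covers(s, account_id) for s in policy_scopes)


def storage_account_id(subscription: str, resource_group: str, name: str) -> str:
    """Build the ARM resource ID of a storage account."""
    return (f"{subscription}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.Storage/storageAccounts/{name}")


# Constructed policy: the whole resource group "rg-app" in SUB_A plus one extra account.
POLICY = [
    f"{SUB_A}/resourceGroups/rg-app",
    storage_account_id(SUB_A, "rg-shared", "sharedlogs01"),
]

if __name__ == "__main__":
    for acct in (storage_account_id(SUB_A, "rg-app", "appdata01"),
                 storage_account_id(SUB_A, "rg-shared", "sharedlogs02"),
                 storage_account_id(SUB_B, "rg-app", "appdata01")):
        print(acct.rsplit("/", 1)[-1], "->", "allowed" if is_allowed(POLICY, acct) else "denied")
```

The exfiltration angle is the second and third lines of that output: an account in a different resource group or subscription, even one the attacker controls, is no longer reachable from the subnet once the policy is attached, which is exactly the gap a plain service endpoint leaves open.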
Demo
Lock down VM & Storage Account with service endpoints
1. Create a “Service Endpoint Policy”
2. Enable Service Endpoint for the Subnet
3. Deny inbound from Internet to Storage Account
4. Deny outbound from VM to Internet
Key Benefits - 1
Service Endpoints
 Traffic remains on Azure backbone
 Enhanced network performance (high bandwidth, low latency)
 Enhanced security
 Optimal routing
  Even with user-defined routes pointing to on-premises, traffic will still take the service endpoint as next hop
  Service endpoint routes override any BGP or UDR routes for an address prefix match!
 Allows tight lock down of Azure resources on the network layer
 Not possible without service endpoints
 Storage Account access can be further restricted with “SE Policies”
 No additional charge for using Service Endpoints
Key Benefits – 2
Service Endpoints
 You can secure Azure services to multiple subnets within a VNet or even across multiple VNets
 VNet & Azure service resource can belong to different subscriptions and tenants
 However, VNet & service resource can’t be in different regions
  With the exception of paired regions, e.g., West & North Europe
Limitations
Service Endpoints
 Feature only available to virtual networks deployed through Azure Resource Manager (no classic deployment)
 Can't be used for traffic coming from on-premises & peered networks
 Not every Azure resource type is supported, although many core resources are
  Azure Storage
  SQL Database, PostgreSQL, MySQL, MariaDB, Cosmos DB
  Key Vault, Service Bus, Event Hubs, App Service, Cognitive Services, Container Registry (public preview)
  Data Lake Store Gen 1, Synapse Analytics
 SE Policies can only be used for storage accounts!
  And you can’t distinguish between blob, queue, file or table
 SE Policies can’t be “shared” across subscriptions
  ... unlike other resources
Private Endpoints
Creating private PaaS solutions with “Private Links”
Content
Private Endpoints
 Overview of Private Endpoints and Private Link Service
 Private Endpoint DNS Integration
 DNS Query from the Internet
 DNS Query from the VNet
 Approval Workflow
 Demo
 Key Benefits & Limitations
Overview
Private Endpoints
 Eliminates Internet Exposure & protects from data exfiltration
 Part of the Private Link Service Offering which consists of three components
 Private Endpoint, Private Endpoint DNS Integration, Private Link Service
 Enables access to Azure PaaS services, partner services and customer-owned services over a private endpoint in your virtual network
 “Private Link Service” can be Azure Storage Account, SQL Server, ... or your own application
Overview
Private Endpoints
 PE is a special type of NIC that plugs into the VNet
 PE uses a private IP from the subnet
 Traffic remains on the Azure backbone
Private Endpoint DNS Integration
 Azure creates a CNAME record in public DNS
 A Private DNS Zone is created and linked to the VNet, overriding public DNS
 Clients from the Internet and the VNet can both use the same (public) FQDN
  ... which resolves to different IP addresses
 No need for callers to change any existing URLs to the target resource
DNS Query from the Internet
Private Endpoint DNS Integration
 Meaning of the result:
  azurebluedemo2.blob... is an alias for azurebluedemo2.privatelink...
  azurebluedemo2.privatelink... is an alias for blob.blz21prdstr02a.store...
  blob.blz21prdstr02a.store... points to address 52.239.169.4
 This implies that even if you query the *.privatelink.* DNS name, no private IP addresses are going to be revealed
DNS Query from the Internet
Private Endpoint DNS Integration
 azurebluedemo2 has a PE pointing to it – azurebluedemo1 doesn’t
 No internal IPs are exposed, even when trying to resolve *.privatelink.*
DNS Query from Virtual Network
Private Endpoint DNS Integration
 Lookup for azurebluedemo2.blob.core.windows.net from the VNet
 Meaning of the result
  azurebluedemo2.blob... is an alias for azurebluedemo2.privatelink...
  azurebluedemo2.privatelink points to the IP 10.0.1.5
 The Private DNS zone overrides DNS resolution
 This implies that there is no need for callers to change any existing URLs to the target resource!
Private Endpoint DNS Integration
Hub & Spoke
 A Private DNS Zone can be linked to many VNets
 A Private DNS Zone is a global resource!
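The two DNS lookups above (from the Internet and from the VNet) and the hub & spoke linking rule can be reproduced with a small split-horizon resolver. The Python below is an added model and not Azure DNS: it keeps a constructed public zone and a constructed private zone table, and treats a client as “inside” only when its VNet is linked to the private zone. The full names are assumed completions of the abbreviated ones on the slides (the privatelink zone for blob storage is privatelink.blob.core.windows.net; blob.blz21prdstr02a.store.core.windows.net is an assumed completion of the cluster name), and the VNet names are constructed.

```python
"""Split-horizon DNS for a private endpoint, as an added model of the slides.

Not Azure DNS: a small resolver over two constructed zone tables. Clients in
a VNet linked to the private zone get the private answer; Internet clients
and clients in an unlinked VNet get the public one. Full names are assumed
completions of the abbreviated names shown on the slides.
"""
import ipaddress
from typing import List, Optional, Tuple

# Public DNS (constructed). azurebluedemo2 has a private endpoint, azurebluedemo1 does not,
# so no privatelink alias exists for azurebluedemo1.
PUBLIC_ZONE = {
    "azurebluedemo2.blob.core.windows.net":
        ("CNAME", "azurebluedemo2.privatelink.blob.core.windows.net"),
    "azurebluedemo2.privatelink.blob.core.windows.net":
        ("CNAME", "blob.blz21prdstr02a.store.core.windows.net"),
    "blob.blz21prdstr02a.store.core.windows.net": ("A", "52.239.169.4"),
    "azurebluedemo1.blob.core.windows.net":
        ("CNAME", "blob.blz21prdstr02a.store.core.windows.net"),
}

# Private DNS zone privatelink.blob.core.windows.net: a global resource that can be
# linked to many VNets (hub & spoke). The link set is constructed.
PRIVATE_ZONE = {
    "azurebluedemo2.privatelink.blob.core.windows.net": ("A", "10.0.1.5"),
}
PRIVATE_ZONE_LINKS = {"vnet-hub", "vnet-spoke-a"}

Record = Tuple[str, str, str]   # (queried name, record type, value)


def resolve(name: str, vnet: Optional[str] = None,
            max_hops: int = 8) -> Tuple[List[Record], Optional[str]]:
    """Follow the CNAME chain for `name`; return (chain, final IP or None).

    `vnet` is the client's VNet name, or None for a client on the Internet.
    """
    use_private = vnet is not None and vnet in PRIVATE_ZONE_LINKS
    chain: List[Record] = []
    current = name.lower().rstrip(".")
    for _ in range(max_hops):
        # A linked private zone shadows public DNS for the names it holds.
        record = PRIVATE_ZONE.get(current) if use_private else None
        if record is None:
            record = PUBLIC_ZONE.get(current)
        if record is None:
            return chain, None                      # NXDOMAIN
        rtype, value = record
        chain.append((current, rtype, value))
        if rtype == "A":
            return chain, value
        current = value.lower()
    raise RuntimeError("CNAME chain exceeded max_hops")


def resolves_privately(name: str, vnet: str) -> bool:
    """Defender check: does a client in `vnet` end up on the private endpoint IP?
    A False here for a VNet that should be private usually means a missing zone link."""
    _, ip = resolve(name, vnet)
    return ip is not None and ipaddress.ip_address(ip).is_private


if __name__ == "__main__":
    for vnet in (None, "vnet-spoke-a", "vnet-spoke-unlinked"):
        chain, ip = resolve("azurebluedemo2.blob.core.windows.net", vnet)
        print(vnet or "Internet", "->", " -> ".join(f"{n} {t} {v}" for n, t, v in chain), "=>", ip)
```

The unlinked spoke is the case to test for in practice: the public FQDN still resolves, so the application works, but via 52.239.169.4 over the public path rather than 10.0.1.5 through the private endpoint, and a storage firewall that denies public access then fails the client instead.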
Approval Workflow
 Two connection approval methods: automatic & manual
 The resource owner can approve
 If the requester has sufficient permissions, approval is given automatically
Demo
Access Blob Storage privately via a Private Endpoint
 Creating a private endpoint pointing to an Azure Storage Account
 Demonstrate DNS
 Demonstrate approval workflow
Key Benefits
Private Endpoints
 Eliminates exposure to the Internet
 Can be consumed by services outside the VNet
 Like on-premises
 Can be used to connect to resources across regions
 Supports approval workflow & a lot more Azure resources than service endpoints
Limitations
Private Endpoints
 Private Endpoints can’t be associated with NSGs
 User-defined routes don’t apply to private endpoints
 Private Endpoint must be in the same region as your virtual network
 Alternatively create PE in a Hub VNet and use (global) peering
Comparison
Side-by-Side comparison & which to pick?
Comparison
| Service Endpoints | Private Links |
| Free of charge | Charge based on traffic and usage time |
| No SLA | SLA of 99.99% (Private Link) |
| Feature of Virtual Network | Feature of Private Link Service |
| Providing service must be in the same region as the VNet (or at least a paired region) | Location of providing service is independent of private endpoint location |
| Must be enabled on the subnet where it needs to be consumed | Must be deployed to the same region as the VNet |
| No additional private IP address required | Read-only network interface occupies a private IP address |
| Can’t be used for traffic coming from on-premises & peered networks | Supports access from on-premises & peered networks |
| Service discovery relies on routing | Service discovery relies on DNS |
| Traffic not inspectable inside Azure | Allows traffic inspection via Azure Firewall |
| Supports 14 Azure PaaS providers | Supports 27 Azure PaaS providers |
| Temporary interruption may occur to the subnet while configuring service endpoints | No connectivity loss for clients connected to the VNet |
| Only coarse control for storage accounts possible | Supports fine-grained control to the target resource |
Resource Comparison
Which to pick?
 Choose Service Endpoints if ...
 ... you are tight on budget and communication stays within a single region
 ... you must privately connect to a Data Lake Storage Gen1
  ... you’d like to connect to a storage account & filtering via Service Endpoint Policy is sufficient for you
 Choose Private Endpoints if ...
 ... you’d like to inspect traffic with Azure Firewall
 ... you’d like to connect services across regions
 ... you’d like to connect to partner resources privately
 ... you can’t tolerate interruption of network connectivity while setting up
 ... you must privately connect to services not offered by service endpoints (!)
Thanks for your attention!
-
Stay safe & healthy