Azure compute and networking services
📘Microsoft Certified: Azure Fundamentals (AZ-900)
When you work with resources in Azure—like storage accounts, databases, or web apps—your applications need a way to connect to these resources. Azure provides two main ways to do this:
- Public Endpoints
- Private Endpoints
These endpoints control how traffic reaches your resources.
1. Public Endpoints
Definition:
A public endpoint is a network connection that allows access to an Azure resource over the internet. Essentially, the resource gets a public IP address so anyone who has proper credentials and network access can connect to it.
Key Points:
- Uses the public internet to connect to Azure resources.
- Accessible from anywhere, as long as network rules and authentication allow it.
- Often protected using firewalls, network security groups (NSGs), or Azure role-based access control (RBAC).
- Suitable for scenarios where users or applications need to connect outside the Azure network, like external clients accessing a web app.
Example in IT context:
- A web app hosted in Azure can have a public endpoint so that employees worldwide can access it through a browser.
- An Azure SQL database with a public endpoint allows applications running outside of Azure to connect.
Security Considerations:
- Since the resource is reachable over the internet, it must be secured with proper authentication, IP restrictions, and encryption.
- Azure recommends limiting exposure by only allowing specific IP ranges.
2. Private Endpoints
Definition:
A private endpoint is a network connection that allows access to an Azure resource only within your private network. It uses a private IP address from your Azure Virtual Network (VNet), so traffic never goes over the internet.
Key Points:
- Provides secure, private connectivity to Azure resources.
- Traffic stays within the Azure backbone network (internal Azure network), improving security and performance.
- Ideal for sensitive data or internal applications that should not be exposed to the internet.
- Integrates with Azure Private Link, which helps connect services privately without exposing them publicly.
Example in IT context:
- An internal HR database can use a private endpoint so that only applications within the company’s Azure VNet can access it.
- A storage account can be accessed only by internal company applications, keeping sensitive data secure.
Security Benefits:
- Reduces the risk of data leakage, because no internet access is allowed.
- Helps comply with regulatory requirements that require internal-only access.
Public vs. Private Endpoints: Quick Comparison
| Feature | Public Endpoint | Private Endpoint |
|---|---|---|
| Accessibility | Internet-accessible | VNet/internal only |
| IP Address Type | Public IP | Private IP |
| Security | Needs firewall, NSG, authentication | Inherently secure, stays in private network |
| Use Case | Apps accessed globally | Internal-only apps, sensitive data |
| Traffic Path | Goes over the internet | Stays on Azure network (no internet) |
Exam Tips for AZ-900
- Know the difference between public and private endpoints. The exam often tests understanding of access scope and security.
- Remember: Public = Internet, Private = VNet/internal only.
- Be familiar with Azure services that can use private endpoints, like:
- Azure Storage
- Azure SQL Database
- Azure Key Vault
- Azure App Service
- Understand the security advantages of private endpoints over public endpoints.
Summary in Simple Words
- Public endpoints = “Reachable from anywhere via the internet.”
- Private endpoints = “Accessible only inside your private Azure network.”
- Always think: Do I want my resource exposed to the internet or only to my internal network? That decides which endpoint to use.
