4.2 Service Endpoints
📘Microsoft Azure Networking Solutions (AZ-700)
This section explains everything you need to know about creating and configuring service endpoints in Microsoft Azure for the AZ-700 exam.
We will cover:
- What service endpoints are
- Why they are used
- Supported services
- How service endpoints work
- Step-by-step creation process
- Required configurations
- Security considerations
- Limitations
- Monitoring and troubleshooting
- Important exam tips
1. What Is a Service Endpoint?
A service endpoint allows you to securely connect your Azure Virtual Network (VNet) to certain Azure services over the Microsoft backbone network, instead of using the public internet.
Even though the Azure service (such as Azure Storage) still has a public IP address, traffic from your VNet:
- Stays inside Microsoft’s network
- Uses your VNet identity
- Can be restricted to specific VNets and subnets
Service endpoints provide secure access to Azure PaaS services from a VNet.
2. Why Use Service Endpoints?
Service endpoints are used when:
- You want to restrict access to an Azure service to specific VNets.
- You want traffic to stay inside Microsoft’s backbone network.
- You want better security without using private endpoints.
- You want simple and low-cost network-level protection.
Example in an IT Environment
An organization has:
- Web servers running inside a VNet
- An Azure Storage account storing application data
Without service endpoints:
- The storage account is accessed over its public endpoint from any network.
- Anyone with valid credentials can reach it, regardless of where they connect from.
With service endpoints:
- The storage account firewall is configured to allow only a specific VNet/subnet.
- Only resources inside that subnet can access the storage account.
3. Supported Azure Services
Not all Azure services support service endpoints.
Common supported services include:
- Azure Storage
- Azure SQL Database
- Azure Cosmos DB
- Azure Key Vault
- Azure Service Bus
- Azure Event Hubs
- Azure App Service (limited scenarios)
For the exam:
You should remember that service endpoints only work with supported Azure PaaS services.
4. How Service Endpoints Work
When you enable a service endpoint on a subnet:
- The subnet gets a direct route to the Azure service.
- The Azure service sees traffic as coming from the VNet.
- You can configure the service firewall to allow only that subnet.
Important technical behavior:
- Traffic still goes to the public endpoint.
- The public IP of the service does NOT change.
- The service identifies the source subnet using Azure’s internal metadata.
- The source IP remains private within Azure.
5. Steps to Create a Service Endpoint
There are two main steps:
Step 1: Enable Service Endpoint on a Subnet
In the Azure Portal:
- Go to Virtual Networks
- Select your VNet
- Go to Subnets
- Select the subnet
- Under Service endpoints, click Add
  - Select the service (e.g., Microsoft.Storage)
  - Choose the region
  - Save
Now the subnet has a service endpoint enabled.
Step 2: Configure the Azure Service Firewall
Example: Storage Account
- Go to the Storage Account
- Select Networking
- Choose Selected networks
- Click Add existing virtual network
- Select:
  - Subscription
  - VNet
  - Subnet (where the endpoint is enabled)
- Save
Now only that subnet can access the storage account.
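The two steps above expressed as one Bicep template, added here as an example (not from the original page); resource names, address prefixes, the storage account name and API versions are assumptions.

```bicep
// Added example: both halves of the service endpoint configuration in one template.
// Names, prefixes and API versions are assumptions, not values from the page.
param location string = resourceGroup().location
param storageName string = 'stsvcendpointdemo'   // placeholder, must be globally unique

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'app-vnet'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
  }
}

// Step 1: the endpoint is enabled on the subnet, never on the whole VNet.
resource appSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: vnet
  name: 'app-subnet'
  properties: {
    addressPrefix: '10.0.1.0/24'
    serviceEndpoints: [
      { service: 'Microsoft.Storage', locations: [ location ] }
    ]
  }
}

// Step 2: the storage firewall denies by default and allows only that subnet.
// Azure rejects a virtualNetworkRules entry for a subnet that does not already
// have the Microsoft.Storage endpoint, which is why both sides must be configured.
resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageName
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: {
    publicNetworkAccess: 'Enabled'      // the public endpoint still exists
    networkAcls: {
      defaultAction: 'Deny'             // "Selected networks" in the portal
      bypass: 'AzureServices'           // set to 'None' if trusted services need no access
      virtualNetworkRules: [
        { id: appSubnet.id, action: 'Allow' }
      ]
    }
  }
}
```

Deploying this with defaultAction left at Allow would reproduce the "endpoint enabled but firewall not configured" issue from the troubleshooting section: the endpoint exists, but nothing is restricted.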
6. Key Requirements
For the exam, remember these:
- Service endpoints are enabled at the subnet level, not the VNet level.
- You must configure both sides:
  - Subnet (enable the endpoint)
  - Service firewall (allow the subnet)
- The VNet and the service must be in the same Azure region (in most scenarios).
- Service endpoints work only for supported services.
7. Network Security Groups (NSGs) and Service Endpoints
Important exam topic.
When using service endpoints:
- NSGs still apply.
- You can use service tags in NSG rules (examples: Storage, Sql).
Service tags represent groups of Azure IP addresses.
This allows you to:
- Allow outbound traffic to Azure Storage
- Block internet access but still allow Storage access
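An NSG that does exactly this, added here as an example (not from the original page): outbound traffic to the Storage service tag is allowed and everything else to the Internet tag is denied. Rule names, ports and priorities are assumptions.

```bicep
// Added example: NSG rules built on service tags for a subnet that uses a
// Microsoft.Storage service endpoint. Names, ports and priorities are assumptions.
param location string = resourceGroup().location

resource nsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'app-subnet-nsg'
  location: location
  properties: {
    securityRules: [
      {
        // 'Storage' expands to the Azure Storage address ranges that Microsoft
        // maintains; a regional tag such as 'Storage.WestEurope' narrows it further.
        name: 'allow-storage-https'
        properties: {
          priority: 100                 // lower number = evaluated first
          direction: 'Outbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: 'VirtualNetwork'
          sourcePortRange: '*'
          destinationAddressPrefix: 'Storage'
          destinationPortRange: '443'
        }
      }
      {
        // Storage ranges are also inside 'Internet', so this deny must sit
        // behind the allow rule or storage traffic is blocked as well.
        name: 'deny-internet'
        properties: {
          priority: 200
          direction: 'Outbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: 'Internet'
          destinationPortRange: '*'
        }
      }
    ]
  }
}
```

The NSG is attached by setting networkSecurityGroup: { id: nsg.id } in the subnet's properties; the subnet still needs the Microsoft.Storage endpoint, since the NSG only controls which destinations are allowed.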
8. Service Endpoint Policies
Service endpoint policies provide additional control.
They allow you to:
- Restrict a subnet to specific storage accounts
- Prevent access to other storage accounts
Without policies:
- The subnet can access any storage account whose firewall allows it.
With policies:
- The subnet can access only the selected storage accounts.
This matters in secure environments, because it limits where data can be written from the subnet, not just which subnets can reach a given account.
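A service endpoint policy that pins the subnet to a single storage account, added here as an example (not from the original page). It assumes the VNet and the storage account already exist; resource names and API versions are assumptions.

```bicep
// Added example: a service endpoint policy limiting a subnet to one storage account.
// The VNet and storage account are assumed to exist already; names are assumptions.
param location string = resourceGroup().location
param vnetName string = 'app-vnet'
param storageName string = 'stsvcendpointdemo'   // placeholder name

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: vnetName
}
resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {
  name: storageName
}

// Only the listed serviceResources are reachable through the endpoint. Any other
// storage account is blocked even if its own firewall would allow this subnet.
resource policy 'Microsoft.Network/serviceEndpointPolicies@2023-05-01' = {
  name: 'app-storage-only'
  location: location
  properties: {
    serviceEndpointPolicyDefinitions: [
      {
        name: 'allow-app-storage-only'
        properties: {
          service: 'Microsoft.Storage'
          // A resource group or subscription id is also accepted here.
          serviceResources: [ storage.id ]
        }
      }
    ]
  }
}

// The policy is attached on the subnet, next to the endpoint it governs.
resource appSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: vnet
  name: 'app-subnet'
  properties: {
    addressPrefix: '10.0.1.0/24'
    serviceEndpoints: [ { service: 'Microsoft.Storage', locations: [ location ] } ]
    serviceEndpointPolicies: [ { id: policy.id } ]
  }
}
```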
9. Limitations of Service Endpoints
For the AZ-700 exam, understand the limitations:
- They work only with supported Azure services.
- Traffic still uses the service's public endpoint.
- They cannot be used to reach on-premises resources.
- They are not as secure as Private Endpoints.
- No private IP is assigned to the service.
- They cannot be used across regions in most cases.
- They do not hide the public endpoint.
10. Service Endpoints vs Private Endpoints (Exam Comparison)
You must know the difference.
| Feature | Service Endpoint | Private Endpoint |
|---|---|---|
| Uses Private IP | No | Yes |
| Traffic via Microsoft backbone | Yes | Yes |
| Public endpoint disabled | No | Can be |
| Works at subnet level | Yes | No (NIC level) |
| More secure | Less | More |
| Cost | Free | Has cost |
For exam scenarios:
- If the question asks for private IP access, the answer is Private Endpoint.
- If the question asks to restrict access to a VNet, the answer is Service Endpoint.
11. Monitoring and Troubleshooting
You should know:
- Use Network Watcher for troubleshooting.
- Use Effective routes to check routing.
- Use NSG flow logs to verify traffic.
- Check service firewall settings.
Common issues:
- Endpoint enabled but firewall not configured.
- Wrong subnet selected.
- NSG blocking traffic.
- Service in different region.
12. Security Best Practices
For the AZ-700 exam:
- Use service endpoints with firewall restrictions.
- Combine with NSGs.
- Use service endpoint policies for tighter control.
- Do not rely only on service endpoints for high-security systems.
- Consider Private Endpoints for sensitive data.
13. Exam Scenario Examples
You may see questions like:
- “Ensure that only resources in a specific subnet can access an Azure Storage account.”
  → Enable service endpoint + configure storage firewall.
- “Traffic must stay on Microsoft backbone but no private IP required.”
  → Service Endpoint.
- “Block internet access but allow Azure SQL access.”
  → Use NSG with service tag + service endpoint.
14. Important Exam Points to Remember
✔ Service endpoints are configured on subnets
✔ You must configure the Azure service firewall
✔ Traffic stays on Microsoft backbone
✔ Public endpoint still exists
✔ No private IP assigned
✔ Works only with supported PaaS services
✔ Service endpoint policies add extra control
Final Summary
Service endpoints in Microsoft Azure allow secure, direct connectivity between a VNet subnet and supported Azure services using Microsoft’s internal network.
To create a service endpoint:
- Enable it on the subnet.
- Configure the Azure service firewall to allow that subnet.
They provide:
- Better security
- Reduced exposure to the internet
- Simple configuration
- No additional cost
However, they are less secure than Private Endpoints because they do not provide a private IP and do not remove the public endpoint.
