4.2 Service Endpoints
📘Microsoft Azure Networking Solutions (AZ-700)
This topic is very important for the AZ-700 exam because it focuses on controlling access to Azure PaaS services when using Virtual Network (VNet) Service Endpoints.
To pass the exam, you must clearly understand:
- What service endpoint policies are
- Why they are needed
- How they work
- What services support them
- How to configure them
- Their limitations
- The difference between service endpoints and service endpoint policies
1. Quick Revision: What Is a Service Endpoint?
A Service Endpoint extends your Azure Virtual Network (VNet) identity to Azure PaaS services such as:
- Microsoft Azure (platform)
- Azure Storage
- Azure SQL Database
- Azure Cosmos DB
When enabled:
- Traffic from your VNet to these services stays on the Microsoft backbone network.
- You can restrict the service to allow traffic only from specific VNets/subnets.
But there is a limitation.
2. Why Service Endpoint Policies Are Needed
When you enable a service endpoint for a subnet:
- That subnet can access the entire Azure service.
- For example, if you enable a service endpoint for Azure Storage, that subnet can access any storage account in Azure (if network rules allow it).
This may not be secure enough.
Example IT Scenario
An organization has:
- Multiple Azure Storage accounts
- Some are production storage accounts
- Some are test storage accounts
- Some belong to different departments
If a subnet has a service endpoint enabled for Azure Storage, users in that subnet might access all storage accounts, unless you restrict them.
This is where Service Endpoint Policies come in.
3. What Is a Service Endpoint Policy?
A Service Endpoint Policy allows you to:
Restrict a subnet to access only specific Azure service resources.
In simple words:
- Service Endpoint → Gives subnet access to the service.
- Service Endpoint Policy → Controls which specific resources inside that service can be accessed.
4. How Service Endpoint Policies Work
The process works like this:
- You enable a service endpoint on a subnet.
- You create a service endpoint policy.
- Inside the policy, you define:
  - The service (for example: Microsoft.Storage)
  - The specific resource (for example: a specific Storage Account)
- You associate the policy with the subnet.
After this:
- That subnet can access only the storage accounts defined in the policy.
- Access to other storage accounts is denied.
5. Supported Services (Important for Exam)
Service Endpoint Policies are currently supported mainly for:
- Microsoft.Storage
This is a very important exam point.
Service endpoint policies:
- Are designed mainly for Azure Storage
- Are not broadly supported across all Azure services
Always check exam questions carefully for this.
6. Components of a Service Endpoint Policy
A Service Endpoint Policy contains:
1. Policy Definition
Specifies:
- Service (e.g., Microsoft.Storage)
- Resource type (e.g., storageAccounts)
- Resource ID (specific storage account)
2. Association
The policy must be associated with:
- A specific subnet in a VNet
Without association, the policy does nothing.
7. Step-by-Step: Configure Service Endpoint Policies
You should know the logical steps (even if the exam is theoretical).
Step 1: Enable Service Endpoint on Subnet
Go to:
- Virtual Network
- Subnets
- Select Subnet
- Enable service endpoint (e.g., Microsoft.Storage)
Step 2: Create Service Endpoint Policy
Go to:
- Create a new resource
- Search: Service Endpoint Policy
- Provide:
  - Name
  - Region
  - Resource group
Step 3: Add Policy Definitions
Inside the policy:
- Add a policy definition
- Select:
  - Service: Microsoft.Storage
  - Scope: Specific storage account
  - Select the storage account resource ID
Step 4: Associate Policy with Subnet
- Go to the subnet
- Attach the Service Endpoint Policy
Now the subnet is restricted to only allowed storage accounts.
8. Important Security Behavior
After applying a Service Endpoint Policy:
- Subnet can access only defined storage accounts
- Access to other storage accounts is blocked
- This works together with:
  - Storage account firewall rules
  - VNet rules
Important:
Both must allow traffic:
- Subnet policy must allow
- Storage account network rule must allow
If either blocks → access fails
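The four steps in section 7 together with the "both must allow" rule from section 8, as an added Azure PowerShell (Az module) example that is not part of the original notes. The resource group, region, names, address prefixes and the two storage account names are made-up assumptions; the storage account names are placeholders and must be globally unique.

```powershell
# Added example (not from the original notes): Az module version of steps 1-4
# plus the storage-side firewall rule that section 8 says must also allow.
# Assumptions: all names, prefixes and the region are made up.
$rg  = 'rg-az700-demo'
$loc = 'eastus'
New-AzResourceGroup -Name $rg -Location $loc | Out-Null

# Step 1: subnet with the Microsoft.Storage service endpoint enabled
$subnet = New-AzVirtualNetworkSubnetConfig -Name 'snet-prod' -AddressPrefix '10.10.1.0/24' `
    -ServiceEndpoint 'Microsoft.Storage'
$vnet = New-AzVirtualNetwork -Name 'vnet-prod' -ResourceGroupName $rg -Location $loc `
    -AddressPrefix '10.10.0.0/16' -Subnet $subnet
$subnetId = (Get-AzVirtualNetworkSubnetConfig -Name 'snet-prod' -VirtualNetwork $vnet).Id

# Section 8: the storage account firewall must ALSO allow the subnet.
# Two accounts (placeholder names); the policy will later allow only the production one.
$prod = New-AzStorageAccount -ResourceGroupName $rg -Name 'stprodplaceholder01' -Location $loc `
    -SkuName Standard_LRS -Kind StorageV2
$dev  = New-AzStorageAccount -ResourceGroupName $rg -Name 'stdevplaceholder01' -Location $loc `
    -SkuName Standard_LRS -Kind StorageV2
foreach ($sa in @($prod, $dev)) {
    Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $sa.StorageAccountName `
        -VirtualNetworkResourceId $subnetId | Out-Null
    Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $sa.StorageAccountName `
        -DefaultAction Deny -Bypass None | Out-Null
}
# At this point both firewalls allow the subnet, so the subnet can reach both accounts.

# Steps 2 and 3: policy with one definition scoped to the production account only
$def = New-AzServiceEndpointPolicyDefinition -Name 'allow-prod-storage-only' `
    -Service 'Microsoft.Storage' -ServiceResource $prod.Id `
    -Description 'Production subnet may reach only the production storage account'
$policy = New-AzServiceEndpointPolicy -ResourceGroupName $rg -Name 'sep-prod-storage' `
    -Location $loc -ServiceEndpointPolicyDefinition $def

# Step 4: associate the policy with the subnet (the policy does nothing until this)
$vnet = Get-AzVirtualNetwork -Name 'vnet-prod' -ResourceGroupName $rg
Set-AzVirtualNetworkSubnetConfig -Name 'snet-prod' -VirtualNetwork $vnet `
    -AddressPrefix '10.10.1.0/24' -ServiceEndpoint 'Microsoft.Storage' `
    -ServiceEndpointPolicy $policy | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Check: the subnet now carries the policy. $dev is still firewall-allowed but is
# blocked by the subnet policy; $prod passes both the policy and the firewall.
(Get-AzVirtualNetworkSubnetConfig -Name 'snet-prod' -VirtualNetwork $vnet).ServiceEndpointPolicies.Id
```

Run the storage-side rules before the policy, as above: a subnet policy alone cannot grant access that the storage account firewall denies.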
9. How It Is Used in Real IT Environments
Example 1: Production Control
An organization has:
- Production storage account
- Development storage account
Production subnet should access only:
- Production storage account
Service endpoint policy ensures:
- Production subnet cannot access development storage.
Example 2: Multi-Department Environment
Finance department VNet:
- Should access only Finance storage account
HR department VNet:
- Should access only HR storage account
Service endpoint policies enforce this restriction.
10. Service Endpoint vs Service Endpoint Policy (Exam Comparison)
| Feature | Service Endpoint | Service Endpoint Policy |
|---|---|---|
| Enables private routing | Yes | No |
| Restricts to specific resource | No | Yes |
| Applied at subnet level | Yes | Yes |
| Required for basic access | Yes | No |
| Adds extra security control | No | Yes |
Very common exam trick:
If question says:
Restrict subnet to access only specific storage accounts
Answer:
→ Use Service Endpoint Policy
11. Limitations (Very Important for Exam)
You must remember:
- Mainly supported for Microsoft.Storage
- Works only with Service Endpoints (not Private Endpoints)
- Applied at subnet level only
- Cannot filter by container or blob
- Cannot filter by IP
- Only restricts by resource
12. Service Endpoint Policy vs Private Endpoint
Students often confuse this.
Service Endpoint Policy:
- Still uses the service's public endpoint
- Traffic stays on the Microsoft backbone
- No private IP is assigned to the service
- Restricts which resources can be accessed
Private Endpoint:
- Service gets private IP inside VNet
- Completely private access
- More secure and isolated
If exam question says:
Need full private access with no public exposure
Answer:
→ Use Private Endpoint
If exam question says:
Restrict subnet to specific storage accounts
Answer:
→ Use Service Endpoint Policy
13. Design Considerations for Exam
You must think about:
- Number of storage accounts
- Which subnets need access
- Whether full isolation is required
- Whether resource-level restriction is needed
- If Microsoft.Storage is used
14. Common Exam Scenarios
Scenario 1
A subnet should access only one specific storage account.
✔ Enable Service Endpoint
✔ Create Service Endpoint Policy
Scenario 2
Multiple storage accounts, restrict by department.
✔ Create different policies
✔ Associate with different subnets
Scenario 3
Need completely private IP access
✘ Do NOT use Service Endpoint Policy
✔ Use Private Endpoint
15. Key Exam Points to Memorize
- Service Endpoint Policy = resource-level restriction
- Works mainly with Microsoft.Storage
- Applied at subnet level
- Requires Service Endpoint enabled first
- Does not replace Private Endpoint
- Used for fine-grained control
Final Summary
Service Endpoint Policies are an advanced security feature in Azure networking.
They allow you to:
- Control which specific Azure Storage accounts a subnet can access
- Reduce the risk of accidental access to other storage accounts
- Add an extra security layer on top of Service Endpoints
For the AZ-700 exam, remember:
Service Endpoint → Enables service access
Service Endpoint Policy → Restricts which specific resources can be accessed
If you clearly understand this difference, you will confidently answer exam questions related to this topic.
