Choose when to use a service endpoint

4.2 Service Endpoints

📘 Microsoft Azure Networking Solutions (AZ-700)


1. What Is a Service Endpoint?

A Service Endpoint is a feature in Microsoft Azure that allows a Virtual Network (VNet) to securely connect to certain Azure services over the Azure backbone network.

Normally, services like:

  • Azure Storage
  • Azure SQL Database
  • Azure Cosmos DB
  • Azure Key Vault

are accessed using their public endpoints (public IP addresses).

When you enable a Service Endpoint, traffic:

  • Still goes to the public endpoint
  • But travels through the Azure private backbone network
  • And the service can restrict access to specific VNets/subnets

So, the service becomes protected at the network level.


2. How Service Endpoints Work

When you enable a Service Endpoint on a subnet:

  1. The subnet is configured to allow direct connectivity to a specific Azure service.
  2. The Azure service is configured to allow traffic only from that VNet/subnet.
  3. Traffic from the VNet to the service:
    • Does not leave Microsoft’s backbone network.
    • Is identified by the VNet/subnet identity.

Important points:

  • The service still has a public IP.
  • DNS does not change.
  • No private IP is assigned to the service inside your VNet.
  • The service firewall is used to allow or deny VNets.

3. When Should You Use a Service Endpoint?

This is the most important part for the exam.

You should choose a Service Endpoint when:

1. You Want Simple Network-Level Protection

If your requirement is:

  • “Allow only specific VNets/subnets to access Azure Storage”
  • “Block all other public access”

Service Endpoints are suitable.

Example (IT scenario):
A company has application servers in a VNet. These servers access Azure Storage. The security team wants to ensure that:

  • Only that VNet can access the storage account.
  • No external internet traffic can access it.

Service Endpoint is a good choice.


2. You Do Not Need a Private IP in the VNet

Service Endpoints do NOT:

  • Create a private IP inside your VNet.
  • Use Private DNS.
  • Hide the public endpoint.

If you do NOT need a private IP for the service inside your subnet, Service Endpoints are sufficient.

If your requirement says:

  • “The service must not be exposed via public endpoint at all.”

Then Service Endpoints are NOT enough. In that case, you must use Private Endpoint (covered in Topic 4.1).


3. You Want Lower Complexity

Service Endpoints are:

  • Easier to configure
  • No need for Private DNS zones
  • No need for extra network interfaces
  • No approval process (like Private Link Service sometimes requires)

So, if the scenario is simple and internal, choose Service Endpoints.


4. You Are Accessing Azure PaaS Services from a VNet

Service Endpoints are mainly used when:

  • VMs inside a VNet access Azure PaaS services.
  • You want to secure that access.

Common supported services include:

  • Azure Storage
  • Azure SQL Database
  • Azure Cosmos DB
  • Azure Key Vault
  • Azure Service Bus

Always remember: Service Endpoints work only for supported Azure services.


4. When NOT to Use a Service Endpoint

For the exam, understanding limitations is very important.

1. When You Need Private IP Addressing

If the requirement says:

  • “The service must have a private IP inside the VNet.”
  • “The public endpoint must be completely disabled.”

Then use Private Endpoint, not Service Endpoint.

Service Endpoints:

  • Still use public endpoint.
  • Do not remove public access automatically.

2. When Access Is Needed from On-Premises via VPN or ExpressRoute

Service Endpoints:

  • Work from an Azure VNet to an Azure service.
  • Do NOT secure traffic coming directly from on-premises networks.

If the requirement says:

  • “On-premises users must access Azure Storage privately”
  • “Traffic must not use public endpoint at all”

Then Service Endpoint is NOT the correct solution. Use Private Endpoint.


3. When You Need Cross-Tenant or Cross-Subscription Isolation

Service Endpoints:

  • Protect based on VNet/subnet.
  • Do not provide full isolation like Private Link.

If the exam scenario emphasizes:

  • Strong isolation
  • Elimination of public exposure
  • Cross-tenant secure publishing

Then Service Endpoint is likely not correct.


5. Service Endpoint vs Private Endpoint (Exam Comparison)

This comparison is very important for AZ-700.

Feature                            | Service Endpoint | Private Endpoint
-----------------------------------|------------------|-----------------
Uses public endpoint?              | Yes              | No
Private IP inside VNet?            | No               | Yes
Requires Private DNS?              | No               | Yes (usually)
Simpler setup?                     | Yes              | More complex
Full isolation from internet?      | No               | Yes
Best for basic VNet restriction?   | Yes              | Not necessary

If the requirement is basic restriction from VNet → choose Service Endpoint.
If the requirement is complete private access → choose Private Endpoint.


6. Configuration Overview (High-Level Steps)

You should know the general steps:

  1. Go to the VNet.
  2. Select the subnet.
  3. Enable Service Endpoint for a specific service (e.g., Microsoft.Storage).
  4. Go to the Azure service (e.g., Storage account).
  5. Configure firewall settings:
    • Allow selected networks.
    • Add the VNet/subnet.

After this:

  • Only traffic from that subnet is allowed.
  • Other public traffic is blocked (if configured).
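The five steps above scripted with the Azure CLI, followed by a check that the storage firewall really closed the public endpoint. This is an added example and not part of the course notes. The resource group, VNet, subnet and storage account names are placeholders, and the two network-rule-set JSON samples are constructed to look like `az storage account show --query networkRuleSet` output; DRY_RUN defaults to 1 so the script only prints the commands it would run.

```shell
#!/usr/bin/env sh
# Added example (not from the course notes): scripts the high-level steps
# with the Azure CLI and then audits the result. Names below are
# placeholders; DRY_RUN=1 (the default) prints commands instead of running.

RG="${RG:-rg-app-prod}"            # placeholder resource group
VNET="${VNET:-vnet-app}"           # placeholder VNet
SUBNET="${SUBNET:-snet-appservers}" # placeholder subnet with the app servers
STORAGE="${STORAGE:-stappprod001}" # placeholder storage account
DRY_RUN="${DRY_RUN:-1}"

# Runs a command, or only prints it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Steps 1-3: tag the subnet with the Microsoft.Storage service endpoint.
# Steps 4-5: set the account firewall to "selected networks" (default
# action Deny) and add the subnet as an allowed virtual network rule.
configure_service_endpoint() {
  run az network vnet subnet update \
    --resource-group "$RG" --vnet-name "$VNET" --name "$SUBNET" \
    --service-endpoints Microsoft.Storage
  run az storage account update \
    --resource-group "$RG" --name "$STORAGE" --default-action Deny
  run az storage account network-rule add \
    --resource-group "$RG" --account-name "$STORAGE" \
    --vnet-name "$VNET" --subnet "$SUBNET"
}

# Audit: given the JSON of `az storage account show --query networkRuleSet`,
# return 0 only when the default action is Deny AND at least one virtual
# network rule exists. Tagging the subnet alone blocks nothing; the Deny
# default is what closes the public endpoint to everyone else.
audit_network_rule_set() {
  json="$1"
  printf '%s' "$json" | grep -q '"defaultAction": *"Deny"' || {
    echo "OPEN: defaultAction is not Deny; public endpoint still reachable by anyone"
    return 1
  }
  printf '%s' "$json" | grep -q '"virtualNetworkResourceId"' || {
    echo "MISCONFIGURED: defaultAction is Deny but no subnet has been added"
    return 2
  }
  echo "LOCKED: only listed subnets (plus bypassed Azure services) can connect"
  return 0
}

# Constructed sample outputs (not real accounts), shaped like the CLI output.
RULE='{"virtualNetworkResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app-prod/providers/Microsoft.Network/virtualNetworks/vnet-app/subnets/snet-appservers", "action": "Allow", "state": "Succeeded"}'
SAMPLE_STILL_OPEN='{"bypass": "AzureServices", "defaultAction": "Allow", "ipRules": [], "virtualNetworkRules": ['"$RULE"']}'
SAMPLE_LOCKED='{"bypass": "AzureServices", "defaultAction": "Deny", "ipRules": [], "virtualNetworkRules": ['"$RULE"']}'

# Stand-alone demo: print the commands (dry run), then audit the locked sample.
configure_service_endpoint
audit_network_rule_set "$SAMPLE_LOCKED"
```

Run with `DRY_RUN=0` and your own names to apply the steps for real. The audit is the part worth keeping: the subnet tag (step 3) changes nothing on the storage side by itself, and a default action of Allow leaves the public endpoint open to the whole internet even after the subnet rule is added. It also shows why the on-premises case in section 4 does not work: traffic from on-premises reaches the public endpoint with the on-premises public address rather than a VNet subnet identity, so it never matches the virtual network rule.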

7. Security Considerations

For the exam, remember:

  • Service Endpoints secure traffic at the network layer.
  • They work together with:
    • NSGs (Network Security Groups)
    • Service firewalls
  • They reduce exposure to the internet but do not remove the public endpoint.

Also:

  • Traffic stays within the Azure backbone network.
  • Service Endpoints reduce data exfiltration risk when properly configured.

8. Common Exam Question Patterns

You may see questions like:

  1. “VMs in a VNet must securely access Azure Storage. Public access should be blocked except from that VNet. Minimal complexity required.”

Correct answer: Service Endpoint.

  2. “The service must have a private IP and not be accessible via public endpoint.”

Correct answer: Private Endpoint.

  3. “On-premises users must privately access Azure SQL without using public endpoint.”

Correct answer: Private Endpoint.


9. Key Points to Remember for AZ-700

  • Service Endpoints extend VNet identity to Azure PaaS services.
  • They use public endpoint but secure it.
  • No private IP is created.
  • Simpler than Private Endpoint.
  • Best for restricting Azure service access to specific VNets.
  • Not suitable when full private isolation is required.

Final Summary (For Quick Revision)

Use Service Endpoint when:

  • You want to restrict Azure PaaS service access to specific VNets/subnets.
  • You do not need a private IP for the service.
  • You want a simple, low-complexity solution.
  • Public endpoint can still exist but must be restricted.

Do NOT use Service Endpoint when:

  • You need complete private access.
  • You must remove public endpoint exposure.
  • On-premises users must access the service privately.
  • Strong isolation is required.