4.2 Service Endpoints
📘Microsoft Azure Networking Solutions (AZ-700)
1. Introduction to Service Endpoints
In Microsoft Azure, a Service Endpoint allows a subnet in a Virtual Network (VNet) to securely connect to Azure platform services using the Azure backbone network instead of the public internet.
Supported services include:
- Azure Storage
- Azure SQL Database
- Azure Cosmos DB
- Azure Key Vault
- Azure Service Bus
When you configure access to service endpoints, you control which VNets and subnets are allowed to access a specific Azure service.
2. What Does “Configure Access to Service Endpoints” Mean?
Configuring access means:
- Enabling the service endpoint on a subnet.
- Restricting the Azure service so it accepts traffic only from selected VNets/subnets.
- Blocking public internet access (if required).
- Applying additional rules such as IP filtering.
This ensures that:
- Only approved internal resources can connect.
- Unauthorized networks cannot access the service.
- Traffic stays inside the Microsoft network.
3. How Service Endpoint Access Works (Technical Flow)
What happens technically:
- A VM inside a subnet tries to access Azure Storage.
- The subnet has a service endpoint enabled for Storage.
- Azure automatically:
  - Extends the subnet identity to Azure Storage.
  - Adds a system route to the Azure backbone.
- The Azure Storage firewall checks:
  - Is this subnet allowed?
  - If yes → allow access.
  - If no → deny access.
Important: the service still has a public IP, but access is restricted to approved VNets.
4. Steps to Configure Access to Service Endpoints
Step 1: Enable Service Endpoint on Subnet
Go to:
Virtual Network → Subnets → Select Subnet → Service Endpoints → Add
Choose service (for example, Microsoft.Storage).
This allows the subnet to identify itself to that Azure service.
Step 2: Configure Service Firewall
Now go to the Azure service (e.g., Storage Account):
Storage Account → Networking → Firewalls and virtual networks
Under Selected networks, you can:
- Add Virtual Network
- Select the VNet and subnet
- Save configuration
Now only selected VNets can access the service.
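Steps 1 and 2 as one deployable template, added here as an example (not code from the course notes or from Microsoft). The VNet name vnet-app, subnet snet-app and the storage account name are assumptions:

```bicep
// Added example (not from the course notes): Microsoft.Storage service endpoint on a
// subnet plus the matching storage account firewall. Resource names are assumptions.
param location string = resourceGroup().location
param storageAccountName string = 'stsep${uniqueString(resourceGroup().id)}'

// Step 1: enable the Microsoft.Storage service endpoint on the subnet.
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-app'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
  }
}

resource snet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: vnet
  name: 'snet-app'
  properties: {
    addressPrefix: '10.0.1.0/24'
    serviceEndpoints: [
      { service: 'Microsoft.Storage', locations: [ location ] }
    ]
  }
}

// Step 2: storage account firewall set to "Selected networks".
// defaultAction 'Deny' drops everything first, then the subnet is allow-listed.
// defaultAction 'Allow' would be the insecure "All networks" setting.
resource sa 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: {
    // Must stay 'Enabled': service endpoints still use the public endpoint, and
    // 'Disabled' would block even the allow-listed VNet traffic.
    publicNetworkAccess: 'Enabled'
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'AzureServices'
      ipRules: []
      virtualNetworkRules: [
        { id: snet.id, action: 'Allow' }
      ]
    }
  }
}
```

Deploy with az deployment group create, then confirm in the portal that Networking shows Selected networks with only snet-app listed.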
5. Important Firewall Configuration Options
When configuring access, you will see these options:
1. Allow All Networks
   - Any network, including the public internet, can reach the service (default)
   - Not secure for production
2. Selected Networks
   - Only chosen VNets/subnets can access
   - Recommended for secure environments
3. Private Endpoint Only
   - Used when Private Link is implemented (not service endpoints)
6. Service Endpoint Policies (Very Important for Exam)
A Service Endpoint Policy gives more granular control.
Example:
Instead of allowing a subnet to access all storage accounts, you can restrict it to:
- Only specific storage accounts
- Only specific Azure resources
This prevents users from accessing unauthorized storage accounts in the same region.
Key Points:
- Applied at subnet level.
- Only supported for Azure Storage.
- Adds additional filtering layer.
- Controls which storage accounts can be accessed.
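A service endpoint policy that pins the subnet to a single storage account, added here as an example (not from the course notes or from Microsoft). It assumes vnet-app, snet-app and the storage account from the earlier steps already exist; those names are assumptions:

```bicep
// Added example (not from the course notes): service endpoint policy restricting
// snet-app to one storage account. Existing resource names are assumptions.
param location string = resourceGroup().location
param storageAccountName string

resource sa 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {
  name: storageAccountName
}

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: 'vnet-app'
}

// The policy lists the only storage resources the subnet may reach.
// serviceResources accepts storage account, resource group or subscription IDs.
resource sep 'Microsoft.Network/serviceEndpointPolicies@2023-05-01' = {
  name: 'sep-storage-app'
  location: location
  properties: {
    serviceEndpointPolicyDefinitions: [
      {
        name: 'allow-only-app-storage'
        properties: {
          description: 'Only the application storage account is reachable from this subnet'
          service: 'Microsoft.Storage'
          serviceResources: [ sa.id ]
        }
      }
    ]
  }
}

// Attach the policy to the subnet. The Microsoft.Storage endpoint must be
// enabled on the same subnet, otherwise the policy has nothing to apply to.
resource snet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: vnet
  name: 'snet-app'
  properties: {
    addressPrefix: '10.0.1.0/24'
    serviceEndpoints: [
      { service: 'Microsoft.Storage', locations: [ location ] }
    ]
    serviceEndpointPolicies: [
      { id: sep.id }
    ]
  }
}
```

After deployment, requests from the subnet to any other storage account in the region fail at the policy, even if that account's own firewall allows the subnet.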
7. Network Security Groups (NSGs) and Service Endpoints
Service endpoints work together with NSGs.
You can:
- Allow traffic only to specific service tags.
- Use service tags like:
  - Storage
  - Sql
  - CosmosDB
Example rule in an NSG:
- Destination: Storage
- Action: Allow
This ensures outbound traffic only goes to Azure Storage.
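The NSG rule above as a template, added here as an example (not from the course notes or from Microsoft). It allows outbound HTTPS to the regional Storage service tag and denies all other internet egress; the NSG name and the region in the tag (East US) are assumptions:

```bicep
// Added example (not from the course notes): outbound rules that leave only the
// Storage service tag reachable. NSG name and region tag are assumptions.
param location string = resourceGroup().location
// Regional tag (Storage.<Region>) is tighter than the global 'Storage' tag.
param storageTag string = 'Storage.EastUS'

resource nsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-snet-app'
  location: location
  properties: {
    securityRules: [
      {
        name: 'allow-storage-https-out'
        properties: {
          priority: 100
          direction: 'Outbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: 'VirtualNetwork'
          sourcePortRange: '*'
          destinationAddressPrefix: storageTag
          destinationPortRange: '443'
        }
      }
      {
        // Lower number wins, so this only catches what the rule above did not allow.
        name: 'deny-internet-out'
        properties: {
          priority: 200
          direction: 'Outbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: 'Internet'
          destinationPortRange: '*'
        }
      }
    ]
  }
}

// Attach to the service-endpoint subnet by setting
// networkSecurityGroup: { id: nsg.id } in that subnet's properties.
```

Without the deny rule the default AllowInternetOutBound rule still applies, so the allow rule alone does not restrict egress.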
8. User Defined Routes (UDRs) and Service Endpoints
Important for the exam:
- Service endpoints automatically add system routes.
- You cannot override them with UDRs.
- Traffic to the Azure service always goes over the Azure backbone.
- Even if forced tunneling is configured, traffic to the service endpoint still stays on the Azure network.
9. Limitations of Service Endpoints
You must know these for AZ-700:
- Works only within the same Azure region.
- The service still uses its public endpoint.
- Cannot be reached from on-premises via a service endpoint.
- Does not provide a private IP inside the VNet.
- Supported only by specific Azure services.
- Cannot restrict access to a specific private IP; the granularity is the subnet.
10. Service Endpoints vs Private Endpoints (Exam Comparison)
| Feature | Service Endpoint | Private Endpoint |
|---|---|---|
| Uses public IP | Yes | No |
| Private IP in VNet | No | Yes |
| Works from on-premises | No | Yes |
| Configuration effort | Simpler | Slightly more complex |
| Security level | Moderate | Highest |
Private Endpoint is part of Azure Private Link.
11. Common Exam Scenarios
Scenario 1:
You must restrict Azure Storage access to only one subnet.
Solution:
- Enable the service endpoint on the subnet.
- Set the Storage firewall to Selected Networks.
- Add that subnet.
Scenario 2:
Users can access other storage accounts in the same region. Restrict access to only one specific storage account.
Solution:
- Configure a Service Endpoint Policy.
Scenario 3:
You need private IP access and on-premises connectivity.
Solution:
- A Service Endpoint is NOT correct; use a Private Endpoint.
12. Security Best Practices
For exam and real-world IT environments:
- Always use “Selected Networks”
- Disable public network access if possible
- Combine with NSGs
- Use service endpoint policies for Storage
- Monitor using Azure Monitor logs
- Apply least privilege principle
13. Monitoring and Logging
You can monitor access using:
- Diagnostic settings
- Azure Monitor
- Storage account logs
- Network Watcher
Logs help detect unauthorized access attempts.
14. Important Exam Tips (AZ-700 Focus)
You must remember:
✔ Service endpoint secures traffic over Azure backbone
✔ Service still has public endpoint
✔ Access restricted via firewall
✔ Subnet-level configuration
✔ Cannot be used from on-premises
✔ Service Endpoint Policy only for Storage
✔ Works only in same region
15. Quick Summary
Configuring access to service endpoints involves:
- Enabling service endpoint on a subnet.
- Configuring the Azure service firewall.
- Selecting allowed VNets/subnets.
- Optionally applying service endpoint policies.
- Combining with NSG rules.
It is used when:
- You want secure VNet-to-Azure-service communication.
- You do not require private IP inside VNet.
- You want simpler configuration than Private Endpoint.
