Configure and manage virtual networks in Azure
📘Microsoft Certified: Azure Administrator Associate (AZ-104)
1. What Are Azure Service Endpoints?
A Service Endpoint extends your VNet identity to an Azure PaaS service.
This means:
- Traffic from your VNet to the PaaS service stays on the Azure backbone network, not the public internet.
- You can restrict the PaaS service’s firewall to allow only your VNet/subnet.
Key Characteristics of Service Endpoints
| Feature | Description |
|---|---|
| Connectivity | Uses Azure backbone (NOT private IP) |
| PaaS service IP | Still a public IP |
| VNet Integration | Associates a subnet with the PaaS service |
| Security | Restrict service access to specific VNets/subnets |
| DNS | No DNS changes needed |
| Cost | Free |
How Service Endpoints Work (Simple Explanation)
Even though the service still has a public IP, Azure recognizes that your request comes from a subnet with a configured service endpoint.
It then treats your VNet as a trusted source.
Think of it as tagging your subnet so the PaaS service recognizes it and allows direct access.
2. When Should You Use Service Endpoints?
Service endpoints are a good choice when:
- You want simple, fast setup.
- You’re okay with the PaaS service keeping its public IP address.
- You do NOT need a private IP for the service.
- You want to stop access from the public internet but allow trusted VNets.
- You want better performance with fewer network hops.
Common Use Cases
- A VM in a VNet needs secure access to Azure Storage.
- An application subnet must securely access Azure SQL Database.
- You want to lock down Azure Storage to only one or more specific subnets.
3. How to Configure Service Endpoints
Step 1: Enable Service Endpoint on Your Subnet
- Go to your VNet → Subnets.
- Select the subnet.
- Under Service Endpoints, choose the PaaS service you want (e.g., Microsoft.Storage, Microsoft.Sql).
- Save.
Step 2: Configure Firewall Rules on the PaaS Service
Example for Azure Storage:
- Open Storage Account → Networking.
- Choose Selected networks.
- Add the VNet/subnet that has the service endpoint enabled.
Now only your VNet can access the service.
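The same two steps expressed as infrastructure-as-code, as an added example that is not part of the original notes: a Bicep template that enables the Microsoft.Storage service endpoint on a subnet and sets the storage account firewall to "Selected networks" (default action Deny, the one subnet allowed). The VNet name, subnet name, address ranges and the generated storage account name are assumed placeholder values.

```bicep
// Added example (not from the original notes): Microsoft.Storage service endpoint on a
// subnet plus a storage firewall that admits only that subnet. Names and address ranges
// below are assumed placeholders.
param location string = resourceGroup().location
param vnetName string = 'vnet-app'
param storageAccountName string = 'stexample${uniqueString(resourceGroup().id)}'

resource vnet 'Microsoft.Network/virtualNetworks@2023-09-01' = {
  name: vnetName
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [ '10.10.0.0/16' ]
    }
  }

  // Step 1: enable the Microsoft.Storage service endpoint on the application subnet.
  resource appSubnet 'subnets' = {
    name: 'snet-app'
    properties: {
      addressPrefix: '10.10.1.0/24'
      serviceEndpoints: [
        {
          service: 'Microsoft.Storage'
        }
      ]
    }
  }
}

// Step 2: storage firewall in "Selected networks" mode.
resource storage 'Microsoft.Storage/storageAccounts@2023-05-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: {
    minimumTlsVersion: 'TLS1_2'
    allowBlobPublicAccess: false
    networkAcls: {
      defaultAction: 'Deny'      // 'Allow' here is the weak setting: the firewall would admit any source
      bypass: 'AzureServices'    // trusted Microsoft services may still connect; use 'None' to be strict
      virtualNetworkRules: [
        {
          // The subnet must already carry the Microsoft.Storage service endpoint
          // (Step 1); referencing it here also makes Bicep deploy the subnet first.
          id: vnet::appSubnet.id
          action: 'Allow'
        }
      ]
      ipRules: []
    }
  }
}

output allowedSubnetId string = vnet::appSubnet.id
```

The public IP of the storage account is unchanged; what changes is that the account's firewall now rejects every source except traffic arriving from `snet-app` over the service endpoint. A practitioner auditing this setup checks two things: `defaultAction` is `Deny` (not `Allow`), and every entry in `virtualNetworkRules` points at a subnet that actually has the endpoint enabled.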
4. What Are Azure Private Endpoints?
A Private Endpoint creates a private IP address inside your VNet for the PaaS service.
This means:
- The service is accessed through your private IP.
- The PaaS service becomes part of your internal network.
- There is no public exposure at all (when public access is disabled).
Key Characteristics of Private Endpoints
| Feature | Description |
|---|---|
| Connectivity | Private IP from your VNet |
| PaaS service IP | Private IP (no public path) |
| Security | Highest level; remove internet access completely |
| DNS | Required for correct name resolution |
| Network Isolation | True private access |
| Cost | Private Link has additional cost |
How Private Endpoints Work (Simple Explanation)
Azure creates a network interface (NIC) inside your VNet.
This NIC gets a private IP and is linked to the PaaS service.
When your apps connect to the PaaS service DNS name, Azure resolves that name to the private IP in your VNet, so the connection goes to the private endpoint rather than the public endpoint.
5. When Should You Use Private Endpoints? (Exam Focus)
Use private endpoints when:
- You need complete isolation from the public internet.
- Your security requirements demand private IP access only.
- You want PaaS services to behave as if they are inside your VNet.
- You need granular access controls using NSGs on the private endpoint subnet.
- You want cross-region secure private access.
Common Use Cases
- A company wants private access to SQL Database without any public exposure.
- Accessing a Storage Account from on-premises using a private IP via VPN or ExpressRoute.
- A web application in VNet accessing Key Vault securely with no public endpoint.
6. How to Configure a Private Endpoint
Step 1: Create Private Endpoint
- Go to the PaaS service (Storage, SQL, Key Vault, etc.).
- Select Networking → Private Endpoint Connections.
- Click Add.
- Choose your VNet and subnet.
- Azure creates a NIC in your chosen subnet with a private IP.
Step 2: Configure DNS
Private Endpoint requires proper DNS resolution.
You can use:
- Azure-provided private DNS zone (recommended)
- Custom DNS servers
- On-prem DNS integrated with Azure
Azure automatically links the DNS zone to your VNet if you choose the automatic option.
Step 3: Disable Public Access (Optional but Recommended)
To fully lock down:
- In the PaaS service networking settings, disable public access.
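The three steps above as one Bicep template, added here as an example that is not part of the original notes: a private endpoint for a storage account's blob sub-resource (Step 1), the `privatelink` private DNS zone linked to the VNet with a zone group so Azure writes the A record automatically (Step 2, the "Azure-provided private DNS zone" option), and public network access switched off (Step 3). VNet and subnet names, address ranges and the generated storage account name are assumed placeholders.

```bicep
// Added example (not from the original notes): private endpoint + private DNS zone +
// public access disabled for a storage account's blob service. Names and address
// ranges below are assumed placeholders.
param location string = resourceGroup().location
param vnetName string = 'vnet-app'
param storageAccountName string = 'stexample${uniqueString(resourceGroup().id)}'

resource vnet 'Microsoft.Network/virtualNetworks@2023-09-01' = {
  name: vnetName
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
  }
  // Dedicated subnet for private endpoints; the PE NIC gets an address from this range.
  resource peSubnet 'subnets' = {
    name: 'snet-private-endpoints'
    properties: {
      addressPrefix: '10.10.2.0/24'
    }
  }
}

// Step 3: no public path at all; only the private endpoint remains.
resource storage 'Microsoft.Storage/storageAccounts@2023-05-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: {
    minimumTlsVersion: 'TLS1_2'
    allowBlobPublicAccess: false
    publicNetworkAccess: 'Disabled'   // 'Enabled' would keep the public endpoint reachable
    networkAcls: { defaultAction: 'Deny', bypass: 'None' }
  }
}

// Step 1: the private endpoint. Azure creates a NIC in peSubnet with a private IP
// and links it to the storage account's blob sub-resource.
resource privateEndpoint 'Microsoft.Network/privateEndpoints@2023-09-01' = {
  name: 'pe-${storageAccountName}-blob'
  location: location
  properties: {
    subnet: { id: vnet::peSubnet.id }
    privateLinkServiceConnections: [
      {
        name: 'blob'
        properties: {
          privateLinkServiceId: storage.id
          groupIds: [ 'blob' ]   // one private endpoint per sub-resource (blob, file, queue, table, ...)
        }
      }
    ]
  }
}

// Step 2: DNS. <account>.blob.core.windows.net becomes a CNAME to
// <account>.privatelink.blob.core.windows.net; this zone answers that name with the
// private IP for clients inside the linked VNet.
resource dnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.blob.${environment().suffixes.storage}'
  location: 'global'
}

resource dnsLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: dnsZone
  name: '${vnetName}-link'
  location: 'global'
  properties: {
    virtualNetwork: { id: vnet.id }
    registrationEnabled: false
  }
}

// The zone group makes Azure create and maintain the A record for the PE's private IP.
resource dnsZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-09-01' = {
  parent: privateEndpoint
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'blob'
        properties: { privateDnsZoneId: dnsZone.id }
      }
    ]
  }
}

output privateEndpointNicId string = privateEndpoint.properties.networkInterfaces[0].id
```

The DNS part is the piece that is most often left out and the reason the notes list DNS as "Required": without the zone and the VNet link, clients still resolve the storage account to its public IP, and with `publicNetworkAccess` set to `Disabled` they then get a 403 instead of a private connection. Resolving the account name from a VM in the linked VNet and confirming it returns a `10.10.2.x` address is the quickest check that all three steps took effect.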
7. Service Endpoints vs Private Endpoints (Important for AZ-104 Exam)
| Feature | Service Endpoints | Private Endpoints |
|---|---|---|
| IP Type | Public IP of the service | Private IP inside VNet |
| Exposure | Service still has a public endpoint | No public access required |
| Security | Good | Strong (best option) |
| DNS | Not needed | Required |
| Cost | Free | Paid (Private Link) |
| Complexity | Simple | More complex |
| On-premises access via VPN/ExpressRoute | Not supported | Supported |
| Access control | VNet/subnet-based | Private IP-based |
Exam Tip:
If the requirement says:
- “No public endpoint” → Private Endpoint
- “Secure traffic but okay with public endpoint existing” → Service Endpoint
8. PaaS Services That Support Service Endpoints and Private Endpoints
Common Services Supporting Service Endpoints
- Azure Storage
- Azure SQL Database
- Azure Key Vault
- Cosmos DB
- Azure Event Hub
- Azure Service Bus
- Azure App Service (some scenarios)
Common Services Supporting Private Endpoints
- Azure Storage
- Azure SQL Database
- Azure Key Vault
- Cosmos DB
- Web Apps (Private Link)
- Azure Search
- Azure Machine Learning
- Many more (Private Link supports 100+ services)
9. Security Considerations
For Service Endpoints
- NSGs still work normally.
- Service endpoint traffic bypasses NAT.
- Restrict access at the service firewall.
For Private Endpoints
- PaaS service is reachable only via the private IP.
- NSGs do NOT apply directly to private endpoint NICs (important exam fact). NSGs apply to the subnet, but you cannot block traffic to the private endpoint itself using NSGs.
- Public endpoint can be disabled completely.
10. Common Exam Scenarios and Answers
Scenario 1
“You need Azure Storage access from a VNet. Public endpoint must stay available for other clients.”
→ Use Service Endpoint.
Scenario 2
“A database must only be reachable from on-premises via VPN or ExpressRoute.”
→ Use Private Endpoint.
Scenario 3
“You must remove ALL public access to the PaaS service.”
→ Use Private Endpoint and disable public network access.
Scenario 4
“You need a simple setup to secure a PaaS service with minimal cost.”
→ Choose Service Endpoint.
Scenario 5
“Application needs private IP access to Key Vault.”
→ Use Private Endpoint.
11. Summary for AZ-104 Exam Preparation
To pass the exam, remember:
✔ Service Endpoints
- Keep public IP
- No cost
- Improve security
- Easy to configure
- Does NOT provide private IP
✔ Private Endpoints
- Provide private IP
- Highest security level
- Can disable public access completely
- Require DNS configuration
- Higher cost and complexity
If the requirement mentions a private IP, no public internet, or on-premises access, the answer is almost always Private Endpoint.
