In this two-part article series, I'll explore a common Azure scenario involving Virtual Network (VNet) Service Endpoints, specifically in the context of Azure Storage. Microsoft already provides extensive documentation on the feature itself, so this series won't repeat it; that material is all available in the MS Docs. Instead, the focus is on practical considerations, real-world use cases, and the network impact of using service endpoints in your environment.
📚 Understanding Azure Service Endpoints
Service Endpoints extend the identity of your virtual network to selected Azure PaaS services, such as Azure Storage, and carry traffic to those services over the Azure backbone network instead of the public internet. Two details matter for everything that follows: the storage service keeps its public IP address (there is no private IP inside your VNet, unlike with private endpoints), and the source of the traffic changes from the VM's public or NAT address to its private VNet IP. That private source address is what lets the storage account firewall recognise the subnet. Microsoft positions service endpoints as optimising both routing and security by keeping the traffic on its backbone.
🚀 Benefits of Service Endpoints
- Enhanced Security: Traffic from the subnet to the service stays on Azure's backbone network and is never routed over the public internet, and the storage account can be locked down to accept traffic only from the subnets you approve.
- Optimized Performance: Service endpoints give the subnet a direct route to the service, so traffic no longer takes a detour through an NVA, a NAT gateway or the internet path. This is what Microsoft calls optimal routing; it also means the hub firewall is no longer in the path (see the considerations below).
- Whitelisting the Service: In the storage account's networking settings, set the default action to Deny and add the specific subnets that may reach the account. Only those subnets can connect, and each of them must have the Microsoft.Storage service endpoint enabled; a subnet rule without the endpoint never matches, because the traffic still arrives from a public source address. Note that Microsoft.Storage is regional: it covers storage accounts in the VNet's own region (and its paired region), while storage accounts in other regions require the Microsoft.Storage.Global endpoint.
⚠️ Important Considerations
Routing Behavior Change: When you enable a service endpoint on a subnet, Azure injects system routes for that service's public address ranges into the subnet, with next hop type VirtualNetworkServiceEndpoint. These routes are more specific than a 0.0.0.0/0 User Defined Route (UDR), and they override UDR and BGP routes for the affected prefixes. So even if you force tunnel all egress through a hub firewall, storage-bound traffic leaves the subnet directly and never touches the firewall, taking your logging and policy enforcement with it. You can see the injected routes on any NIC in the subnet with `az network nic show-effective-route-table` or the NIC's Effective routes blade in the portal.
Monitoring Challenges: Because the firewall no longer sees this traffic, your central monitoring and logging lose sight of it. On the network side you only know the source (the subnet); the destination can be any storage account reachable through the endpoint, including accounts in other subscriptions or tenants, which turns the endpoint into a potential data exfiltration path unless you constrain it. Two controls help here: NSG outbound rules using the Storage service tag, and Virtual Network service endpoint policies, which limit the endpoint to specific storage accounts. On the storage side, the account's diagnostic logs record the VM's private IP as the caller, which is the hook Part 2 uses to identify endpoint traffic.
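To make the routing change concrete, here is an added example (not code from the original article) that evaluates a NIC's effective route table the way Azure does, by longest-prefix match, and reports which destinations bypass the hub firewall. The input is a constructed sample modelled on the JSON shape of `az network nic show-effective-route-table -o json` (fields `addressPrefix`, `nextHopType`, `nextHopIpAddress`, `source`, `state`, as I know them); the "storage" prefixes are RFC 5737 documentation ranges rather than real Azure Storage ranges, and the firewall IP 10.0.1.4 is a hypothetical value.

```python
import ipaddress
import json

# Constructed sample modelled on `az network nic show-effective-route-table -o json`
# for a NIC in a spoke subnet that (a) has a UDR forcing 0.0.0.0/0 to a hub
# firewall and (b) has the Microsoft.Storage service endpoint enabled.
# Assumed schema: addressPrefix, nextHopType, nextHopIpAddress, source, state.
# 203.0.113.0/24 and 198.51.100.0/25 are documentation ranges, not real
# Azure Storage prefixes.
SAMPLE_EFFECTIVE_ROUTES = json.dumps([
    {"addressPrefix": ["10.1.0.0/16"], "nextHopType": "VnetLocal",
     "nextHopIpAddress": [], "source": "Default", "state": "Active"},
    {"addressPrefix": ["10.0.0.0/16"], "nextHopType": "VNetPeering",
     "nextHopIpAddress": [], "source": "Default", "state": "Active"},
    # UDR: everything else goes to the hub firewall (Azure Firewall / NVA)
    {"addressPrefix": ["0.0.0.0/0"], "nextHopType": "VirtualAppliance",
     "nextHopIpAddress": ["10.0.1.4"], "source": "User", "state": "Active"},
    # the system default route is invalidated by the UDR above
    {"addressPrefix": ["0.0.0.0/0"], "nextHopType": "Internet",
     "nextHopIpAddress": [], "source": "Default", "state": "Invalid"},
    # injected when Microsoft.Storage is enabled on the subnet
    {"addressPrefix": ["203.0.113.0/24", "198.51.100.0/25"],
     "nextHopType": "VirtualNetworkServiceEndpoint",
     "nextHopIpAddress": [], "source": "Default", "state": "Active"},
])

FIREWALL_IP = "10.0.1.4"  # hypothetical hub firewall private IP


def load_routes(effective_routes_json):
    """Flatten the CLI output into one entry per prefix, dropping inactive routes."""
    routes = []
    for route in json.loads(effective_routes_json):
        if route.get("state") != "Active":
            continue
        for prefix in route["addressPrefix"]:
            routes.append({
                "prefix": ipaddress.ip_network(prefix),
                "nextHopType": route["nextHopType"],
                "nextHopIp": (route.get("nextHopIpAddress") or [None])[0],
                "source": route["source"],
            })
    return routes


def lookup(routes, destination):
    """Longest-prefix match: the most specific active route wins."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in routes if dst in r["prefix"]]
    if not matches:
        return None
    return max(matches, key=lambda r: r["prefix"].prefixlen)


def goes_through_firewall(routes, destination, firewall_ip=FIREWALL_IP):
    """True only if the chosen route hands the packet to the firewall NVA."""
    chosen = lookup(routes, destination)
    return (chosen is not None
            and chosen["nextHopType"] == "VirtualAppliance"
            and chosen["nextHopIp"] == firewall_ip)


def firewall_bypass_prefixes(routes):
    """Service-endpoint prefixes that sit inside a User route's prefix.

    For those destinations the more specific VirtualNetworkServiceEndpoint
    route wins, so the UDR (and the firewall behind it) never sees the traffic.
    """
    user_prefixes = [r["prefix"] for r in routes if r["source"] == "User"]
    bypassed = set()
    for r in routes:
        if r["nextHopType"] != "VirtualNetworkServiceEndpoint":
            continue
        if any(r["prefix"].subnet_of(u) for u in user_prefixes):
            bypassed.add(str(r["prefix"]))
    return sorted(bypassed)


if __name__ == "__main__":
    rt = load_routes(SAMPLE_EFFECTIVE_ROUTES)
    for dst in ("203.0.113.10", "198.51.100.200", "8.8.8.8", "10.1.0.5"):
        chosen = lookup(rt, dst)
        print(f"{dst:16} -> {chosen['nextHopType']:30} "
              f"firewall={goes_through_firewall(rt, dst)}")
    print("prefixes bypassing the firewall:", firewall_bypass_prefixes(rt))
```

Note the second test address: 198.51.100.200 is outside the injected /25, so it still follows the 0.0.0.0/0 UDR to the firewall. Only the exact prefixes Azure injects bypass the hub, which is why checking the real effective route table, rather than assuming "all storage traffic", is the right way to assess the gap.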
🔒 When to Choose Private Endpoints Instead
While service endpoints simplify the network architecture, Private Endpoints are usually the better choice when strong security, compliance, or full traffic control is required. A private endpoint gives a single storage account a private IP address inside your VNet, so the account can disable public network access entirely, traffic to it is addressed like any other VNet traffic, and with UDRs on the client subnet it can be steered through the hub firewall and inspected like everything else.
Private endpoints do bring their own challenges, notably DNS: the storage account's name must resolve to the private IP (via a private DNS zone such as privatelink.blob.core.windows.net, one per sub-service), and getting that right across hub-and-spoke VNets and on-premises resolvers takes planning. They also cost money per endpoint hour and per GB processed. Still, unless there's a specific reason to use service endpoints, Private Endpoints should generally be the default choice for securing Azure PaaS services like storage.
🛠️ Practical Use Cases and Identifying Service Endpoint Usage
Case 1: Virtual Machines Accessing Azure Storage
When virtual machines in a subnet access Azure Storage through service endpoints:
- Security improves because traffic stays on the Azure backbone and the storage account firewall can be restricted to the subnet.
- However, traceability and auditing suffer: the hub firewall no longer logs this traffic, so you need monitoring that does not depend on the firewall being in the path.
- In a hub-and-spoke architecture, the VMs' storage traffic bypasses the hub firewall. If the traffic must be controlled, do it at the spoke: NSG outbound rules with the Storage service tag, or service endpoint policies that pin the endpoint to approved storage accounts.
- Insights can be gathered from the storage account itself, but only if you turn on diagnostic settings for each sub-service you use (blob, file, queue, table) and send them to a Log Analytics workspace; the resulting StorageBlobLogs and sibling tables record the caller IP, operation and authentication type per request.
Case 2: Subnet Delegation for PaaS Services
For subnets delegated to Azure App Service (regional VNet integration), Azure Container Instances or other PaaS services, enabling service endpoints on the delegated subnet gives that service the same private-source identity a VM would have, so storage accounts can whitelist the subnet:
- The same firewall bypass applies: if your policy requires the service's outbound traffic to be inspected by Azure Firewall or an NVA, be aware that storage traffic through the service endpoint will not reach it, and decide explicitly whether that is acceptable or whether a private endpoint is needed instead.
- Configure access control rules carefully to prevent unintended access across subscriptions or tenants: a storage account in another subscription (or, via CLI and PowerShell, another tenant) can add a rule for your subnet, and your subnet can reach any storage account that allows it. Grant storage access only where it's explicitly required, and consider service endpoint policies to restrict the destinations your subnet can reach.
More scenarios exist, but these are the most common ones you will encounter and need to address.
What's Next?
In Part 2, we'll dive deeper into monitoring: specifically, how to identify service endpoint usage with KQL and how to track traffic through service endpoints effectively.