Using Service Endpoints

Intermediate · Topic · 20 min · 5 min read · Azure

AZ-104 notes: Using Service Endpoints. Covers key concepts for the Azure Administrator Associate exam.

This lesson explains how to privately connect Azure VMs to Azure PaaS services using Azure Virtual Network Service Endpoints.

Service Endpoints allow secure connectivity from a VNet to Azure PaaS services without exposing traffic over the public internet.

1️⃣ The Problem Service Endpoints Solve

In Azure:

  • VMs live inside Virtual Networks (VNets)
  • PaaS services (like Storage, SQL) have public endpoints by default

Example:

  • VM (private IP) → Storage Account (public endpoint)

Without service endpoints:

  • The VM reaches storage through the service's public IP
  • Traffic follows the default Internet route (even though it stays within Azure)
  • The VM may need an outbound public IP

This creates:

  • Larger attack surface
  • Security concerns
  • Complex firewall configurations

2️⃣ What Service Endpoints Do

Service Endpoints:

  • Are enabled on a subnet
  • Work for specific Azure resource providers
  • Route traffic over the Microsoft Backbone
  • Keep traffic inside Azure’s private network

Important:

  • ⚠ It still uses the public endpoint of the PaaS service
  • ⚠ It does NOT create a private IP for the service
  • ⚠ It does NOT place the service inside your VNet
  • It simply changes the route to use Azure’s internal backbone.

3️⃣ How It Works Internally

Without Service Endpoint:

  • VM → Default route (0.0.0.0/0) → Internet → Storage public endpoint

With Service Endpoint:

  • VM → System route (Service Endpoint) → Microsoft Backbone → Storage public endpoint
  • Traffic stays within Azure network.

4️⃣ Key Concepts (Exam Critical)

A. Enabled at Subnet Level

You enable service endpoints on:

  • Virtual Network → Subnet → Service Endpoints

Not on:

  • Individual VM
  • Individual NIC

All resources in that subnet benefit.

B. Resource Provider Based

You choose:

  • Microsoft.Storage
  • Microsoft.Sql
  • Microsoft.KeyVault
  • etc.

Important:

  • Enabling Microsoft.Storage on a subnet applies to ALL storage accounts, not just one specific storage account.
  • Limiting which accounts the subnet can actually reach is a separate step (the storage account firewall, or Service Endpoint Policies).

C. Effective Routes Validation

After enabling service endpoint:

Go to:

  • NIC → Effective Routes

You will see:

  • A new system route
  • Destination = Azure service
  • Next hop = VirtualNetworkServiceEndpoint
  • This confirms backbone routing.

5️⃣ Demonstration Summary

Steps performed:

  • Created Storage Account
  • Enabled Microsoft.Storage service endpoint on subnet
  • Waited for propagation
  • Checked NIC → Effective Routes
  • Verified new system route appeared

Result:

  • VM traffic to Storage now uses the Microsoft Backbone instead of the Internet route.

6️⃣ Security Implications

Service Endpoints improve security by:

  • ✔ Eliminating the need for a VM public IP for outbound access
  • ✔ Keeping traffic inside the Azure network
  • ✔ Allowing the Storage firewall to restrict access to specific VNets

Important:

To fully secure:

  • Configure Storage Account firewall
  • Allow only selected VNets
  • Otherwise, storage is still publicly accessible.

7️⃣ Service Endpoints vs Private Endpoints

This is a common exam question.

If question says:

  • “Assign private IP to storage” → Private Endpoint
  • “Secure backbone access only” → Service Endpoint

8️⃣ When to Use Service Endpoints

Use when:

  • Need simple secure access to Azure PaaS
  • Want to restrict PaaS access to specific VNets
  • Don’t need private IP for service
  • Want lower complexity than Private Endpoint

9️⃣ Limitations

  • Generally limited to the VNet’s own Azure region
  • Still public endpoint
  • Does not remove public DNS resolution
  • Not ideal for strict zero-trust architectures
  • For stronger isolation: Use Private Endpoints.

🔟 Supported Azure Services

Common services:

  • Microsoft.Storage
  • Microsoft.Sql
  • Microsoft.KeyVault
  • Microsoft.EventHub
  • Microsoft.ServiceBus
  • Microsoft.AzureActiveDirectory

11️⃣ Service Endpoint Policies (Advanced)

You can apply:

  • Service Endpoint Policies

These:

  • Restrict which storage accounts are allowed
  • Provide granular control
  • Prevent accidental access to unintended storage accounts
  • Used in advanced security architectures.

12️⃣ Troubleshooting Checklist

If Service Endpoint not working:

  • Confirm enabled on correct subnet
  • Verify VM in that subnet
  • Check Effective Routes
  • Confirm Storage firewall configured correctly
  • Wait for propagation (can take minutes)
  • Ensure the VNet and the service are in compatible regions

13️⃣ Deep Technical Understanding

When enabled:

  • Azure injects a system route into the subnet route table.

Route type:

  • VirtualNetworkServiceEndpoint

Priority:

  • Wins over the default 0.0.0.0/0 Internet route because its prefixes are more specific (longest prefix match)
  • Ensures traffic stays internal
  • This is automatic. No UDR needed.
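To make the route selection in sections 3, 4C and 13 concrete, here is an added example that is not part of the original notes: a constructed effective-route table in the shape of `az network nic show-effective-route-table --output table`, before and after a Microsoft.Storage endpoint is enabled, plus a longest-prefix-match lookup that shows why the injected routes take precedence over 0.0.0.0/0 without any UDR. The prefixes are documentation ranges chosen for the demo, not real Azure Storage addresses, and the table layout is an assumption about the CLI's table output.

```shell
# Added example (not from the original notes). Constructed "before" table: only the
# default system routes exist, so anything outside the VNet goes to the Internet hop.
routes_before() {
  cat <<'EOF'
Source   State   Address Prefix   Next Hop Type   Next Hop IP
-------  ------  ---------------  --------------  -----------
Default  10.0.0.0/16 placeholder-removed
EOF
}
```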

14️⃣ Best Practices

  • ✔ Use Service Endpoints with Storage firewall
  • ✔ Avoid relying on default outbound access
  • ✔ Use NAT Gateway for outbound internet traffic
  • ✔ Use Private Endpoints for high-security workloads
  • ✔ Validate effective routes after enabling

15️⃣ Reference Documentation

  • Service Endpoints Overview
  • Configure Service Endpoints
  • Storage Firewall with Service Endpoints
  • Private Endpoint Overview
  • Effective Routes

Exam Memory Hooks

  • Service Endpoint = subnet-level backbone routing
  • Still uses the public endpoint
  • No private IP assigned
  • Check effective routes
  • Storage firewall required for full restriction

Final Conceptual Summary

Service Endpoints:

  • Improve security
  • Use Microsoft Backbone
  • Work at subnet level
  • Do not fully privatize PaaS service
  • Are simpler than Private Endpoints


Hands-on: Restrict Storage Access to a Subnet with Service Endpoints

Goal: Allow a subnet to reach a storage account over the Microsoft backbone while blocking other networks.

  1. Create or use VNet az104-vnet.
  2. Open subnet web-subnet.
  3. Enable the Microsoft.Storage service endpoint.
  4. Open the target storage account.
  5. Go to Networking and choose Selected networks.
  6. Add az104-vnet/web-subnet.
  7. Save the firewall configuration.
  8. From a VM in web-subnet, access the storage account.
  9. From a VM in another subnet, test access and confirm it is blocked unless that subnet is also allowed.
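The hands-on steps above are portal steps; as an added example that is not part of the original notes, this is the Azure CLI equivalent, with the section 4C effective-route check and the section 11 Service Endpoint Policy as extra functions. The resource group, storage account name, subscription lookup and NIC name are placeholders or assumptions (override them via environment variables); it requires a logged-in `az` session and does nothing unless invoked with `apply` or `routes`.

```shell
#!/bin/sh
# Added example (not from the original notes): Azure CLI equivalent of the hands-on steps.
set -eu

RG="${RG:-az104-rg}"            # assumed resource group name (placeholder)
VNET="${VNET:-az104-vnet}"      # VNet name from the notes
SUBNET="${SUBNET:-web-subnet}"  # subnet name from the notes
SA="${SA:-az104sa}"             # assumed storage account name (placeholder)

# Build the subnet resource ID that a storage firewall rule references.
subnet_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/virtualNetworks/%s/subnets/%s' \
    "$1" "$2" "$3" "$4"
}

# Steps 1-3: enable the Microsoft.Storage service endpoint on the subnet.
enable_storage_endpoint() {
  az network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" --name "$SUBNET" \
    --service-endpoints Microsoft.Storage --output none
}

# Steps 4-7: allow the subnet in the storage firewall, then set the default action to
# Deny. Adding the rule first keeps clients in web-subnet working during the change.
restrict_storage_to_subnet() {
  sub=$(az account show --query id --output tsv)
  az storage account network-rule add --resource-group "$RG" --account-name "$SA" \
    --subnet "$(subnet_id "$sub" "$RG" "$VNET" "$SUBNET")" --output none
  az storage account update --resource-group "$RG" --name "$SA" --default-action Deny --output none
}

# Steps 8-9 (control-plane view): default action must be Deny and only web-subnet listed.
show_storage_rules() {
  az storage account show --resource-group "$RG" --name "$SA" \
    --query 'networkRuleSet.{defaultAction:defaultAction, allowedSubnets:virtualNetworkRules[].virtualNetworkResourceId}' \
    --output json
}

# Section 4C check: effective routes whose next hop is the service endpoint.
# Assumes the CLI returns the REST shape with the routes under value[].
show_endpoint_routes() {
  az network nic show-effective-route-table --resource-group "$RG" --name "$1" \
    --query "value[?nextHopType=='VirtualNetworkServiceEndpoint'].{prefix:addressPrefix, nextHop:nextHopType}" \
    --output json
}

# Section 11 (optional): a Service Endpoint Policy narrows the Microsoft.Storage endpoint
# to the listed account only, so other storage accounts are no longer reachable through it.
scope_endpoint_to_account() {
  sa_id=$(az storage account show --resource-group "$RG" --name "$SA" --query id --output tsv)
  az network service-endpoint policy create --resource-group "$RG" --name "${SA}-sep" --output none
  az network service-endpoint policy-definition create --resource-group "$RG" --policy-name "${SA}-sep" \
    --name "allow-only-${SA}" --service Microsoft.Storage --service-resources "$sa_id" --output none
  az network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" --name "$SUBNET" \
    --service-endpoint-policy "${SA}-sep" --output none
}

case "${1:-}" in
  apply)  enable_storage_endpoint; restrict_storage_to_subnet; show_storage_rules ;;
  routes) show_endpoint_routes "${2:?usage: $0 routes <nic-name>}" ;;
  *)      echo "usage: $0 apply | routes <nic-name>" >&2 ;;
esac
```

Run `./script.sh apply` once, wait for propagation, then `./script.sh routes <nic-name>` from the VM's NIC; the data-plane test in steps 8 and 9 (reading a blob from web-subnet and from another subnet) is still done from the VMs.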

Service endpoint vs private endpoint

Service endpoints secure the public service endpoint to selected VNets and subnets. Private endpoints create a private IP for the service in your VNet.
