Private Endpoints & Service Endpoints
Secure access to Azure PaaS services from your VNet โ without exposing them to the internet
๐ก Intermediate
โฑ 15 Minutes
๐ AZ-104 ยท Module 04
Why This Matters
You've locked down your VNets with NSGs and routing. But what about Azure services like Azure Storage or SQL Database? By default, they have public endpoints accessible from anywhere. Private Endpoints and Service Endpoints let you access Azure services securely from your VNet without exposing them to the internet.
Before You Start
| Prerequisites | VNets & Subnets, Network Security Groups |
|---|
| Time to understand | 15 minutes |
|---|
| Difficulty | ๐ก Intermediate (builds on VNets and NSGs) |
|---|
| What you'll learn | Private Endpoints vs. Service Endpoints, when to use each, how they work |
|---|
The Simple Idea: The Problem
By default, Azure PaaS services are public. A VM in your VNet that needs to reach Azure SQL Database will, by default, route over the internet to the service's public endpoint.
That means traffic is visible on the internet (bad for security) and creates potential for man-in-the-middle attacks.
Goal: Access SQL from a VM without exposing it to the internet.
Your VNet (10.0.0.0/16)
โโโ VM-A (10.0.1.5) wants to use Azure SQL Database
โโ Default: SQL has public endpoint (database.database.windows.net)
โโ Traffic: 10.0.1.5 โ Internet โ SQL public endpoint โ
โโ Traffic visible on internet (bad for security)
โโ Potential for man-in-the-middle attacks
Goal: Access SQL from VM without exposing it to internet
Two Solutions
| Solution | How | Security | Cost |
|---|
| Service Endpoint | Direct route to service (remains public) | Good (routes through Azure backbone) | Free |
| Private Endpoint | Private IP in your VNet | Excellent (no internet exposure) | Paid (~$1/month) |
Solution 1: Service Endpoints
What Is a Service Endpoint?
Service Endpoint = Direct route from your VNet to an Azure service, using Azure's internal backbone (not the internet).
Real-World Analogy: Private Warehouse Door
Azure SQL Database is like a public building with multiple doors. The main entrance (public endpoint) is reachable by anyone from the internet โ insecure. The special warehouse door (service endpoint) is only accessible from authorized VNets, via a direct route through Azure's internal network โ more secure.
Azure SQL Database (Public building with multiple doors)
โโโ Main entrance (public endpoint)
โ โโ Anyone from internet can reach
โ โโ Insecure โ
โ
โโโ Special warehouse door (service endpoint)
โโ Only accessible from authorized VNets
โโ Direct route through Azure internal network
โโ More secure โ
How Service Endpoints Work
Step 1: Create Service Endpoint
Subnet โ Service Endpoints โ Select "Microsoft.Storage"
โโ Azure configures automatic route
Step 2: System Route Created
Subnet's routing table now has:
Destination: Storage endpoint
Next Hop: Service Endpoint (Microsoft backbone)
Step 3: Traffic Flows Securely
VM-A (10.0.1.5) โ Storage service
โโ Routing: Service Endpoint route selected
โโ Path: Direct through Azure backbone (not internet)
โโ Still travels through public internet for other traffic
Service Endpoint Configuration
Step 1: Enable Service Endpoint in VNet/Subnet
Azure Portal โ VNet โ Subnet โ Service endpoints
โโ Select: Microsoft.Storage, Microsoft.Sql, etc.
Step 2: Add Firewall Rule to Storage
Storage Account โ Firewall & Virtual Networks
โโ Add VNet and subnet
โโ Result: Only traffic from this VNet allowed
Step 3: Test
VM in subnet โ Storage account (now works securely) โ
Service Endpoint Limitations
Service Endpoint:
โโ โ Free (no extra cost)
โโ โ Quick to set up (minutes)
โโ โ Service still has public endpoint (accessible from internet if allowed)
โโ โ Only works with some Azure services
โ โโ Supported: Storage, SQL Database, Cosmos DB, Key Vault, App Service
โ โโ Not supported: Some older services
โโ โ No private IP (routes to service's public IP, but via Azure backbone)
Solution 2: Private Endpoints
What Is a Private Endpoint?
Private Endpoint = A private IP address in your VNet that connects to an Azure service (the service gets a private IP from your VNet's address space).
Real-World Analogy: Private Branch Location
Azure SQL Database is like a headquarters. The main office (public endpoint) is visited by anyone โ insecure. A private branch office inside your own building (private endpoint) can only be visited by your employees; no one from outside can reach it โ maximum security.
Azure SQL Database (Headquarters)
โโโ Main office (public endpoint)
โ โโ Anyone can visit
โ โโ Insecure โ
โ
โโโ Private branch office inside your building (private endpoint)
โโ Only your employees can visit (same building)
โโ No one from outside can reach it
โโ Maximum security โ
How Private Endpoints Work
Step 1: Create Private Endpoint
Subnet โ Private Endpoints โ Add
โโ Resource: Azure SQL Database
โโ VNet/Subnet: Which subnet gets the private IP?
Step 2: Private IP Created
Subnet's address space: 10.0.2.0/24
โโ Azure assigns private IP from this range
โโ Example: 10.0.2.10 becomes the SQL Database endpoint
โโ This IP is NOT publicly accessible
Step 3: Private DNS Zone
Azure creates private DNS record:
โโ database.database.windows.net โ 10.0.2.10 (private IP)
โโ VM in VNet resolves this automatically
โโ VM connects to 10.0.2.10 (private connection)
Step 4: Traffic Flows Privately
VM-A (10.0.1.5) โ Private endpoint (10.0.2.10)
โโ Routing: Matches local VNet route
โโ Path: Internal VNet connection (never leaves your network) โ
Private Endpoint Configuration
Step 1: Create Private Endpoint
Resource Group โ Private Endpoints โ Create
โโ Resource: Azure SQL Database
โโ VNet: Your-VNet
โโ Subnet: Your subnet (private IP will come from here)
โโ DNS: Auto-register in private DNS zone โ
Step 2: Firewall Configuration
Storage Account โ Firewall & Virtual Networks
โโ Default action: Deny (block all public access)
โโ Private Endpoints: Auto-allowed (doesn't need rule)
Step 3: Test
VM in VNet โ Can reach storage via private endpoint
Internet โ Cannot reach storage (completely private) โ
Comparison: Service Endpoint vs. Private Endpoint
| Aspect | Service Endpoint | Private Endpoint |
|---|
| Private IP in VNet | โ No (routes to service's public IP) | โ
Yes (service gets IP from your subnet) |
| Accessible from internet | โ ๏ธ Yes (if firewall allows) | โ No (completely private) |
| Cost | Free | ~$1/month per endpoint |
| Setup time | Fast (minutes) | Moderate (10-15 min) |
| Supported services | Limited set | Broader support |
| DNS | Public DNS (service.region.azure.com) | Private DNS zone |
| Bandwidth cost | No extra charge | No extra charge |
| Best for | Quick, low-risk internal access | Production, high-security |
Decision Tree
Need to access Azure PaaS service securely?
โ
โโ VPN/ExpressRoute connected?
โ โ
โ โโ NO โ Use Service Endpoint (simplest, free)
โ โ โโ "Secure enough" for most non-critical workloads
โ โ
โ โโ YES โ Can you route to service's IP via VPN?
โ โโ NO (service doesn't support routing) โ Service Endpoint
โ โโ YES โ Choose:
โ โโ Quick/Free: Service Endpoint โ
โ โโ Secure: Private Endpoint โ
โ โโ Both: Set up Private Endpoint for production
โ
โโ Need maximum security?
โโ YES โ Use Private Endpoint โ
โโ Service completely hidden from internet
Worked Example: Real Scenario
The Scenario
TechCorp has:
- Azure VNet: 10.0.0.0/16
- Dev Subnet: 10.0.1.0/24 (development VMs)
- Production Subnet: 10.0.2.0/24 (production VMs)
- Azure Storage Account for application data
- Azure SQL Database for app data
Goal: Access both securely from VMs without exposing to internet.
Phase 1: Service Endpoints for Development
Dev environment (not critical):
โโ Create Service Endpoints on Dev Subnet
โ โโ Microsoft.Storage
โ โโ Microsoft.Sql
โ โโ Configuration time: 5 minutes
โ
โโ Storage Account Firewall
โ โโ Add Dev VNet/Subnet as allowed
โ
โโ SQL Database Firewall
โ โโ Add Dev VNet/Subnet as allowed
โ
โโ Result:
โโ Dev VMs can access Storage and SQL
โโ Traffic routes through Azure backbone
โโ Cost: $0 (free)
โโ Security: Good (internal routing) โ
Phase 2: Private Endpoints for Production
Production environment (critical):
โโ Create Private Endpoint 1 (Storage)
โ โโ Resource: Storage Account
โ โโ VNet: Your-VNet
โ โโ Subnet: Prod Subnet (10.0.2.0/24)
โ โโ Private DNS zone: Auto-created
โ โโ Result: Storage has private IP in subnet
โ
โโ Create Private Endpoint 2 (SQL)
โ โโ Resource: SQL Database
โ โโ VNet: Your-VNet
โ โโ Subnet: Prod Subnet (10.0.2.0/24)
โ โโ Private DNS zone: Auto-created
โ โโ Result: SQL has private IP in subnet
โ
โโ Firewall Configuration
โ โโ Storage: Default deny (public), private endpoint allowed
โ โโ SQL: Default deny (public), private endpoint allowed
โ โโ Result: No internet access possible
โ
โโ Result:
โโ Prod VMs can access Storage and SQL via private IPs
โโ Traffic never leaves VNet (maximum security) โ
โโ Internet cannot reach these services
โโ Cost: ~$2/month for 2 endpoints
โโ Security: Excellent (completely private) โ
Phase 3: Traffic Isolation
DNS Resolution:
โโ Dev VM DNS: storage.azure.com โ 40.88.100.5 (public)
โ โโ Resolution: Public IP (resolves through internet DNS)
โ
โโ Prod VM DNS: storage.azure.com โ 10.0.2.10 (private)
โโ Resolution: Private IP (resolves through private DNS zone)
Traffic paths:
โโ Dev VM โ Storage: 10.0.1.5 โ 40.88.100.5 (internet path)
โ โโ Service Endpoint: Route directly through Azure backbone
โ โโ Firewall allows only from VNet
โ
โโ Prod VM โ Storage: 10.0.2.5 โ 10.0.2.10 (VNet path)
โโ Private Endpoint: Routes locally within VNet
โโ Never reaches internet โ
Common Mistakes (What NOT to Do)
โ Mistake 1: Relying on Service Endpoint Alone for Sensitive Data
Wrong
Service Endpoint created for SQL Database:
โโ Routes through Azure backbone โ
โโ But SQL is still publicly accessible
โโ Competitor discovers public IP address
โโ Competitor uses their own VNet with Service Endpoint
โโ Competitor can access the database โ
Fix
For sensitive data:
โโ Use Private Endpoint instead
โโ Disable public endpoint completely
โโ Result: Only your VNet can access it โ
Why it fails: Service Endpoint doesn't hide the public endpoint.
โ Mistake 2: Private Endpoint Without Proper DNS
Wrong
Private Endpoint created for SQL (10.0.2.10):
โโ Application code: "Connect to database.database.windows.net"
โโ DNS resolution: Resolves to 40.88.100.5 (public IP)
โโ Firewall: Allows only private endpoint
โโ Result: Connection fails โ
Fix
Create private DNS zone:
โโ database.database.windows.net โ 10.0.2.10
โโ VNet linked to private DNS zone
โโ Now: DNS resolves to 10.0.2.10 (private IP)
โโ Connection uses private endpoint โ
Why it fails: DNS resolves to public IP, but firewall blocks it.
โ Mistake 3: Creating Private Endpoint in Wrong Subnet
Wrong
Prod Subnet: 10.0.2.0/24 (prod workloads)
Dev Subnet: 10.0.1.0/24 (dev workloads)
Create Private Endpoint in Subnet 10.0.1.0/24:
โโ Prod workloads in 10.0.2.0/24 try to access database
โโ DNS: Resolves to private endpoint IP (10.0.1.10)
โโ Routing: 10.0.2.5 โ 10.0.1.10 (different subnet)
โโ Works but not optimal โ ๏ธ
โโ Better: Private endpoint in same subnet as clients
Fix
Create Private Endpoint in prod subnet:
โโ Private Endpoint IP: 10.0.2.10 (same subnet as clients)
โโ Prod workload (10.0.2.5) โ 10.0.2.10 (local)
โโ Lower latency, cleaner routing โ
Why it fails: Not a complete failure, but adds latency and complexity.
Service Endpoint vs. Private Endpoint Checklist
Choosing between them:
โก For development/non-critical:
โโ Service Endpoint usually sufficient
โโ Lower cost (free)
โโ Quick to set up
โโ Good balance of security and simplicity
โก For production/sensitive data:
โโ Use Private Endpoint
โโ Highest security (private IP)
โโ Public endpoint can be completely disabled
โโ Worth the small monthly cost
โก Hybrid approach:
โโ Service Endpoints: External/non-critical services
โโ Private Endpoints: Internal/sensitive services
โโ Both: Some organizations use both for defense-in-depth
โก If using Private Endpoint:
โโ Create private DNS zone (auto-done)
โโ Link DNS zone to VNet
โโ Disable public endpoint on storage
โโ Test: Confirm private endpoint works, public fails โ
โก If using Service Endpoint:
โโ Enable on subnet(s) where workloads exist
โโ Add VNet/subnet to storage firewall
โโ Storage still has public endpoint
โโ Consider: Is this sufficient for security requirements? โ
How This Connects to Other Topics
Related to Module 01 (Identity & Governance)
- RBAC: Only admins can create/manage Private Endpoints
Related to Module 02 (Storage)
- Storage Security: Private Endpoints secure storage access
- Storage Firewall: Works with both Service and Private Endpoints
Related to Module 03 (Compute)
- VM Access to Services: VMs use Private/Service Endpoints to reach PaaS
Related to Module 05 (Monitor)
- Monitor Endpoint: Track Private Endpoint connections
See It In Action
Associated labs:
Suggested learning sequence:
- โ
Read VNets & Subnets
- โ
Read Network Security Groups
- โ
Read VPN & ExpressRoute
- โ
Read this doc (Private Endpoints & Service Endpoints)
- โ
Work through Lab 17 (Service Endpoints hands-on)
- โ
Work through Lab 18 (Private Endpoints hands-on)
Key Takeaways
๐ก Summary
- Service Endpoint = free route to service (good, not perfect)
- Private Endpoint = private IP in your VNet (best security)
- Service Endpoint: Suitable for non-critical, internal-only traffic
- Private Endpoint: For sensitive data, production workloads
- Private DNS zone: Required for Private Endpoints to work seamlessly
- Firewall integration: Both work with storage/service firewalls
- Public endpoint: Can be disabled entirely with Private Endpoints
- Cost: Service Endpoint free, Private Endpoint ~$1/month
Next Steps
- Learn: Read this doc (you're here)
- Understand: When to use each (decision tree above)
- Practice: Lab 17: Service Endpoints
- Practice: Lab 18: Private Endpoints
- Secure: Disable public endpoints for sensitive services
- Monitor: Track endpoint usage and security