Azure - difference between service endpoint and private endpoint in simple terms
I am not able to understand the difference between service endpoints and private endpoints clearly.

Need help, preferably with an example.

Worthy answered 19/9, 2022 at 6:48
While this question is old, there's meanwhile a great article from October 2023 at techcommunity.microsoft.com/t5/core-infrastructure-and-security/… that really explains the difference clearly and well. - Nonpareil
You might have seen this in the Private Link FAQ:

  • Private Endpoints grant network access to specific resources behind a given service providing granular segmentation. Traffic can reach the service resource from on premises without using public endpoints.
  • A Service Endpoint remains a publicly routable IP address. A Private Endpoint is a private IP in the address space of the virtual network where the private endpoint is configured.

For simplicity, let's take the view of a VM in a VNET connecting to a storage account in the same subscription and same Azure region. There are three ways to connect.

Connect to PaaS Services

  1. Default

    By default all traffic goes against the public endpoint of the storage account. Source IP of the traffic is the Public IP of the VM.

  2. Service Endpoints

    Traffic is still directed against the public endpoint of the storage account, but the source IP has changed to the private IP of the VM. In fact, the traffic is also using the VNET and Subnet as source in the network data frame.

  3. Private Endpoints

    The PaaS service now gets a virtual network interface inside the subnet and traffic from the VM to the storage account is now directed against the private IP address.

By far the best collection of useful information around Private Link that I have seen on the web is in this repository: https://github.com/dmauser/PrivateLink

You can also find some examples here: https://jeffbrown.tech/azure-private-service-endpoint/

Metamathematics answered 19/9, 2022 at 7:19
Does it mean that the blob storage (which is outside my VNet) is accessible only to the subnet using service endpoints, and will not be accessible to any other resource like ADF because the service endpoint is only configured for the virtual network? - Worthy
No, you can still use ADF to connect to your storage account. But if you want to lock down the storage account to limit public access you will need to grant access to trusted Azure services (since ADF would be a trusted Azure service): learn.microsoft.com/en-us/azure/storage/common/… Theoretically (though maybe unlikely) anyone using a 'trusted Azure service' could try to connect to your storage account (if they had a key/token). - Metamathematics
But you have mentioned "This essentially gives you the ability to lock down the service from the public internet, except for services from your subnet." in the above explanation, and this is really confusing. - Worthy
So I am not getting what the actual difference is between the private endpoint and the service endpoint. - Worthy
Okay, I guess I was just adding more confusion to the whole question. :-) I have edited it and visualized it with an example of a VM connecting to a storage account. Does that make more sense? - Metamathematics
So using a service endpoint, any service behind a virtual network, via its private IP, can access the service outside the virtual network on its public IP. - Worthy
I was able to do a wget that resolved on my private machine even though a private link endpoint was set up and public access was turned off. I would expect that a private link endpoint would only resolve for other services on the same VNet. Do you have any insight into my misunderstanding here? - Cipher
github.com/dmauser/PrivateLink/tree/master/… This seems to indicate the IP resolves differently for external vs internal requests, which kind of makes sense. But why is there external resolution at all? - Cipher
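An added model (not code from the page, from the linked repository or from any Azure SDK) of two things discussed above: the split-horizon DNS behaviour Cipher observed with a private endpoint, and the storage firewall's view of the three connection modes in the answer (public IP source by default, VNet/subnet identity with a service endpoint). The account name, IP addresses, DNS records and subnet id are constructed.

```python
import ipaddress

# Constructed records for a hypothetical account "contosodata".
# Public DNS view: the account name is a CNAME into the privatelink zone, and
# the public zone answers that name with the public IP, so the name resolves
# from anywhere; what differs is the address you get, not whether you get one.
PUBLIC_DNS = {
    "contosodata.blob.core.windows.net":
        ("CNAME", "contosodata.privatelink.blob.core.windows.net"),
    "contosodata.privatelink.blob.core.windows.net": ("A", "20.60.1.5"),
}
# VNet view: a private DNS zone linked to the VNet overrides the privatelink
# name with the private endpoint NIC address inside the subnet.
VNET_DNS = {
    "contosodata.privatelink.blob.core.windows.net": ("A", "10.0.1.4"),
}


def resolve(name, *views, max_hops=5):
    """Follow CNAMEs across views; earlier views win, like a linked private zone."""
    for _ in range(max_hops):
        for view in views:
            if name in view:
                rtype, target = view[name]
                if rtype == "A":
                    return target
                name = target  # chase the CNAME from the top again
                break
        else:
            raise LookupError(f"no record for {name}")
    raise LookupError("CNAME chain too long")


def classify_path(resolved_ip, vnet_cidrs):
    """Private endpoint if the answer lands inside the VNet, else the public endpoint."""
    ip = ipaddress.ip_address(resolved_ip)
    if any(ip in ipaddress.ip_network(cidr) for cidr in vnet_cidrs):
        return "private endpoint"
    return "public endpoint"


def storage_firewall_allows(source, rules):
    """Model of the account firewall seen by public-endpoint traffic.
    source is ("public", ip) for the default path or ("vnet", subnet_id) when a
    service endpoint tags the traffic with its VNet/subnet identity."""
    if rules["default_action"] == "Allow":
        return True
    kind, value = source
    if kind == "vnet":
        return value in rules["vnet_rules"]
    return any(ipaddress.ip_address(value) in ipaddress.ip_network(r)
               for r in rules["ip_rules"])
```

Resolving from outside the VNet yields the public IP, so a successful lookup (or even a TCP connect) from a laptop proves nothing about which path a VM inside the VNet uses; check the address the VM actually resolves and whether it falls in the VNet range.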

We can say a Private Endpoint allows you to access Azure services over a private IP address within the VNet and will always ensure traffic stays within your VNet. However, an Azure Service Endpoint provides secure and direct connectivity to Azure services over an optimized route on the Azure backbone network. Traffic still leaves your VNet and hits the public endpoint of the PaaS service.

Hinch answered 23/1 at 14:9
As it's currently written, your answer is unclear. Please edit to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers in the help center. - Scraper
