What is the Azure backbone network?
Microsoft owns and operates one of the largest backbone networks in the world. This global, privately operated fibre network connects Microsoft's datacenters and carries the traffic of Azure services between regions, so that traffic does not have to transit the public internet.
What is an endpoint in Azure?
An endpoint is the address through which a service is reached remotely. By "service" I mean either a managed Azure (PaaS) service or an application you deployed on a VM; in both cases a client needs an endpoint to reach it, and where that endpoint lives (public or private) decides who can try to connect to it.
What is a Virtual Network service endpoint in Azure?
A Virtual Network (VNet) service endpoint provides secure and direct connectivity to an Azure service over an optimised route on the Azure backbone network. Service endpoints let private IP addresses in the VNet reach the endpoint of an Azure service without needing a public IP address on the VNet.
When a service endpoint is enabled, the PaaS resource sees the traffic coming from your VNet private IP (the VNet/subnet identity), not from a NAT'd public IP.
The useful part is that service endpoints are enabled per subnet, so you choose exactly which subnets get this path. One caveat: the endpoint only changes the route and the source identity. The service keeps its public address, so you must still configure the service's own firewall (for example a storage account's network rules) to deny by default and allow only that subnet; otherwise the resource is as reachable from the internet as before.
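The subnet-level lockdown described above, as an added example that is not part of the original post: it enables the Microsoft.Storage service endpoint on one subnet and then restricts a storage account to that subnet with the account's own firewall. rg-test and vn-test are the names the post uses for its POC; the subnet name snet-app and the storage account name are assumptions. With DRY_RUN=1 (the default) the script prints the az commands it would run instead of executing them; set DRY_RUN=0 to apply them for real.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): lock a storage account down to
# one subnet with a VNet service endpoint. Resource names are assumptions.
set -eu

DRY_RUN="${DRY_RUN:-1}"   # 1 = print the az commands, 0 = execute them

# In dry-run mode shadow `az` so every call below is printed instead of run.
az() {
  if [ "$DRY_RUN" = "1" ]; then printf 'az'; printf ' %s' "$@"; printf '\n'
  else command az "$@"; fi
}

RG="${RG:-rg-test}"
VNET="${VNET:-vn-test}"
SUBNET="${SUBNET:-snet-app}"           # assumed subnet hosting the VMs
STORAGE="${STORAGE:-sttestdemo001}"    # assumed; must be globally unique

# Step 1: turn the Microsoft.Storage service endpoint on for the subnet.
# Traffic from this subnet now reaches the storage service over the backbone
# and is identified by the subnet rather than by a public IP.
enable_storage_service_endpoint() {
  az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$SUBNET" \
    --service-endpoints Microsoft.Storage
}

# Step 2: the endpoint alone grants and denies nothing. The account firewall
# must allow the subnet and deny everything else, or the account stays open
# to the whole internet exactly as before.
restrict_storage_to_subnet() {
  az storage account network-rule add -g "$RG" --account-name "$STORAGE" \
    --vnet-name "$VNET" --subnet "$SUBNET"
  az storage account update -g "$RG" -n "$STORAGE" --default-action Deny
}

# Check: with DRY_RUN=0 this prints the account's default action, which must
# be "Deny"; an "Allow" here means the subnet rule is decorative.
storage_default_action() {
  az storage account show -g "$RG" -n "$STORAGE" \
    --query networkRuleSet.defaultAction -o tsv
}

if [ "${1:-}" = "apply" ]; then
  enable_storage_service_endpoint
  restrict_storage_to_subnet
  storage_default_action
fi
```

Run it as `DRY_RUN=1 bash service-endpoint.sh apply` to review the commands, then with DRY_RUN=0 from a shell that is already logged in with `az login`. The order matters: the network rule can only be added once the subnet has the service endpoint enabled.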
What are Azure Private Link and Azure Private Endpoint?
Azure Private Link lets you reach Azure PaaS services (Azure App Service, Storage, SQL Database and so on) and customer-owned or partner services hosted in Azure over a private endpoint in your own virtual network. A service of yours that runs behind an Azure Standard Load Balancer can be published as a Private Link service, so consumers reach it privately from their own VNets.
An Azure Private Endpoint is a network interface that connects you privately and securely to a service powered by Private Link. As the name says, the private endpoint takes a private IP address from your VNet.
You create the private endpoint directly in your VNet, from the Networking settings of the service you want to reach (or with the CLI/ARM), and the service then appears as an address inside your own subnet.
The main benefit of Private Link is that the service no longer has to be exposed to the public internet at all: clients connect to the private IP, public access to the resource can be disabled, and the traffic stays on the Azure backbone.
Main difference between service endpoint and private endpoint
The main difference between Private Link and VNet service endpoints is where the service's address lives. With a private endpoint the service gets a private IP inside your VNet, public access to that resource can be switched off, and traffic never goes through the internet. With a service endpoint the service keeps its public IP; what changes is the route from your subnet to that public IP (it stays on the Azure backbone) and the source identity the service sees, and you limit access by allowing only your subnet in the service's firewall. A second difference matters for data-exfiltration threat models: a private endpoint maps one specific resource (one storage account, one web app), whereas a service endpoint lets the subnet reach every instance of that service type, so a compromised VM can still talk to an attacker-controlled account of the same service unless the service's firewall or a service endpoint policy blocks it.
Is Private Link available for all Azure services?
No, not all services support it yet. The current list is in the Azure update "Announcing Azure Private Link GA for Azure Services" (Azure updates | Microsoft Azure), which begins:
Azure Private Link is now generally available (GA) for the below services: Azure Storage, Azure Data Lake Storage Gen 2…
POC: Azure App Service via Private Link
We can get private access to an Azure App Service web app via Private Link, so it does not have to be exposed on its public address.
The image below shows what we are going to do: deploy a web app in App Service and access it from a dev VM that sits in the rg-test resource group and the vn-test VNet.
Deploy a web app in an App Service plan.
At this point the web app is reachable from the internet on its public address. We will now restrict it to a private endpoint, reachable from the VNet only.
The private endpoint settings are available on the web app. [This is not yet available in all regions!]
Go to WebApp > Networking > Private Endpoint Connections.
Configure the private endpoint connection. During configuration you provide the VNet and the subnet from which the app will be accessed; the endpoint's network interface takes a private IP from that subnet.
Once done, the connection and its state are listed.
If you now try the URL from the internet you get 403 Forbidden. This is the default behaviour: enabling a private endpoint on a web app disables public access to it.
Log on to the VM and fetch the site with curl, then resolve the hostname (nslookup or dig; ping also shows the resolved address, although App Service does not answer ICMP). Notice that the name resolves to a private IP from your VNet: behind the scenes the portal created the privatelink.azurewebsites.net private DNS zone in Azure DNS, linked it to the VNet, and the public hostname CNAMEs into that zone. Without that zone link, clients inside the VNet would keep resolving the public IP and would be rejected like everyone else.
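The same POC done with the Azure CLI instead of the portal, as an added example that is not part of the original post: it creates the plan and web app, the private endpoint, the privatelink.azurewebsites.net zone and its VNet link, and includes the check to run from the dev VM. rg-test and vn-test are the post's names; the region, plan SKU, app name, endpoint subnet snet-pe and the placeholder subscription id are assumptions. With DRY_RUN=1 (the default) the az commands are printed rather than executed.

```shell
#!/usr/bin/env bash
# Added example, not the post's portal click-through: the same POC with the
# Azure CLI. Resource names, region, SKU and subscription id are assumptions.
set -eu

DRY_RUN="${DRY_RUN:-1}"   # 1 = print the az commands, 0 = execute them
az() {
  if [ "$DRY_RUN" = "1" ]; then printf 'az'; printf ' %s' "$@"; printf '\n'
  else command az "$@"; fi
}

RG="${RG:-rg-test}"; VNET="${VNET:-vn-test}"
PE_SUBNET="${PE_SUBNET:-snet-pe}"          # assumed: subnet that will hold the private endpoint NIC
LOCATION="${LOCATION:-westeurope}"         # assumed; the feature was region-limited at the time
PLAN="${PLAN:-plan-test}"; APP="${APP:-webapp-pe-demo-001}"   # assumed; app name must be globally unique
ZONE="privatelink.azurewebsites.net"       # the private DNS zone App Service private endpoints use

deploy_webapp() {
  # PremiumV2 was the minimum plan SKU for private endpoints when the feature launched.
  az appservice plan create -g "$RG" -n "$PLAN" -l "$LOCATION" --sku P1V2
  az webapp create -g "$RG" -p "$PLAN" -n "$APP"
}

create_private_endpoint() {
  # NSG/UDR policies must be disabled on the endpoint subnet (newer CLI versions
  # spell this --private-endpoint-network-policies Disabled).
  az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$PE_SUBNET" \
    --disable-private-endpoint-network-policies true
  # Target resource id: a placeholder subscription in dry-run mode, looked up for real otherwise.
  app_id="/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/$RG/providers/Microsoft.Web/sites/$APP"
  [ "$DRY_RUN" = "1" ] || app_id=$(command az webapp show -g "$RG" -n "$APP" --query id -o tsv)
  # --group-id sites is the App Service sub-resource; once this exists public callers get 403.
  az network private-endpoint create -g "$RG" -n "pe-$APP" --vnet-name "$VNET" --subnet "$PE_SUBNET" \
    --private-connection-resource-id "$app_id" --group-id sites --connection-name "pe-$APP-conn"
}

# Without this zone the app name keeps resolving to the public IP even inside the VNet.
link_private_dns() {
  az network private-dns zone create -g "$RG" -n "$ZONE"
  az network private-dns link vnet create -g "$RG" --zone-name "$ZONE" -n "link-$VNET" \
    --virtual-network "$VNET" --registration-enabled false
  az network private-endpoint dns-zone-group create -g "$RG" --endpoint-name "pe-$APP" -n default \
    --private-dns-zone "$ZONE" --zone-name sites
}

# RFC 1918 check used by the verification step: the resolved address must be one of ours.
is_private_ipv4() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Run this part on the dev VM inside vn-test (plain DNS and curl, no az involved).
verify_from_vm() {
  host="$APP.azurewebsites.net"
  ip=$(getent ahostsv4 "$host" | awk 'NR==1{print $1}')
  is_private_ipv4 "$ip" || { echo "FAIL: $host resolves to public $ip (privatelink zone not linked?)" >&2; return 1; }
  echo "OK: $host -> $ip"
  curl -sS -o /dev/null -w '%{http_code}\n' "https://$host/"   # 200 here; the same request from the internet gets 403
}

case "${1:-}" in
  deploy) deploy_webapp; create_private_endpoint; link_private_dns ;;
  verify) verify_from_vm ;;
esac
```

Use `bash private-endpoint.sh deploy` from a logged-in shell (DRY_RUN=0 to apply), then copy the script to the dev VM and run `bash private-endpoint.sh verify` there; the verify step fails loudly if the name still resolves to a public address, which is the usual symptom when the private DNS zone is missing or not linked to the VNet.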
I suggest doing this exercise with the free Azure credit to get a better understanding, and deleting the resource group afterwards so the plan does not keep billing.
That’s it for this post.
Thanks and Keep Learning.