What is the real point? Comparing Microsoft Azure Private and Service Endpoints

Data is key in today's business world. Not just having it, but making sure it does not end up in the wrong hands. That is true whether you are leveraging a private cloud or a public cloud like Microsoft Azure.

Keeping your network traffic secure and avoiding routing over the internet is paramount to keeping data safe. Fortunately, Microsoft Azure offers two "endpoint" solutions to ensure data takes an optimized path:

 <ul>
 <li><strong>Service endpoint</strong>:
 <ul>
 <li>Provides direct and secure connectivity to Azure services over the Azure backbone.</li>
 </ul>
 </li>
 </ul>

A list of Azure services supported with a service endpoint is available here.

 <ul>
 <li><strong>Private endpoint</strong>:
 <ul>
 <li>Enables you to leverage a private IP address from your own virtual network to connect privately and securely to an Azure service.</li>
 </ul>
 </li>
 </ul>

A list of Azure services supported with a private endpoint is available here.

Before we get into the specifics of each endpoint, it is important to understand what happens when there are no endpoints (service or private) configured at all.

 <em>Note:</em> for the examples used in this blog, we will be connecting to a Microsoft Azure storage account.

When a storage account is created, a public endpoint is used for communication. This means that when a workload/client/application needs to communicate with the storage account, the public endpoint will resolve to a public IP address and the traffic will be routed over the internet.

 <div class="wp-block-image"><figure class="aligncenter size-full"><a href="https://www.infracom.com.sg/wp-content/uploads/2022/12/azure-endpoints-no-endpoints-configured.png" data-wpel-link="internal" target="_blank" rel="follow noopener"><img width="631" height="352" src="https://www.infracom.com.sg/wp-content/uploads/2022/12/azure-endpoints-no-endpoints-configured.png" alt="Azure storage account with no endpoints configured" class="wp-image-155619" /></a></figure></div>

Even though the traffic is encrypted, it will still traverse the internet.

The first way we can avoid sending traffic over the internet is with a service endpoint. But how do service endpoints work?

Contrary to popular belief, the storage account's endpoint still exists and still resolves to the public IP... but an additional step takes place. When any Azure VM within the vNet tries to connect to the public endpoint of a storage account, the "next hop" is redirected onto the Azure network backbone.

The figure below highlights the properties of a vNIC and its "Effective routes". We can see that additional routes are automatically created/added once the service endpoint is configured:

 <div class="wp-block-image"><figure class="aligncenter size-full"><a href="https://www.infracom.com.sg/wp-content/uploads/2022/12/azure-endpoints-effective-routes.png" data-wpel-link="internal" target="_blank" rel="follow noopener"><img width="480" height="441" src="https://www.infracom.com.sg/wp-content/uploads/2022/12/azure-endpoints-effective-routes.png" alt="vNIC effective routes after a service endpoint is configured" class="wp-image-155633" /></a></figure></div>

Once the routes are added, any traffic targeting the public endpoint of the storage account will be directed over the Azure network backbone instead of the internet.

 <div class="wp-block-image"><figure class="aligncenter size-full"><a href="https://www.infracom.com.sg/wp-content/uploads/2022/12/azure-endpoints-service-endpoints.png" data-wpel-link="internal" target="_blank" rel="follow noopener"><img width="610" height="342" src="https://www.infracom.com.sg/wp-content/uploads/2022/12/azure-endpoints-service-endpoints.png" alt="Traffic path with a service endpoint configured" class="wp-image-155647" /></a></figure></div>
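The "Effective routes" view above is the quickest way to confirm a service endpoint is actually in force: the prefixes for the service gain a next hop of type VirtualNetworkServiceEndpoint, and a longest-prefix match against them beats the 0.0.0.0/0 Internet route. The following is an added example, not code from the original post or from Veeam; it reads a route table in the same shape as the JSON returned by `az network nic show-effective-route-table` (the field names addressPrefix, nextHopType, source and state are Azure's; the prefix values in the sample are constructed for the demo, not captured from a real subscription) and answers "which next hop will traffic to this IP take?"

```python
# Added example: inspect a NIC's effective routes for service-endpoint next hops.
# Input shape mirrors `az network nic show-effective-route-table -o json`;
# the prefixes below are constructed sample data, not a real subscription.
import json
import ipaddress

# Constructed sample: the two default routes plus the routes Azure injects once
# a Microsoft.Storage service endpoint is enabled on the subnet.
SAMPLE_EFFECTIVE_ROUTES = json.dumps({
    "value": [
        {"addressPrefix": ["10.0.0.0/16"], "nextHopType": "VnetLocal",
         "nextHopIpAddress": [], "source": "Default", "state": "Active"},
        {"addressPrefix": ["0.0.0.0/0"], "nextHopType": "Internet",
         "nextHopIpAddress": [], "source": "Default", "state": "Active"},
        {"addressPrefix": ["20.38.96.0/23", "20.60.0.0/16"],
         "nextHopType": "VirtualNetworkServiceEndpoint",
         "nextHopIpAddress": [], "source": "Default", "state": "Active"},
    ]
})


def _active_routes(effective_routes_json):
    """Yield only routes Azure reports as Active (Invalid routes never carry traffic)."""
    data = json.loads(effective_routes_json)
    for route in data.get("value", []):
        if route.get("state") == "Active":
            yield route


def service_endpoint_prefixes(effective_routes_json):
    """Set of prefixes whose next hop is the service endpoint (backbone, not internet)."""
    prefixes = set()
    for route in _active_routes(effective_routes_json):
        if route.get("nextHopType") == "VirtualNetworkServiceEndpoint":
            prefixes.update(route.get("addressPrefix", []))
    return prefixes


def next_hop_for(effective_routes_json, destination_ip):
    """Longest-prefix match: the nextHopType traffic to destination_ip will take."""
    dest = ipaddress.ip_address(destination_ip)
    best_type, best_len = None, -1
    for route in _active_routes(effective_routes_json):
        for prefix in route.get("addressPrefix", []):
            net = ipaddress.ip_network(prefix, strict=False)
            if dest in net and net.prefixlen > best_len:
                best_type, best_len = route["nextHopType"], net.prefixlen
    return best_type


if __name__ == "__main__":
    print("service-endpoint prefixes:", sorted(service_endpoint_prefixes(SAMPLE_EFFECTIVE_ROUTES)))
    for ip in ("20.60.1.1", "8.8.8.8", "10.0.3.4"):
        print(ip, "->", next_hop_for(SAMPLE_EFFECTIVE_ROUTES, ip))
```

Run it against the real output of the CLI command on a NIC in the subnet: if `next_hop_for` returns Internet for the storage service's public IP, the service endpoint is not applied to that subnet (or the route is not Active) and traffic is still leaving the backbone.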

The second way we can avoid sending traffic over the internet when it is destined for an Azure service is with a private endpoint. The advantage of a private endpoint is that the traffic stays in the vNet and never traverses the internet or the Azure network backbone.

The first step is that the storage account will leverage a private IP address from within the vNet. This allows the workloads to communicate with the Azure service directly via that private IP.

Next, a public and a private DNS entry/IP address will also be created automatically.

 <ul>
 <li>Public Endpoint DNS name: .blob.core.windows.net</li>
 <li>Private Endpoint DNS name: .privatelink.blob.core.windows.net</li>
 </ul>

Azure will also create a CNAME DNS record resolving the public address to the private IP. In this case, the public endpoint will resolve to the private IP address. This means that all traffic stays within the Azure vNet rather than traversing the Azure network backbone.

And because we now have a routed network, resources on-premises can communicate with Azure services WITHOUT going over the public internet – assuming there is an ExpressRoute or VPN connection.

 <em>Note:</em> Remember that DNS / the HOSTS file must be updated to resolve appropriately for on-premises connectivity.

 <div class="wp-block-image"><figure class="aligncenter size-full"><a href="https://www.infracom.com.sg/wp-content/uploads/2022/12/azure-endpoints-private-endpoints.png" data-wpel-link="internal" target="_blank" rel="follow noopener"><img width="624" height="349" src="https://www.infracom.com.sg/wp-content/uploads/2022/12/azure-endpoints-private-endpoints.png" alt="Traffic path with a private endpoint configured" class="wp-image-155661" /></a></figure></div>
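The DNS note above is where private endpoints most often fail silently: the account name still CNAMEs to the privatelink name, but a resolver that does not know the private DNS zone follows that name on to the public zone and hands back the public IP, so the client quietly uses the internet path. The following is an added example, not code from the original post or from Veeam: it follows the CNAME chain for a storage account the way a client would and classifies where the name lands. DNS answers are a constructed in-memory table so it runs offline; the account name "contosostore", the vNet address 10.0.1.5 and the public-side names and IPs are placeholders, and the generalisation to any privatelink-backed service is the example's own.

```python
# Added example: classify how a storage account name resolves (private endpoint
# vs. public fallback).  DNS answers are a constructed table, not live lookups;
# "contosostore" and every IP/name below are placeholders.
import ipaddress

# Constructed view from inside the vNet, private DNS zone linked: the public
# name CNAMEs to the privatelink name, which resolves to the private IP.
VNET_DNS = {
    "contosostore.blob.core.windows.net":
        ("CNAME", "contosostore.privatelink.blob.core.windows.net"),
    "contosostore.privatelink.blob.core.windows.net": ("A", "10.0.1.5"),
}

# Constructed view from an on-premises resolver that was never updated: the
# privatelink name falls through to the public zone and ends at a public IP.
ONPREM_DNS_STALE = {
    "contosostore.blob.core.windows.net":
        ("CNAME", "contosostore.privatelink.blob.core.windows.net"),
    "contosostore.privatelink.blob.core.windows.net":
        ("CNAME", "blob.example-stamp.store.core.windows.net"),   # placeholder
    "blob.example-stamp.store.core.windows.net": ("A", "20.60.1.1"),  # placeholder
}


def resolve_chain(table, name, max_hops=8):
    """Follow CNAMEs until an A record; return (names visited, ip or None)."""
    chain = [name]
    for _ in range(max_hops):
        rtype, target = table.get(name, (None, None))
        if rtype == "A":
            return chain, target
        if rtype != "CNAME":
            return chain, None          # NXDOMAIN or unsupported record type
        name = target
        chain.append(name)
    return chain, None                  # CNAME loop or chain too long


def classify_path(table, fqdn):
    """'private-endpoint', 'public-fallback', 'public' or 'unresolved'."""
    chain, ip = resolve_chain(table, fqdn)
    if ip is None:
        return "unresolved"
    via_privatelink = any(".privatelink." in n for n in chain)
    is_private_ip = ipaddress.ip_address(ip).is_private
    if via_privatelink and is_private_ip:
        return "private-endpoint"       # traffic stays in the vNet
    if via_privatelink:
        return "public-fallback"        # PE exists but this resolver is stale
    return "public"                     # no private endpoint on this account


if __name__ == "__main__":
    name = "contosostore.blob.core.windows.net"
    for label, table in (("vnet", VNET_DNS), ("on-prem", ONPREM_DNS_STALE)):
        chain, ip = resolve_chain(table, name)
        print(f"{label}: {' -> '.join(chain)} -> {ip}: {classify_path(table, name)}")
```

A "public-fallback" result on an on-premises client is the case the note warns about: the private endpoint is deployed, but that site's DNS (or HOSTS file) has not been taught the privatelink zone, so the connection will still leave over the internet until it is.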

Let's now directly compare the service and private endpoints:

For information on use cases for service and private endpoints, please connect with your local Veeam account team.

A service or private endpoint is a great way to keep your data secure and maximize efficiency, all while minimizing costs – the perfect combination when leveraging Veeam to protect your data.