Greetings, everyone. Thank you for reading this blog post on Azure networking services, including Azure Service Endpoint, Azure Private Endpoint, and Private Link.
This post discusses the Azure Service Endpoint, Azure Private Endpoint, and Private Link networking services. They let you restrict how clients reach a service hosted in Azure. It is not always clear which of them to use and what each one offers, so this article walks through the services and their trade-offs to help you make an informed choice.
Service Endpoint
Virtual Network (VNet) service endpoints were the first feature for connecting to PaaS services from an Azure Virtual Network. They provide secure, direct connectivity to Azure services over the Microsoft backbone network and give you a way to lock down your essential Azure service resources to your virtual networks.
How does the Service Endpoint work?
Service Endpoints are enabled per subnet on your virtual network. Once a subnet has the endpoint enabled, you configure the PaaS resource to accept traffic only from those subnets. There is no IP filtering or NAT translation to manage; you simply specify the VNet and subnet from which the PaaS resource should accept traffic.
Before service endpoints, traffic from a virtual network to an Azure service used public IP addresses as its source, which was hard to manage in service firewalls. With service endpoints, that traffic switches to the virtual network's private addresses as the source IP addresses when it reaches the Azure service. This simplifies network management and removes the need to reserve public IP addresses just to list them in IP firewalls.
Benefits of Service endpoints:
- Traffic is optimally routed to Azure resources. Even if you have User-Defined Routes (UDRs) on your VNet that send internet-bound traffic back on-premises or through a firewall appliance, a Service Endpoint ensures traffic to the Azure resource goes directly to it (so that traffic does not pass through the firewall).
- Service endpoints let you secure Azure service resources to your virtual network by extending the VNet identity to the service. After enabling a service endpoint on the subnet, you add a virtual network rule on the Azure service resource. That rule removes public internet access to the resource and allows traffic only from your virtual network.
- Service endpoints are free. The normal pricing model for the Azure service itself (e.g., Azure Storage, Azure SQL Database) still applies.
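The configuration described above, as an added Bicep example that is not part of the original post: a subnet with the Microsoft.Storage service endpoint enabled and a storage account whose firewall denies everything except that subnet. The resource names, address ranges and API versions are assumptions chosen for illustration; the storage account name must be globally unique.

```bicep
// Added example (not from the original post): restrict a storage account to
// a single subnet using a Service Endpoint plus a virtual network rule.
// Names, address ranges and API versions below are assumptions.
param location string = resourceGroup().location
param vnetName string = 'vnet-app'          // assumed name
param storageName string = 'stexample001'   // assumed name; must be globally unique

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: vnetName
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [ '10.10.0.0/16' ]
    }
    subnets: [
      {
        name: 'snet-app'
        properties: {
          addressPrefix: '10.10.1.0/24'
          // With the endpoint enabled, traffic from this subnet to Storage
          // carries the subnet's private address as its source and travels
          // over the Microsoft backbone instead of a public source IP.
          serviceEndpoints: [
            { service: 'Microsoft.Storage' }
          ]
        }
      }
    ]
  }
}

resource stg 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageName
  location: location
  kind: 'StorageV2'
  sku: {
    name: 'Standard_LRS'
  }
  properties: {
    minimumTlsVersion: 'TLS1_2'
    allowBlobPublicAccess: false
    networkAcls: {
      // Deny by default; the virtual network rule is the only allow entry.
      // Without defaultAction 'Deny' the endpoint is just a routing
      // optimisation, not an access restriction.
      defaultAction: 'Deny'
      bypass: 'None'
      virtualNetworkRules: [
        {
          id: vnet.properties.subnets[0].id
          action: 'Allow'
        }
      ]
      // On-premises clients cannot use the endpoint; they would need their
      // public IPs listed here (left empty on purpose).
      ipRules: []
    }
  }
}

output allowedSubnetId string = vnet.properties.subnets[0].id
```

Deploy with `az deployment group create --resource-group <RG> --template-file <file>.bicep`. The check worth doing afterwards is that `networkAcls.defaultAction` really reads `Deny` on the account; a virtual network rule on an account that still defaults to `Allow` restricts nothing.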
Limitations:
- Service Endpoints can only be enabled on subnets in Azure virtual networks.
- Traffic through a Service Endpoint still leaves your virtual network, and the Azure PaaS resource is still reached on its public IP address.
- Endpoints can’t be used for traffic from your on-premises network to Azure services. If on-premises resources need access, you must also allow their public IP addresses in the service firewall.
When to use Service Endpoints:
- Microsoft recommends using Azure Private Link and private endpoints to secure and privately access services hosted on the Azure platform.
- Service Endpoints can be considered when you cannot, or do not want to, make DNS changes.
Private Endpoint and Private link
An Azure private endpoint is a network interface that uses a private IP address from your virtual network. This interface provides a secure and private connection to a service enabled by Azure Private Link. By creating a private endpoint, you effectively bring the service into your virtual network.
Azure Private Link service is created by a service provider. Currently, a Private Link service can only be attached to the frontend IP configuration of a Standard Load Balancer.
How do Private Endpoint and Private Link work?
A private endpoint uses a private IP address from the selected VNet, making it reachable within that VNet and any peered VNet. When it is configured, the service’s public DNS name is given a canonical name (CNAME) record pointing at a privatelink subdomain, and a private DNS zone for that subdomain holds an A record mapping the name to the private endpoint’s IP address. When an application inside a VNet linked to that zone resolves the service name, it receives the private endpoint address instead of the public one. Please note: outside the private DNS zone, the service’s fully qualified domain name (FQDN) still resolves to the service’s public endpoint.
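The consumer-side setup described above, as an added Bicep example that is not part of the original post: a storage account with its public endpoint disabled, a private endpoint for its blob sub-resource, the `privatelink.blob.*` private DNS zone linked to the VNet, and a DNS zone group that writes the A record. Resource names, address ranges and API versions are assumptions for illustration.

```bicep
// Added example (not from the original post): bring a storage account's blob
// endpoint into a VNet with a private endpoint and wire up the private DNS
// zone so the public FQDN resolves to the private IP from inside the VNet.
// Names, address ranges and API versions below are assumptions.
param location string = resourceGroup().location
param vnetName string = 'vnet-app'          // assumed name
param storageName string = 'stexample001'   // assumed name; must be globally unique

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: vnetName
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [ '10.10.0.0/16' ]
    }
    subnets: [
      {
        name: 'snet-pe'
        properties: {
          addressPrefix: '10.10.2.0/24'
        }
      }
    ]
  }
}

resource stg 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageName
  location: location
  kind: 'StorageV2'
  sku: {
    name: 'Standard_LRS'
  }
  properties: {
    // The public FQDN still exists in public DNS, but the account refuses
    // traffic that arrives on the public endpoint.
    publicNetworkAccess: 'Disabled'
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'None'
    }
  }
}

// Zone name follows the privatelink.<service> convention that the public
// CNAME points at; environment().suffixes.storage is 'core.windows.net'.
resource zone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.blob.${environment().suffixes.storage}'
  location: 'global'
}

// Only VNets linked to the zone receive the private answer; from anywhere
// else the FQDN still resolves to the public endpoint.
resource zoneLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: zone
  name: '${vnetName}-link'
  location: 'global'
  properties: {
    registrationEnabled: false
    virtualNetwork: {
      id: vnet.id
    }
  }
}

resource pe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-${storageName}-blob'
  location: location
  properties: {
    subnet: {
      id: vnet.properties.subnets[0].id
    }
    privateLinkServiceConnections: [
      {
        name: 'blob'
        properties: {
          privateLinkServiceId: stg.id
          groupIds: [ 'blob' ]   // one endpoint per sub-resource (blob, file, ...)
        }
      }
    ]
  }
}

// Creates and maintains the A record
// <storageName>.privatelink.blob.core.windows.net -> private endpoint NIC IP.
resource peDns 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: pe
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'blob'
        properties: {
          privateDnsZoneId: zone.id
        }
      }
    ]
  }
}
```

After deployment, resolving `<storageName>.blob.core.windows.net` from a VM in the linked VNet should return an address in `10.10.2.0/24`, while the same lookup from outside the VNet still returns the public address; if the in-VNet lookup returns a public IP, the VNet is not linked to the zone or a custom DNS server in the VNet is not forwarding to Azure DNS.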
The diagram below depicts the SQL PaaS service that is brought into the Azure Virtual network via a Private endpoint.
Azure Private Link service lets you offer your own service over Private Link. A service hosted behind an Azure Standard Load Balancer can be enabled for Private Link access, and consumers then reach it privately from their own VNets: they create a private endpoint in their virtual network and connect it to your service in a few steps.
Benefits of Private Endpoints and Private Link:
- Barrier removal for organizations with compliance or governance requirements.
- Private and secured traffic flow within the organization.
- Meeting security requirements for available PaaS Services without public internet access.
- Making internal PaaS or IaaS services available via Private Endpoint.
- Allowing access to business units or external customers without internet traffic.
- Ensuring secure and controlled access to resources.
- A private endpoint also secures traffic from on-premises to Azure when you only have private peering, so Microsoft peering is no longer required for that traffic.
Limitations of Private Endpoints and Private Link:
- The main drawback is the DNS resolution requirement.
- Integrating existing on-premises DNS with private endpoints requires a more complex architecture involving Azure Private DNS and hybrid DNS forwarding.
- Private endpoints are charged per endpoint, plus a charge for inbound and outbound data processed.
When to use Private Endpoints:
- Private Endpoint is the recommended service for restricting access to a PaaS service.
- Apart from the added complexity, Private Link is the better choice over Service Endpoints.
- For hybrid connectivity, this option requires only ExpressRoute private peering, not Microsoft peering, for a secure connection into the Azure VNet.
- This method provides more security options, and Azure PaaS resources can now be reached from the on-premises network via private peering.
What is the difference between Service Endpoint and Private Link (endpoint)?
The critical difference is where the traffic ends up. Private Link brings a multi-tenant PaaS resource into your virtual network: the resource acquires a private IP address in your VNet, so traffic to it stays inside the virtual network and never exits it, giving you full control. With Service Endpoints, the traffic still leaves your VNet and connects to the public endpoint of the PaaS resource.
Let me explain with a few scenario-based examples:
Scenario 1: If you need to make your Azure PaaS instance available to a different Azure tenant, you can use private endpoints. You share your PaaS instance’s resource ID, and the other party deploys a private endpoint against it. Alternatively, you create a virtual network for them, add the private endpoints there, and share that network via peering or VPN. Traffic is sent privately over the Microsoft backbone and doesn’t traverse the internet. Azure Private Link doesn’t store customer data.
Scenario 2: When a third-party vendor hosts a SaaS solution in Azure, a customer can reach it over ExpressRoute with Microsoft peering instead of the public internet. Microsoft peering advertises Azure public IP ranges to the customer, so if the SaaS provider runs its solution on Azure public IPs, the customer reaches it via ExpressRoute Microsoft peering.
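The first half of Scenario 1, as an added Bicep example that is not part of the original post: the consumer tenant creates a private endpoint against a resource ID shared by the provider tenant. Because the consumer has no permissions on the provider's resource, the connection has to be a manual one that the provider approves; the resource ID, names and API version are placeholder assumptions.

```bicep
// Added example (not from the original post): consumer-side private endpoint
// to a storage account owned by another Azure tenant. The consumer only knows
// the provider's resource ID; the connection stays Pending until the provider
// approves it. All names and the resource ID format are placeholder assumptions.
param location string = resourceGroup().location

@description('Resource ID of a subnet in the consumer tenant that will host the endpoint NIC')
param subnetId string

@description('Resource ID shared by the provider, e.g. /subscriptions/<PROVIDER_SUB>/resourceGroups/<RG>/providers/Microsoft.Storage/storageAccounts/<ACCOUNT>')
param providerStorageId string

resource pe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-partner-blob'
  location: location
  properties: {
    subnet: {
      id: subnetId
    }
    // manualPrivateLinkServiceConnections is used instead of
    // privateLinkServiceConnections: without RBAC on the target resource the
    // connection cannot be auto-approved, so the provider must approve it.
    manualPrivateLinkServiceConnections: [
      {
        name: 'partner-blob'
        properties: {
          privateLinkServiceId: providerStorageId
          groupIds: [ 'blob' ]
          requestMessage: 'Private endpoint request from <CONSUMER TEAM>, ticket <TICKET>'
        }
      }
    ]
  }
}

// Reads 'Pending' after deployment and 'Approved' once the provider accepts
// the connection on their side.
output connectionStatus string = pe.properties.manualPrivateLinkServiceConnections[0].properties.privateLinkServiceConnectionState.status
```

The private DNS zone and zone group are the same as in a same-tenant deployment and live entirely in the consumer tenant. On the provider side, the request shows up under the resource's private endpoint connections and is approved or rejected there (portal, or `az network private-endpoint-connection approve`); until then the endpoint NIC exists but the connection does not pass traffic.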
That's the end of the post. I hope you enjoyed learning about these services.
Santhosh has over 15 years of experience in IT. He works as a Cloud Infrastructure Architect and has a wide range of expertise in Microsoft technologies, specializing in public and private cloud services for enterprise customers. His varied background includes work in cloud computing, virtualization, storage, networks, automation and DevOps.