
Azure Service Endpoint

Overview

Azure Service Endpoint is a feature that provides direct connectivity from a virtual network to Azure services. It extends the identity of your virtual network to the Azure services over a direct connection. The traffic to the Azure service always remains on the Microsoft Azure backbone network. Service Endpoints are not supported across different AD tenants for most services, except for Azure Storage and Azure Key Vault.

Service Endpoint Policy

Service Endpoint Policies allow us to control which Azure service resources are reachable through a Service Endpoint. They provide an additional layer of security by ensuring that a service endpoint cannot be used to reach every instance of a resource type. For example, if a subnet has a Microsoft.Storage service endpoint, we can create a Service Endpoint Policy that allows access to only a specific storage account. Without the policy, the service endpoint can be used to access all storage accounts in the region.

  • Currently, only the Microsoft.Storage provider is compatible with Service Endpoint Policies.
  • We can scope access to one of three options:
    • All storage accounts in the subscription
    • All storage accounts in a specific resource group
    • A specific storage account

Example Usage

  1. Create a Service Endpoint Policy
  2. Associate the Service Endpoint Policy with a subnet
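Both steps as one Bicep deployment, added here as an example that is not part of the original post. The resource names (sep-storage-allowlist, demo-vnet, app-subnet, stdemo001) and the subnet prefix are assumptions; the policy is scoped to a single storage account, with the subscription and resource-group forms noted in comments.

```bicep
// Added example, not from the original post. All names below are assumed.
param location string = resourceGroup().location
param storageAccountName string = 'stdemo001'
param vnetName string = 'demo-vnet'
param subnetName string = 'app-subnet'

// The storage account and virtual network are assumed to exist already.
resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {
  name: storageAccountName
}

resource vnet 'Microsoft.Network/virtualNetworks@2023-04-01' existing = {
  name: vnetName
}

// Step 1: create the Service Endpoint Policy.
// Only Microsoft.Storage is currently supported as the policy service.
resource sep 'Microsoft.Network/serviceEndpointPolicies@2023-04-01' = {
  name: 'sep-storage-allowlist'
  location: location // must be the same region as the virtual network
  properties: {
    serviceEndpointPolicyDefinitions: [
      {
        name: 'allow-single-account'
        properties: {
          service: 'Microsoft.Storage'
          // Scope options: a whole subscription ('/subscriptions/<id>'),
          // a resource group ('/subscriptions/<id>/resourceGroups/<rg>'),
          // or, as here, one specific storage account.
          serviceResources: [ storage.id ]
        }
      }
    ]
  }
}

// Step 2: associate the policy with the subnet that carries the
// Microsoft.Storage service endpoint. Without serviceEndpointPolicies,
// the endpoint would allow traffic to any storage account in the region.
resource subnet 'Microsoft.Network/virtualNetworks/subnets@2023-04-01' = {
  parent: vnet
  name: subnetName
  properties: {
    addressPrefix: '10.0.1.0/24' // assumed prefix
    serviceEndpoints: [ { service: 'Microsoft.Storage' } ]
    serviceEndpointPolicies: [ { id: sep.id } ]
  }
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file main.bicep`; after deployment, requests from the subnet to any storage account other than stdemo001 are denied by the policy.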
