Microsoft AZ-700: Explain Virtual Network Service Endpoints

Reading Time: 3 minutes

Notes from MS Learn AZ-700 Module 7: Design and Implement Private Access to Azure Services: Unit 2: Explain Virtual Network Service Endpoints

Scenario: your org migrates an existing ERP app with its DB server to Azure VMs. Now you consider Azure PaaS for cost/admin reasons. Storage services hold large file assets: engineering diagrams with proprietary info that must stay secure from unauthorized access and be accessible only from specific systems.

  • What is a virtual network service endpoint
    • A VNet service endpoint provides secure and direct connectivity to Azure services. Service endpoints let you restrict critical Azure service resources to only your VNets. Service endpoints enable private IP addrs in the VNet to reach the endpoint of an Azure service without needing a public IP
    • By default, Azure services are designed for direct Internet access. All Azure resources have public IPs, including PaaS services such as Azure SQL and Storage. Since they are exposed to the INET, anyone could potentially reach these Azure services
    • Service endpoints can connect certain PaaS services directly to the private address space in Azure
    • Service endpoints use the private address space to access PaaS services directly
    • Adding a service endpoint doesn’t remove the public endpoint; it redirects the VNet’s traffic to the service
  • Preparing to Implement Service Endpoints
    • Two required steps
      • Turn off public access to service
      • Add Service Endpoint to VNet
    • When a Service Endpoint is enabled, traffic flow is restricted and Azure VMs reach the service directly from the private addr space
    • Devices on the public network cannot access the service
    • On the VM vNIC effective routes, Service Endpoint becomes the Next Hop Type
    • Example route table before enabling Service Endpoint (Table below from MS Learn)
    • Example route table after adding 2 Service Endpoints to VNet (Table below from MS Learn)
    • All traffic for service now routed to VNet Service Endpoint and remains inside Azure
  • Create Service Endpoints
    • Planning to move sensitive diagrams into Azure Storage. Files must only be accessible from computers inside the corp network. You create a VNet Service Endpoint for Azure Storage to secure connectivity to the storage accounts
    • Steps
      • Enable service endpoint on a subnet
      • Use network rules to restrict access to Azure Storage
      • Create a virtual network service endpoint for Azure Storage
      • Verify access is denied appropriately
  • Configure service tags
    • A service tag represents a group of IP prefixes from a given Azure service. MS manages the prefixes encompassed by the service tag and updates the addresses automatically, minimizing the complexity of frequent updates to network security rules
    • You can use service tags to define network access controls on network security groups or the FW
    • Use service tags in place of specific IPs when creating security rules
    • Specifying the service tag name (e.g. ApiManagement) in the appropriate SRC/DST of a rule allows or denies traffic for that service
    • As of March 2021 Service Tags can be used in place of IP ranges in user defined routes. Currently in Public Preview
    • Use service tags to achieve network isolation and protect Azure resources from the general Internet while still accessing Azure services that have public endpoints
    • Create In/Out network security group rules that deny to/from INET and allow to/from AzureCloud or other specific Azure services
  • Available service tags
    • Follow this MS Table for all service tags available for use in NSG rules. Columns define whether the tag:
      • Is suitable for rules that cover in/outbound traffic
      • Supports regional scope
      • Is usable in FW rules
    • By default, service tags cover the entire cloud
    • Some tags also allow more granular control by restricting the IP ranges to a specific region
    • Service tags denote prefixes from the specific cloud being used
    • If you implement a VNet service endpoint, Azure adds a route to the VNet subnet. The prefixes in that route are the same as the prefixes of the corresponding service tag
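As an added example (not from the MS Learn module or this post), the two steps under "Create Service Endpoints" and the service-tag NSG rules under "Configure service tags" expressed as one Bicep template; the resource names, the 10.10.0.0/16 address space and the regional tag Storage.EastUS are assumed.

```bicep
// Added example (not from the MS Learn module or this post); names vnet-erp, snet-app, nsg-app, sterpdiagrams001 and the regional tag Storage.EastUS are assumed.
param location string = resourceGroup().location
// NSG built from service tags: allow HTTPS to Storage in this region, deny the rest of the Internet
resource nsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-app'
  location: location
  properties: {
    securityRules: [
      {
        name: 'Allow-Storage-Out'
        properties: { priority: 100, direction: 'Outbound', access: 'Allow', protocol: 'Tcp', sourceAddressPrefix: 'VirtualNetwork', sourcePortRange: '*', destinationAddressPrefix: 'Storage.EastUS', destinationPortRange: '443' }
      }
      {
        name: 'Deny-Internet-Out'
        properties: { priority: 200, direction: 'Outbound', access: 'Deny', protocol: '*', sourceAddressPrefix: '*', sourcePortRange: '*', destinationAddressPrefix: 'Internet', destinationPortRange: '*' }
      }
    ]
  }
}
// Step 1: enable the Microsoft.Storage service endpoint on the subnet (adds the Storage-prefix route)
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-erp'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [
      {
        name: 'snet-app'
        properties: {
          addressPrefix: '10.10.1.0/24'
          networkSecurityGroup: { id: nsg.id }
          serviceEndpoints: [ { service: 'Microsoft.Storage' } ]
        }
      }
    ]
  }
}
// Step 2: storage firewall denies by default and allows only the endpoint-enabled subnet
resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: 'sterpdiagrams001'
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    networkAcls: {
      defaultAction: 'Deny'
      virtualNetworkRules: [ { id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, 'snet-app'), action: 'Allow' } ]
    }
  }
}
```

The storage account’s public endpoint still exists; it is the `defaultAction: 'Deny'` network rule that blocks it, while the service endpoint lets traffic from snet-app arrive with its VNet identity and match the allow rule.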
Permanent link to this article: https://www.packetpilot.com/microsoft-az-700-explain-virtual-network-service-endpoints/