Service Endpoint deployment

HASSAN BIN NASIR DAR 311 Reputation points
2024-12-23T22:03:28.3233333+00:00

I have two questions:

  1. If I want to configure a service endpoint between a subnet and a Storage service, does the virtual machine that is part of the subnet need a public IP?
  2. How can I verify whether the connection is established over the internet or the Microsoft backbone network?

Regards


2 answers

  1. Andriy Bilous 11,541 Reputation points MVP
    2024-12-23T22:21:20.6766667+00:00

    Hello HASSAN BIN NASIR DAR

    Answering your questions

    1. No, the virtual machine (VM) that is part of the subnet does not need a public IP to configure a service endpoint between the subnet and a Storage service. Service endpoints use private IP addresses in the virtual network (VNet) to reach the endpoint of Azure services.
      https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
    2. To verify whether the connection is established over the internet or the Microsoft backbone network, you can check the effective routes on the network interface of the VM.

    Also consider that traffic to a Storage Account in the same region as a VM always traverses the Microsoft backbone network.

    • It does not matter whether you have enabled a service endpoint or not.
    • A service endpoint simply "allows" the traffic at the Storage Account.
    • If you were not to enable the service endpoint, you will see a 4xx error when you access the Storage Account.
    • If the service endpoint is enabled, you will see an HTTP 200 success.
    • In both cases, traffic will always be on the Microsoft backbone network and will use the private IP of the VM as source.

    https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal#restrictions-for-ip-network-rules

    https://learn.microsoft.com/en-us/answers/questions/1664558/traffic-through-microsoft-backbone-network
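The check suggested in point 2 above, worked through as an added example (not part of the answer): the effective route table of the VM's NIC, as returned by `az network nic show-effective-route-table`, is searched for the most specific Active route covering the storage IP, and the winner's `nextHopType` tells you whether the destination is reached via `VirtualNetworkServiceEndpoint`, the VNet, or `Internet`. The route table below is a constructed sample in that output shape, and the storage prefixes in it are placeholders.

```python
"""Longest-prefix match over an Azure effective route table to see whether a
destination is reached via a service endpoint, the VNet, or the Internet."""
import ipaddress
import json

# Constructed sample in the shape of `az network nic show-effective-route-table`
# output (not real data); the service-endpoint prefixes are placeholders.
SAMPLE_ROUTE_TABLE = json.dumps({
    "value": [
        {"addressPrefix": ["10.0.0.0/16"], "nextHopType": "VnetLocal",
         "source": "Default", "state": "Active"},
        {"addressPrefix": ["0.0.0.0/0"], "nextHopType": "Internet",
         "source": "Default", "state": "Active"},
        {"addressPrefix": ["203.0.113.0/24", "198.51.100.0/24"],
         "nextHopType": "VirtualNetworkServiceEndpoint",
         "source": "Default", "state": "Active"},
        # A UDR that is not in effect must be ignored when matching
        {"addressPrefix": ["0.0.0.0/0"], "nextHopType": "VirtualAppliance",
         "source": "User", "state": "Invalid"},
    ]
})


def best_route(route_table_json: str, destination: str):
    """Return (prefix, nextHopType) of the most specific Active route
    covering `destination`, or (None, None) if nothing matches."""
    dest = ipaddress.ip_address(destination)
    routes = json.loads(route_table_json)["value"]
    best, best_len = (None, None), -1
    for route in routes:
        if route.get("state") != "Active":
            continue  # invalid or superseded routes never carry traffic
        for prefix in route["addressPrefix"]:
            net = ipaddress.ip_network(prefix, strict=False)
            if dest in net and net.prefixlen > best_len:
                best, best_len = (prefix, route["nextHopType"]), net.prefixlen
    return best


def uses_service_endpoint(route_table_json: str, destination: str) -> bool:
    """True when the destination is reached via a service-endpoint route."""
    return best_route(route_table_json, destination)[1] == "VirtualNetworkServiceEndpoint"


if __name__ == "__main__":
    # Resolve the storage account's FQDN to an IP first, then feed it in here.
    for ip in ("203.0.113.10", "10.0.1.4", "8.8.8.8"):
        print(ip, "->", best_route(SAMPLE_ROUTE_TABLE, ip))
```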


  2. Keshavulu Dasari 2,420 Reputation points Microsoft Vendor
    2024-12-24T03:50:55.08+00:00

    Hi HASSAN BIN NASIR DAR,
    When you configure a service endpoint, the VM in the subnet can access the Azure Storage service using its private IP address. The traffic is routed through the Microsoft backbone network, not the internet. The VM does not need a public IP to access the storage URL because the service endpoint ensures that the traffic stays within Azure's network.

    Service Endpoint vs. Private Endpoint:

    • Service Endpoint: When you enable a service endpoint, the traffic from your virtual network to the Azure service (like Storage) is routed through the Microsoft backbone network. The service endpoint allows the Azure service to identify traffic coming from your virtual network's private IP addresses, even though the service itself is accessed via its public endpoint.
    • Private Endpoint: This creates a private IP address within your virtual network for the Azure service. All traffic between your virtual network and the service stays entirely within the Azure network, using private IP addresses. This means the service is accessed directly via its private IP, providing an additional layer of security.

    With a service endpoint, the traffic is routed through the Microsoft backbone network but still uses the public endpoint of the service. With a private endpoint, the service is accessed via a private IP within your virtual network, ensuring all traffic remains private.
    For more information:
    https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/service-endpoints-vs-private-endpoints/3962134


    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.

    If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.

