Single Subnet vs Separate Subnets for Private Endpoints

Taranjeet Malik 546 Reputation points
2024-10-14T23:32:36.1966667+00:00

Hi

We're building various services in Azure (Logic App, Function App, Storage Account, Event Grid, Event Bus, Service Bus, and APIM). These services will be enabled with a Private Endpoint (PE) and all public endpoint connectivity will be disabled. We understand that we can create private endpoints for various services in a single Azure subnet. However, we're unsure whether the PEs for all services should be placed in a single subnet or separated out, say per the N-tier architecture. We could not find any guidance on what's a good and secure practice around this.

Placing them all in a single subnet is much cleaner, but on the flip side, if there are separate NSG and Service Endpoint requirements, we end up enabling all of them on the same subnet. Is this really a valid reason to go with a multiple-subnet structure?

Looking forward to hearing the expert thoughts.

Thanks


1 answer

  1. KapilAnanth-MSFT 47,206 Reputation points Microsoft Employee
    2024-10-15T10:12:46.38+00:00

    @Taranjeet Malik ,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    To answer your question in short,

    • This completely depends on your architecture.

    Summary,

    • Per your verbatim, you said you will be using multiple PaaS services.
    • But you did not mention what the users (sources) would be.
    • If they are going to access all of these services from a VM (or P2S or S2S) which are all part of the same private network, then it would make sense to put them in a single subnet.
    • However, if certain sources access only a certain set of PaaS services and a different set of sources accesses a different set of PaaS services, then it is better to group them based on this.
      • This would give you the ability to use UDRs or NSGs on these PE subnets in the future, if required.

    Kindly let us know if this helps or you need further assistance on this issue.

    Thanks,

    Kapil


    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
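The second option in the answer above (group private endpoints by the sources that use them, so each PE subnet can carry its own NSG) laid out as a Bicep template. This is an added illustration, not code from the thread or from Microsoft; the VNet name, address ranges, subnet names, NSG rules and the two existing resource IDs passed in as parameters are all assumed values. Note that NSG rules are only evaluated for traffic to private endpoints when `privateEndpointNetworkPolicies` is set to `Enabled` on the PE subnet, which is why the template sets it explicitly.

```bicep
// Added example: two private-endpoint subnets, each with its own NSG, so that
// the app tier can only reach the Function App PE and the data tier can only
// reach the Storage blob PE. All names and prefixes below are assumed.
param location string = resourceGroup().location
param functionAppId string      // assumed: resource ID of an existing Function App
param storageAccountId string   // assumed: resource ID of an existing Storage Account

// One entry per PE subnet: which source subnet is allowed to talk to it.
var peSubnets = [
  { name: 'snet-pe-app',  prefix: '10.0.10.0/26', allowedSource: '10.0.1.0/24' }  // app tier
  { name: 'snet-pe-data', prefix: '10.0.11.0/26', allowedSource: '10.0.2.0/24' }  // data tier
]

// One NSG per PE subnet. The explicit deny at priority 4000 is needed because the
// default AllowVnetInBound rule (priority 65000) would otherwise admit the whole VNet.
resource peNsg 'Microsoft.Network/networkSecurityGroups@2023-09-01' = [for s in peSubnets: {
  name: 'nsg-${s.name}'
  location: location
  properties: {
    securityRules: [
      {
        name: 'allow-https-from-${replace(s.allowedSource, '/', '-')}'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: s.allowedSource
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '443'
        }
      }
      {
        name: 'deny-other-vnet-inbound'
        properties: {
          priority: 4000
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: 'VirtualNetwork'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
    ]
  }
}]

resource vnet 'Microsoft.Network/virtualNetworks@2023-09-01' = {
  name: 'vnet-workload'   // assumed name
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    subnets: [for (s, i) in peSubnets: {
      name: s.name
      properties: {
        addressPrefix: s.prefix
        // Required for the attached NSG to be enforced on private endpoint traffic.
        privateEndpointNetworkPolicies: 'Enabled'
        networkSecurityGroup: { id: peNsg[i].id }
      }
    }]
  }
}

// Function App PE lives in the app-tier PE subnet.
resource peFunction 'Microsoft.Network/privateEndpoints@2023-09-01' = {
  name: 'pe-functionapp'
  location: location
  properties: {
    subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, 'snet-pe-app') }
    privateLinkServiceConnections: [
      { name: 'functionapp', properties: { privateLinkServiceId: functionAppId, groupIds: [ 'sites' ] } }
    ]
  }
}

// Storage blob PE lives in the data-tier PE subnet.
resource peStorageBlob 'Microsoft.Network/privateEndpoints@2023-09-01' = {
  name: 'pe-storage-blob'
  location: location
  properties: {
    subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, 'snet-pe-data') }
    privateLinkServiceConnections: [
      { name: 'storage-blob', properties: { privateLinkServiceId: storageAccountId, groupIds: [ 'blob' ] } }
    ]
  }
}
```

With a single shared PE subnet, the same NSG would have to admit both source ranges to every endpoint in it, which is the trade-off the question describes. Private DNS zones and zone groups are left out here since they are the same in either layout.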

