Service Endpoint deployment

HASSAN BIN NASIR DAR 351 Reputation points
2024-12-23T22:03:28.3233333+00:00

I have two questions:

  1. If I want to configure a service endpoint between a subnet and a Storage service, does the virtual machine that is part of the subnet need a public IP?
  2. How can I verify whether the connection is established over the internet or the Microsoft backbone network?

Regards

Azure Storage Accounts

Accepted answer
  1. Keshavulu Dasari 2,830 Reputation points Microsoft Vendor
    2024-12-25T07:18:13.44+00:00

    Hi HASSAN BIN NASIR DAR,
    When you use a service endpoint for your storage account, the connection is established between your VM's private IP and the public endpoint of the storage service.

    Service Endpoint: Your VM uses its private IP to connect to the Azure Storage service. The traffic is routed over the Microsoft backbone network, ensuring it doesn't traverse the public internet. However, the storage service itself is accessed via its public endpoint (public IP address). This setup enhances security by keeping the traffic within Microsoft's network.

    Private Endpoint: In contrast, a private endpoint assigns a private IP address to the Azure Storage service within your VNet. This means both your VM and the storage service communicate entirely over private IPs within your VNet, never using the public internet or public IPs.


    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.


2 additional answers

  1. Andriy Bilous 11,621 Reputation points MVP
    2024-12-23T22:21:20.6766667+00:00

    Hello HASSAN BIN NASIR DAR

    Answering your questions

    1. No, the virtual machine (VM) that is part of the subnet does not need a public IP to configure a service endpoint between the subnet and a Storage service. Service endpoints use private IP addresses in the virtual network (VNet) to reach the endpoint of Azure services.
      https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
    2. To verify whether the connection is established over the internet or the Microsoft backbone network, you can check the effective routes on the network interface of the VM.

    Also consider that traffic to a Storage Account in the same region as the VM always traverses the Microsoft backbone network.

    • It does not matter whether you have enabled the service endpoint or not.
    • The service endpoint simply "allows" the traffic at the Storage Account.
    • If you do not enable the service endpoint, you will see a 4xx error when you access the Storage Account.
    • If the service endpoint is enabled, you will see a 200 HTTP Success.
    • In both cases, traffic will always be on the Microsoft backbone network and will use the private IP of the VM as source.

    https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal#restrictions-for-ip-network-rules

    https://learn.microsoft.com/en-us/answers/questions/1664558/traffic-through-microsoft-backbone-network
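The "check the effective routes" step above can be scripted. The following is an added example, not code from the answer above or from Microsoft: it takes the JSON that `az network nic show-effective-route-table -g <rg> -n <nic>` prints, resolves the destination (the public IP of the storage account's `*.blob.core.windows.net` name) against the table by longest-prefix match, and reports whether the matching next hop is `VirtualNetworkServiceEndpoint` (backbone via the service endpoint), `Internet` (still backbone for same-region storage, but without the endpoint) or `VnetLocal`. The sample route table is constructed inline in that shape; the field names `addressPrefix`, `nextHopType`, `source` and `state` are assumed to match the CLI output, and the storage prefixes are documentation-range placeholders, not real Azure ranges.

```python
import ipaddress
import json

# Constructed sample shaped like `az network nic show-effective-route-table` output.
# Assumption: the CLI returns {"value": [ {addressPrefix: [...], nextHopType, ...} ]}.
# The 203.0.113.0/24 and 198.51.100.0/25 prefixes are placeholders standing in for
# the regional Storage prefixes that appear once Microsoft.Storage is enabled on the subnet.
SAMPLE_EFFECTIVE_ROUTES = json.dumps({
    "value": [
        {"addressPrefix": ["10.0.0.0/16"], "nextHopType": "VnetLocal",
         "nextHopIpAddress": [], "source": "Default", "state": "Active"},
        {"addressPrefix": ["0.0.0.0/0"], "nextHopType": "Internet",
         "nextHopIpAddress": [], "source": "Default", "state": "Active"},
        {"addressPrefix": ["203.0.113.0/24", "198.51.100.0/25"],
         "nextHopType": "VirtualNetworkServiceEndpoint",
         "nextHopIpAddress": [], "source": "Default", "state": "Active"},
        # An inactive route must be ignored even though it is more specific.
        {"addressPrefix": ["203.0.113.0/25"], "nextHopType": "None",
         "nextHopIpAddress": [], "source": "User", "state": "Invalid"},
    ]
})


def load_routes(raw_json):
    """Flatten the effective-route table into (network, nextHopType) pairs.

    Only routes in state "Active" are considered; each entry may carry
    several address prefixes, so they are expanded one per tuple.
    """
    routes = []
    for entry in json.loads(raw_json)["value"]:
        if entry.get("state") != "Active":
            continue
        for prefix in entry["addressPrefix"]:
            routes.append((ipaddress.ip_network(prefix), entry["nextHopType"]))
    return routes


def next_hop_for(routes, destination_ip):
    """Return the nextHopType of the most specific (longest prefix) matching route."""
    ip = ipaddress.ip_address(destination_ip)
    best = None
    for net, hop in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def service_endpoint_in_effect(routes, storage_public_ip):
    """True when traffic to the storage IP leaves via the service-endpoint route."""
    return next_hop_for(routes, storage_public_ip) == "VirtualNetworkServiceEndpoint"


def explain(routes, destination_ip):
    """Human-readable verdict for the question asked in the thread."""
    hop = next_hop_for(routes, destination_ip)
    if hop == "VirtualNetworkServiceEndpoint":
        return f"{destination_ip}: service endpoint route (backbone, VM private IP as source)"
    if hop == "Internet":
        return f"{destination_ip}: default Internet route (no service endpoint route for this prefix)"
    if hop == "VnetLocal":
        return f"{destination_ip}: inside the VNet"
    return f"{destination_ip}: no active route ({hop})"


if __name__ == "__main__":
    # In practice: raw = subprocess.run(["az", "network", "nic", "show-effective-route-table",
    #   "-g", RG, "-n", NIC], capture_output=True, text=True).stdout
    # and destination_ip = socket.gethostbyname(f"{account}.blob.core.windows.net").
    table = load_routes(SAMPLE_EFFECTIVE_ROUTES)
    for dest in ("203.0.113.10", "198.51.100.200", "10.0.1.4"):
        print(explain(table, dest))
```

The inactive, more specific `/25` route in the sample shows why the `state` filter matters: without it the longest-prefix match would pick a route the platform is not actually using. Note that `198.51.100.200` falls outside the `/25` and so matches the default route, which is exactly the situation the answer describes as "backbone anyway, but a 4xx from the storage firewall until the endpoint is enabled".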


  2. Keshavulu Dasari 2,830 Reputation points Microsoft Vendor
    2024-12-29T13:47:19.1266667+00:00

    Hi HASSAN BIN NASIR DAR,
    Without a service endpoint enabled, the storage account will not accept traffic from your VNet. This means that your VM in the VNet cannot directly access the storage account using its private IP. Instead, you would need to access the storage account over the public internet, which involves using the storage account's public endpoint.


    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.
    If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.

