Understanding Azure vNET Service Endpoints

1. Virtual Network (VNet) service endpoints extend your virtual network private address space and the identity of your VNet to the Azure services. 

  • The key point is the direction: your VNet address space is extended to the Azure service.
  • VNet private address --> Azure service

It does NOT bring Azure services into your VNet. The Azure service is NOT in your VNet; it is usually still a multi-tenant service.

2. Endpoints allow you to secure your critical Azure service resources to only your virtual networks.

There are actually TWO steps to make it work.

  1. Turn on service endpoints for the Azure service.
  2. Set up VNet ACLs on the Azure service.

As you can see, enabling service endpoints is only one of the two steps. Turning on the service endpoint on the network side alone does not restrict access to the service; without the VNet ACL on the service, it remains reachable from anywhere.

3. Traffic from your VNet to the Azure service always remains on the Microsoft Azure backbone network.

If you don't have service endpoints enabled, does traffic still go through the Azure backbone network?

  • a. In the same region, traffic from a VNet to Azure services always stays within Azure (even though you are using the public endpoint (IP address), the traffic still stays in Azure).
  • b. "Azure traffic between our datacenters stays on our network and does not flow over the Internet." (https://aka.ms/microsofts-network)

So Azure controls the network flow either way. With service endpoints enabled and an Azure service that supports them, the traffic is always kept within Azure.

4. Endpoints are enabled on subnets configured in Azure virtual networks. Endpoints cannot be used for traffic from your premises to Azure services.

5. Not all services support service endpoints globally.

For Azure SQL, a service endpoint applies only to Azure service traffic within a virtual network’s region. For Azure Storage, to support RA-GRS and GRS traffic, endpoints also extend to include paired regions where the virtual network is deployed. For ADLS Gen 1, the VNet Integration capability is only available for virtual networks within the same region.

6. Enabling a service endpoint might cause a temporary interruption to service traffic from the subnet while the endpoint is being configured.

After enabling a service endpoint, the source IP addresses of virtual machines in the subnet switch from their public IPv4 addresses to their private IPv4 addresses when communicating with the service from that subnet. Any existing open TCP connections to the service are closed during this switch. Ensure that no critical tasks are running when enabling or disabling a service endpoint to a service for a subnet. Also, ensure that your applications can automatically reconnect to Azure services after the IP address switch.

The IP address switch only impacts service traffic from your virtual network. There is no impact to any other traffic addressed to or from the public IPv4 addresses assigned to your virtual machines. For Azure services, if you have existing firewall rules using Azure public IP addresses, these rules stop working with the switch to virtual network private addresses.

7. An NSG rule allowing traffic to the Internet or to the service tag is still needed.

Please read item 1: the service endpoint does not bring Azure services into your VNet, so you still need to allow traffic to the Internet or to the service tag. Enabling a service endpoint does not mean you can block all Internet traffic while still accessing the Azure service through its public endpoint.
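As an added example that is not part of the original post, the two steps from item 2 and the NSG requirement from item 7 in one Bicep deployment; the names vnet-app, snet-app and nsg-app, the address ranges and the storageAccountName parameter are assumptions.

```bicep
param location string = resourceGroup().location
param storageAccountName string // assumed: globally unique, supplied at deploy time

// Item 7: outbound to the Storage service tag must stay allowed; the endpoint does not
// put the service inside the VNet, so a blanket "deny Internet" outbound rule breaks access.
resource nsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-app'
  location: location
  properties: {
    securityRules: [ {
      name: 'allow-storage-tag-out'
      properties: { priority: 100, direction: 'Outbound', access: 'Allow', protocol: 'Tcp', sourceAddressPrefix: 'VirtualNetwork', sourcePortRange: '*', destinationAddressPrefix: 'Storage', destinationPortRange: '443' }
    } ]
  }
}
// Step 1: service endpoint on the subnet (network side only; grants nothing by itself).
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-app'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [ {
      name: 'snet-app'
      properties: {
        addressPrefix: '10.10.1.0/24'
        networkSecurityGroup: { id: nsg.id }
        serviceEndpoints: [ { service: 'Microsoft.Storage' } ]
      }
    } ]
  }
}
// Step 2: VNet ACL on the service. defaultAction 'Deny' is what actually limits access;
// with step 1 alone (default 'Allow') the account is still reachable from any public source.
resource sa 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'AzureServices'
      virtualNetworkRules: [ { id: '${vnet.id}/subnets/snet-app', action: 'Allow' } ]
    }
  }
}
```

After deployment, a request from outside snet-app receives the HTTP 403/404 described in item 10, while the VM's effective routes show the Storage prefixes with next hop VirtualNetworkServiceEndpoint (item 11).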

8. Service endpoints protect Azure services, NOT your VNet resources.

See item 2: it is a protection for Azure services. Your VNet resources are still protected by NSGs.

9. Enabling service endpoints across different subscriptions is supported, but the subscriptions must be in the same AAD tenant.

10. What happens when you access an Azure service account that has virtual network access control list (ACL) enabled from outside the VNet?
An HTTP 403 or HTTP 404 error is returned.

11. Service endpoint routes override any BGP or UDR routes for the address prefix match of an Azure service.

Once you've enabled a service endpoint, you will find that a VM in the subnet/VNet has the following effective routes.

[Image: effective routes of a VM in the subnet after the service endpoint is enabled]

For more information: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq#virtual-network-service-endpoints
