Service endpoint policies when to use?

Salves 501 Reputation points
2020-09-05T21:04:24.937+00:00

Hi,

I see that I can enable the option (service endpoint policies) when creating a virtual network in azure.

I read that it aims to protect access to azure services, but I didn't understand in practice whether or not I need to use this option.

Can someone help me by explaining some practical scenario that this option would apply?

I will need to enable network protection between the subnet to allow specific port access between the subnet, but I understand that to have this block I must use the NSGs.

Thank you.


3 answers

  1. Sumarigo-MSFT 44,336 Reputation points Microsoft Employee
    2020-09-07T15:19:11.71+00:00

    @Salves Virtual Network (VNet) service endpoint policies allow you to filter egress virtual network traffic to Azure Storage accounts over service endpoint, and allow data exfiltration to only specific Azure Storage accounts. Endpoint policies provide granular access control for virtual network traffic to Azure Storage when connecting over service endpoint.

    Advantage: Virtual network service endpoint policies provide the following benefits:

    • Improved security for your Virtual Network traffic to Azure Storage: Azure service tags for network security groups allow you to restrict virtual network outbound traffic to specific Azure Storage regions. However, this allows traffic to any account within the selected Azure Storage region.

    Endpoint policies allow you to specify the Azure Storage accounts that are allowed virtual network outbound access and restricts access to all the other storage accounts. This gives much more granular security control for protecting data exfiltration from your virtual network.

    • Scalable, highly available policies to filter Azure service traffic

    Endpoint policies provide a horizontally scalable, highly available solution to filter Azure service traffic from virtual networks, over service endpoints. No additional overhead is required to maintain central network appliances for this traffic in your virtual networks.

    Scenarios

    • Peered, connected or multiple virtual networks: To filter traffic in peered virtual networks, endpoint policies should be applied individually to these virtual networks.
    • Filtering Internet traffic with Network Appliances or Azure Firewall: Filter Azure service traffic with policies, over service endpoints, and filter rest of the Internet or Azure traffic via appliances or Azure Firewall.
    • Filtering traffic on Azure services deployed into Virtual Networks: At this time, Azure Service Endpoint Policies are not supported for any managed Azure services that are deployed into your virtual network.
    • Filtering traffic to Azure services from on-premises: Service endpoint policies only apply to the traffic from subnets associated to the policies. To allow access to specific Azure service resources from on-premises, traffic should be filtered using network virtual appliances or firewalls.

    A virtual network service endpoint provides the identity of your virtual network to the Azure service. Once you enable service endpoints in your virtual network, you can add a virtual network rule to secure the Azure service resources to your virtual network.

    Today, Azure service traffic from a virtual network uses public IP addresses as source IP addresses. With service endpoints, service traffic switches to use virtual network private addresses as the source IP addresses when accessing the Azure service from a virtual network. This switch allows you to access the services without the need for reserved, public IP addresses used in IP firewalls.

    This feature is available for the following Azure services and regions. The Microsoft.* resource is in parenthesis. Enable this resource from the subnet side while configuring service endpoints for your service: see here

    Hope this helps! Kindly let us know if the above helps or you need further assistance on this issue.

    ---------------------------------------------------------------------------------------------------------------------------------

    Please don't forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.

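The answer above describes the policy in words; the following Bicep template is an added example (not part of the original answer or of any Microsoft sample) showing the pieces wired together: a service endpoint policy whose single definition allows only one storage account, and a subnet that enables the Microsoft.Storage service endpoint and attaches that policy. The storage account, virtual network and subnet names, address ranges and API versions are assumptions chosen for the example.

```bicep
// Added example (not from the original post): restrict a subnet's egress over the
// Microsoft.Storage service endpoint to one approved storage account.
// All names and address ranges below are placeholders.
param location string = resourceGroup().location
param allowedStorageAccountName string = 'stapproved001' // placeholder, must already exist
param vnetName string = 'vnet-app'                         // placeholder

// The one storage account that workloads in the subnet are permitted to reach.
resource allowedStorage 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {
  name: allowedStorageAccountName
}

// The service endpoint policy. Each definition lists the resource IDs that the
// subnet may talk to over the named service endpoint; every other storage
// account in the region is blocked once the policy is attached.
resource storageEgressPolicy 'Microsoft.Network/serviceEndpointPolicies@2023-05-01' = {
  name: 'sep-storage-allowlist'
  location: location
  properties: {
    serviceEndpointPolicyDefinitions: [
      {
        name: 'allow-only-approved-storage'
        properties: {
          service: 'Microsoft.Storage'
          serviceResources: [
            allowedStorage.id
          ]
        }
      }
    ]
  }
}

// The virtual network with one subnet that turns on the storage service
// endpoint and attaches the policy. Without serviceEndpointPolicies the
// endpoint alone would allow traffic to any storage account in the region.
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: vnetName
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [
        '10.10.0.0/16'
      ]
    }
    subnets: [
      {
        name: 'snet-app'
        properties: {
          addressPrefix: '10.10.1.0/24'
          serviceEndpoints: [
            {
              service: 'Microsoft.Storage'
            }
          ]
          serviceEndpointPolicies: [
            {
              id: storageEgressPolicy.id
            }
          ]
        }
      }
    ]
  }
}
```

Two things worth checking when you deploy something like this. The policy only governs egress from the subnets it is attached to; the approved storage account still needs a virtual network rule in its own firewall (the "secure the Azure service resources to your virtual network" step in the answer) before traffic from the subnet is accepted. And because the policy filters only service endpoint traffic, port-level restrictions between subnets remain an NSG concern, exactly as the question assumed.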

  2. suvasara-MSFT 10,016 Reputation points
    2020-09-08T06:27:54.64+00:00

    Greetings,

    Azure service endpoints provide the ability for Azure administrators to expose certain Azure services directly inside a VNet. This improves security by extending your VNet identity to the service and removes public Internet access to the resources. It also optimizes the network routing by allowing resources within the VNet to directly access the service via the Azure backbone.

    Scenario: It reduces the number of network hops while accessing the target resource. For example, if a VNET takes nine hops to reach/access the storage account, then on enabling service endpoint policy it would take just two hops.

    ----------

    Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.


  3. msrini-MSFT 9,261 Reputation points Microsoft Employee
    2020-10-08T12:14:26.92+00:00

    @Salves, if you enable Service Endpoints for storage in your subnet, by default you will be able to reach all storage accounts in that region. This is a security threat, and in order for you to have control over which specific destinations VMs in your subnet can reach, you can use Service Endpoint Policies.

    Service endpoint policy will not reduce hops or improve performance in any way. It is a security feature for Service Endpoints.

    Alternatively, if you want to connect to a PaaS resource over a private network, you can go for Private Endpoint, which is easy to configure and use.

    Regards,
    Msirni
