Hello @Piotr E,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand that you have a data lake that you want to secure and use a private endpoint connection between this data lake and a service which is cross region. You want to disable public internet access but should be able to connect to the service from on-prem device via VPN and would like to know if creating a single private endpoint is better or creating multiple endpoints is a better approach in such a setup.
I will start with some basics about Azure private endpoints:
You can have multiple Private Endpoints in the same VNet or subnet. They can connect to different services. Private Endpoints can also connect to Azure PaaS resources across Azure regions.
Private Endpoints are highly available resources with an SLA as per the SLA for Azure Private Link. However, since they're regional resources, any Azure region outage can affect their availability. To achieve availability in the event of regional failures, multiple PEs connected to the same destination resource could be deployed in different regions. This way, if one region goes down, you can still route the traffic for your recovery scenarios through a PE in a different region to access the destination resource.
For a single network using a common DNS server configuration, the recommended practice is to use a single private endpoint for a specified private-link resource. Use this practice to avoid duplicate entries or conflicts in DNS resolution.
Refer: https://learn.microsoft.com/en-us/azure/private-link/private-link-faq#private-endpoint
If you're using a private endpoint in a hub-and-spoke model from a different subscription or even within the same subscription, link the same private DNS zones to all spokes and hub virtual networks that contain clients that need DNS resolution from the zones. A single private DNS zone is required for this configuration. Creating multiple zones with the same name for different virtual networks would need manual operations to merge the DNS records.
You can link a private DNS zone with thousands of virtual networks. A virtual network that belongs to a different subscription can also be linked to a private zone.
Reference: https://learn.microsoft.com/en-us/azure/dns/dns-faq-private
https://learn.microsoft.com/en-us/azure/dns/private-dns-getstarted-portal#link-the-virtual-network
Now coming back to your question of which approach is better.
Depending upon your setup and requirements, you could go with either one of the approaches.
If you want to achieve high availability in case of regional failures, multiple private endpoints connected to the same destination resource could be deployed in different regions.
If you want to have a hub and spoke topology, then using a single private endpoint and linking the same private DNS zones to all spokes and hub virtual networks makes more sense.
However, as you have mentioned that you must be able to connect from an on-prem device via VPN, my advice would be to go with approach 2 of creating only one private endpoint.
A single private DNS zone is required for this configuration. All client connections made from on-premises and peered virtual networks must also use the same private DNS zone.
Kindly let us know if the above helps or you need further assistance on this issue.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.