Private endpoint subnet sizing

Mohammed Thahif BK 291 Reputation points


we are building an iPaaS environment consisting of API-M, service bus, logic apps ,function apps and storage account. As a best practice, planning to enable private endpoint for all of the services. As part of subnet sizing, need some clarity.

Some document mentions about for secure outbound connectivity one requires vnet integration, which requires separate subnet, is this true?
If function app needs to talk to logic app which is enabled with private endpoint, does it require separate subnet for outbound vnet integration? or can it talk to logic app with its private IP?

Also, if a PasS service enabled with autoscaling , and has a pvt IP configured. Do we need to consider sizing of pvt endpoint subnet as well? kindly help with these basic questions.
thank you.

Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
1,183 questions
Azure Logic Apps
Azure Logic Apps
An Azure service that automates the access and use of data across clouds without writing code.
1,836 questions
Azure API Management
Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
1,100 questions
Azure Private Link
Azure Private Link
An Azure service that provides private connectivity from a virtual network to Azure platform as a service, customer-owned, or Microsoft partner services.
274 questions
No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Bas Pruijn 661 Reputation points

    for PaaS services you need to distinguish between traffic from the network to the PaaS service (inbound for the PaaS service) and traffic from the PaaS service to the network (outbound for the PaaS service).

    For inbound traffic, the PaaS service needs a private endpoint, which takes up 1 IP Address in the subnet
    For outbound traffic, the PaaS service needs a complete subnet which it can use to talk to the rest of the network. Sizing of this subnet is usually not documented. I have never run into issues with a /24 subnet, but that might be a huge overkill. Please keep in mind that not all PaaS services allow outbound traffic to the network though. Fortunately, functions and logic apps (running on app service plans) can use this functionality, if you are not using the free version:

    No comments