Routing on Service Endpoints and Private Endpoints

Chetan Goenka 30 Reputation points
2023-10-30T10:21:16.2+00:00

What are the routing differences with an AKS cluster with outbound as Public ALB to Cosmos DB and Storage Account with the following scenarios?

  1. No Service Endpoint or Private Endpoint to Cosmos DB/Storage Account
  2. Service Endpoint enabled on the AKS VNET for Cosmos DB/Storage Account
  3. Private Endpoint enabled on the resources (Cosmos DB/Storage Account)

Will there be any way traffic will leave Azure Network in the above scenarios? I am more interested in any routing differences that can help in reducing latency to access resources.

Another one would be to consider any partner like Confluent Cloud hosted in Azure, for a Kafka cluster: when connected from AKS to the Confluent Kafka with a public URL, will traffic remain in the backbone network? In short, I need to know: if source and destination are within Microsoft with no Private Endpoint enabled, will all traffic be within the Microsoft backbone network?


Accepted answer
ChaitanyaNaykodi-MSFT 26,551 Reputation points Microsoft Employee
2023-10-31T02:01:00.38+00:00

    @Chetan Goenka

    Thank you for reaching out.

    I understand the routing scenarios for the different set-ups with service endpoint and private endpoint for your AKS cluster with outbound as Public ALB to Cosmos DB and Storage Account.

    Based on your question above:

    No Service Endpoint or Private Endpoint to Cosmos DB/Storage Account

    In this scenario the communication will happen using public endpoints of these services.

    Now you can set routing preference for Azure Storage services as documented here.

    Azure routing preference enables you to choose how your traffic routes between Azure and the Internet. You can choose to route traffic either via the Microsoft network, or, via the ISP network (public internet). These options are also referred to as cold potato routing and hot potato routing respectively.

    For storage services like Blobs, Files, Web and Azure Data Lake you can set up the routing preference as "Routing via Microsoft global network", which will route the traffic via the Microsoft global network. (Azure Kubernetes Service (AKS) and Internet-facing load balancer services have this option as well.)

    Cosmos DB does not provide such a routing preference, but as these services will be communicating with each other, even when using a public IP with routing preference Internet, all traffic that is bound for a destination within Azure continues to use the direct path within the Microsoft Wide Area Network.

    So, the traffic between these services will not leave Microsoft Wide Area Network.

    Service Endpoint enabled on the AKS VNET for Cosmos DB/Storage Account

    Service endpoint provides secure and direct connectivity to Azure services over an optimized route over the Azure backbone network. Endpoints always take service traffic directly from your virtual network to the service on the Microsoft Azure backbone network. In this case as well the traffic will not leave Microsoft Wide Area Network.

    Private Endpoint enabled on the resources (Cosmos DB/Storage Account)

    If you are planning to use virtual network integration for your services above, then Microsoft recommends use of Azure Private Link and private endpoints for secure and private access to services hosted on the Azure platform over Azure Service endpoints. Here is the difference between the two options.

    Traffic between your virtual network and the service travels the Microsoft backbone network and there is no need to expose the services to a public endpoint which improves security.

    Will there be any way traffic will leave Azure Network in the above scenarios? I am more interested in any routing differences that can help in reducing latency to access resources.

    The traffic will not leave the Microsoft global network in any of the above scenarios, as these services will be communicating with each other. Regarding latency, it will depend upon the regions the services will be deployed in, and you can refer to this latency document to calculate latency between Azure regions. I also think that there will not be any difference in latency in the options above, as these features are primarily designed to improve security and compliance.

    Another one would be to consider any partner like Confluent Cloud hosted in Azure, for a Kafka cluster: when connected from AKS to the Confluent Kafka with a public URL, will traffic remain in the backbone network? In short, I need to know: if source and destination are within Microsoft with no Private Endpoint enabled, will all traffic be within the Microsoft backbone network?

    Yes, all traffic that is bound for a destination within Azure continues to use the direct path within the Microsoft Wide Area Network.

    Hope this helps! Please let me know if you have any additional questions. Thank you!


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
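As an added illustration (not part of the question or the answer above), the script below classifies which of the three scenarios applies to a storage account reached from an AKS subnet and, separately, whether the account's public endpoint is still open. It works on constructed dictionaries shaped like a simplified `az network vnet subnet show` / `az storage account show` output; the property names (`serviceEndpoints`, `privateEndpointConnections`, `routingPreference.routingChoice`, `publicNetworkAccess`, `networkRuleSet.defaultAction`) are the Azure resource properties, but the sample values are invented for the example. The point it makes is the caveat the answer implies: adding a service endpoint or a private endpoint keeps traffic on the backbone, but by itself leaves the public endpoint reachable until the account's network rules are tightened.

```python
# Constructed sample resources, simplified from the shape of `az ... show` JSON.
SUBNET = {"serviceEndpoints": [{"service": "Microsoft.Storage"}]}

STORAGE_ACCOUNT = {
    "routingPreference": {"routingChoice": "MicrosoftRouting"},   # default: cold potato
    "publicNetworkAccess": "Enabled",
    "networkRuleSet": {"defaultAction": "Allow", "virtualNetworkRules": []},
    "privateEndpointConnections": [
        {"privateLinkServiceConnectionState": {"status": "Approved"}}
    ],
}


def classify_path(subnet, account):
    """Which of the three scenarios from the question applies for subnet -> account.

    Private endpoint wins if an approved connection exists; otherwise a service
    endpoint for Microsoft.Storage on the subnet; otherwise the public endpoint.
    Every case stays on the Microsoft backbone, as the answer explains.
    """
    has_pe = any(
        c.get("privateLinkServiceConnectionState", {}).get("status") == "Approved"
        for c in account.get("privateEndpointConnections", [])
    )
    has_se = any(
        se.get("service") == "Microsoft.Storage"
        for se in subnet.get("serviceEndpoints", [])
    )
    if has_pe:
        return "private-endpoint"
    if has_se:
        return "service-endpoint"
    return "public-endpoint"


def public_exposure(account):
    """Is the account still reachable via its public endpoint?

    'closed'     - publicNetworkAccess disabled, only private endpoints work
    'restricted' - default action Deny, only listed VNets/IPs (service endpoint) pass
    'open'       - any source on the internet may reach the public endpoint
    """
    if account.get("publicNetworkAccess") == "Disabled":
        return "closed"
    if account.get("networkRuleSet", {}).get("defaultAction") == "Deny":
        return "restricted"
    return "open"


def routing_choice(account):
    """Routing preference for the public endpoint; unset means MicrosoftRouting."""
    return account.get("routingPreference", {}).get("routingChoice", "MicrosoftRouting")
```

Run against a real account by feeding it the JSON from the two `az` commands; the interesting finding is a `private-endpoint` path combined with an `open` exposure, which is the private endpoint deployed without the public endpoint being locked down.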

