Thank you for reaching out.
I understand the routing scenarios for the different set-ups with service endpoint and private endpoint for your AKS cluster with outbound as Public ALB to Cosmos DB and Storage Account.
Based on your questions above:
No Service Endpoint or Private Endpoint to Cosmos DB/Storage Account
In this scenario the communication will happen using public endpoints of these services.
Now you can set routing preference for Azure Storage services as documented here.
Azure routing preference enables you to choose how your traffic routes between Azure and the Internet. You can choose to route traffic either via the Microsoft network, or, via the ISP network (public internet). These options are also referred to as cold potato routing and hot potato routing respectively.
For storage services like Blobs, Files, Web and Azure Data Lake you can set up the routing preference as "Routing via Microsoft global network", which will route the traffic via the Microsoft global network. (Azure Kubernetes Service (AKS) and Internet-facing load balancer services have this option as well.)
Cosmos DB does not provide such a routing preference, but as these services will be communicating with each other, even when using a public IP with routing preference Internet, all traffic that is bound for a destination within Azure continues to use the direct path within the Microsoft Wide Area Network.
So, the traffic between these services will not leave the Microsoft Wide Area Network.
Service Endpoint enabled on the AKS VNET for Cosmos DB/Storage Account
A service endpoint provides secure and direct connectivity to Azure services over an optimized route on the Azure backbone network. Endpoints always take service traffic directly from your virtual network to the service on the Microsoft Azure backbone network. In this case as well, the traffic will not leave the Microsoft Wide Area Network.
Private Endpoint enabled on the resources (Cosmos DB/Storage Account)
If you are planning to use virtual network integration for the services above, then Microsoft recommends the use of Azure Private Link and private endpoints for secure and private access to services hosted on the Azure platform, over Azure service endpoints. Here is the difference between the two options.
Traffic between your virtual network and the service travels the Microsoft backbone network, and there is no need to expose the services to a public endpoint, which improves security.
Will there be any way traffic will leave Azure Network in the above scenarios? I am more interested in any routing differences that can help in reducing latency to access resources.
The traffic will not leave the Microsoft global network in any of the above scenarios, as these services will be communicating with each other. Regarding latency, it will depend upon the regions the services are deployed in, and you can refer to this latency document to calculate the latency between Azure regions. I also think that there will not be any difference in latency between the options above, as these features are primarily designed to improve security and compliance.
Another one would be to consider a partner like Confluent Cloud hosted in Azure for a Kafka cluster: when connected from AKS to the Confluent Kafka cluster with a public URL, will traffic remain in the backbone network? In short, I need to know: if source and destination are within Microsoft with no Private Endpoint enabled, will all traffic be within the Microsoft backbone network?
Yes, all traffic that is bound for a destination within Azure continues to use the direct path within the Microsoft Wide Area Network.
Hope this helps! Please let me know if you have any additional questions. Thank you!
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
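As an added example (not part of the original answer), the following Azure PowerShell snippet inspects a storage account's current routing preference, sets it to "Routing via Microsoft global network" as described in the first scenario, and re-reads the account to verify the change and list the route-specific endpoints. The resource group and account names are placeholders, and it assumes the Az.Storage module is installed and Connect-AzAccount has already been run; the RoutingPreference and PrimaryEndpoints property paths are those exposed by Get-AzStorageAccount.

```powershell
# Added example: inspect and set the routing preference of an existing storage
# account with Azure PowerShell (Az.Storage). Cosmos DB has no equivalent setting.
# Placeholder values: replace with your own resource group and account name.
$ResourceGroup = "rg-aks-placeholder"
$AccountName   = "stplaceholder001"

# Connect-AzAccount / Select-AzSubscription are assumed to have run already.
$before = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $AccountName
Write-Host "Current routing choice:       $($before.RoutingPreference.RoutingChoice)"
Write-Host "Publish Microsoft endpoints:  $($before.RoutingPreference.PublishMicrosoftEndpoints)"
Write-Host "Publish Internet endpoints:   $($before.RoutingPreference.PublishInternetEndpoints)"

# Route traffic via the Microsoft global network (cold potato routing) and publish
# the route-specific Microsoft endpoints so clients can pin to that path explicitly.
# The Internet (hot potato) endpoints stay unpublished so only the backbone path is offered.
Set-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $AccountName `
    -RoutingChoice MicrosoftRouting `
    -PublishMicrosoftEndpoint $true `
    -PublishInternetEndpoint $false | Out-Null

# Re-read the account and verify that the preference was actually applied.
$after = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $AccountName
if ($after.RoutingPreference.RoutingChoice -ne "MicrosoftRouting") {
    throw "Routing preference was not applied to $AccountName"
}
if ($after.RoutingPreference.PublishInternetEndpoints) {
    Write-Warning "Internet-routed endpoints are still published on $AccountName"
}

# The default endpoint follows the account-level RoutingChoice; the route-specific
# endpoints (when published) let a client select a path regardless of that default.
Write-Host "Default blob endpoint:          $($after.PrimaryEndpoints.Blob)"
Write-Host "Microsoft-routed blob endpoint: $($after.PrimaryEndpoints.MicrosoftEndpoints.Blob)"
Write-Host "Internet-routed blob endpoint:  $($after.PrimaryEndpoints.InternetEndpoints.Blob)"
```

Running the same Get-AzStorageAccount check periodically (or from a policy/compliance job) is a simple way to detect an account whose routing preference has drifted back to InternetRouting.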