Confusion on service endpoint and private endpoint.

Sun Chen 65 Reputation points
2024-03-31T09:40:42.6666667+00:00

After reading the introduction of service endpoint and private endpoint, I'm still confused why we need the endpoints. So by default the PaaS services don’t have any IP address and can only be accessed via Azure portal? What’s the difference between the IP obtained via endpoints and the IP without endpoints? Let’s say in a Storage Account scenario.

I also saw someone mentioned the private endpoint is like a special NIC. If so why don’t we call the endpoints NIC or something NIC? Is it essentially an NIC or not? Thanks!

Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,136 questions
0 comments No comments
{count} votes

Accepted answer
  1. GitaraniSharma-MSFT 47,011 Reputation points Microsoft Employee
    2024-04-01T13:53:58.0166667+00:00

    Hello @Sun Chen ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to know more about the difference between service endpoint and private endpoint.

    If you check the difference between Service Endpoint and Private endpoint, you can find the below:

    What is the difference between Service Endpoints and Private Endpoints? Private Endpoints grant network access to specific resources behind a given service providing granular segmentation. Traffic is sent privately using Microsoft backbone. It doesn’t traverse the internet. A Service Endpoint remains a publicly routable IP address. A Private Endpoint is a private IP in the address space of the virtual network where the private endpoint is configured.

    Refer: https://learn.microsoft.com/en-us/azure/private-link/private-link-faq#what-is-the-difference-between-service-endpoints-and-private-endpoints-

    After enabling a service endpoint, the source IP addresses switch from using public IPv4 addresses to using their private IPv4 address when communicating with the service from that subnet.

    With service endpoints, DNS entries for Azure services remain as-is today and continue to resolve to public IP addresses assigned to the Azure service.

    Refer: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview#considerations

    So, let's break it down to understand it better.

    Service endpoints allow you to secure your Azure resources to only your virtual networks but that doesn't explicitly mean private traffic only.

    When using service endpoint, the source IP address from where you connect to a service is taken into consideration.

    The public IP addresses for certain services are added to the route table by Azure when you enable a service endpoint to the service. Service endpoints are enabled for individual subnets within a virtual network, so the route is only added to the route table of a subnet a service endpoint is enabled for.

    Refer: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview#optional-default-routes

    Azure sends all traffic to the next hop type specified in the route, including traffic destined for public IP addresses of Azure services. When the next hop type for the route with the 0.0.0.0/0 address prefix is Internet, traffic from the subnet destined to the public IP addresses of Azure services never leaves Azure's backbone network, regardless of the Azure region the virtual network or Azure service resource exist in.

    Refer: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview#default-route

    If you check ID10 of the route table example in the below doc, you can find:

    https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview#route-tables

    Azure automatically added this route to the subnet when a service endpoint to an Azure service was enabled for the subnet. Azure routes traffic from the subnet to a public IP address of the service, over the Azure infrastructure network.

    So, when we say, "Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route over the Azure backbone network", it means secure and direct connectivity to the Public IPs of Azure services from Virtual networks over the Azure backbone network. It is still public traffic, but it doesn't go via public Internet (ISP network) but rather traverses through the Azure backbone network, which delivers your traffic over 165 edge Point of Presence (POP).

    To understand more about routing via Azure backbone network vs routing via public Internet (ISP network), you can refer the below doc:

    https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/routing-preference-overview

    As shown in the screenshot of this document,

    User's image

    When a resource in Subnet B tries to reach any SQL Server, it uses a public IP address for outbound communication. The blue arrow represents this traffic. The SQL Server firewall must use that public IP address to allow or block the network traffic.

    When a resource in Subnet A tries to reach a database server, it's seen as a private IP address from within the virtual network. The green arrows represent this traffic. The SQL Server firewall can now specifically allow or block Subnet A. Knowledge of the public IP address of the source service is unneeded.

    Subnet A uses a service endpoint and hence an outbound public IP is NOT needed to reach the SQL server. It uses a private IP address in the Vnet to reach the SQL server, but it still connects to the Public IP of the SQL server.

    But when you use private endpoint, it creates a special network interface for an Azure service (such as SQL, Key Vault etc.) in your virtual network. The private endpoint is assigned an IP address from the IP address range of your virtual network. The connection between the private endpoint and the Azure service is a private link.

    As shown in the screenshot of this document,

    User's image

    The green arrow represents private link. A public IP address can still exist for the target resource alongside the private endpoint. The public IP is no longer used by the client application. The firewall can now disallow any access for that public IP address, making it accessible only over private endpoints.

    The client application typically uses a DNS host name to reach the target service. No changes are needed to the application. DNS resolution in the virtual network must be configured to resolve that same host name to the target resource's private IP address instead of the original public IP address. With a private path between the client and the target service, the client doesn't rely on the public IP address. The target service can turn off public access.

    So, in this case, any client from your subnet/Vnet can reach the SQL server as long as it can resolve the hostname to the private IP address of the private endpoint. There is no Public IP involved at all.

    To conclude:

    Service Endpoint is mainly a connection from a private IP address to a public IP address and traffic remains Public but goes over Azure backbone network.

    By enabling a service endpoint, it provides the identity of your virtual network to the Azure service. Once you enable service endpoints in your virtual network, you can add a virtual network rule to secure the Azure service resources to your virtual network.

    Refer: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview#secure-azure-services-to-virtual-networks

    Client (subnet with service endpoint) ---> uses private IP address ------> to access the Public IP of the SQL server or any other Azure service.

    But Private endpoint is mainly a connection from a private IP address to a private IP address and the traffic is not public at all.

    By enabling a private endpoint, you're bringing the service into your virtual network.

    Client (subnet with private endpoint) ---> uses private IP address ------> to access the FQDN of the SQL server or any other Azure service which should resolve to the private endpoint IP address.

    Refer: https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview

    https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns#virtual-network-workloads-without-custom-dns-server

    I also saw someone mentioned the private endpoint is like a special NIC. If so why don’t we call the endpoints NIC or something NIC? Is it essentially an NIC or not?

    Yes, as I mentioned above, a private endpoint is a network interface that uses a private IP address from your virtual network. This network interface connects you privately and securely to a service that's powered by Azure Private Link. By enabling a private endpoint, you're bringing the service into your virtual network. But this NIC is a read-only network interface which is automatically created for the lifecycle of the private endpoint. The interface is assigned a dynamic private IP address from the subnet that maps to the private-link resource. The value of the private IP address remains unchanged for the entire lifecycle of the private endpoint. This is not something you can modify. You only have control over the Private endpoint resource.

    Refer: https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview

    https://learn.microsoft.com/en-us/azure/private-link/private-link-faq#can-i-modify-my-private-endpoint-network-interface-card--nic--

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


1 additional answer

Sort by: Most helpful
  1. Marcin Policht 9,505 Reputation points MVP
    2024-03-31T10:11:40.05+00:00

    Both service endpoint and private endpoint are meant to eliminate the need to connect to a PaaS service via their public endpoints from Azure VMs (in a virtual network) or from on-premises (with private endpoints). This is more secure.

    Details at https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/service-endpoints-vs-private-endpoints/ba-p/3962134


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

    0 comments No comments