Difference between Service and Private end points

HASSAN BIN NASIR DAR 306 Reputation points
2021-08-16T10:24:30.957+00:00

Hi,

Is the statement below correct?

If we want to enable a service endpoint on storage, it will be enabled for all storage accounts. If we want to enable it for one specific storage account, in that case we will use a Private endpoint. A service endpoint cannot be enabled for a specific storage account.

Please reply to me as soon as possible.

Azure Private Link
An Azure service that provides private connectivity from a virtual network to Azure platform as a service, customer-owned, or Microsoft partner services.

Accepted answer
    GitaraniSharma-MSFT 48,016 Reputation points Microsoft Employee
    2021-08-16T12:28:06.433+00:00

    Hello @HASSAN BIN NASIR DAR ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    Yes, the statement you provided is true. However, there is a feature in Service endpoints to restrict virtual network traffic to specific Azure Storage accounts. You can use Virtual Network Service endpoint policies, which allow you to filter egress virtual network traffic to Azure Storage accounts over service endpoints and allow data exfiltration only to specific Azure Storage accounts. Endpoint policies provide granular access control for virtual network traffic to Azure Storage when connecting over a service endpoint.


    Endpoint policy allows you to add specific Azure Storage accounts to an allow list, using the resourceID format. You can restrict access to:

    1. all storage accounts in a subscription
       E.g. /subscriptions/subscriptionId

    2. all storage accounts in a resource group
       E.g. subscriptions/subscriptionId/resourceGroups/resourceGroupName

    3. an individual storage account by listing the corresponding Azure Resource Manager resourceId. This covers traffic to blobs, tables, queues, files and Azure Data Lake Storage Gen2.
       E.g. /subscriptions/subscriptionId/resourceGroups/resourceGroupName/providers/Microsoft.Storage/storageAccounts/storageAccountName

    By default, if no policies are attached to a subnet with endpoints, you can access all storage accounts in the service. Once a policy is configured on that subnet, only the resources specified in the policy can be accessed from compute instances in that subnet. Access to all other storage accounts will be denied.

    Please refer to the following doc for more information: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoint-policies-overview

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" below if the information helped you. This will help us and others in the community as well.

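The allow-list evaluation the accepted answer describes (no policy on the subnet means every storage account is reachable; once a policy is attached, only accounts covered by a listed subscription, resource group or account resourceId are), modelled as an added Python example. This is not Microsoft's code or the Azure implementation; the three resourceId formats are the ones quoted in the answer, and case-insensitive matching of resource IDs is an assumption of this model.

```python
import re

# Patterns for the three allow-list scopes quoted in the answer (constructed here).
# Azure resource IDs are matched case-insensitively: an assumption of this model.
_ACCOUNT = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/Microsoft\.Storage/storageAccounts/(?P<acct>[^/]+)$", re.I)
_RESOURCE_GROUP = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)$", re.I)
_SUBSCRIPTION = re.compile(r"^/subscriptions/(?P<sub>[^/]+)$", re.I)


def parse_scope(resource_id):
    """Classify an allow-list entry as 'subscription', 'resourceGroup' or 'account'.

    Returns (kind, parts) with every part lower-cased; raises ValueError for
    anything that is not one of the three accepted resourceId formats.
    """
    for kind, pattern in (("account", _ACCOUNT),
                          ("resourceGroup", _RESOURCE_GROUP),
                          ("subscription", _SUBSCRIPTION)):
        match = pattern.match(resource_id.strip())
        if match:
            return kind, {k: v.lower() for k, v in match.groupdict().items()}
    raise ValueError(f"not a valid service endpoint policy resource: {resource_id!r}")


def is_valid_scope(resource_id):
    """True if the entry would be accepted into a policy definition."""
    try:
        parse_scope(resource_id)
        return True
    except ValueError:
        return False


def is_storage_access_allowed(policy_resources, target_account_id):
    """Decide whether a subnet may reach one storage account over the endpoint.

    policy_resources is None when no policy is attached (allow everything);
    otherwise it is the policy's allow list and only covered accounts pass.
    """
    kind, target = parse_scope(target_account_id)
    if kind != "account":
        raise ValueError("target must be an individual storage account resourceId")
    if policy_resources is None:
        return True
    for entry in policy_resources:
        scope_kind, scope = parse_scope(entry)
        if scope_kind == "subscription" and scope["sub"] == target["sub"]:
            return True
        if scope_kind == "resourceGroup" and (scope["sub"], scope["rg"]) == (target["sub"], target["rg"]):
            return True
        if scope_kind == "account" and scope == target:
            return True
    return False
```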
