
I am not able to understand the difference between service endpoints and private endpoints clearly.

Need help, preferably with an example.

user961

1 Answer

You might have seen this in the Private Link FAQ:

  • Private Endpoints grant network access to specific resources behind a given service providing granular segmentation. Traffic can reach the service resource from on premises without using public endpoints.
  • A Service Endpoint remains a publicly routable IP address. A Private Endpoint is a private IP in the address space of the virtual network where the private endpoint is configured.

For simplicity, let's take the view of a VM in a VNET connecting to a storage account in the same subscription and same Azure region. There are three ways to connect.

Connect to PaaS Services

  1. Default

    By default all traffic goes against the public endpoint of the storage account. Source IP of the traffic is the Public IP of the VM.

  2. Service Endpoints

    Traffic is still directed against the public endpoint of the storage account but the source IP has changed to the private IP of the VM. In fact, the traffic is also using the VNET and Subnet as source in the network dataframe.

  3. Private Endpoints

    The PaaS service now gets a virtual network interface inside the subnet and traffic from the VM to the storage account is now directed against the private IP address.

By far the best collection of useful information around Private Link that I have seen on the web is in this repository: https://github.com/dmauser/PrivateLink

You can also find some examples here: https://jeffbrown.tech/azure-private-service-endpoint/

holger

  • Does it mean that the blob storage (which is outside my vnet) is accessible only to the subnet using service endpoints, and will not be accessible to any other resource like ADF because the service endpoint is only configured for the virtual network? – user961 Sep 20 '22 at 08:08
  • No, you can still use ADF to connect to your storage account. But if you want to lock down the storage account to limit public access you will need to grant access to trusted Azure services (since ADF would be a trusted Azure service): https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal#grant-access-to-trusted-azure-services Theoretically (though maybe unlikely) anyone using a 'trusted Azure service' could try to connect to your storage account (if they had a key/token). – holger Sep 20 '22 at 08:13
  • But you have mentioned "This essentially gives you the ability to lock down the service from the public internet, except for services from your subnet." in the above explanation and this is really confusing. – user961 Sep 21 '22 at 09:26
  • So I am not getting what the actual difference is between the private endpoint and the service endpoint. – user961 Sep 21 '22 at 09:32
  • Okay, I guess I was just adding more confusion to the whole question. :-) I have edited it and visualized it with an example of a VM connecting to a storage account. Does that make more sense? – holger Sep 21 '22 at 20:44
  • So using a service endpoint, any service behind a virtual network, via its private IP, can access the service outside the virtual network on its public IP. – user961 Sep 26 '22 at 07:46
  • I was able to do a wget that resolved on my private machine even with a private link endpoint set up and public access turned off. I would expect that a private link endpoint would only resolve for other services on the same vnet. Do you have any insight into my misunderstanding here? – Joshua Enfield Jun 06 '23 at 18:44
  • https://github.com/dmauser/PrivateLink/tree/master/DNS-Integration-Scenarios#2-how-dns-resolution-works-before-and-after-private-endpoints This seems to indicate the IP resolves differently for external vs internal requests, which kind of makes sense. But why is there external resolution at all? – Joshua Enfield Jun 06 '23 at 18:53
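An added example, not from the question, the answer or the linked repositories: a small Python check that tells you which of the three paths in the answer a client's DNS resolution points at, and which also covers the split-horizon case raised in the last two comments, using the output of `dig +short <account>.blob.core.windows.net`. It assumes the usual Azure behaviour that an account with a private endpoint gets a CNAME into `privatelink.blob.core.windows.net` and that only resolvers linked to the private DNS zone return the private IP; the account name `mystorage`, the CNAME targets and all addresses are constructed placeholders.

```python
import ipaddress

# Constructed `dig +short` outputs (sample data, not captured from a real tenant).
# "mystorage", the CNAME targets and the addresses are placeholders.
RESOLVED_INSIDE_VNET = """\
mystorage.privatelink.blob.core.windows.net.
10.1.0.5
"""
RESOLVED_FROM_INTERNET = """\
mystorage.privatelink.blob.core.windows.net.
blob.xyz12prdstr01a.store.core.windows.net.
20.60.40.1
"""
RESOLVED_NO_PRIVATE_ENDPOINT = """\
blob.xyz12prdstr01a.store.core.windows.net.
20.60.40.1
"""


def parse_dig_short(output):
    """Split `dig +short` output into (cname_chain, ip_addresses)."""
    cnames, addrs = [], []
    for line in output.splitlines():
        line = line.strip().rstrip(".")
        if not line:
            continue
        try:
            addrs.append(ipaddress.ip_address(line))
        except ValueError:          # not an address, so it is a CNAME target
            cnames.append(line.lower())
    return cnames, addrs


def classify_path(output):
    """'private-endpoint': privatelink CNAME + RFC 1918 address (private DNS zone answered).
    'public-endpoint-pe-exists': privatelink CNAME but a public address, which is what
    a resolver outside the linked VNet returns (the split-horizon case in the comments).
    'public-endpoint': no private endpoint; default and service endpoint look the same
    here because a service endpoint keeps the public IP as destination."""
    cnames, addrs = parse_dig_short(output)
    if not addrs:
        return "unresolved"
    has_privatelink = any(".privatelink." in c and c.endswith(".core.windows.net")
                          for c in cnames)
    all_private = all(a.is_private for a in addrs)
    if has_privatelink and all_private:
        return "private-endpoint"
    return "public-endpoint-pe-exists" if has_privatelink else "public-endpoint"


def check_from_vnet(output):
    """True only when a client inside the VNet will really use the private endpoint."""
    return classify_path(output) == "private-endpoint"
```

Run `check_from_vnet` on the output taken from the VM itself: a public answer there means the private DNS zone is not linked to that VNet, so traffic will still go to the public endpoint regardless of the private endpoint existing.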