In a multi-tenant environment, access to Azure PaaS services over the internet was not restricted, and you were not able to restrict access to just your own resources.
Restricting access was very complex with multi-tenant services. At the beginning the only way was to use a single-tenant environment or to run the services in VMs instead of using PaaS. This public access was a concern, so Microsoft implemented new services that allow you to limit access in a multi-tenant environment.
Today we will discuss those two solutions, Service Endpoint and Private Endpoint. They are similar in that both are designed to restrict who can connect to your services and how they do it. Sometimes it's confusing which one to use, so we'll look at both and try to make a clear decision.
Service Endpoint
Service Endpoint allows you to restrict access to your PaaS resources to traffic coming from your Azure VNet. With Service Endpoint, the PaaS service is still separate from your VNet, and traffic leaves your virtual network to reach the PaaS service. However, the PaaS service is configured to identify traffic coming from the VNet and allow it, without configuring a public IP on your VNet.
Service Endpoint works by enabling a subnet on your VNet to support the service endpoint for a given service. Afterwards, you configure your PaaS resource to accept traffic only from those subnets. There is no need for IP filtering or NAT; you tell the PaaS resource which VNet and subnet to allow traffic from. When the service endpoint is enabled, the PaaS resource sees traffic coming from the VNet's private IP, not its public IP.
Another advantage of using service endpoints is routing: traffic is sent directly to the Azure resource.
Service Endpoint is supported by the services below:
- Azure Storage
- Azure SQL Database
- Azure Synapse Analytics
- Azure Database for PostgreSQL Server
- Azure Database for MySQL Server
- Azure Key Vault
- Azure Cosmos DB
- Azure App Service
- Azure Event Hubs
- Azure Service Bus
- Azure Cognitive Services
- Azure Container Registry
Limitation
Service Endpoint cannot be used by traffic originating on-premises through VPN or ExpressRoute; only traffic from your Azure VNet is allowed. If you want to allow your on-prem resources access, you need to whitelist their public IP.
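As an added example (not code from the original post), the service endpoint setup above in Azure Bicep: the subnet is enabled for Microsoft.Storage, and the storage account firewall is switched from the weak default (Allow) to Deny with a rule for that subnet. Resource names, address ranges and the on-prem IP are placeholders.

```bicep
// Added example, not from the original post; names and addresses are placeholders.
param location string = resourceGroup().location
param storageName string = 'stappexample001'

// Enabling the Microsoft.Storage service endpoint on the subnet lets the storage
// service identify traffic from this subnet by its VNet/subnet identity.
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-app'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [
      {
        name: 'snet-app'
        properties: {
          addressPrefix: '10.10.1.0/24'
          serviceEndpoints: [ { service: 'Microsoft.Storage' } ]
        }
      }
    ]
  }
}

// Weak configuration: networkAcls.defaultAction 'Allow' leaves the public
// endpoint open to everyone, so the service endpoint restricts nothing.
// Corrected: default Deny, plus a virtualNetworkRule for the enabled subnet.
resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageName
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    minimumTlsVersion: 'TLS1_2'
    networkAcls: {
      defaultAction: 'Deny' // the weak setting is 'Allow'
      bypass: 'AzureServices'
      virtualNetworkRules: [
        {
          id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, 'snet-app')
          action: 'Allow'
        }
      ]
      // On-prem clients behind VPN/ExpressRoute cannot use the service endpoint;
      // they still need an explicit ipRules entry for their public IP (placeholder).
      ipRules: [ { value: '203.0.113.10', action: 'Allow' } ]
    }
  }
}
```

Deploy to a resource group with `az deployment group create`; afterwards a request from outside the subnet (and not from the listed IP) is rejected by the storage firewall.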
Private Endpoint
Private Link is a newer solution than Service Endpoint. The key difference is that Private Endpoint brings the multi-tenant PaaS resource into your VNet. With a private endpoint the PaaS resource is reachable from within your VNet and gets a private IP on your VNet. When traffic is sent to the PaaS resource, it does not leave the VNet.
When you use private endpoints, traffic is secured to the private endpoint resource. The platform validates network connections, allowing only those that reach the specified private-endpoint resource.
In the case of Azure Storage, you need a separate private endpoint for each sub-resource, for example file and blob. Private Link also lets you pair your own internal services or applications with a Standard Load Balancer so that parties outside your network can access them.
Access is restricted via RBAC or subscription. Clients create a private endpoint and request access to the private link service via an approval process. This way a business can utilize private network components without the trouble or security considerations of maintaining VPN connectivity or peering to the consumers of their application.
DNS configuration for Private Endpoint
The DNS settings you use to connect to the private endpoint are also important. Existing Azure services already have DNS configuration that you use when connecting over the public endpoint. To connect to the same service over a private endpoint, you need separate DNS settings, often configured via private DNS zones. When using the FQDN, make sure your DNS settings are correct.
The network interface associated with the private endpoint contains the information required to configure your DNS: the FQDN and the private IP address of the private endpoint resource.
https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-dns
Another key difference with private endpoints is that, when enabled, you are granting access to a specific PaaS resource in your VNet. That means you can control egress to PaaS resources. For example, you can use an NSG to block access to all Azure SQL Database endpoints and then use a private endpoint to grant access only to your specific Azure SQL server.
Unlike Service Endpoint, Private Endpoint allows access from resources on your on-prem network through VPN or ExpressRoute, and from peered networks. You can also connect to resources across regions.
Private Endpoint supports the services below:
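As an added example (not code from the original post) covering both the private endpoint itself and the DNS section above, here is the Azure Bicep for a private endpoint to an existing Azure SQL server, together with the private DNS zone that makes the server's public FQDN resolve to the private IP inside the VNet. The VNet, subnet and SQL server names are placeholders and are assumed to already exist.

```bicep
// Added example, not from the original post. Assumes an existing VNet with a
// subnet for private endpoints and an existing SQL server (names are placeholders).
param location string = resourceGroup().location
param vnetName string = 'vnet-app'
param peSubnetName string = 'snet-pe'
param sqlServerName string = 'sql-app-example'

resource sqlServer 'Microsoft.Sql/servers@2021-11-01' existing = {
  name: sqlServerName
}

// The private endpoint places a NIC with a private IP for the SQL server into snet-pe.
// groupIds names the sub-resource; Storage needs one endpoint per sub-resource (blob, file).
resource pe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-${sqlServerName}'
  location: location
  properties: {
    subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnetName, peSubnetName) }
    privateLinkServiceConnections: [
      {
        name: 'pe-${sqlServerName}-conn'
        properties: { privateLinkServiceId: sqlServer.id, groupIds: [ 'sqlServer' ] }
      }
    ]
  }
}

// Private DNS zone so <server>.database.windows.net resolves to the private IP
// from inside the VNet instead of to the public address.
resource dnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.database.windows.net'
  location: 'global'
}

resource dnsLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: dnsZone
  name: 'link-${vnetName}'
  location: 'global'
  properties: {
    registrationEnabled: false
    virtualNetwork: { id: resourceId('Microsoft.Network/virtualNetworks', vnetName) }
  }
}

// The zone group makes the platform create and maintain the endpoint's A record in the zone.
resource dnsZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: pe
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [ { name: 'sql', properties: { privateDnsZoneId: dnsZone.id } } ]
  }
}
```

After deployment, verify from a VM in the VNet that `nslookup <server>.database.windows.net` returns the private IP; a private endpoint only adds a private path, so to remove the public exposure also set the SQL server's public network access to Disabled.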
- Azure Storage
- Azure Data Lake Storage Gen 2
- Azure SQL
- Azure Synapse
- Azure Key Vault
- Azure Kubernetes Services
- Azure Virtual Desktop
Limitation
If your VNet already integrates with its own DNS solution, adding Azure Private DNS can be problematic, or you may not be able to use Azure Private DNS with that VNet at all.
Benefit of Private Endpoint
A benefit of Azure Private Link is that it eliminates a huge hurdle for organizations bound by compliance or governance requirements that traffic be kept private throughout the organization. Those organizations can now connect to private endpoints via site-to-site VPN or ExpressRoute.
Extending internal resources to other departments or customers is another key benefit of Private Endpoint. Using Private Endpoint together with Azure Standard Load Balancer lets you make internal PaaS or IaaS services available via Private Endpoint to business units or external customers without allowing traffic to or from the internet.
Pricing
- Private endpoint service, which is consistent at around $0.01/hour for most regions.
- Inbound data processed, which varies with the ingress data your private endpoint receives.
- Outbound data processed, which varies with the egress data your private endpoint sends.
Which to pick?
First, look at the resources you want to access and see which option supports them. Some services are supported by only one or the other, and then the choice is made for you.
Assuming you can use either option for your service, the decision comes down to complexity. Service Endpoint is easier to set up than Private Endpoint.
Conclusion
If you only need a secure connection between the virtual network and another resource, you can use a service endpoint; this means your resources still have public exposure and you will be accessing them through the resource's public endpoint.
However, if you need to access your Azure resources from on-premises through an Azure gateway, a regionally peered virtual network, or a globally peered virtual network, use a private endpoint. The private endpoint allows connection using the private IP of the resource, eliminating the public exposure completely.