Azure Private Link & Service Endpoints
Keep Azure PaaS service traffic off the public internet using Azure Private Link and Service Endpoints — securing access to Storage, SQL, and other services from your VNet.
“Welcome back. Today we tackle a common Azure security question: how do you connect to Azure PaaS services like Storage, SQL Database, and Key Vault without the traffic going over the public internet? By default, these services have public endpoints — reachable from anywhere. For compliance and security, you want your VMs to reach these services through your private network. Azure provides two mechanisms: Service Endpoints and Private Link.”
“By default, when a VM in your VNet connects to Azure Storage, that traffic leaves your VNet, goes through Azure's public backbone, and reaches the storage account's public IP address. Even though it stays within Azure's network, it passes through public address space. Security-conscious organizations and compliance frameworks require that sensitive data traffic stays within the private network. Two Azure features address this: Service Endpoints, which are simpler and free, and Private Link, which is more secure and flexible.”
“Service Endpoints are a subnet-level feature. When you enable Microsoft.Storage service endpoint on a subnet, Azure adds optimal routes so traffic to Storage goes through Azure's internal backbone rather than out through the public internet. The storage account can then be configured with a VNet firewall rule allowing only traffic from that subnet, blocking all public access. Service Endpoints are free and easy to configure, but the storage account still has a public IP address — it's just firewall-protected. The traffic exits your VNet address space, which is why some compliance frameworks require Private Link instead.”
“Private Link goes further than Service Endpoints. A Private Endpoint is a network interface card with a private IP address from your VNet's address space, mapped to a specific PaaS service instance. Traffic from your VM to the storage account goes: VM → private IP in VNet → Azure networking → storage account, never leaving your VNet address space. The storage account no longer needs a public IP to be accessible from your network. Private Endpoints work across VNet peering, VPN Gateway, and ExpressRoute connections — your on-premises servers can reach Azure PaaS services through the private IP.”
“Private Link requires a Private DNS Zone — this is where people get tripped up. When you create a Private Endpoint for Storage, DNS for the storage account hostname initially still resolves to the public IP. You create a Private DNS Zone with the name privatelink.blob.core.windows.net, add an A-record mapping the storage account hostname to its private IP, and link the zone to your VNet. Now VMs in that VNet resolve the storage account to its private IP automatically. For on-premises servers connecting via VPN or ExpressRoute, use Azure DNS Private Resolver to forward DNS queries to Azure, enabling private name resolution from on-premises.”
“Choosing between Service Endpoints and Private Link: Service Endpoints are free and simple — enable on a subnet, add firewall rules to the service, done. They work well for preventing internet access to PaaS services. Private Link is more expensive and complex to set up, requiring private endpoints and DNS configuration. But Private Link provides stronger isolation: the service's traffic is fully within your private IP space, it works across VNet peering and on-premises connections, and it prevents data exfiltration — an attacker in your network can't route traffic to a different tenant's storage account through a service endpoint.”
“In a hub-spoke architecture, centralize Private Endpoints in the hub VNet. Create the Private Endpoint and Private DNS Zone in the hub, link the DNS zone to both hub and all spoke VNets. Spoke VMs resolve PaaS service hostnames to private IPs in the hub VNet, traffic flows through hub peering to the private endpoint, and Azure Firewall in the hub can inspect that traffic. One Private Endpoint shared by all spokes is more cost-efficient than creating a Private Endpoint per spoke — Private Endpoints have a per-hour charge.”
“Securing PaaS access is a fundamental step in the Zero Trust journey — never trust the public internet when you can route traffic privately. Service Endpoints for simple scenarios, Private Link for compliance-sensitive workloads. Next episode we go deep on Azure DevOps release strategies — blue-green deployments, canary releases, and feature flags for zero-downtime deployments.”
1. Create an Azure Storage Account
2. Enable a Service Endpoint for Microsoft.Storage on a VNet subnet
3. Add a VNet rule to the Storage firewall and block public access
4. Verify: access from the subnet succeeds, access from the internet fails
5. Create a Private Endpoint for the same Storage Account
6. Create the Private DNS Zone privatelink.blob.core.windows.net
7. Test DNS resolution: nslookup resolves to the private IP
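The seven lab steps above as one Azure CLI script, added here as an example; it is not part of the episode or of any Azure sample. The resource group, VNet, subnet and storage account names, the 10.10.0.0/16 address space and the region are assumptions, and the script uses a private endpoint DNS zone group (which makes Azure write and maintain the A record in the privatelink zone) rather than hand-creating the record as the episode describes. The `az` calls only run when `DEPLOY=1` is set, so the two helper functions can be exercised offline; the subnet flag for private endpoint network policies has changed name across CLI versions, so check `az network vnet subnet create --help` if that line is rejected.

```shell
#!/usr/bin/env bash
# Added example, not the episode's own code. All names/prefixes below are assumptions.
# Set DEPLOY=1 to create resources; without it only the helper functions are defined.
set -euo pipefail

RG="${RG:-rg-privatelink-lab}"   # assumed resource group name
LOC="${LOC:-westeurope}"         # assumed region
VNET="vnet-lab"
SUBNET_VM="snet-vm"              # subnet that gets the Service Endpoint
SUBNET_PE="snet-pe"              # subnet that hosts the Private Endpoint NIC
SA="${SA:-stprivlab$RANDOM}"     # storage account names must be globally unique, 3-24 lowercase alphanumerics
PE="pe-${SA}-blob"

# Map a storage sub-resource (private-endpoint group id) to the Private DNS zone Azure expects for it.
privatelink_zone_for() {
  case "$1" in
    blob|file|queue|table|web|dfs) echo "privatelink.$1.core.windows.net" ;;
    *) echo "unsupported group id: $1" >&2; return 1 ;;
  esac
}

# True when an IPv4 address is RFC 1918 space, i.e. the answer came from the linked
# Private DNS zone and not from the public blob.core.windows.net zone.
is_private_ip() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Last line of `dig +short` is the final A record after the CNAME chain
# <sa>.blob.core.windows.net -> <sa>.privatelink.blob.core.windows.net -> IP.
resolves_privately() { is_private_ip "$(dig +short "$1" | tail -n 1)"; }

step1_storage_account() {
  az group create -n "$RG" -l "$LOC" -o none
  az network vnet create -g "$RG" -n "$VNET" --address-prefix 10.10.0.0/16 \
    --subnet-name "$SUBNET_VM" --subnet-prefixes 10.10.1.0/24 -o none
  # Flag name varies by CLI version (older: --disable-private-endpoint-network-policies true).
  az network vnet subnet create -g "$RG" --vnet-name "$VNET" -n "$SUBNET_PE" \
    --address-prefixes 10.10.2.0/24 --private-endpoint-network-policies Disabled -o none
  az storage account create -g "$RG" -n "$SA" -l "$LOC" --sku Standard_LRS --kind StorageV2 \
    --min-tls-version TLS1_2 --allow-blob-public-access false -o none
}

step2_service_endpoint() {
  az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$SUBNET_VM" \
    --service-endpoints Microsoft.Storage -o none
}

step3_firewall_rule() {
  # Allow the subnet first, then flip the default to Deny so nothing else (internet included) gets in.
  az storage account network-rule add -g "$RG" --account-name "$SA" \
    --vnet-name "$VNET" --subnet "$SUBNET_VM" -o none
  az storage account update -g "$RG" -n "$SA" --default-action Deny -o none
}

step4_verify_service_endpoint() {
  # Run from your workstation (public source IP). The control plane (ARM) still works, so the key
  # lookup succeeds, but the data-plane list call must fail with 403 AuthorizationFailure.
  if az storage container list --account-name "$SA" --auth-mode key -o none 2>/dev/null; then
    echo "WARNING: data-plane access from the internet still allowed" >&2; return 1
  fi
  echo "internet access blocked as expected; the same command from a VM in $SUBNET_VM should succeed"
}

step5_private_endpoint() {
  local sa_id
  sa_id=$(az storage account show -g "$RG" -n "$SA" --query id -o tsv)
  # Private endpoint traffic is not subject to the storage firewall rules set in step 3.
  az network private-endpoint create -g "$RG" -n "$PE" --vnet-name "$VNET" --subnet "$SUBNET_PE" \
    --private-connection-resource-id "$sa_id" --group-id blob --connection-name "${PE}-conn" -o none
}

step6_private_dns() {
  local zone; zone=$(privatelink_zone_for blob)
  az network private-dns zone create -g "$RG" -n "$zone" -o none
  az network private-dns link vnet create -g "$RG" -z "$zone" -n "${VNET}-link" -v "$VNET" \
    --registration-enabled false -o none
  # The zone group creates and maintains the A record <sa>.privatelink.blob.core.windows.net -> 10.10.2.x.
  az network private-endpoint dns-zone-group create -g "$RG" --endpoint-name "$PE" -n default \
    --private-dns-zone "$zone" --zone-name blob -o none
}

step7_verify_dns() {
  local host="${SA}.blob.core.windows.net"
  if resolves_privately "$host"; then
    echo "OK: $host resolves to a private IP (you are inside the VNet)"
  else
    echo "$host resolves to a public IP here; from a VM in $VNET it must resolve to 10.10.2.x" >&2
    return 1
  fi
}

if [ "${DEPLOY:-0}" = "1" ]; then
  step1_storage_account; step2_service_endpoint; step3_firewall_rule; step4_verify_service_endpoint
  step5_private_endpoint; step6_private_dns; step7_verify_dns
fi
```

Steps 4 and 7 are meant to be run twice: once from your workstation, where the firewall must reject the list call and the name must resolve publicly, and once from a VM inside `snet-vm`, where the list call succeeds and `dig`/`nslookup` returns the 10.10.2.x address of the private endpoint. If step 7 fails on the VM, the usual cause is that the VM's DNS servers are not Azure-provided, so the linked Private DNS zone is never consulted.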