3.3.1. Service Endpoints vs. Private Endpoints
💡 First Principle: Both enable private access to Azure services, but with important differences. Service endpoints extend your VNet identity to the service; Private Endpoints bring the service into your VNet with a private IP.
Scenario: You have VMs that need to access an Azure Storage account. You want to ensure traffic doesn't traverse the public internet.
Comparison Table
| Aspect | Service Endpoint | Private Endpoint |
|---|---|---|
| IP Address | Service still has public IP | Service gets private IP in your VNet |
| DNS | No DNS changes needed | Requires private DNS zone |
| Traffic path | Azure backbone (not internet) | Within your VNet |
| Access from on-premises | Not extended to on-premises; on-prem clients still target the public IP (VPN/ExpressRoute + service firewall IP rules) | Works naturally via VPN/ER |
| Cost | Free | Per-endpoint hourly cost |
| Firewall integration | Via service firewall rules | Via NSGs on Private Endpoint |
⚠️ Exam Trap: Thinking service endpoints give you a private IP. Service endpoints keep the public IP but route traffic optimally over Azure's backbone. The service is still reachable from its public IP (unless you configure service firewall rules).
Service Endpoints Configuration
| Requirement | Configuration |
|---|---|
| Access storage from VNet1 (2 subnets) | 2 service endpoints (per subnet) |
| Access Entra ID from VNet2 (3 subnets) | 3 service endpoints (per subnet) |
| Total | 5 service endpoints |
Visual: Service Endpoint vs. Private Endpoint
| Aspect | Service Endpoint | Private Endpoint |
|---|---|---|
| Traffic path | Azure backbone (optimized) | Your VNet (private IP) |
| Client connects to | Public IP of the service | Private IP in your VNet |
| DNS resolution | Public IP | Private IP (requires Private DNS) |
| On-premises access | ❌ Cannot use | ✅ Works via VPN/ExpressRoute |
| Cost | Free | Per-hour + data processing |
💡 Key Insight: Service Endpoints optimize the routing but still use public IPs. Private Endpoints provide a private IP in your VNet, which is what makes on-premises connectivity work and lets you disable public access to the service entirely.
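The DNS rows in the tables above and the exam trap are easiest to see by walking the resolution chain. The Python below is an added example, not code from this study guide or from Microsoft: the hostname patterns (`<account>.blob.core.windows.net`, the `privatelink.blob.core.windows.net` zone) are Azure's real ones, but the account name `contoso123`, the cluster name, the VNet range `10.1.0.0/16` and every IP address are constructed, and the three record sets stand in for what public DNS and a VNet-linked private DNS zone would answer.

```python
"""Added example (not from the study guide): model how a storage account's
blob hostname resolves with a service endpoint versus a Private Endpoint,
and check whether a client will actually reach the Private Endpoint.
Account name, cluster name, VNet range and IP addresses are constructed."""
import ipaddress

ACCOUNT = "contoso123"                       # constructed account name
BLOB_HOST = f"{ACCOUNT}.blob.core.windows.net"
PRIVATELINK_HOST = f"{ACCOUNT}.privatelink.blob.core.windows.net"
VNET_CIDRS = ["10.1.0.0/16"]                 # constructed VNet address space

# Public DNS before any Private Endpoint exists. A service endpoint changes
# nothing here: the account keeps its public IP.
PUBLIC_DNS_NO_PE = {
    BLOB_HOST: ("CNAME", "blob.examplecluster.store.core.windows.net"),
    "blob.examplecluster.store.core.windows.net": ("A", "20.60.1.10"),
}
# Public DNS after a Private Endpoint is approved: a CNAME to the privatelink
# name is inserted, but public DNS still resolves that name to the public IP.
PUBLIC_DNS_WITH_PE = {
    BLOB_HOST: ("CNAME", PRIVATELINK_HOST),
    PRIVATELINK_HOST: ("CNAME", "blob.examplecluster.store.core.windows.net"),
    "blob.examplecluster.store.core.windows.net": ("A", "20.60.1.10"),
}
# Private DNS zone privatelink.blob.core.windows.net linked to the VNet: the
# privatelink name now answers with the endpoint NIC's private address.
PRIVATE_ZONE = {
    PRIVATELINK_HOST: ("A", "10.1.2.4"),
}


def resolve(name, zones, max_hops=8):
    """Follow CNAMEs to an A record. The first zone holding a name wins,
    which is how a VNet-linked private zone overrides public DNS."""
    for _ in range(max_hops):
        for zone in zones:
            if name in zone:
                rtype, value = zone[name]
                break
        else:
            raise LookupError(f"no record for {name}")
        if rtype == "A":
            return value
        name = value  # CNAME: keep walking the chain
    raise LookupError("CNAME chain too long")


def traffic_path(ip, vnet_cidrs, service_endpoint_on_subnet):
    """Classify where a connection to `ip` goes from a VM in the VNet."""
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(c) for c in vnet_cidrs):
        return "private endpoint"
    if service_endpoint_on_subnet:
        return "public IP via service endpoint"
    return "public IP without service endpoint"


def check_private_endpoint(resolved_ip, vnet_cidrs):
    """Post-deployment check: the Private Endpoint is only in use when the
    name resolves to an address inside the VNet. Returns (ok, message)."""
    if traffic_path(resolved_ip, vnet_cidrs, False) == "private endpoint":
        return True, f"{resolved_ip} is inside the VNet; traffic stays private"
    return False, (f"{resolved_ip} is public: the private DNS zone is missing or "
                   "not linked to this VNet, so traffic bypasses the endpoint")


if __name__ == "__main__":
    cases = {
        "service endpoint only": ([PUBLIC_DNS_NO_PE], True),
        "private endpoint, zone not linked": ([PUBLIC_DNS_WITH_PE], False),
        "private endpoint, zone linked": ([PRIVATE_ZONE, PUBLIC_DNS_WITH_PE], False),
    }
    for label, (zones, se) in cases.items():
        ip = resolve(BLOB_HOST, zones)
        print(f"{label:35} -> {ip:12} {traffic_path(ip, VNET_CIDRS, se)}")
```

The middle case is the one worth remembering: the Private Endpoint exists, but until the `privatelink.blob.core.windows.net` zone is linked to the VNet the name still resolves to the public IP, so traffic bypasses the endpoint and fails the moment public network access is disabled on the account. The same check works against a real deployment by passing `check_private_endpoint` the address your VM's resolver returns for the blob hostname.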