5.2. Service Endpoints
Before Private Link existed, how did you restrict a storage account to only your VNet? Service Endpoints were the answer—and they're still useful today. They extend your VNet identity to PaaS services, allowing those services to restrict access to your VNet only, though traffic still uses the service's public IP.
💡 First Principle: Service Endpoints keep traffic on Microsoft's backbone (like Private Link) but use the service's public IP. Think of it like a members-only entrance—you still go through the main door (public IP), but only VNet members are allowed in. The security is identity-based (your VNet's identity), not network-based (private IP).
What breaks without Service Endpoints (or Private Link):
- Your storage account is reachable from any IP on the internet
- Compliance audits fail because PaaS services have public exposure
- Data exfiltration is easier—attackers just need valid credentials
Consider when to use each: Service Endpoints are free and require no DNS changes—great for simple scenarios within Azure. Private Endpoints cost money but work from on-premises, support cross-region, and provide true network isolation.
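An added audit check (not part of the original text) that turns the "what breaks" list above into code: it classifies a storage account's network configuration as open to the internet, restricted to Service Endpoint subnets, restricted to an IP allow-list, or private-endpoint-only. The input shape mirrors the ARM `properties` block of a `Microsoft.Storage/storageAccounts` resource (`networkAcls`, `publicNetworkAccess`, `privateEndpointConnections`); the sample accounts are constructed, and the subscription id in them is a placeholder.

```python
from typing import Dict, List


def assess_storage_exposure(props: Dict) -> Dict:
    """Classify how the storage account's data plane can be reached."""
    acls = props.get("networkAcls", {})
    public_access = props.get("publicNetworkAccess", "Enabled")
    default_action = acls.get("defaultAction", "Allow")  # ARM default is Allow
    subnets: List[str] = [r["id"] for r in acls.get("virtualNetworkRules", [])
                          if r.get("action", "Allow") == "Allow"]
    ip_ranges: List[str] = [r["value"] for r in acls.get("ipRules", [])]
    pe_count = len(props.get("privateEndpointConnections", []))

    if public_access == "Disabled":
        mode, internet_reachable = "private-endpoint-only", False
    elif default_action != "Deny":
        # Firewall default Allow: any internet IP with valid credentials gets in.
        mode, internet_reachable = "open", True
    elif subnets:
        # Service Endpoint: VNet identity admitted through the public IP.
        mode, internet_reachable = "service-endpoint", False
    elif ip_ranges:
        mode, internet_reachable = "ip-allowlist", False
    else:
        mode, internet_reachable = "deny-all", False
    return {"mode": mode, "internet_reachable": internet_reachable,
            "subnets": subnets, "ip_ranges": ip_ranges,
            "private_endpoints": pe_count}


def internet_exposed(accounts: Dict[str, Dict]) -> List[str]:
    """Names of accounts reachable from arbitrary internet IPs."""
    return sorted(n for n, p in accounts.items()
                  if assess_storage_exposure(p)["internet_reachable"])


# Constructed sample data in the ARM `properties` shape (placeholder ids).
SUBNET_ID = ("/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/rg-app/providers/"
             "Microsoft.Network/virtualNetworks/vnet-app/subnets/snet-app")
SAMPLE_ACCOUNTS = {
    "stopen": {"networkAcls": {"defaultAction": "Allow", "ipRules": [],
                               "virtualNetworkRules": []}},
    "stlocked": {"publicNetworkAccess": "Enabled",
                 "networkAcls": {"defaultAction": "Deny", "bypass": "AzureServices",
                                 "ipRules": [{"value": "203.0.113.0/24", "action": "Allow"}],
                                 "virtualNetworkRules": [{"id": SUBNET_ID, "action": "Allow",
                                                          "state": "Succeeded"}]}},
    "stpe": {"publicNetworkAccess": "Disabled", "networkAcls": {"defaultAction": "Deny"},
             "privateEndpointConnections": [{"id": "<PE_CONNECTION_ID>"}]},
}
```

Feed it the `properties` block of each account from an ARM/REST export and the "open" accounts are the ones the compliance audit in the list above would flag.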
Private Endpoints vs Service Endpoints:
| Aspect | Service Endpoint | Private Endpoint |
|---|---|---|
| IP address | Public IP of service | Private IP in your VNet |
| On-premises access | Requires firewall rules | Via VPN/ExpressRoute with DNS |
| DNS | No change needed | Requires Private DNS |
| Cross-region | Regional only | Global |
| Cost | Free | Per-endpoint + data processing |
| NSG support | Yes | Requires enablement |
When to Use Service Endpoints:
- Cost-sensitive scenarios
- No requirement for private access from on-premises
- Regional-only requirements
- A simpler setup is acceptable