Service Endpoints allow you to communicate directly from a vNet to a number of Azure public services. Creating a service endpoint on a subnet extends the identity of your vNet to the relevant Azure service (a storage account, for example) and keeps the traffic on the Azure backbone network rather than routing it over the internet. The service endpoint therefore provides a secure and fast route between your vNet and the Azure service; note that on its own it does not restrict who else can reach the service, which is done with the service's own firewall or network rules.
A typical use case would be to allow a virtual machine access to files in an Azure storage account, without sending traffic over the internet.
Some key points to remember around service endpoints:
- Not all Azure services support service endpoints. At the time of writing the following are available:
  - Azure Storage: Generally available in all Azure regions.
  - Azure SQL Database: Generally available in all Azure regions.
  - Azure SQL Data Warehouse: Generally available in all Azure regions.
  - Azure Database for PostgreSQL server: Generally available in Azure regions where the database service is available.
  - Azure Database for MySQL server: Generally available in Azure regions where the database service is available.
  - Azure Database for MariaDB: Generally available in Azure regions where the database service is available.
  - Azure Cosmos DB: Generally available in all Azure regions.
  - Azure Key Vault: Generally available in all Azure regions.
  - Azure Service Bus: Generally available in all Azure regions.
  - Azure Event Hubs: Generally available in all Azure regions.
  - Azure Data Lake Store Gen 1: Generally available in all Azure regions where ADLS Gen1 is available.
- NSGs still apply to service endpoint traffic: outbound NSG rules on the subnet can allow (or deny) traffic to the service, using the corresponding service tag (for example Storage or Sql) as the destination.
- After enabling a service endpoint on a subnet, traffic from virtual machines in that subnet to the service uses their private IPv4 addresses as the source instead of their public IPv4 addresses. Any service firewall rule that allowed a VM's previous public IP will therefore no longer match that traffic and must be replaced with a rule for the vNet/subnet.
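As an added example (not part of the original post), the following Python script audits whether a storage service endpoint is actually enforced end to end. It parses the JSON documents that `az network vnet subnet show` and `az storage account show` return (the subscription id, resource names and subnet id below are constructed placeholders) and reports the common gap where the subnet has the endpoint but the storage account's network rule set still allows all networks.

```python
"""Audit a subnet + storage account pair for an enforced service endpoint.

Added example, not code from the original post. Input documents are
constructed samples shaped like the Azure CLI JSON output; ids are placeholders.
"""
import json

SUBNET_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
             "/providers/Microsoft.Network/virtualNetworks/vnet-demo/subnets/app")

# Constructed sample: subnet with the Microsoft.Storage endpoint enabled.
SUBNET_JSON = json.dumps({
    "id": SUBNET_ID,
    "name": "app",
    "serviceEndpoints": [{"service": "Microsoft.Storage",
                          "locations": ["westeurope"],
                          "provisioningState": "Succeeded"}],
})

# Weak configuration: endpoint enabled, but the account still accepts all networks.
ACCOUNT_OPEN_JSON = json.dumps({
    "name": "stdemo",
    "networkRuleSet": {"defaultAction": "Allow", "virtualNetworkRules": []},
})

# Hardened configuration: deny by default, allow only the subnet above.
ACCOUNT_LOCKED_JSON = json.dumps({
    "name": "stdemo",
    "networkRuleSet": {
        "defaultAction": "Deny",
        "virtualNetworkRules": [{"virtualNetworkResourceId": SUBNET_ID,
                                 "action": "Allow", "state": "Succeeded"}],
    },
})


def audit(subnet_json: str, account_json: str) -> list:
    """Return a list of findings; an empty list means the endpoint is enforced."""
    subnet, account = json.loads(subnet_json), json.loads(account_json)
    findings = []
    # 1. The subnet must have a provisioned Microsoft.Storage endpoint.
    endpoints = {e["service"] for e in subnet.get("serviceEndpoints", [])
                 if e.get("provisioningState") == "Succeeded"}
    if "Microsoft.Storage" not in endpoints:
        findings.append("subnet has no Microsoft.Storage service endpoint")
    # 2. The account must deny by default and explicitly allow this subnet.
    rules = account.get("networkRuleSet", {})
    if rules.get("defaultAction") != "Deny":
        findings.append("storage account defaultAction is not Deny (reachable from any network)")
    allowed = {r["virtualNetworkResourceId"].lower() for r in rules.get("virtualNetworkRules", [])
               if r.get("action", "Allow") == "Allow"}
    if subnet["id"].lower() not in allowed:
        findings.append("storage account has no virtual network rule for this subnet")
    return findings
```

Running `audit(SUBNET_JSON, ACCOUNT_OPEN_JSON)` returns two findings for the open account, while the locked account returns none.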
Useful Links
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq#virtual-network-service-endpoints