Exploring Azure Service Endpoints Features And Functionalities
TABLE OF CONTENTS
1. Overview
2. Storage Explorer Setup and Prerequisites-VM
3. Service Endpoint Connectivity
4. Service Endpoint Policies
5. Connectivity to Secondary Location
6. Additional Points
7. Conclusion
8. CloudThat
9. FAQs

1. Overview
Azure PaaS services such as Storage accounts, Web Apps and SQL Database are public services with public endpoints, so traffic to them is routed over the internet. There are situations where you need connectivity to these public endpoints to stay on the Azure backbone network instead. Azure Service Endpoints are one of the services that address this need.
Today I will demonstrate the features and functionality of Azure Service Endpoints, and show how to access Azure Storage accounts privately from a VM using them. We will also learn how to use Azure Service Endpoint Policies to restrict access to the two storage accounts.
2. Prerequisites – Storage accounts, Storage Explorer Setup
Before we can look at how service endpoints operate, we need a few resources in place. To follow the service endpoint policy demonstration, we will need one Windows VM and two storage accounts.
Here is the VM: size B4ms (4 cores, 16 GB RAM), running Windows Server 2019 Datacenter – Gen2.
Storage explorer will be installed in our VM. This will allow us to understand how storage accounts are accessed using service endpoints. You can read the blog Setup, Connect and Understand the Working of Microsoft Azure Storage Explorer.
Two storage accounts are required. Here are the two I created, endpointstorage001 and endpointstorage002, both in the same region as the VM (East US 2) and both using LRS redundancy.
We have also created containers blob1 for both accounts and uploaded sample file(s).
We can now connect to these storage accounts from within the VM using Storage Explorer. To connect to a storage account, we use the account name and key. My earlier blog contains detailed instructions on connecting storage accounts in Storage Explorer.
Next, repeat the same steps for endpointstorage002.
The image below shows that we can successfully connect to the storage accounts from the VM over the public internet.
Next, we’ll show you how to connect storage accounts to the Microsoft backbone network.
3. Service Endpoint Connectivity
This section shows how to set up service endpoints and what they do.
We first navigate to the virtual network where the VM is located, and then to its Service endpoints section.
Next, click on the ADD button to add public services via service endpoints. Below is an image of the list. We choose Microsoft storage.
We also choose the subnet to attach the service endpoint.
Navigate to one of the storage accounts and go to the Networking section. Click on Allow Access from Networks Chosen, select the VNet or subnet shown in the image and click ADD. Because the service endpoint is already enabled on that subnet, the existing virtual network can be added here.
As shown below, when we attempt to access the storage account endpointstorage001 through the Storage browser over the public internet, access is denied. The same storage account can still be accessed from inside the VM (which is part of the virtual network) using Storage Explorer.
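The same configuration can be applied and, more importantly, verified from the command line. The following Az PowerShell script is an added example and is not part of the original post: it enables the Microsoft.Storage service endpoint on the VM's subnet, switches endpointstorage001 to deny public traffic by default, adds the subnet as the only allowed network, and then reads the rule set back so the state can be checked rather than assumed. The resource group, VNet and subnet names are assumptions; the storage account name comes from the post. It assumes the Az module is installed and Connect-AzAccount has already been run.

```powershell
# Added example, not from the original post. Assumes the Az module and an
# active Connect-AzAccount session. Resource group, VNet and subnet names are
# assumed values; the storage account name is the one used in the post.
$rg       = 'rg-endpoint-demo'      # assumed resource group
$vnetName = 'vnet-endpoint-demo'    # assumed VNet that contains the VM
$subnet   = 'default'               # assumed subnet the VM lives in
$account  = 'endpointstorage001'

# 1. Enable the Microsoft.Storage service endpoint on the VM's subnet.
#    Set-AzVirtualNetworkSubnetConfig needs the address prefix, so read it first.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$snet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet `
    -AddressPrefix $snet.AddressPrefix -ServiceEndpoint 'Microsoft.Storage' | Out-Null
$vnet = $vnet | Set-AzVirtualNetwork
$snet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet

# 2. Put the storage account on "selected networks": deny everything by default,
#    then allow only the subnet that carries the service endpoint.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $account `
    -DefaultAction Deny | Out-Null
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $account `
    -VirtualNetworkResourceId $snet.Id | Out-Null

# 3. Verify the result instead of trusting the portal screenshot:
#    DefaultAction must be Deny, and the VNet rules should list only our subnet.
$rules = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $account
"DefaultAction : $($rules.DefaultAction)"
"Bypass        : $($rules.Bypass)"
"VNet rules    : $($rules.VirtualNetworkRules.VirtualNetworkResourceId -join ', ')"
"IP rules      : $($rules.IpRules.IPAddressOrRange -join ', ')"
if ($rules.DefaultAction -ne 'Deny') {
    Write-Warning "$account still accepts traffic from the public internet"
}
if ($rules.IpRules.Count -gt 0) {
    Write-Warning "$account has public IP allow-rules that bypass the VNet restriction"
}
```

The two warnings at the end are the checks worth keeping in an audit script: a storage account with a VNet rule but DefaultAction still Allow is not restricted at all, and leftover IP rules re-open a path around the service endpoint. The Bypass value (for example AzureServices) is printed for the same reason; it lists trusted Microsoft services that are exempt from the Deny rule and should be reviewed deliberately rather than left at its default.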
4. Service Endpoint Policies
Azure service endpoints also have a feature called service endpoint policies. A policy restricts the VNet where the endpoint is deployed so that it can reach only specific storage accounts (or other PaaS services) over the endpoint.
To create one, search for "Service endpoint policy" in the Azure portal. Enter the details shown in the image below and click Create to create the policy.
After creating the poli
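The policy steps can also be scripted and checked with Az PowerShell. The script below is an added example, not part of the original post: it creates a policy definition that names endpointstorage001 as the only storage account reachable over the Microsoft.Storage endpoint, creates the policy in the VNet's region, attaches it to the subnet that already has the service endpoint, and then lists what the subnet is now allowed to reach. The resource group, VNet and subnet names and the policy name are assumptions; the storage account name and region are the ones used in the post, and the script assumes the Az module and an active Connect-AzAccount session.

```powershell
# Added example, not from the original post. Assumes the Az module, an active
# Connect-AzAccount session, and that the Microsoft.Storage service endpoint is
# already enabled on the subnet. Resource group, VNet, subnet and policy names
# are assumed values; the storage account name and region come from the post.
$rg         = 'rg-endpoint-demo'    # assumed resource group
$vnetName   = 'vnet-endpoint-demo'  # assumed VNet that contains the VM
$subnet     = 'default'             # assumed subnet carrying the endpoint
$policyName = 'sep-storage-demo'    # assumed policy name
$location   = 'eastus2'             # East US 2, the region used in the post

# 1. The definition lists the resource(s) the subnet may reach over the endpoint.
#    ServiceResource takes full ARM ids; one storage account id is used here.
$allowed = Get-AzStorageAccount -ResourceGroupName $rg -Name 'endpointstorage001'
$def = New-AzServiceEndpointPolicyDefinition -Name 'allow-endpointstorage001' `
    -Description 'Only endpointstorage001 is reachable via the Storage endpoint' `
    -Service 'Microsoft.Storage' -ServiceResource $allowed.Id

# 2. Create the policy in the same region as the VNet.
$policy = New-AzServiceEndpointPolicy -ResourceGroupName $rg -Name $policyName `
    -Location $location -ServiceEndpointPolicyDefinition $def

# 3. Attach the policy to the subnet. The service endpoint must be restated,
#    otherwise the subnet update would drop it.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$snet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet `
    -AddressPrefix $snet.AddressPrefix -ServiceEndpoint 'Microsoft.Storage' `
    -ServiceEndpointPolicy $policy | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# 4. Read the policy back and print exactly what the subnet is allowed to reach.
$policy = Get-AzServiceEndpointPolicy -ResourceGroupName $rg -Name $policyName
foreach ($d in $policy.ServiceEndpointPolicyDefinitions) {
    "$($d.Service) -> $($d.ServiceResources -join ', ')"
}
```

Once the policy is attached, endpointstorage002 is no longer reachable from the subnet over the service endpoint even though it was not touched, which is the behaviour the post goes on to demonstrate with Storage Explorer. Two points worth remembering when reviewing such a policy: the resources it names are the complete allow-list for that subnet (a resource group or subscription id can be given instead of a single account to allow everything under it), and the policy only governs traffic that uses the Microsoft.Storage endpoint, so the storage accounts' own network rules still need DefaultAction Deny to block the public path.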