Virtual Network Service Endpoints
As of today, Virtual Network Service Endpoints is in Preview and publicly available. This is one of the most requested features in Azure. Before this, one of the common issues regarding PaaS including Azure SQL and Storage was Public EndPoint, though Azure provides multiple ways to protect our workload and data, it was accessible from the Internet.
Image Source: Microsoft |
Now, there is the possibility of locking Azure SQL and/or Storage within the Vnet or further down into Subnet level, removing the direct access to and from the Internet. This will ensure that all your traffic with remain within your network or Azure Backbone Network and egress/ingress traffic destined to Azure Services can be inspected and forced to on-prem using Forced Tunnelling.
Limitation:
Support only ARM model VNets and should be in the same region.
Endpoints are enabled on Subnets configured in VNets. EndPoints can't be used for traffic originated from on-premises.
A configuration of Service Endpoint is straightforward. Either you can provision new Azure SQL and Storage or work on existing resources.
Azure SQL : SQL server > Firewall/Virtual Network (Preview): Choose the options "Allow access to Azure Service" if you want any Azure Services to access it- make it On else select Off. You can Add existing Virtual Network or create a new Virtual network which will access this database.
Then, you can go to the recently selected virtual network, click Service endpoints (Preview), you will see the recently added SQL service. From here also you can add SQL or Storage Service.
Note: Two-way configuration has to be performed. In VNet and Storage and SQL server.
Note: Two-way configuration has to be performed. In VNet and Storage and SQL server.
Azure Storage: Storage Account> Under Settings: Choose Firewalls and Virtual Network
Once changes are made, effective routes will be updated.
Once changes are made, effective routes will be updated.
With Virtual Network Service Endpoints:
1. Direct access to Storage Service and SQL Database from the Internet is eliminated.
2. Access to those resources or services can be locked or confined within subnet level.
3. Manage storage in such a way so that only private IP can access.
4. Multi-layer Security
5. Optimal routing for Azure service traffic from your virtual network.
6. Routes added for Service Endpoint will be limited to the particular subnet.
7. No extra charges for Service endpoints.
8. No Direct access to Storage from on-premises using VPN.
Calculation:
Service endpoints routes override any UDR or BGP routes for the address prefix match of an Azure Service.
6. Routes added for Service Endpoint will be limited to the particular subnet.
7. No extra charges for Service endpoints.
8. No Direct access to Storage from on-premises using VPN.
Calculation:
Service endpoints routes override any UDR or BGP routes for the address prefix match of an Azure Service.
Really appreciate this wonderful as we have seen here. This is a great source to enhance knowledge for us. Thankful to you for sharing an article like this.Network Monitoring
ReplyDelete