Virtual Network Service Endpoints

As of today, Virtual Network Service Endpoints is in Preview and publicly available. This is one of the most requested features in Azure. Before this, one of the common issues regarding PaaS including Azure SQL and Storage was Public EndPoint, though Azure provides multiple ways to protect our workload and data, it was accessible from the Internet.
Image Source: Microsoft
Now, there is the possibility of locking Azure SQL and/or Storage within the Vnet or further down into  Subnet level, removing the direct access to and from the Internet. This will ensure that all your traffic with remain within your network or Azure Backbone Network and egress/ingress traffic destined to Azure Services can be inspected and forced to on-prem using Forced Tunnelling.

Limitation: 
Support only ARM model VNets and should be in the same region. 
Endpoints are enabled on Subnets configured in VNets. EndPoints can't be used for traffic originated from on-premises.

A configuration of Service Endpoint is straightforward.  Either you can provision new Azure SQL and Storage or work on existing resources.
Azure SQL :  SQL server > Firewall/Virtual Network (Preview): Choose the options "Allow access to Azure Service" if you want any Azure Services to access it- make it On else select Off. You can Add existing Virtual Network or create a new Virtual network which will access this database.
Then, you can go to the recently selected virtual network, click Service endpoints (Preview), you will see the recently added SQL service. From here also you can add SQL or Storage Service.

Note: Two-way configuration has to be performed. In VNet and Storage and SQL server.
Azure Storage: Storage Account> Under Settings: Choose Firewalls and Virtual Network

Once changes are made, effective routes will be updated.


Few Take-Aways: 
With Virtual Network Service Endpoints: 
1. Direct access to Storage Service and SQL Database from the Internet is eliminated. 
2. Access to those resources or services can be locked or confined within subnet level. 
3. Manage storage in such a way so that only private IP can access. 
4. Multi-layer Security
5. Optimal routing for Azure service traffic from your virtual network.
6. Routes added for Service Endpoint will be limited to the particular subnet.
7. No extra charges for Service endpoints.
8. No Direct access to Storage from on-premises using VPN. 

Calculation: 
Service endpoints routes override any UDR or BGP routes for the address prefix match of an Azure Service.

Comments

  1. aaronnssd4 January 2022 at 11:04

    Really appreciate this wonderful as we have seen here. This is a great source to enhance knowledge for us. Thankful to you for sharing an article like this.Network Monitoring

    ReplyDelete

Post a Comment

Popular posts from this blog

Deploy Palo Alto in Azure

Image
There are many ways to deploy Palo Alto Firewall in Azure. Out of those options today I will discuss how Palo Alto can be configured to protect your Azure workload. This setup is suitable for Proof of Concept only. Planning-Includes Minimum Requirement - Without HA Logical Diagram:  Create Virtual Network Name: PAN-VNet Address Space: 10.0.0.0/16 Subnet Name: Management Subnet Address Space: 10.0.1.0/24 Subnet Name: Untrust Subnet Address Space: 10.0.2.0/24 Subnet Name: Trust Subnet Address Space: 10.0.3.0/24 Resource Group: PA-VNet    Subnet Spin Web Server Virtual Machine  Name: SecureWebServices Image: Windows Server 2016 Resource Group: Services Network: PAN-VNet Subnet: Trust Role: Web Server (IIS) Installed Change NSG rules of Web Server to accept request on port 80, if you wish to test the web request. However, later on, this behaviour will be controlled through firewall. Spin Palo Alto Firewall Virtual Machine Name: vmseries300 Im
Read more

Demystifying System and User Define Routes of Azure

Image
As Virtual Network is created, Azure automatically create its own route tables for that Virtual Network, so that all the packets which enters the virtual network can traverse within its address prefix and leave the subnet for its destination. These are known as the Default Routes . We can’t modify these routes; however, we can add our custom routes on top of default routes for the traffic leaving the subnet. These custome route is known as User Define Routes . In this case, we are modifying the default behaviour of packets routing but still the internal and external routing of packet is done by virtual network to ensure that our packets are never hijacked.  In another word, we are adding routes and requesting virtual network to routes traffic in the way we want. So far its not possible to route the traffic independently bypassing the Azure Virtual Network routing mechanism and for security reason I do not think this will ever be possible. Common Use Case of UDR:  Every bus
Read more

Azure Web App Vnet Integration - Hub and Spoke Scenario

Image
Integrating Web Apps with virtual network allows us to access the resources which is located within our private network space, however web apps will be still be accessible from internet. App Service Environment could be possible solution if you wish to make your Web App completely private. In this blog I will be discussing the 3 possible use cases. Integrate Web Apps with VNet and verify connectivity between Web App and a VM which is deployed within the same VNet.  Web App Integration in Hub and Spoke  Establish connectivity between On-Prem network and Azure Web App Use Case 1 - Simple We need to have the following things to meet the goal with use case 1. 1. Virtual Network - Ansible-vnet - Address Space -10.0.0.0/16 2. Provision a Gateway Subnet - Address Space - 10.0.1.0/24 3. Virtual Network Gateway - WebApp-GW : SKU - VpnGw1 4. Create Point to Site in WebApp-GW - Address Space : 172.16.201.0/24 5. Since, SKU - VpnGw1 is used, IKEv2 VPN should be unchecked. (
Read more