Introduction
Securing connectivity to Platform-as-a-Service (PaaS) resources like Azure Storage, SQL Database, or Key Vault is critical when building applications on Azure. By default, these services are exposed over public IPs, which means traffic can flow over the public internet, even if authentication controls are enabled.
Azure provides two main approaches to restrict access: Service Endpoints and Private Endpoints. While many blogs simply define them, in this article, we’ll go hands-on with both options, using Azure CLI commands, and compare them in terms of configuration, security, and cost.
Why Is Securing Azure PaaS Services Critical?
Enterprises often handle sensitive workloads such as financial data, customer records, or intellectual property. Allowing these services to be accessible publicly (even with strong authentication) creates risks:
- Exposure to brute force or DDoS attacks.
- Compliance violations for industries like finance or healthcare.
- Unintended access from outside the corporate environment.
The goal is simple: restrict access so only your trusted network can reach your PaaS services.
Service Endpoint vs Private Endpoint
Service Endpoint: Extends your VNet’s identity to an Azure PaaS service over the Azure backbone. The PaaS service keeps its public IP, but its firewall can be configured so that only your VNet/subnet is allowed through.
- Easy to configure.
- No extra cost.
Private Endpoint: Creates a network interface with a private IP inside your VNet that maps to the PaaS service. Traffic to that IP never leaves your private address space, and the service’s public endpoint can be switched off entirely.
- Strongest security, traffic stays within your private VNet.
- Supports on-premises and cross-region access.
Step-by-Step Guide
Step 1: Create an Azure Storage Account
We will use a Storage Account as our target PaaS service.
```bash
# Variables
RG="demo-secure-rg"
LOC="eastus"
STORAGE="demostorage$RANDOM"
VNET="demo-vnet"
SUBNET="demo-subnet"
VMNAME="demo-vm"
```
```bash
# Create Resource Group
az group create --name $RG --location $LOC
```
```bash
# Create Storage Account
az storage account create \
  --name $STORAGE \
  --resource-group $RG \
  --location $LOC \
  --sku Standard_LRS \
  --kind StorageV2 \
  --https-only true
```
Step 2: Create a VNet and VM for Testing
```bash
# Create VNet with subnet
az network vnet create \
  --name $VNET \
  --resource-group $RG \
  --location $LOC \
  --address-prefix 10.0.0.0/16 \
  --subnet-name $SUBNET \
  --subnet-prefix 10.0.1.0/24
```
```bash
# Create a test VM
# The old "UbuntuLTS" image alias has been retired from the Azure CLI; "Ubuntu2204" is a current alias.
az vm create \
  --name $VMNAME \
  --resource-group $RG \
  --image Ubuntu2204 \
  --admin-username azureuser \
  --generate-ssh-keys \
  --subnet $SUBNET \
  --vnet-name $VNET
```
You now have a Storage Account and a VM inside a VNet for testing.
Step 3: Configuring Service Endpoint
First, let’s enable Service Endpoint for Azure Storage on our subnet.
```bash
# Enable Service Endpoint for Storage on the subnet
az network vnet subnet update \
  --name $SUBNET \
  --vnet-name $VNET \
  --resource-group $RG \
  --service-endpoints "Microsoft.Storage"
```
```bash
# Restrict access to the Service Endpoint: allow the subnet, then deny everything else
az storage account network-rule add \
  --resource-group $RG \
  --account-name $STORAGE \
  --vnet-name $VNET \
  --subnet $SUBNET

# The storage firewall's default action is "Allow"; until it is "Deny" the rule above blocks nothing
az storage account update \
  --resource-group $RG \
  --name $STORAGE \
  --default-action Deny
```
Step 4: Testing Service Endpoint
SSH into the VM and try accessing Azure Blob storage:
```bash
# SSH into the VM (look up its public IP; az vm create also printed it)
VMIP=$(az vm show -d --name $VMNAME --resource-group $RG --query publicIps -o tsv)
ssh azureuser@$VMIP
```
```bash
# Inside the VM: the $STORAGE variable is not set here, so use the account name from Step 1
STORAGE=<your-storage-account-name>
curl -i https://$STORAGE.blob.core.windows.net/
# From the allowed subnet the service answers (an anonymous GET on the account root is not a
# valid operation, so expect an HTTP 400 error, which still proves the network path is open).
# From a network the firewall does not allow, the response is 403 AuthorizationFailure.
```
If everything is configured correctly, the request from the VM reaches the service, while the same request from outside the VNet is rejected.
Step 5: Configuring Private Endpoint
Now, let’s try the Private Endpoint approach.
```bash
# Create Private Endpoint
az network private-endpoint create \
  --name demo-private-endpoint \
  --resource-group $RG \
  --vnet-name $VNET \
  --subnet $SUBNET \
  --private-connection-resource-id $(az storage account show --name $STORAGE --resource-group $RG --query id -o tsv) \
  --group-id blob \
  --connection-name demo-storage-pe

# Turn the public endpoint off so the private endpoint is the only path into the account
az storage account update \
  --resource-group $RG \
  --name $STORAGE \
  --public-network-access Disabled
```
You’ll also need a Private DNS Zone for name resolution:
```bash
# Create the Private DNS zone for Blob storage
az network private-dns zone create \
  --resource-group $RG \
  --name "privatelink.blob.core.windows.net"
```
```bash
# Link the zone to the VNet so VMs in it resolve privatelink names
az network private-dns link vnet create \
  --resource-group $RG \
  --zone-name "privatelink.blob.core.windows.net" \
  --name dnslink \
  --virtual-network $VNET \
  --registration-enabled false
```
```bash
# Add the DNS record for the Storage Account (the zone group keeps the A record in sync with the endpoint)
az network private-endpoint dns-zone-group create \
  --resource-group $RG \
  --endpoint-name demo-private-endpoint \
  --name storage-dns-group \
  --private-dns-zone "privatelink.blob.core.windows.net" \
  --zone-name "privatelink.blob.core.windows.net"
```
Step 6: Testing Private Endpoint
From inside the VM:
```bash
# Resolve DNS: should return a private IP from the subnet, such as 10.0.1.5
nslookup $STORAGE.blob.core.windows.net
```
```bash
# Test access again
curl -i https://$STORAGE.blob.core.windows.net/
```
Now your Storage Account traffic flows entirely over private IP. The service is not reachable from the public internet.
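The two tests above only prove what one VM can reach. A practitioner also wants to confirm, from the control plane, that the account is really locked down, because the most common slip in Step 3 is adding the VNet rule while the firewall's default action is still "Allow". The following script is an added example, not code from the original article or from Azure: it reads the JSON that `az storage account show --name $STORAGE --resource-group $RG -o json` prints (field names follow that command's output), reports whether the Service Endpoint (Step 3) or Private Endpoint (Step 5) configuration actually blocks public access, and checks that the address returned by the Step 6 `nslookup` sits inside the VNet. The account documents in the file are constructed samples.

```python
"""Offline checks for the Service Endpoint and Private Endpoint lock-downs.

Added example, not part of the original article and not Azure code. It inspects
the JSON emitted by `az storage account show ... -o json` and the IP returned
by nslookup. All account documents below are constructed samples.
"""
import ipaddress
import json


def assess_storage_network(account: dict) -> list[str]:
    """Return findings for one storage account document; an empty list means locked down."""
    findings = []
    rules = account.get("networkRuleSet") or {}
    default_action = rules.get("defaultAction", "Allow")
    vnet_rules = rules.get("virtualNetworkRules") or []
    ip_rules = rules.get("ipRules") or []
    public_access = account.get("publicNetworkAccess") or "Enabled"
    approved_pes = [
        c for c in account.get("privateEndpointConnections") or []
        if (c.get("privateLinkServiceConnectionState") or {}).get("status") == "Approved"
    ]

    if public_access == "Disabled":
        # Public endpoint is off: only an approved private endpoint can reach the account.
        if not approved_pes:
            findings.append("publicNetworkAccess is Disabled but no approved private endpoint exists; nothing can reach the account")
        return findings

    # Public endpoint is on: the firewall rule set decides who gets through.
    if default_action != "Deny":
        findings.append(f"defaultAction is {default_action}; VNet rules do not restrict anything until it is Deny")
    if not vnet_rules and not approved_pes:
        findings.append("no VNet rule and no private endpoint; the account is only reachable over its public endpoint")
    for rule in vnet_rules:
        if rule.get("state") != "Succeeded":
            findings.append(f"VNet rule for {rule.get('virtualNetworkResourceId')} is in state {rule.get('state')}")
    if ip_rules:
        findings.append(f"{len(ip_rules)} public IP rule(s) still admit internet sources")
    if approved_pes:
        findings.append("private endpoint is approved but publicNetworkAccess is still Enabled; set it to Disabled for full isolation")
    return findings


def resolves_privately(resolved_ip: str, vnet_prefix: str) -> bool:
    """True when the address nslookup returned lies inside the VNet, meaning the
    privatelink zone is linked and the private endpoint NIC answers. A public
    Azure address here means the DNS wiring from Step 5 is missing."""
    return ipaddress.ip_address(resolved_ip) in ipaddress.ip_network(vnet_prefix)


# Constructed subnet resource ID (placeholder subscription) matching the article's names.
SUBNET_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/demo-secure-rg"
             "/providers/Microsoft.Network/virtualNetworks/demo-vnet/subnets/demo-subnet")

# Constructed: Step 3 ran `network-rule add` but defaultAction was never set to Deny.
SERVICE_ENDPOINT_HALF_DONE = {
    "name": "demostorage12345",
    "publicNetworkAccess": "Enabled",
    "networkRuleSet": {
        "defaultAction": "Allow",
        "ipRules": [],
        "virtualNetworkRules": [{"virtualNetworkResourceId": SUBNET_ID, "action": "Allow", "state": "Succeeded"}],
    },
    "privateEndpointConnections": [],
}

# Constructed: the same account after `az storage account update --default-action Deny`.
SERVICE_ENDPOINT_DONE = json.loads(json.dumps(SERVICE_ENDPOINT_HALF_DONE))
SERVICE_ENDPOINT_DONE["networkRuleSet"]["defaultAction"] = "Deny"

# Constructed: Step 5 private endpoint approved and the public endpoint switched off.
PRIVATE_ENDPOINT_DONE = {
    "name": "demostorage12345",
    "publicNetworkAccess": "Disabled",
    "networkRuleSet": {"defaultAction": "Allow", "ipRules": [], "virtualNetworkRules": []},
    "privateEndpointConnections": [
        {"name": "demo-storage-pe", "privateLinkServiceConnectionState": {"status": "Approved"}}
    ],
}

if __name__ == "__main__":
    for label, doc in [("service endpoint, rule only", SERVICE_ENDPOINT_HALF_DONE),
                       ("service endpoint, default Deny", SERVICE_ENDPOINT_DONE),
                       ("private endpoint, public off", PRIVATE_ENDPOINT_DONE)]:
        print(label, "->", assess_storage_network(doc) or ["locked down"])
    print("10.0.1.5 inside 10.0.0.0/16?", resolves_privately("10.0.1.5", "10.0.0.0/16"))
```

To run it against a real account, pipe the CLI output into `json.load` and pass the result to `assess_storage_network`; the VNet prefix for `resolves_privately` is the `--address-prefix` from Step 2. The script deliberately treats `publicNetworkAccess: Disabled` as the only state in which the rule set no longer matters, which is the distinction the FAQ draws between the two endpoint types.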
Conclusion
Both Service Endpoints and Private Endpoints are important in securing Azure PaaS resources. Service Endpoints are quick, free, and easy, ideal for development and less sensitive workloads. Private Endpoints, while more complex and slightly costlier, deliver true network isolation that many production environments demand.
By walking through CLI steps and testing connectivity, we’ve seen how each option behaves in practice. When designing your Azure architecture, balance cost vs security, and choose the right endpoint model for your workload.
Drop a query if you have any questions regarding Service Endpoints or Private Endpoints and we will get back to you quickly.
FAQs
1. Which one should I use for production?
ANS: – If compliance and strict isolation are required (e.g., banking, healthcare), use Private Endpoint. Service Endpoint may be enough if you only need simple VNet restriction without additional cost.
2. Do Service Endpoints entirely stop public access?
ANS: – No. They only restrict which VNets can access the service, but the service still has a public endpoint.
3. Do Private Endpoints work across regions?
ANS: – Private Endpoints can be used across regions and on-premises networks connected via VPN or ExpressRoute.

WRITTEN BY Rajveer Singh Chouhan
Rajveer works as a Cloud Engineer at CloudThat, specializing in designing, deploying, and managing scalable cloud infrastructure on AWS. He is skilled in various AWS services as well as automation tools like Terraform and CI/CD pipelines. With a strong understanding of cloud architecture best practices, Rajveer focuses on building secure, cost-effective, and highly available solutions. In his free time, he keeps up with the latest advancements in cloud technologies and enjoys exploring infrastructure automation and DevOps tools.