Azure PaaS services such as Storage accounts, Web Apps, and SQL Database are public services with public endpoints, meaning traffic to them is routed over the internet. There are cases, though, where connectivity to these services needs to stay on the Azure backbone network and be limited to a known network. This post covers one of several Azure services that meet this need.
Today, I will show you the features and functionality of Azure service endpoints and the steps to access Azure storage accounts from a VM over the Azure backbone using them. We will also see how to use service endpoint policies to restrict which of two storage accounts is reachable from the VM's subnet.
2. Prerequisites – VM and storage accounts, Storage Explorer Setup
Before we look at how service endpoints work, we need a few resources in place: one Windows VM and two storage accounts. The second storage account is what lets us demonstrate service endpoint policies.
Here I have used a VM of size B4ms (4 vCPUs, 16 GB RAM) running Windows Server 2019 Datacenter (Gen2).
We also need two storage accounts. Here I have created endpointstorage001 and endpointstorage002, both in the same region as the VM (East US 2) and with LRS redundancy.
We also created a container named blob1 in each account and uploaded sample files.
Now we connect to these storage accounts from inside the VM using Storage Explorer, authenticating with the account name and key. Keep in mind that an account key grants full access to the account's data plane; the network rules configured in the later sections limit where such a key can be used from, but they do not replace rotating it. For the steps to add a storage account to Storage Explorer, refer to my blog mentioned above.
Now repeat the same steps for endpointstorage002.
As the image below shows, we can connect to both storage accounts successfully from the VM over the public internet.
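The same connectivity check done from a PowerShell prompt inside the VM with the Az.Storage module instead of Storage Explorer, as an added example that is not part of the original post. It assumes the Az module is installed and that the two account keys are held in the environment variables STORAGE_KEY_001 and STORAGE_KEY_002 (assumed names); the account and container names are the ones created above. It is worth keeping at hand because the later sections change what this check returns for each account.

```powershell
# Added example (not from the original post): list blobs in both storage accounts
# with the account key, the same test the post performs with Storage Explorer.
# Assumes Az.Accounts and Az.Storage are installed (Install-Module Az) and that
# the keys are in $env:STORAGE_KEY_001 / $env:STORAGE_KEY_002 (assumed names).

function Test-BlobAccess {
    param(
        [Parameter(Mandatory)] [string] $AccountName,
        [Parameter(Mandatory)] [string] $AccountKey,
        [string] $Container = 'blob1'
    )
    # Shared-key context: the key grants full data-plane rights on the account,
    # so the storage firewall (next section) is what limits where it can be used from.
    $ctx = New-AzStorageContext -StorageAccountName $AccountName -StorageAccountKey $AccountKey
    try {
        $blobs = Get-AzStorageBlob -Container $Container -Context $ctx -ErrorAction Stop
        [pscustomobject]@{
            Account   = $AccountName
            Reachable = $true
            Blobs     = @($blobs.Name)
            Detail    = ''
        }
    }
    catch {
        # A storage-firewall denial surfaces as HTTP 403 with error code
        # AuthorizationFailure; a wrong key surfaces as AuthenticationFailed.
        # A DNS or TCP failure shows up as a transport error instead.
        [pscustomobject]@{
            Account   = $AccountName
            Reachable = $false
            Blobs     = @()
            Detail    = $_.Exception.Message
        }
    }
}

$accounts = @(
    @{ Name = 'endpointstorage001'; Key = $env:STORAGE_KEY_001 },
    @{ Name = 'endpointstorage002'; Key = $env:STORAGE_KEY_002 }
)
foreach ($a in $accounts) {
    Test-BlobAccess -AccountName $a.Name -AccountKey $a.Key | Format-List
}
```

At this stage both accounts report Reachable = True whether the script runs on the VM or on a laptop outside Azure. The Detail field is what to read once network rules are in place: a 403 mentioning AuthorizationFailure means the storage firewall rejected the source network, whereas AuthenticationFailed means the credential itself is wrong.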
In the next section, we will see how to connect to the storage accounts over the Microsoft backbone network and block access from the internet.
3. Service Endpoint Connectivity
In this section, we will set up a service endpoint and see how it behaves.
First, navigate to the virtual network in which the VM is located and open its Service endpoints section.
Next, click Add to choose the public service to expose through a service endpoint. The available services are shown in the image below; we select Microsoft.Storage.
We also select the subnet to which the service endpoint is attached. Service endpoints are enabled per subnet, so only VMs in the selected subnet get the backbone path.
Now navigate to one of the storage accounts (endpointstorage001) and open its Networking section. Choose to allow access from selected networks, select the VNet and subnet as shown in the image below, and click Add. The existing virtual network can be added here because the Microsoft.Storage service endpoint is already enabled on its subnet.
When we now try to open endpointstorage001 in Storage Explorer from a machine on the public internet, access is denied, as shown below. The same storage account is still accessible from inside the VM (which sits in the allowed subnet) using Storage Explorer, because its requests now reach the account over the service endpoint with the subnet as the source.
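The portal steps of this section scripted with Azure PowerShell (Az.Network and Az.Storage), as an added example that is not part of the original post. The resource group name endpoint-rg, VNet name endpoint-vnet and subnet name default are assumptions; the storage account is endpointstorage001 from above. The script ends with a check of the resulting rule set, which is the assertion worth putting in any change pipeline: default action Deny, exactly one VNet rule for the VM's subnet, and no IP rules.

```powershell
# Added example (not the post's own steps): enable the Microsoft.Storage service
# endpoint on the VM's subnet, allow only that subnet on the storage account,
# and verify the result. Requires Az.Network and Az.Storage and an active login.
$rg         = 'endpoint-rg'      # assumed resource group name
$vnetName   = 'endpoint-vnet'    # assumed VNet name
$subnetName = 'default'          # assumed subnet name
$account    = 'endpointstorage001'

# 1. Enable the Microsoft.Storage service endpoint on the subnet.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $subnet.AddressPrefix -ServiceEndpoint 'Microsoft.Storage' | Out-Null
$vnet   = Set-AzVirtualNetwork -VirtualNetwork $vnet
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName

# 2. Allow the subnet on the storage account, then deny everything else.
#    Add the VNet rule first so the subnet is never locked out in between.
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $account `
    -VirtualNetworkResourceId $subnet.Id | Out-Null
# Bypass AzureServices keeps trusted Microsoft services (e.g. Monitor) working;
# set -Bypass None if that exception is not wanted.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $account `
    -DefaultAction Deny -Bypass AzureServices | Out-Null

# 3. Verify: Deny by default, exactly one VNet rule (our subnet), no IP rules.
$rules         = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $account
$vnetRuleCount = @($rules.VirtualNetworkRules |
                   Where-Object { $_.VirtualNetworkResourceId -eq $subnet.Id }).Count
$ipRuleCount   = @($rules.IpRules).Count
$lockedDown    = ($rules.DefaultAction -eq 'Deny') -and ($vnetRuleCount -eq 1) -and ($ipRuleCount -eq 0)

"Firewall on ${account}: DefaultAction=$($rules.DefaultAction), " +
"VNet rules for subnet=$vnetRuleCount, IP rules=$ipRuleCount, locked down=$lockedDown"
```

Once this has run, the blob listing from the public internet fails with a 403 AuthorizationFailure while the same listing from the VM succeeds, which is exactly the behaviour observed in Storage Explorer above. If the subnet's service endpoint were removed later, the VM would fall back to its public IP and be denied as well, so the verification step belongs in the storage account's change control, not only in the VNet's.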
4. Service Endpoint Policies
Service endpoints have a companion feature, service endpoint policies, which restricts traffic leaving the subnet over the service endpoint to specific storage accounts. Without a policy, the endpoint can reach any storage account in any subscription, which is why a policy is the control that turns a service endpoint into an anti-exfiltration measure rather than only a connectivity feature.
To set one up, search for "Service endpoint policy" in the Azure portal. Provide the details shown in the image below (the policy definition lists endpointstorage001 as the only permitted resource) and click Create.
After creating the policy, associate it with the VM's subnet under the policy's subnet association.
To test, try to access the two storage accounts from inside the VM: endpointstorage001 still works, but objects inside endpointstorage002 can no longer be listed or read, because the policy permits only endpointstorage001. This confirms the policy works.
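The policy of this section created with Azure PowerShell (Az.Network), as an added example that is not part of the original post. The resource group endpoint-rg, VNet endpoint-vnet, subnet default and policy name allow-endpointstorage001-only are assumptions; the storage account names and region are the ones used above. The definition's resource list is the allow list: a definition can name individual accounts, a whole resource group or a whole subscription by resource ID, and anything not covered is dropped for service-endpoint traffic from the subnet.

```powershell
# Added example (not from the post): restrict the subnet's Microsoft.Storage
# service endpoint to endpointstorage001 only, attach the policy to the subnet,
# and print what the subnet is allowed to reach. Requires Az.Network/Az.Storage.
$rg         = 'endpoint-rg'                      # assumed
$vnetName   = 'endpoint-vnet'                    # assumed
$subnetName = 'default'                          # assumed
$policyName = 'allow-endpointstorage001-only'    # assumed
$location   = 'eastus2'                          # same region as the VM and accounts

$allowed = Get-AzStorageAccount -ResourceGroupName $rg -Name 'endpointstorage001'

# One definition holding the allow list. endpointstorage002, or any account an
# attacker controls, is not listed and so is unreachable over the endpoint.
$def = New-AzServiceEndpointPolicyDefinition -Name 'storage-allow-list' `
    -Description 'Only endpointstorage001 is reachable over the Microsoft.Storage endpoint' `
    -Service 'Microsoft.Storage' -ServiceResource $allowed.Id

$policy = New-AzServiceEndpointPolicy -ResourceGroupName $rg -Name $policyName `
    -Location $location -ServiceEndpointPolicyDefinition $def

# Associate the policy with the subnet. The Microsoft.Storage endpoint must stay
# enabled on the subnet; the policy filters that endpoint's traffic, it does not replace it.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $subnet.AddressPrefix -ServiceEndpoint 'Microsoft.Storage' `
    -ServiceEndpointPolicy $policy | Out-Null
$vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet

# Verify the association and print the effective allow list.
$subnet   = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
$attached = @($subnet.ServiceEndpointPolicies | Where-Object { $_.Id -eq $policy.Id }).Count -eq 1
$full     = Get-AzServiceEndpointPolicy -ResourceGroupName $rg -Name $policyName
foreach ($d in $full.ServiceEndpointPolicyDefinitions) {
    "{0}: {1} allows {2}" -f $full.Name, $d.Service, ($d.ServiceResources -join ', ')
}
"Policy attached to subnet ${subnetName}: $attached"
```

After this, the blob listing from the VM still succeeds for endpointstorage001 and fails for endpointstorage002, while Storage Explorer on the internet side is unaffected by the policy (it is governed by each account's own firewall). Because the policy is evaluated on the VNet side, it also stops a compromised VM from copying data to a storage account the attacker owns, which the storage firewall on your own accounts cannot do.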
5. Connectivity to Secondary Location
This section covers a scenario to keep in mind when combining service endpoints with storage redundancy. Azure storage accounts offer several redundancy options, such as LRS (locally redundant storage), ZRS (zone-redundant storage), and GRS (geo-redundant storage). With GRS, the data written to a storage account is also replicated to a second copy in the region's paired region.
Suppose we have a service endpoint from a virtual network to a storage account in the primary region, say East US 2, and that region goes down. Connectivity to the paired secondary region, Central US, cannot go through that service endpoint. To reach the copy of our data in Central US, we need a virtual network in that region with its own service endpoint and a VM in it. Plan and test this second path before a regional outage rather than during one.
6. Additional Points
There is no additional cost for using service endpoints.
There is no limit on the total number of service endpoints in a virtual network.
An important point to note: although connectivity to the storage account travels over the Azure backbone network, the endpoint being connected to is still the storage account's public endpoint (its public DNS name and IP). What changes is that the storage account sees the VM's private VNet address as the source instead of a public IP, and that is what the virtual network rule matches on. If the service must have a private IP address inside your VNet, that is what private endpoints provide.
Today we have seen how to restrict public access to Azure storage accounts (an Azure PaaS service) and connect to them over the Azure backbone network. There are other options, too, such as Azure Private Endpoint and Private Link, which provide further capabilities for connecting to resources privately; those will be the subject of another post.
8. About CloudThat
CloudThat is an authorized AWS Well-Architected Partner, helping other businesses build secure, high-performing, resilient, and efficient infrastructures for their applications and workloads.
CloudThat is also an official Microsoft Gold Partner, AWS Advanced Consulting Partner, and Training Partner, helping people develop knowledge of the cloud and helping their businesses aim for higher goals using best-in-industry cloud computing practices and expertise. We are on a mission to build a robust cloud computing ecosystem by disseminating knowledge on technological intricacies within the cloud space. Our blogs, webinars, case studies, and white papers enable all the stakeholders in the cloud computing sphere.
Drop a query if you have any questions regarding Microsoft Azure service endpoints, virtual machines and storage accounts, or consulting opportunities, and I will get back to you quickly. To get started, go through our Expert Advisory page and Managed Services Package, which are CloudThat's offerings.
Q1. What is the cost that we will incur for enabling service endpoints?
Ans: There is no cost associated with using service endpoints.
Q2. If all services in Azure reside within a VNet, why do we need a service endpoint?
Ans: Not all Azure services reside inside a VNet. Some services, such as Azure Storage, Azure SQL, and Azure Cosmos DB, are outside the VNet. Hence, to reach them from resources inside a VNet over the Azure backbone, and to let the service recognise that VNet as the source, we use service endpoints.