have two questions: If I want to configure a service endpoint between a subnet and a Storage service, does the virtual machine that is part of the subnet need a public IP? How can I verify whether the connection is established over the internet or the Microsoft backbone network? Regards

Hello HASSAN BIN NASIR DAR Answering your questions No, the virtual machine (VM) that is part of the subnet does not need a public IP to configure a service endpoint between the subnet and a Storage service. Service endpoints uses private IP addresses in the virtual network (VNet) to reach the endpoint of an Azure services https://zcusa.951200.xyz/en-us/azure/virtual-network/virtual-network-service-endpoints-overview To verify the connection is established over the internet or the Microsoft backbone network, you can check the effective routes on the network interface of the VM. Also consider that traffic to a Storage Account in same region as a VM always traverses over the Microsoft Backbone Network. It does not matter if you have enabled service end point or not. Service EndPoint simply "allows" the traffic at the Storage Account. If you were to not to enable service end point, you will see a 4xx Error when you access the Storage account If service end point is enabled, you will see a 200 HTTP Success. In both the cases, traffic will always be on Microsoft Backbone Network and will use private IP of the VM as source. https://zcusa.951200.xyz/en-us/azure/storage/common/storage-network-security?tabs=azure-portal#restrictions-for-ip-network-rules https://zcusa.951200.xyz/en-us/answers/questions/1664558/traffic-through-microsoft-backbone-network

Service Endpoint deployment

HASSAN BIN NASIR DAR 326

have two questions:

If I want to configure a service endpoint between a subnet and a Storage service, does the virtual machine that is part of the subnet need a public IP?
How can I verify whether the connection is established over the internet or the Microsoft backbone network?

Regards

Keshavulu Dasari 2,420 Reputation points Microsoft Vendor

2024-12-24T03:50:55.08+00:00
Hi HASSAN BIN NASIR DAR,
When you configure a service endpoint, the VM in the subnet can access the Azure Storage service using its private IP address. The traffic is routed through the Microsoft backbone network, not the internet. The VM does not need a public IP to access the storage URL because the service endpoint ensures that the traffic stays within Azure's network

Service Endpoint vs. Private Endpoint:

Service Endpoint: When you enable a service endpoint, the traffic from your virtual network to the Azure service (like Storage) is routed through the Microsoft backbone network. The service endpoint allows the Azure service to identify traffic coming from your virtual network's private IP addresses, even though the service itself is accessed via its public endpoint.

Private Endpoint: This creates a private IP address within your virtual network for the Azure service. All traffic between your virtual network and the service stays entirely within the Azure network, using private IP addresses. This means the service is accessed directly via its private IP, providing an additional layer of security.

with a service endpoint, the traffic is routed through the Microsoft backbone network but still uses the public endpoint of the service. With a private endpoint, the service is accessed via a private IP within your virtual network, ensuring all traffic remains private.
For more information
https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/service-endpoints-vs-private-endpoints/3962134

If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.
HASSAN BIN NASIR DAR 326 Reputation points

2024-12-24T10:11:19.3433333+00:00

Hi

can you explain what does it mean “ But still it uses the public endpoint of the service” ?

for example if I I have service endpoint for storage . Does it mean public ip of storage?
HASSAN BIN NASIR DAR 326 Reputation points

2024-12-24T10:56:59.5133333+00:00

Hi

Can you little explain me, what does it mean "but still uses the public endpoint of the service."? For example, in my case I am using service endpoint for storage account. Does it mean connection will be established between VM's private IP and public endpoint of storage service (Public IP)?
Keshavulu Dasari 2,420 Reputation points Microsoft Vendor

2024-12-25T07:18:13.44+00:00

Hi HASSAN BIN NASIR DAR,
When you use a service endpoint for your storage account, the connection is established between your VM's private IP and the public endpoint of the storage service.

Service Endpoint: Your VM uses its private IP to connect to the Azure Storage service. The traffic is routed over the Microsoft backbone network, ensuring it doesn't traverse the public internet. However, the storage service itself is accessed via its public endpoint (public IP address). This setup enhances security by keeping the traffic within Microsoft's network.

Private Endpoint: In contrast, a private endpoint assigns a private IP address to the Azure Storage service within your VNet. This means both your VM and the storage service communicate entirely over private IPs within your VNet, never using the public internet or public IPs.

If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.
HASSAN BIN NASIR DAR 326 Reputation points

2024-12-25T10:31:57.73+00:00

Thank you so much. Now my concept is clear.

Can you explain to me that what it mean? It doesn’t matter whether we use the service point or not, connection will always be established over Microsoft private backbone network. Please see the below points. I could not understand.

Regards
Keshavulu Dasari 2,420 Reputation points Microsoft Vendor

2024-12-26T04:30:47.17+00:00

Hi HASSAN BIN NASIR DAR,
I'm glad your concept is clear now! Same Region Traffic: When both the VM and the storage account are in the same region, the traffic between them always traverses the Microsoft Backbone Network. This means that the data never leaves Microsoft's internal network, ensuring secure and efficient communication.

Service Endpoint Role: The service endpoint allows the traffic from your VNet to reach the storage account. Without the service endpoint, the storage account would reject the traffic, resulting in a 4xx error (client error). With the service endpoint enabled, the storage account accepts the traffic, resulting in a 200 HTTP success (successful connection).

Traffic Path: Regardless of whether the service endpoint is enabled or not, the traffic between the VM and the storage account will always use the Microsoft Backbone Network. The key difference is that without the service endpoint, the storage account will not accept the traffic from your VNet

If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.

1 answer

Andriy Bilous 11,616 Reputation points MVP

2024-12-23T22:21:20.6766667+00:00
Hello HASSAN BIN NASIR DAR

Answering your questions

No, the virtual machine (VM) that is part of the subnet does not need a public IP to configure a service endpoint between the subnet and a Storage service. Service endpoints uses private IP addresses in the virtual network (VNet) to reach the endpoint of an Azure services
https://zcusa.951200.xyz/en-us/azure/virtual-network/virtual-network-service-endpoints-overview

To verify the connection is established over the internet or the Microsoft backbone network, you can check the effective routes on the network interface of the VM.

Also consider that traffic to a Storage Account in same region as a VM always traverses over the Microsoft Backbone Network.

It does not matter if you have enabled service end point or not.

Service EndPoint simply "allows" the traffic at the Storage Account.

If you were to not to enable service end point, you will see a 4xx Error when you access the Storage account

If service end point is enabled, you will see a 200 HTTP Success.

In both the cases, traffic will always be on Microsoft Backbone Network and will use private IP of the VM as source.

https://zcusa.951200.xyz/en-us/azure/storage/common/storage-network-security?tabs=azure-portal#restrictions-for-ip-network-rules

https://zcusa.951200.xyz/en-us/answers/questions/1664558/traffic-through-microsoft-backbone-network
Please sign in to rate this answer.
HASSAN BIN NASIR DAR 326 Reputation points

2024-12-24T02:54:19.5866667+00:00

So, it means if vm and storage both have same region both will use Microsoft backbone network not a internet.

But without public IP how vm can open storage url?

Second thing, I heard that if we enable private endpoint then communication will be start with private IP but if we enable service endpoint then communication will be start with public ip over Microsoft backbone network.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Service Endpoint deployment

1 answer

Your answer