Private Endpoint VS Service Endpoint
Date published:
After working with Azure at work, I used Private Endpoint for client Infrastructure. I want to discuss the difference between Service Endpoint as both are very important in cloud networking.
What is a Private Endpoint
A private endpoint is a network interface that uses a private IP address from your virtual network. This network interface connects you privately and securely to a service using a Private Link. According to Microsoft, using a private endpoint allows the service to enter into your VNET. The Private Endpoint also enables a private and secure connection between your virtual network and an Azure network.
Before creating a Private Endpoint, follow Microsoft Best Practice here https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview.
This is a diagram of a private endpoint enabled on a storage account.
When creating a private endpoint, you will have an option to make it with a virtual network or use DNS to access it through the virtual network or DNS that you can use for DNS resolution for the endpoint that can link to a VNET.
To create the endpoint for most resources, such as the storage account, you will go to Security + Networking and Networking. Below you can see an example of a private endpoint created.
The private endpoint network interface will get a private IP assign from the virtual network subnet. You can view the IP address configuration by going to the network interface and the IP configuration section.
What is a Service Endpoint
The service endpoint enables communications between the VNET, and access is allowed between the subnet level or the public IP. It will generally maintain the public IP address and Microsoft DNS only resolves the IP. However, it is not available from private, on-premises networks. The Service Endpoint will access the storage account by the external IP address, and the address will go through the azure network.
You can create the Service Endpoint on the storage account by going to the networking section on the storage account and adding a virtual network by going to the option enabling from the selected virtual network.
Once a virtual network is added to it, go to the VNET and down until you see the service endpoint and ensure Microsoft Storage is set as a service before traffic is allowed.
Fruther Reading