At some point, I imagine most people working with Azure VMs have hit issues with being able to connect to services running inside a vNet. A lot of the time these issues boil down to the configuration of Network Security Groups to allow traffic into the VM. The process of troubleshooting these issues and determining which NSG and which NSG rule is at fault can be time-consuming, especially with complex networks.
Historically Azure Network Security Groups (NSG’s) have only allowed you to enter a single value for things things like source or destination IP and source or destination port. This has meant that for complex setups you end up with a very large amount of NSG’s. This is especially if you are trying to filter a large amount of IP’s, for example the Azure Data Center IP ranges, which is a common requirement if you want to restrict outbound access but allow access to PaaS resources.
It didn’t make it into todays Ignite Keynote, but today Microsoft released a preview of a new Azure service, Service Endpoints. It is now possible to take Azure services that have previously only had public endpoints, and restrict these to only allow access from a specific virtual network (or multiple networks), or even specific subnets. This preview is starting out with Azure SQL and Storage, with more services to come along soon.