Virtual Network Service Endpoints
It didn’t make it into today’s Ignite Keynote, but today Microsoft released a preview of a new Azure service, Service Endpoints. It is now possible to take Azure services that have previously only had public endpoints and restrict them so that they can only be accessed from a specific virtual network (or several networks), or even from specific subnets.
This preview is starting out with Azure SQL and Storage, with more services to come along soon. It’s limited to a few regions at the moment, mainly the US and Australia. (This service is now GA.) There are also a few other limitations to be aware of:
- Access is not transitive, so allowing access from your vNet does not allow access from resources connected to that vNet via VPN or ExpressRoute. If you want that access, you would add your ExpressRoute IPs directly to the endpoint as well.
- vNets should be in the same region as the resource
- Only one service endpoint for each service can be configured on each subnet, so you can’t, for example, have two different storage accounts accessible from the same subnet
Service Endpoints are a nice way to add some additional security to your storage account, and they address a concern that has existed for a long time: that these accounts can be accessed from outside the corporate network or vNet boundary and so pose an additional risk. It’s not quite the same as having the storage or SQL server directly joined to the virtual network and addressable using private IPs (you are still going to connect to a public URL), but it’s a good start.
Configuring Service Endpoints
Enabling a service endpoint is pretty straightforward. It can be enabled either when the storage account is created or after creation.
To add an endpoint to an existing storage account, we select the “Firewalls and Virtual Networks” option in the portal.
Here we have the option to allow access from all networks (the standard setup) or from selected networks. Once we pick “selected networks” we are presented with the options to either select a specific virtual network (and subnet) or add a specific IP range if we want to allow access from an on-premises network.
As we want to use a vNet, we can click the “Add Existing virtual network” option and select the vNet and subnet we want to allow access from. We can also choose whether or not to allow access from Azure services.
We save this, and we’ve now set up our service endpoint. Our storage account can no longer be accessed via its public URL unless we are on the specified virtual network. The process for SQL is the same.
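As an added example (not code from the original post), here is the same configuration done with the Azure CLI, assuming placeholder resource names (rg-demo, vnet-demo, subnet-app, stdemo01, sql-demo): it enables the endpoints on the subnet, locks the storage account and SQL server to that subnet, and then checks that the account’s default action really is Deny. Run it as-is to print the plan, or with `--apply` against a real subscription.

```shell
#!/bin/sh
# Added example, not from the original post: the portal steps as Azure CLI.
# Resource names below are assumed placeholders; override them via environment.
set -eu
RG="${RG:-rg-demo}"; VNET="${VNET:-vnet-demo}"; SUBNET="${SUBNET:-subnet-app}"
STORAGE="${STORAGE:-stdemo01}"; SQL_SERVER="${SQL_SERVER:-sql-demo}"

# Prints each az command instead of running it unless DRY_RUN=0, so the plan
# can be reviewed (or tested) without a subscription.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}
# Step 1: turn on the endpoints on the subnet. Without this a vNet rule on the
# account saves fine, but subnet traffic still arrives from a public address.
enable_subnet_endpoints() {
  run az network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
    --name "$SUBNET" --service-endpoints Microsoft.Storage Microsoft.Sql
}

# Step 2: "Selected networks" on the storage account. Add the subnet rule
# first, then switch the default to Deny so the public URL is closed to
# everyone else; --bypass AzureServices is the "allow Azure services" option.
restrict_storage_account() {
  run az storage account network-rule add --resource-group "$RG" \
    --account-name "$STORAGE" --vnet-name "$VNET" --subnet "$SUBNET"
  run az storage account update --resource-group "$RG" --name "$STORAGE" \
    --default-action Deny --bypass AzureServices
}

# Same idea for SQL: one vnet rule on the logical server per allowed subnet.
restrict_sql_server() {
  run az sql server vnet-rule create --resource-group "$RG" --server "$SQL_SERVER" \
    --name "allow-$SUBNET" --vnet-name "$VNET" --subnet "$SUBNET"
}

# Check: the account is only locked down once defaultAction reads Deny; a
# vNet rule with the default left at Allow still leaves the public URL open.
storage_default_action() {
  run az storage account show --resource-group "$RG" --name "$STORAGE" \
    --query networkRuleSet.defaultAction -o tsv
}

main() {
  [ "${1:-}" = "--apply" ] && DRY_RUN=0
  enable_subnet_endpoints; restrict_storage_account; restrict_sql_server
  if [ "${DRY_RUN:-1}" = "0" ]; then
    [ "$(storage_default_action)" = "Deny" ] || { echo "account still open" >&2; exit 1; }
  fi
}
main "$@"
```

The on-premises case from the limitations list is the same idea with `az storage account network-rule add --ip-address` instead of a vNet rule.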