Queries regarding Private Endpoint

Time:09-28

Until now I assumed that the traffic flowing between 2 Azure resources (say between an Azure VM & Storage Account or a Key Vault) was through the internet, if private and service endpoints are not configured. But today a colleague of mine shared an article where it says that all the traffic between the Azure datacenters does not go through the internet; it's on Microsoft's backbone network only. Link to the article: https://azure.microsoft.com/en-in/blog/how-microsoft-builds-its-fast-and-reliable-global-network/

Now there could be 2 things:

  1. Either the article is now outdated (it is from 2017) and no longer true, and w/o any special configuration the traffic between 2 Azure resources flows through the internet, or,
  2. The traffic indeed flows through Microsoft's network and not through the internet, but in that case, what's the benefit of a Private Endpoint apart from the fact that we can assign a private IP to a PaaS service?

Any insights in this regard would be highly appreciated. Thanks in advance!

CodePudding user response:

  1. Yes, all the traffic between Azure services travels over the Microsoft backbone network. This is documented here:

    Yes, any traffic between data centers, within Microsoft Azure or between Microsoft services such as Virtual Machines, Microsoft 365, XBox, SQL DBs, Storage, and virtual networks are routed within our global network and never over the public Internet, to ensure optimal performance and integrity.

  2. Service endpoints provide an extra layer of isolation and security, as per Microsoft Docs:

    Network connections can only be initiated by clients connecting to the private endpoint. Service providers don't have routing configuration to create connections into service consumers. Connections can only be established in a single direction.

To understand private endpoints better, I would recommend reading more about Private Link Service as well.

CodePudding user response:

The difference is that services with Private Endpoint are not reachable from anywhere else but your VNet.

If you have a VM -> Storage without a private endpoint, the traffic will go over the MS network, but your storage endpoint is public (I can reach it from my laptop :) ).

If you place your storage in a VNet with private endpoints, then I need to be able to access the VNet in order to reach the storage endpoint.
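The reachability difference described in the two answers can be checked on a real account rather than assumed. The example below is added here and is not code from either poster; it evaluates a constructed document shaped like the JSON that `az storage account show` prints (the field names `publicNetworkAccess`, `networkRuleSet.defaultAction` and `privateEndpointConnections` are assumed from the ARM storage account resource) and reports whether the public endpoint is still open alongside the private one, which adding a private endpoint does not close by itself.

```python
import ipaddress
import json

# Constructed sample shaped like `az storage account show` output.
# Field names are assumptions based on the ARM storage account resource.
SAMPLE_ACCOUNT = json.loads("""
{
  "name": "examplestorage",
  "publicNetworkAccess": "Enabled",
  "networkRuleSet": {"defaultAction": "Allow", "ipRules": [], "virtualNetworkRules": []},
  "privateEndpointConnections": [
    {"privateLinkServiceConnectionState": {"status": "Approved"}}
  ]
}
""")


def assess_exposure(account: dict) -> dict:
    """Classify where the account's blob endpoint can be reached from.

    private_link: an approved private endpoint exists (reachable from the VNet).
    public:       the public endpoint accepts connections from any Internet IP.
    restricted:   the public endpoint exists but defaults to Deny (firewall rules only).
    """
    connections = account.get("privateEndpointConnections") or []
    private_link = any(
        c.get("privateLinkServiceConnectionState", {}).get("status") == "Approved"
        for c in connections
    )
    public_enabled = account.get("publicNetworkAccess", "Enabled") == "Enabled"
    default_allow = (account.get("networkRuleSet") or {}).get("defaultAction", "Allow") == "Allow"
    return {
        "private_link": private_link,
        "public": public_enabled and default_allow,
        "restricted": public_enabled and not default_allow,
    }


def is_private_resolution(addresses: list) -> bool:
    """True when every address the account FQDN resolved to is a private (RFC 1918)
    address, i.e. the privatelink DNS zone answered rather than the public VIP."""
    return bool(addresses) and all(ipaddress.ip_address(a).is_private for a in addresses)


if __name__ == "__main__":
    print(assess_exposure(SAMPLE_ACCOUNT))  # private endpoint present, public still open
```

Feed it the output of `az storage account show` and the addresses from a DNS lookup run inside the VNet; a "private_link: True, public: True" result means the second answer's "only from your VNet" does not yet hold for that account.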
