Integrating cloud services gives IT teams more capabilities and adds functionality to their projects, but they still need to lock down access to keep resources secure. Virtual networks help promote network isolation and allow enterprises to privately communicate with service resources.
Microsoft Azure provides numerous ways to enable private connectivity, including deploying dedicated instances, adding service tags and using endpoints. In this tip, we will focus on two options: Azure Private Link and service endpoints. While each of these approaches achieves a similar result, they operate in different ways.
What is Azure Private Link?
Azure Private Link is a service that allows IT teams to run an Azure platform as a service (PaaS) offering directly within their virtual network (VNet) by mapping it to a private endpoint. IT teams retain control over which endpoints can access which PaaS resources. Since the private endpoint is mapped to a resource, not the service, there is more protection against data leakage.
Like the service endpoint approach, this setup restricts connectivity to your resources, but IT teams may have to configure more complex rules to do so.
Azure Private Link supports 32 Azure services, including Azure Storage, Azure SQL Database, Azure Monitor and Azure Managed Disks.
What are Azure service endpoints?
Service endpoints let you define a certain subnet or subnets within your cloud's VNet that can communicate with a PaaS offering. IT teams can restrict connectivity between the cloud environment and a service, without having to perform complex IP filtering.
Service endpoints currently support 14 services, including Azure Storage, Azure SQL Database, Azure App Service and Azure Cognitive Services.
What are the differences?
The primary difference between these methods to restrict access is that while service endpoints keep PaaS resources outside your VNet, Private Link brings them directly into your VNet.
Other key differences include:
- Private Link is more complex to configure. You need to make room for it within your VNet, and you need to configure mappings between your endpoints and your Azure PaaS resources.
- Private Link keeps all traffic within your VNet, which may be desirable from a security standpoint and prevent data leakage.
- Service endpoints generally deliver better performance due to their simpler configuration and use of optimized routes.
In general, using service endpoints is a fast way to interface between a VNet and a service. Meanwhile, Private Links offer considerably greater control and security, but at the cost of a more complex setup process. Keep in mind that each option supports a different list of Azure PaaS offerings -- so if the service you are working with is supported by only one service, you'll need to use that one.
Lastly, in its documentation, Microsoft recommends using Azure Private Link for secure and private access to services hosted on Azure platform.