Demystifying Azure Security - Azure SQL Database and Azure Storage - Service Endpoints on Virtual Network

@20aman    Mar 10, 2018

This blog post is part of the Demystifying Azure Security series. All posts in the series can be found here: Demystifying Azure Security - Series Index

Azure Service Endpoints allow access to SQL or Storage services over the network, without going out of the network.

To configure this feature, you can navigate to your Virtual Network and then under the settings, select the "Service endpoints". Click on "+Add" to add a Service Endpoint.

Navigating to Service Endpoints

In the popup, select the provider for which you want to configure the Service Endpoint.

Service Endpoints on the Virtual Networks are available for:

  1. Microsoft.Sql provider
  2. Microsoft.Storage provider

Also, select the subnet on which you want to configure the Service Endpoint and then hit "Add".

Adding Service Endpoint

It will take some time (approximately 15 minutes) to configure the Service Endpoints at the backend. Once configured, you will see the configured endpoints in the portal as shown below.

Deployed Service Endpoint

Note that even after you configure service endpoint for SQL you will need to allow access at the SQL Server level as well. Service Endpoint ensures that the communication will happen at the network level. The Firewall configuration for the network is needed to allow that communication via Firewall on the SQL Server. This is explained in detail here: Azure SQL Database - Firewall Rule for Virtual Networks

Overall, this is a very powerful feature that is easy to configure and provides you with lots of flexibility.

Comments powered by Disqus