Secure Connectivity To Azure PaaS Services
As a cloud architect or security engineer, making a secure connection to a PaaS-based service is a critical design decision.
When you provision any PaaS-based service in Azure, it comes with a public endpoint. As a cloud architect or security engineer, you have to make a secure connection to that PaaS-based service, and this is very critical from a design perspective. Today we will see what options we have in this regard.
When securing access to a public endpoint, the service endpoint comes in handy. It is a feature of your virtual network that provides secure and direct connectivity to Azure services over an optimized route on the Azure backbone network. Service endpoints enable private IP addresses in the Virtual Network (VNet) to reach the endpoint of an Azure service without needing a public IP address on the VNet.
The diagram below depicts a VM with a private IP address running inside a virtual network that wants to access a storage account. To achieve this, first enable the service endpoint only on the virtual network where the VM is running.
Steps To Enable Service Endpoint
Step 1: Enable the service endpoint on the required virtual network. Endpoint policies are optional; they allow you to filter virtual network traffic to Azure services.
Step 2: Go to the firewall or networking settings of the PaaS service and add the virtual network (subnet) that has the service endpoint enabled.
Step 3: Verify that the service endpoint is enabled and in use.
Important Points to Note
- Ensure the required IP firewall rules are in place before setting up service endpoints.
- Service endpoints do not support connecting on-premises resources to a PaaS-based service. In that case you have to use either the on-premises NAT IP addresses or ExpressRoute, and you must allow those public IP addresses in the resource's IP firewall settings.
- Service endpoints are limited to a few PaaS-based services. The available services are Azure Storage, Azure Database services, Azure Synapse Analytics, Azure Key Vault, Azure Service Bus, Azure Event Hubs, Azure Data Lake Store Gen 1, Azure App Service, and Azure Cognitive Services.
- To access SQL and Data Lake services over a service endpoint, the VNet and the PaaS service must be in the same region.
- Service endpoints do not change DNS resolution; the service name still resolves to its public IP address.
There are no additional charges for service endpoints, and there is no limit on the total number of service endpoints you can create.
Having discussed the service endpoint, we will now look at the private endpoint. It uses a private IP address from your virtual network (VNet), effectively bringing the PaaS-based service into your virtual network. It is a network interface that connects you privately and securely to a service powered by Azure Private Link.
The diagram below depicts a VM with a private IP address running inside a virtual network that wants to access a storage account. To achieve this, first set up a private endpoint only in the virtual network where the VM is running.
Steps to Configure Private Endpoint
Step 1: Go into the PaaS service. The private endpoint creation option will be available inside the firewall and networking section, or in a separate section of its own.
To deploy a private endpoint or a private link service, the user must be assigned a built-in role such as Owner, Contributor, or Network Contributor.
Also note that we have created a private endpoint only for the blob sub-resource of the storage account. If you need secure access to other sub-resources of the storage account, such as files, tables, or queues, you need a separate private endpoint connection for each.
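The two procedures above (enabling a service endpoint and locking the storage firewall to it, then adding a blob-only private endpoint) can be expressed as infrastructure as code. The following Bicep template is an added example written for this article, not code from the original post; every name and address range in it is a placeholder chosen for the example.

```bicep
// Added example: Bicep template codifying the article's steps. Names and ranges are placeholders.
param location string = resourceGroup().location
param vnetName string = 'vnet-app'
param subnetName string = 'snet-app'
param storageAccountName string = 'st${uniqueString(resourceGroup().id)}'

// Step 1: enable the Microsoft.Storage service endpoint on the subnet.
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: vnetName
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [ {
      name: subnetName
      properties: {
        addressPrefix: '10.10.1.0/24'
        serviceEndpoints: [ { service: 'Microsoft.Storage' } ]
        privateEndpointNetworkPolicies: 'Disabled' // allow the PE NIC in this subnet
      }
    } ]
  }
}

// Step 2: storage firewall denies everything except traffic from this subnet's endpoint.
resource stg 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'AzureServices'
      virtualNetworkRules: [ { id: vnet.properties.subnets[0].id, action: 'Allow' } ]
    }
  }
}

// Private endpoint for the blob sub-resource only; files, tables and queues each need their own.
resource pe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-${storageAccountName}-blob'
  location: location
  properties: {
    subnet: { id: vnet.properties.subnets[0].id }
    privateLinkServiceConnections: [ {
      name: 'blob'
      properties: { privateLinkServiceId: stg.id, groupIds: [ 'blob' ] }
    } ]
  }
}
```

For the private endpoint to be used by name, a privatelink.blob.core.windows.net private DNS zone linked to the VNet is still required; it is omitted here to stay within the example's scope.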
Private endpoints support a wide range of Azure services and are not limited to the public cloud; they support hybrid cloud scenarios as well. An on-premises VM can connect to Azure services powered by Private Link over VPN or ExpressRoute.
With every private endpoint, one NIC is created with a dynamically assigned private IP address from the same subnet. The private IP address remains unchanged for the entire lifecycle of the private endpoint.
Every service comes with some limitations as well. Here are those of the private endpoint:
- Supports only IPv4 traffic.
- Works on TCP and UDP traffic only.
- Basic Azure Load Balancer is not supported.
Azure Security Center, through the Azure Security Benchmark, provides recommendations on how you can secure your cloud solutions on Azure.
Unlike Azure service endpoints, private endpoints incur charges for endpoint creation and for ingress/egress data processed.
On a closing note, I would suggest choosing between the service endpoint and the private endpoint wisely. A service endpoint still targets a publicly routable IP address. A private endpoint is a private IP address in the address space of the virtual network where the private endpoint is configured.
I am sharing a YouTube video here to check the demo on these services: https://www.youtube.com/watch?v=g7J_YWlfGnk