Configure Virtual Network Service Endpoints

Virtual Network (VNet) service endpoints extend your virtual network to Azure service resources over a direct connection: traffic from the VNet to the service stays on the Microsoft Azure backbone network and arrives at the service from your VNet's private address space instead of from a public IP address. Combined with a virtual network rule on the service resource, this lets you secure the resource to your VNet and remove its public Internet exposure. Enabling an endpoint by itself changes only routing and source addressing; the resource stays reachable from the Internet until you also add the rule (see "Securing Azure service resources to VNets" below). Learn more about "Virtual network service endpoints".

This article provides steps to enable and disable service endpoints. Once endpoints are enabled on a subnet to an Azure service, you can secure specific service resources to a virtual network.

Service endpoints can be configured using Azure portal, Azure PowerShell, Azure command-line interface, or an Azure Resource Manager template.

Note

During preview, the VNet service endpoints feature is supported in specific regions. For the list of supported regions, refer to the Azure Virtual Network updates page.

Service endpoint configuration overview

  • Service endpoints can only be configured on VNets deployed through the Azure Resource Manager deployment model.

  • Service endpoints are set on each subnet of a VNet.

  • For a subnet, you can only configure one service endpoint to a service. You can configure multiple service endpoints to different services (say, Azure Storage, Azure SQL).

  • You can enable the endpoints on a new or existing subnet.

  • Location is configured automatically for an endpoint. By default, service endpoints are configured to the VNet's region. For Azure Storage, to support regional failover scenarios, endpoints are automatically configured to Azure paired regions.

    Note

    Depending on the size of VNet/subnet, enabling service endpoint may take some time to finish. Ensure no critical tasks are in progress when enabling service endpoints. Service endpoints switch routes on every NIC in your subnet and may terminate any open TCP connections.

  • The service endpoint call returns "Succeeded" only after traffic flows to the service on all NICs in the subnet have been switched to VNet private IP addresses.

  • Effective Routes to validate endpoint configuration:

    To validate if service endpoint is configured correctly, "effective routes" on any NIC in the subnet shows a new "default" route with nextHopType: VirtualNetworkServiceEndpoint, per service, per region. Learn more about troubleshooting with effective routes

    Note

    Effective routes can only be viewed if you have one or more network interfaces (NICs) configured and associated with a running virtual machine in the subnet.

Azure Portal

Setting up service endpoint on a subnet during VNet Create

  1. Open Azure portal. Log in to Azure using your Azure account. If you don't have an Azure account, you can sign up for a free trial. The account must have the necessary permissions to create a virtual network and service endpoint.
  2. Click +New > Networking > Virtual network > +Add.
  3. On "Create virtual network", enter the following values, and then click Create:
     Setting               Value
     Name                  myVnet
     Address space         10.0.0.0/16
     Subnet name           mySubnet
     Subnet address range  10.0.0.0/24
     Resource group        Leave Create new selected, and then enter a name.
     Location              Any supported region, say, Australia East
     Subscription          Select your subscription.
     ServiceEndpoints      Enabled
     Services              Select one or all of the available services. At the time of preview, supported services: "Microsoft.Storage", "Microsoft.Sql".

(Screenshot: Select services for endpoints)

  4. Validate all the settings are correct and click "Create".

Set service endpoint

  1. To finish securing Azure service resources to your VNet, click on the service documentation in Next steps.

Validating service endpoint configuration

Confirm the service endpoints are configured using following steps:

  • In resources, click on "Virtual networks". Search for the VNet.
  • Click on the VNet name and navigate to "Service endpoints".
  • Configured endpoints show as "Succeeded". The automatically configured locations are also shown.

(Screenshot: Confirm service endpoint configuration)

Effective routes to validate endpoint configuration

To view the effective routes on a network interface (NIC) in the subnet, click on any NIC in that subnet. Under "Support + Troubleshooting", click "Effective routes". If the endpoint is configured, you see a new "default" route with the address prefixes of the service as destination and nextHopType "VirtualNetworkServiceEndpoint". If that route is missing, either the endpoint has not finished propagating or the NIC is not in the subnet you configured.

(Screenshot: Effective routes for service endpoints)
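The validation described above (configuration overview and the portal steps) can be scripted against the JSON that the Azure CLI returns. The following is an added example, not code from the original article: it compares the endpoints a subnet reports (`az network vnet subnet show -o json`, whose shape the article shows) with the routes a NIC in that subnet actually has (`az network nic show-effective-route-table -o json`; the `{"value": [...]}` shape with `addressPrefix`, `nextHopType` and `state` fields is assumed here). Both sample documents are constructed, the prefixes are documentation ranges rather than real Azure service prefixes, and the expected route count follows the article's statement of one default route per service, per region.

```python
"""Check that a subnet's service endpoints are reflected in a NIC's effective routes.

Added example, not from the original article. SUBNET_JSON and ROUTES_JSON are
constructed samples that mirror `az network vnet subnet show -o json` and
`az network nic show-effective-route-table -o json` (the latter's shape is assumed).
"""
import json

SERVICE_ENDPOINT_HOP = "VirtualNetworkServiceEndpoint"

# Constructed: two endpoints, three (service, region) pairs in total.
SUBNET_JSON = """
{
  "name": "mySubnet",
  "addressPrefix": "10.0.1.0/24",
  "serviceEndpoints": [
    {"service": "Microsoft.Storage", "provisioningState": "Succeeded",
     "locations": ["eastus", "westus"]},
    {"service": "Microsoft.Sql", "provisioningState": "Succeeded",
     "locations": ["eastus"]}
  ]
}
"""

# Constructed: effective route table of a NIC in that subnet. The service
# prefixes are RFC 5737 documentation ranges, not real Azure ranges.
ROUTES_JSON = """
{
  "value": [
    {"addressPrefix": ["10.0.0.0/16"], "nextHopIpAddress": [],
     "nextHopType": "VnetLocal", "source": "Default", "state": "Active"},
    {"addressPrefix": ["0.0.0.0/0"], "nextHopIpAddress": [],
     "nextHopType": "Internet", "source": "Default", "state": "Active"},
    {"addressPrefix": ["203.0.113.0/25", "203.0.113.128/25"], "nextHopIpAddress": [],
     "nextHopType": "VirtualNetworkServiceEndpoint", "source": "Default", "state": "Active"},
    {"addressPrefix": ["198.51.100.0/24"], "nextHopIpAddress": [],
     "nextHopType": "VirtualNetworkServiceEndpoint", "source": "Default", "state": "Active"},
    {"addressPrefix": ["192.0.2.0/24"], "nextHopIpAddress": [],
     "nextHopType": "VirtualNetworkServiceEndpoint", "source": "Default", "state": "Active"}
  ]
}
"""


def expected_endpoint_routes(subnet):
    """Routes the article says to expect: one per service, per region,
    counting only endpoints whose provisioning reached Succeeded."""
    return sum(len(ep.get("locations") or [])
               for ep in subnet.get("serviceEndpoints") or []
               if ep.get("provisioningState") == "Succeeded")


def endpoint_routes(route_table):
    """Active routes whose next hop is the service-endpoint hop type."""
    return [r for r in route_table.get("value") or []
            if r.get("nextHopType") == SERVICE_ENDPOINT_HOP
            and r.get("state") == "Active"]


def validate(subnet, route_table):
    """Return (ok, message); ok only when the NIC sees exactly the routes
    implied by the subnet's endpoint configuration."""
    want = expected_endpoint_routes(subnet)
    got = endpoint_routes(route_table)
    prefixes = sorted(p for r in got for p in r.get("addressPrefix") or [])
    if want == 0 and not got:
        return True, "no service endpoints configured and no endpoint routes present"
    if len(got) < want:
        return False, (f"expected {want} {SERVICE_ENDPOINT_HOP} routes, found {len(got)}: "
                       "endpoint still propagating, or this NIC is not in the subnet")
    if len(got) > want:
        return False, f"found {len(got)} endpoint routes but subnet config implies {want}"
    return True, f"{want} endpoint routes present for prefixes {prefixes}"


def validate_json(subnet_text, routes_text):
    """Same check, taking the raw JSON text saved from the two az commands."""
    return validate(json.loads(subnet_text), json.loads(routes_text))


if __name__ == "__main__":
    ok, msg = validate_json(SUBNET_JSON, ROUTES_JSON)
    print("OK" if ok else "FAIL", msg)
```

Against live output, save `az network vnet subnet show -g myRG --vnet-name myVNet -n mySubnet -o json` and `az network nic show-effective-route-table -g myRG -n <nic name> -o json` to files and pass their contents to `validate_json`. The NIC must belong to a running VM in the subnet, as the note on effective routes above requires.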

Setting up service endpoints for existing subnets in a VNet

  1. In resources, click on "Virtual networks" and search for the existing VNet.
  2. Click on the VNet name and navigate to "Service endpoints".
  3. Click "Add" and select a "Service". You can create an endpoint to only one service at a time.
  4. Select all the subnets where you want to apply the endpoint, then click "Add".

(Screenshot: Subnet service endpoint configuration)

Deleting service endpoints

  1. In resources, click on "Virtual networks". Search for the existing VNet by filtering on the VNet name.
  2. Click on the VNet name and navigate to "Service endpoints".
  3. Click on the service name and right-click on the service endpoint entry.
  4. Select "Delete".

(Screenshot: Service endpoint deletion)

Azure PowerShell

Setup prerequisites:

  • Install the latest version of the PowerShell AzureRm module. If you're new to Azure PowerShell, see Azure PowerShell overview.
  • To start a PowerShell session, go to Start, enter powershell, and then click PowerShell.
  • In PowerShell, log in to Azure by entering the Login-AzureRmAccount command. The account must have the necessary permissions to create a virtual network and service endpoint.

Get available service endpoints for Azure region

Use the command below to get the list of services supported for endpoints, for an Azure region.

Get-AzureRmVirtualNetworkAvailableEndpointService -location eastus

Output:

Name               ID                                                                                                          Type
Microsoft.Storage  /subscriptions/xxxx-xxx-xxx/providers/Microsoft.Network/virtualNetworkEndpointServices/Microsoft.Storage  Microsoft.Network/virtualNetworkEndpointServices
Microsoft.Sql      /subscriptions/xxxx-xxx-xxx/providers/Microsoft.Network/virtualNetworkEndpointServices/Microsoft.Sql      Microsoft.Network/virtualNetworkEndpointServices

Add Azure Storage service endpoint to a subnet mySubnet while creating the virtual network myVNet

$subnet = New-AzureRmVirtualNetworkSubnetConfig -Name "mySubnet" -AddressPrefix "10.0.1.0/24" -ServiceEndpoint "Microsoft.Storage"

New-AzureRmVirtualNetwork -Name "myVNet" -AddressPrefix "10.0.0.0/16" -Subnet $subnet -ResourceGroupName "myRG" -Location "WestUS"

You can enable multiple services by using comma-separated list of service names. Example: "Microsoft.Storage", "Microsoft.Sql"

Expected Output:

Subnets : [
            {
              "Name": "mySubnet",
              ...
              "ServiceEndpoints": [
                {
                  "ProvisioningState": "Succeeded",
                  "Service": "Microsoft.Storage",
                  "Locations": [
                    "westus",
                    "eastus"
                  ]
                }
              ],
              "ProvisioningState": "Succeeded"
            }
          ]

To finish securing Azure service resources to your VNet, click on the service documentation in Next steps.

Add multiple service endpoints to an existing subnet

Get-AzureRmVirtualNetwork -ResourceGroupName "myRG" -Name "myVNet" | Set-AzureRmVirtualNetworkSubnetConfig -Name "mySubnet" -AddressPrefix "10.0.1.0/24" -ServiceEndpoint "Microsoft.Storage", "Microsoft.Sql" | Set-AzureRmVirtualNetwork

Set-AzureRmVirtualNetworkSubnetConfig rewrites the subnet configuration from the parameters you pass: -AddressPrefix must repeat the subnet's current prefix, and if the subnet has a network security group or route table associated, pass them again (-NetworkSecurityGroup, -RouteTable) and confirm both associations are still in place after the change.

Expected Output:

Subnets : [
            {
              "Name": "mySubnet",
              ...
              "ServiceEndpoints": [
                {
                  "ProvisioningState": "Succeeded",
                  "Service": "Microsoft.Storage",
                  "Locations": [
                    "eastus",
                    "westus"
                  ]
                },
                {
                  "ProvisioningState": "Succeeded",
                  "Service": "Microsoft.Sql",
                  "Locations": [
                    "eastus"
                  ]
                }
              ],
              "ProvisioningState": "Succeeded"
            }
          ]

View service endpoints configured on a subnet

$subnet=Get-AzureRmVirtualNetwork -ResourceGroupName "myRG" -Name "myVNet" | Get-AzureRmVirtualNetworkSubnetConfig -Name "mySubnet"
$subnet.ServiceEndpoints

Output:

ProvisioningState Service           Locations
----------------- -------           ---------
Succeeded         Microsoft.Storage {eastus, westus}
Succeeded         Microsoft.Sql     {eastus}

Delete service endpoints on a subnet

Get-AzureRmVirtualNetwork -ResourceGroupName "myRG" -Name "myVNet" | Set-AzureRmVirtualNetworkSubnetConfig -Name "mySubnet"  -AddressPrefix "10.0.1.0/24" -ServiceEndpoint $null | Set-AzureRmVirtualNetwork

Azure CLI

Setup prerequisites:

  • Install the latest version of the Azure CLI. If you're new to the Azure CLI, see the Azure CLI documentation.
  • Log in to Azure with the az login command. The account must have the necessary permissions to create a virtual network and service endpoint.

Get available service endpoints for Azure region

Use the command below to get the list of services supported for endpoints, for an Azure region, say "EastUS".

az network vnet list-endpoint-services -l eastus

Output:

[
  {
    "id": "/subscriptions/xxxx-xxxx-xxxx/providers/Microsoft.Network/virtualNetworkEndpointServices/Microsoft.Storage",
    "name": "Microsoft.Storage",
    "type": "Microsoft.Network/virtualNetworkEndpointServices"
  },
  {
    "id": "/subscriptions/xxxx-xxxx-xxxx/providers/Microsoft.Network/virtualNetworkEndpointServices/Microsoft.Sql",
    "name": "Microsoft.Sql",
    "type": "Microsoft.Network/virtualNetworkEndpointServices"
  }
]

Add Azure Storage service endpoint to a subnet mySubnet while creating the virtual network myVNet

az network vnet create -g myRG -n myVNet --address-prefixes 10.0.0.0/16 -l eastus

az network vnet subnet create -g myRG -n mySubnet --vnet-name myVNet --address-prefix 10.0.1.0/24 --service-endpoints Microsoft.Storage

To add multiple endpoints: --service-endpoints Microsoft.Storage Microsoft.Sql

Output:

{
  "addressPrefix": "10.0.1.0/24",
  ...
  "name": "mySubnet",
  "networkSecurityGroup": null,
  "provisioningState": "Succeeded",
  "resourceGroup": "myRG",
  "resourceNavigationLinks": null,
  "routeTable": null,
  "serviceEndpoints": [
    {
      "locations": [
        "eastus",
        "westus"
      ],
      "provisioningState": "Succeeded",
      "service": "Microsoft.Storage"
    }
  ]
}

To finish securing Azure service resources to your VNet, click on the service documentation in Next steps.

Add multiple service endpoints to an existing subnet

az network vnet subnet update -g myRG -n mySubnet2 --vnet-name myVNet --service-endpoints Microsoft.Storage Microsoft.Sql

Expected Output:

{
  "addressPrefix": "10.0.2.0/24",
  ...
  "name": "mySubnet2",
  ...
  "serviceEndpoints": [
    {
      "locations": [
        "eastus",
        "westus"
      ],
      "provisioningState": "Succeeded",
      "service": "Microsoft.Storage"
    },
    {
      "locations": [
        "eastus"
      ],
      "provisioningState": "Succeeded",
      "service": "Microsoft.Sql"
    }
  ]
}

View service endpoints configured on a subnet

az network vnet subnet show -g myRG -n mySubnet --vnet-name myVNet

Delete service endpoints on a subnet

az network vnet subnet update -g myRG -n mySubnet --vnet-name myVNet --service-endpoints ""

Output:

{
  "addressPrefix": "10.0.1.0/24",
  ...
  "name": "mySubnet",
  "networkSecurityGroup": null,
  "provisioningState": "Succeeded",
  "resourceGroup": "myRG",
  "resourceNavigationLinks": null,
  "routeTable": null,
  "serviceEndpoints": null
}

Resource Manager Template

Securing Azure service resources to VNets

You can secure specific Azure resources to your virtual network through service endpoints.

Download the sample Resource Manager template to secure a storage account to a subnet in a VNet.

The template creates a VNet with two subnets and a VM with a NIC in each subnet, enables an endpoint on one of the subnets, and secures a storage account to that subnet.

You can download the template and modify parts of it to fit your scenario.

Instructions are provided with the template for deploying the template using the Azure portal, PowerShell, or the Azure CLI. Ensure you have the required permissions to set up the endpoint and secure the account.

To secure Azure resources to a subnet:

  • a service endpoint must be configured on that subnet, and
  • the resource must be secured to the VNet by adding a virtual network rule on the resource.

Deleting service endpoints with resources secured to the subnet

If Azure service resources are secured to the subnet and the service endpoint is deleted, you cannot access the resource from the subnet anymore. Re-enabling the endpoint alone won't restore access to the resources previously secured to the subnet.

To secure the service resource to this subnet again, you need to:

  • enable the endpoint again
  • remove the old vnet rule on the resource
  • add a new rule securing the resource to the subnet
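The two conditions above, and the lock-out that follows endpoint deletion, can be checked from the resource and subnet JSON rather than by trial and error. The following is an added example, not code from the original article or the template it links to: it pairs a subnet's `serviceEndpoints` (the `az network vnet subnet show -o json` shape shown in the article) with a storage account's `networkRuleSet` (the `az storage account show -o json` shape with `defaultAction` and `virtualNetworkRules[].virtualNetworkResourceId` is assumed here) and names the state the pairing is in. All sample documents and the resource IDs are constructed.

```python
"""Audit whether a storage account is actually secured to a subnet.

Added example, not from the original article. The sample JSON is constructed;
the storage account's networkRuleSet shape is an assumption about
`az storage account show -o json` output.
"""
import json

# Constructed resource ID of the subnet that should be the only allowed source.
SUBNET_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG"
             "/providers/Microsoft.Network/virtualNetworks/myVNet/subnets/mySubnet")

# Constructed: subnet with a Storage endpoint that finished provisioning.
SUBNET_JSON = """
{
  "name": "mySubnet",
  "addressPrefix": "10.0.1.0/24",
  "serviceEndpoints": [
    {"service": "Microsoft.Storage", "provisioningState": "Succeeded",
     "locations": ["eastus", "westus"]}
  ]
}
"""

# Constructed: the account denies all networks except a rule for the subnet.
# The rule's resource ID deliberately differs in case: ARM IDs are case-insensitive.
RULESET_JSON = """
{
  "bypass": "AzureServices",
  "defaultAction": "Deny",
  "ipRules": [],
  "virtualNetworkRules": [
    {"action": "Allow", "state": "Succeeded",
     "virtualNetworkResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MYRG/providers/Microsoft.Network/virtualNetworks/myVNet/subnets/mySubnet"}
  ]
}
"""


def has_endpoint(subnet, service):
    """True if the subnet has a Succeeded endpoint for the given service."""
    return any((ep.get("service") or "").lower() == service.lower()
               and ep.get("provisioningState") == "Succeeded"
               for ep in subnet.get("serviceEndpoints") or [])


def has_vnet_rule(rule_set, subnet_id):
    """True if an Allow rule on the resource names this subnet (case-insensitive)."""
    return any((r.get("virtualNetworkResourceId") or "").lower() == subnet_id.lower()
               and r.get("action", "Allow") == "Allow"
               for r in rule_set.get("virtualNetworkRules") or [])


def audit(subnet, subnet_id, rule_set, service="Microsoft.Storage"):
    """Classify the endpoint/rule pairing:
    secured        endpoint on the subnet, rule for it, default action Deny
    default-allow  endpoint and rule present, but the account still allows all networks
    endpoint-only  traffic uses private IPs, yet nothing restricts who may reach the account
    rule-only      rule references a subnet with no endpoint: the subnet is locked out
    unconfigured   neither side is set up
    A rule that survived an endpoint delete/re-enable cycle looks 'secured' here;
    the article says it must be removed and re-added, which this JSON cannot show."""
    endpoint = has_endpoint(subnet, service)
    rule = has_vnet_rule(rule_set, subnet_id)
    deny = rule_set.get("defaultAction", "Allow") == "Deny"
    if endpoint and rule:
        return "secured" if deny else "default-allow"
    if endpoint:
        return "endpoint-only"
    if rule:
        return "rule-only"
    return "unconfigured"


def demo():
    """Run the audit over four constructed configurations."""
    subnet_with_ep = json.loads(SUBNET_JSON)
    subnet_without_ep = {"name": "mySubnet", "serviceEndpoints": None}
    locked = json.loads(RULESET_JSON)
    open_default = dict(locked, defaultAction="Allow")
    no_rules = dict(locked, virtualNetworkRules=[])
    return {
        "endpoint+rule+deny": audit(subnet_with_ep, SUBNET_ID, locked),
        "endpoint+rule+allow": audit(subnet_with_ep, SUBNET_ID, open_default),
        "endpoint, no rule": audit(subnet_with_ep, SUBNET_ID, no_rules),
        "rule, endpoint deleted": audit(subnet_without_ep, SUBNET_ID, locked),
    }


if __name__ == "__main__":
    for scenario, state in demo().items():
        print(f"{scenario:24} -> {state}")
```

Only "secured" means the account is reachable solely from the subnet; "endpoint-only" and "default-allow" are the states in which the endpoint is in place but the account is still exposed to the Internet, and "rule-only" is the lock-out described above.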

Provisioning

Service endpoints can be configured on virtual networks independently, by a user with write access to the virtual network.

To secure Azure service resources to a VNet, the user must have permission to join the service to the subnets being added ("Microsoft.Network/JoinServicetoaSubnet" in the preview documentation; the corresponding RBAC operation is Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action). This permission is included by default in the built-in administrator roles that grant Microsoft.Network/* (such as Owner, Contributor and Network Contributor) and can be granted selectively by creating custom roles.

Learn more about built-in roles and assigning specific permissions to custom roles.

VNets and Azure service resources can be in the same or different subscriptions. If they are in different subscriptions, the resources must belong to the same Azure Active Directory (Azure AD) tenant at the time of this preview.

Next Steps

For more instructions on securing service resources to VNets, refer to the following links:

Securing Azure Storage accounts to Virtual Networks

Securing Azure SQL to Virtual networks