Connectivity to Azure PaaS services

Building on the previous connectivity sections, this section explores recommended connectivity approaches for using Azure PaaS services.

Design considerations:

  • Azure PaaS services are typically accessed over public endpoints. However, the Azure platform provides capabilities to secure such endpoints or even make them entirely private:

    • Virtual network injection provides dedicated private deployments for supported services. Management plane traffic still flows through public IP addresses.

    [Diagram: VNet-injected service connectivity]

  • Enterprises often have concerns about public endpoints for PaaS services that must be appropriately mitigated.

  • For supported services, Private Link addresses the data exfiltration concern associated with VNet service endpoints: a service endpoint opens a route from the subnet to the whole service (for example, every storage account in the region, including one an attacker controls), whereas a private endpoint maps one specific resource instance to a private IP address in your VNet. Where Private Link isn't available, outbound filtering through network virtual appliances (NVAs) is an alternative way to mitigate data exfiltration.
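The exfiltration concern with service endpoints, and the platform-side mitigation for Azure Storage, in concrete terms. This is an added Bicep example, not from the original page: the VNet, subnet, policy and storage account names and address ranges are assumptions. The service endpoint is enabled on one subnet only, a service endpoint policy narrows it from "all storage accounts" to accounts in this resource group, and the account's firewall denies everything except that subnet.

```bicep
// Added example, not from the original page: a subnet with the Microsoft.Storage
// service endpoint, narrowed by a service endpoint policy so that only storage
// accounts in this resource group are reachable through it. All names are assumptions.
param location string = resourceGroup().location
param storageAccountName string = 'stlzdemo${uniqueString(resourceGroup().id)}'

var subnetName = 'snet-app'

// The policy is declared first and does not reference the storage account, which
// avoids a circular dependency (account -> subnet -> policy -> account).
resource sePolicy 'Microsoft.Network/serviceEndpointPolicies@2023-09-01' = {
  name: 'sep-storage-this-rg'
  location: location
  properties: {
    serviceEndpointPolicyDefinitions: [
      {
        name: 'allow-storage-in-this-rg'
        properties: {
          service: 'Microsoft.Storage'
          // Without a policy, the endpoint routes to every storage account in the
          // region, including one an attacker controls. Scoping to this resource
          // group closes that path; listing a single account ID is tighter still.
          serviceResources: [ resourceGroup().id ]
        }
      }
    ]
  }
}

resource vnet 'Microsoft.Network/virtualNetworks@2023-09-01' = {
  name: 'vnet-landingzone'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [
      {
        // The service endpoint is enabled only on the subnet that needs it,
        // not on every subnet of the VNet.
        name: subnetName
        properties: {
          addressPrefix: '10.10.1.0/24'
          serviceEndpoints: [ { service: 'Microsoft.Storage', locations: [ location ] } ]
          serviceEndpointPolicies: [ { id: sePolicy.id } ]
        }
      }
    ]
  }
}

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: {
    minimumTlsVersion: 'TLS1_2'
    allowBlobPublicAccess: false
    networkAcls: {
      // Deny by default, then allow only the service-endpoint subnet. Service
      // endpoint traffic still arrives at the public endpoint, so public network
      // access stays enabled here; the firewall rule is what restricts it.
      defaultAction: 'Deny'
      bypass: 'AzureServices'
      virtualNetworkRules: [
        { id: vnet.properties.subnets[0].id, action: 'Allow' }
      ]
    }
  }
}
```

The two controls address two different directions: the account's `networkAcls` decides who may reach this account, while the endpoint policy on the subnet decides which accounts workloads in the subnet may reach. Only the second one stops a compromised workload from copying data to an attacker-owned account over the same service endpoint.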

Design recommendations:

  • Use virtual network injection for supported Azure services to make them available from within your virtual network.

  • Azure PaaS services that have been injected into a virtual network still perform management plane operations by using public IP addresses. Ensure that this communication is locked down within the virtual network by using UDRs and NSGs, allowing only the service tags or address ranges that the service documents as required.

  • Use Private Link, where available, for shared Azure PaaS services. Private Link is generally available for several services and is in public preview for other services.

  • Access Azure PaaS services from on-premises via ExpressRoute with private peering. Use either virtual network injection for dedicated Azure services or Azure Private Link for available shared Azure services. To access Azure PaaS services from on-premises when virtual network injection or Private Link isn't available, use ExpressRoute with Microsoft peering. This method avoids transiting over the public internet.

    • Accessing Azure PaaS services from on-premises via ExpressRoute with Microsoft peering doesn't prevent access to the public endpoints of the PaaS service. Restrict those endpoints separately as required, for example with the service's own firewall rules.

  • Use virtual network service endpoints to secure access to Azure PaaS services from within your virtual network, but only when Private Link isn't available and there are no data exfiltration concerns. To address data exfiltration concerns with service endpoints, use NVA filtering or, for Azure Storage, virtual network service endpoint policies.

[Diagram: service endpoint connectivity]

  • Don't enable virtual network service endpoints by default on all subnets.

  • Don't use virtual network service endpoints when there are data exfiltration concerns, unless you use NVA filtering or, for Azure Storage, service endpoint policies.

  • We don't recommend that you implement forced tunneling (routing traffic through on-premises) to enable communication from Azure to Azure resources.
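The Private Link recommendation above, carried through for a shared storage account. This is an added Bicep example, not from the original page: it assumes an existing spoke VNet and subnet (names below are assumptions) and deploys the account with its public endpoint closed, a private endpoint for the blob sub-resource, and the Private DNS zone without which clients in the VNet would still resolve the account's FQDN to its public IP address and, with public access disabled, fail.

```bicep
// Added example, not from the original page: a storage account reached only through
// a private endpoint in an existing VNet, plus the Private DNS zone that makes the
// account's FQDN resolve to the endpoint's private IP. Names are assumptions.
param location string = resourceGroup().location
param vnetName string = 'vnet-landingzone'
param subnetName string = 'snet-private-endpoints'
param storageAccountName string = 'stlzpl${uniqueString(resourceGroup().id)}'

resource vnet 'Microsoft.Network/virtualNetworks@2023-09-01' existing = {
  name: vnetName
}

resource peSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-09-01' existing = {
  parent: vnet
  name: subnetName
}

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: {
    minimumTlsVersion: 'TLS1_2'
    allowBlobPublicAccess: false
    // Close the public endpoint outright. A private endpoint works regardless of
    // this setting, so the account becomes reachable from the VNet only.
    publicNetworkAccess: 'Disabled'
    networkAcls: { defaultAction: 'Deny', bypass: 'None' }
  }
}

resource pe 'Microsoft.Network/privateEndpoints@2023-09-01' = {
  name: 'pe-${storage.name}-blob'
  location: location
  properties: {
    subnet: { id: peSubnet.id }
    privateLinkServiceConnections: [
      {
        name: 'blob'
        properties: {
          privateLinkServiceId: storage.id
          // One private endpoint per sub-resource; 'blob' covers the blob endpoint only.
          groupIds: [ 'blob' ]
        }
      }
    ]
  }
}

// The zone name is fixed by the service: privatelink.blob.core.windows.net in the
// public cloud. environment() picks the right suffix for sovereign clouds.
resource blobZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.blob.${environment().suffixes.storage}'
  location: 'global'
}

// Link the zone to the VNet so resolvers inside it receive the private answer.
resource zoneLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: blobZone
  name: 'link-${vnetName}'
  location: 'global'
  properties: {
    virtualNetwork: { id: vnet.id }
    registrationEnabled: false
  }
}

// The zone group creates and maintains the A record for the endpoint's private IP.
resource zoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-09-01' = {
  parent: pe
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'blob'
        properties: { privateDnsZoneId: blobZone.id }
      }
    ]
  }
}
```

In a hub-and-spoke landing zone the `privatelink.*` zones are normally created once in the connectivity subscription and linked to the hub, with spokes resolving through central DNS; the zone is deployed locally here only so the example is self-contained. On-premises clients coming in over ExpressRoute private peering need a DNS forwarder in Azure for the same zone, or they too resolve the public IP address.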