Virtual network integration for Azure services

Integrating Azure services into an Azure virtual network enables private access to the service from virtual machines or compute resources in the virtual network. You can integrate Azure services into your virtual network with the following options:

  • Directly deploying dedicated instances of the service into a virtual network. The services can then be accessed privately within the virtual network and from on-premises networks.
  • Extending a virtual network to the service through service endpoints. Service endpoints allow individual service resources to be secured to the virtual network.

To integrate multiple Azure services into your virtual network, you can combine one or more of the above patterns. For example, you can deploy HDInsight into your virtual network and secure a storage account to the HDInsight subnet through service endpoints.

Deploy Azure services into virtual networks

When you deploy dedicated Azure services in a virtual network, you can communicate with the service resources privately, through private IP addresses.

Services deployed in a virtual network

Deploying services within a virtual network provides the following capabilities:

  • Resources within the virtual network can communicate with each other privately, through private IP addresses. For example, data can be transferred directly between HDInsight and SQL Server running on a virtual machine in the virtual network.
  • On-premises resources can access resources in a virtual network using private IP addresses over a Site-to-Site VPN (VPN Gateway) or ExpressRoute.
  • Virtual networks can be peered to enable resources in the virtual networks to communicate with each other using private IP addresses.
  • Service instances in a virtual network are fully managed by the Azure service, which monitors the health of the instances and provides the required scale based on load.
  • Service instances are deployed into a subnet in a virtual network. Inbound and outbound network access must be opened through network security groups for the subnet, per the guidance provided by each service.
  • Optionally, services might require a delegated subnet as an explicit identifier that a subnet can host a particular service. Subnet delegation gives the service explicit permission to create service-specific resources in the subnet.

Services that can be deployed into a virtual network

Compute
  • Virtual machines: Linux or Windows
  • Virtual machine scale sets
  • Cloud Service: Virtual network (classic) only
  • Azure Batch

Network
  • Application Gateway - WAF
  • VPN Gateway
  • Azure Firewall
  • Network Virtual Appliances

Data
  • Redis Cache
  • Azure SQL Database Managed Instance

Analytics
  • Azure HDInsight
  • Azure Databricks

Identity
  • Azure Active Directory Domain Services

Containers
  • Azure Kubernetes Service (AKS)
  • Azure Container Instance (ACI)
  • Azure Container Service Engine with Azure Virtual Network CNI plug-in

Web
  • API Management
  • App Service Environment

Service endpoints for Azure services

Some Azure services can't be deployed in virtual networks. You can restrict access to some of the service resources to only specific virtual network subnets, if you choose, by enabling a virtual network service endpoint. Learn more about virtual network service endpoints, and the services that endpoints can be enabled for.
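The following Bicep template is an added example, not code from the original article or from Azure's own documentation. It ties together the three points above: a subnet that is delegated to a service (Azure Container Instances here), a network security group that opens only the outbound traffic the workload needs, and a storage account whose network rules deny public access and allow only that subnet through a Microsoft.Storage service endpoint. All names, address ranges and the storage SKU are assumptions; the resource types, API versions, the Storage and Internet service tags, and the ACI delegation name are real.

```bicep
// Added example (not from the original article): a virtual network with a
// delegated, NSG-protected subnet and a storage account secured to that
// subnet through a service endpoint. Names and address ranges are assumptions.
param location string = resourceGroup().location
param storageAccountName string = 'stexample${uniqueString(resourceGroup().id)}'

// NSG for the service subnet. The platform default rules already allow
// VNet-internal traffic and deny inbound from the Internet; the rules below
// add least-privilege egress: only HTTPS to Azure Storage may leave the subnet.
// Widen them only per the guidance of the service you deploy into the subnet.
resource nsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-snet-containers'
  location: location
  properties: {
    securityRules: [
      {
        name: 'AllowStorageHttpsOut'
        properties: {
          priority: 100
          direction: 'Outbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: 'VirtualNetwork'
          sourcePortRange: '*'
          destinationAddressPrefix: 'Storage' // service tag, not an IP range
          destinationPortRange: '443'
        }
      }
      {
        name: 'DenyInternetOut'
        properties: {
          priority: 200
          direction: 'Outbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: 'Internet'
          destinationPortRange: '*'
        }
      }
    ]
  }
}

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-example'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [
      {
        name: 'snet-containers'
        properties: {
          addressPrefix: '10.10.1.0/24'
          networkSecurityGroup: { id: nsg.id }
          // Service endpoint: traffic to Storage stays on the Azure backbone and
          // carries the subnet identity, so the account below can allow only it.
          serviceEndpoints: [ { service: 'Microsoft.Storage' } ]
          // Subnet delegation: only Azure Container Instances may create
          // service-specific resources in this subnet.
          delegations: [
            {
              name: 'aci'
              properties: { serviceName: 'Microsoft.ContainerInstance/containerGroups' }
            }
          ]
        }
      }
    ]
  }
}

// Storage account secured to the subnet: public access is denied by default and
// the delegated subnet is the only allowed source.
resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: {
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'None' // no trusted-service bypass; add 'AzureServices' only if a service you use needs it
      virtualNetworkRules: [
        {
          id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, 'snet-containers')
          action: 'Allow'
        }
      ]
    }
  }
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file main.bicep`. After deployment, a request to the storage account from outside the subnet is refused at the network layer regardless of whether the caller holds a valid key or token, while a container group in `snet-containers` reaches it over the service endpoint; that network-layer check is the control the service endpoint adds on top of the account's own authentication.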