Virtual network integration for Azure services
Integrating Azure services with an Azure virtual network allows private access to the service from instances deployed in the virtual network.
You can integrate Azure services with your virtual network with the following options:
- Deploying dedicated instances of the service directly into a virtual network. These dedicated instances can be accessed privately from within the virtual network and from on-premises networks.
- Extending a virtual network to the service through service endpoints. Service endpoints allow individual service resources to be secured to the virtual network.
Deploy Azure services into virtual networks
You can communicate with most Azure resources over the Internet through public IP addresses. When you deploy Azure services in a virtual network, you can communicate with the service resources privately, through private IP addresses.
Deploying services within a virtual network provides the following capabilities:
- Resources within the virtual network can communicate with each other privately, through private IP addresses. For example, data can be transferred directly between HDInsight and SQL Server running on a virtual machine in the virtual network.
- On-premises resources can access resources in a virtual network using private IP addresses over a Site-to-Site VPN (VPN Gateway) or ExpressRoute.
- Virtual networks can be peered to enable resources in the virtual networks to communicate with each other, using private IP addresses.
- Service instances in a virtual network are fully managed by the Azure service, which monitors the health of the instances and scales them as required, based on load.
- Service instances are deployed into a dedicated subnet in a virtual network. Inbound and outbound network access must be opened through network security groups for the subnet, according to the guidance provided by each service.
Services that can be deployed into a virtual network
Each service directly deployed into a virtual network has specific requirements for routing and for the types of traffic that must be allowed into and out of its subnets. For more information, see:
- Virtual machines: Linux or Windows
- Service fabric
- Virtual machine scale sets
- App Service Environment
- API Management
- VPN Gateway
- Application Gateway (internal)
- Azure Container Service Engine: The Azure Container Service creates a default virtual network. You can create a custom virtual network to use with the Azure Container Service Engine.
- Azure Active Directory Domain Services: Virtual network (classic) only
- Azure Batch: Virtual network (classic) only
- Cloud services: Virtual network (classic) only
You can deploy an internal Azure load balancer to load balance many of the resources in the previous list. In some cases, the service automatically creates and deploys a load balancer when you create a resource.
Service endpoints for Azure services
Some Azure services can't be deployed in virtual networks. If you choose, you can restrict access to some service resources to specific virtual network subnets only, by enabling a virtual network service endpoint. Learn more about virtual network service endpoints.
Currently, service endpoints are supported for the following services:
- Azure Storage: Securing Azure Storage accounts to Virtual Networks
- Azure SQL Database: Securing Azure SQL Database to Virtual networks
Virtual network integration across multiple Azure services
You can deploy an Azure service into a subnet in a virtual network and secure critical service resources to that subnet. For example, you can deploy HDInsight into your virtual network and secure a storage account to the HDInsight subnet.
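The following script is an added example, not part of this article, that puts the two mechanisms above together with the Azure CLI: it creates a virtual network with a dedicated subnet, enables the Microsoft.Storage service endpoint on that subnet, secures a storage account to the subnet before switching the account's default network action to Deny, and attaches a network security group with an outbound rule to the subnet. All resource names, address prefixes and the storage account name are assumed placeholders; the single NSG rule is illustrative, and the real inbound and outbound rules must follow the deployed service's own guidance. With no argument (or DRY_RUN=1) the script only prints the commands it would run, so the plan can be reviewed before anything is changed.

```shell
#!/bin/sh
# Added example (not from the Azure documentation): extend a VNet to Azure Storage
# through a service endpoint and lock a storage account to one subnet.
# Every name below is an assumed placeholder; override them via the environment.

RG="${RG:-rg-vnet-demo}"              # assumed resource group
LOCATION="${LOCATION:-westus2}"
VNET="${VNET:-vnet-demo}"
SUBNET="${SUBNET:-snet-hdinsight}"    # dedicated subnet for the service instances
STORAGE="${STORAGE:-stvnetdemo001}"   # assumed storage account (must be globally unique)
NSG="${NSG:-nsg-hdinsight}"

# run: execute an az command, or print it unchanged when DRY_RUN=1
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# 1. Virtual network with a dedicated subnet, then the Microsoft.Storage service
#    endpoint on that subnet. The endpoint is what "extends" the VNet to the service.
create_vnet_with_endpoint() {
  run az network vnet create --resource-group "$RG" --location "$LOCATION" \
    --name "$VNET" --address-prefix 10.10.0.0/16 \
    --subnet-name "$SUBNET" --subnet-prefix 10.10.1.0/24
  run az network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
    --name "$SUBNET" --service-endpoints Microsoft.Storage
}

# 2. Secure the storage account to the subnet. The subnet rule is added first and
#    the default action is switched to Deny second, so traffic from outside the
#    subnet (including the public Internet) is rejected without ever locking out
#    the subnet itself.
secure_storage_to_subnet() {
  run az storage account network-rule add --resource-group "$RG" \
    --account-name "$STORAGE" --vnet-name "$VNET" --subnet "$SUBNET"
  run az storage account update --resource-group "$RG" --name "$STORAGE" \
    --default-action Deny
}

# 3. Network security group for the subnet. The one rule here allows outbound HTTPS
#    to the Storage service tag only; the full rule set comes from the service's
#    own guidance. The NSG is then associated with the dedicated subnet.
attach_nsg() {
  run az network nsg create --resource-group "$RG" --name "$NSG" --location "$LOCATION"
  run az network nsg rule create --resource-group "$RG" --nsg-name "$NSG" \
    --name AllowStorageOutbound --priority 100 --direction Outbound --access Allow \
    --protocol Tcp --destination-address-prefixes Storage --destination-port-ranges 443
  run az network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
    --name "$SUBNET" --network-security-group "$NSG"
}

# plan: print every command the three steps would run, in order, without running them.
# The body runs in a subshell so DRY_RUN does not leak into the caller's environment.
plan() (
  DRY_RUN=1
  create_vnet_with_endpoint
  secure_storage_to_subnet
  attach_nsg
)

# Usage: sh vnet-endpoint.sh          -> print the plan, change nothing
#        sh vnet-endpoint.sh apply    -> run the commands against the signed-in subscription
if [ "${1:-plan}" = "apply" ]; then
  create_vnet_with_endpoint && secure_storage_to_subnet && attach_nsg
else
  plan
fi
```

The ordering inside secure_storage_to_subnet is the part worth checking in review: adding the subnet rule before setting --default-action Deny keeps the service instances in the subnet able to reach the account throughout, whereas denying first would cut them off until the rule is applied.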