Virtual network integration for Azure services

Integrating Azure services to an Azure virtual network enables private access to the service from virtual machines or compute resources in the virtual network. You can integrate Azure services in your virtual network with the following options:

  • Deploying dedicated instances of the service into a virtual network. The services can then be privately accessed within the virtual network and from on-premises networks.
  • Extending a virtual network to the service, through service endpoints. Service endpoints allow individual service resources to be secured to the virtual network.

To integrate multiple Azure services to your virtual network, you can combine one or more of the above patterns. For example, you can deploy HDInsight into your virtual network and secure a storage account to the HDInsight subnet through Service endpoints.

Deploy Azure services into virtual networks

When you deploy dedicated Azure services in a virtual network, you can communicate with the service resources privately, through private IP addresses.

Services deployed in a virtual network

Deploying services within a virtual network provides the following capabilities:

  • Resources within the virtual network can communicate with each other privately, through private IP addresses. Example, directly transferring data between HDInsight and SQL Server running on a virtual machine, in the virtual network.
  • On-premises resources can access resources in a virtual network using private IP addresses over a Site-to-Site VPN (VPN Gateway) or ExpressRoute.
  • Virtual networks can be peered to enable resources in the virtual networks to communicate with each other, using private IP addresses.
  • Service instances in a virtual network are typically fully managed by the Azure service. This includes monitoring the health of the resources and scaling with load.
  • Service instances are deployed into a subnet in a virtual network. Inbound and outbound network access for the subnet must be opened through network security groups, per guidance provided by the service.
  • Certain services also impose restrictions on the subnet they are deployed in, limiting the application of policies, routes or combining VMs and service resources within the same subnet. Check with each service on the specific restrictions as they may change over time. Examples of such services are Azure NetApp Files, Dedicated HSM, Azure Container Instances, App Service.
  • Optionally, services might require a delegated subnet as an explicit identifier that a subnet can host a particular service. By delegating, services get explicit permissions to create service-specific resources in the delegated subnet.
  • See an example of a REST API response on a virtual network with a delegated subnet. A comprehensive list of services that are using the delegated subnet model can be obtained via the Available Delegations API.

Services that can be deployed into a virtual network

Category Service Dedicated¹ Subnet
Compute Virtual machines: Linux or Windows
Virtual machine scale sets
Cloud Service: Virtual network (classic) only
Azure Batch
No
No
No
No²
Network Application Gateway - WAF
VPN Gateway
Azure Firewall
Network Virtual Appliances
Yes
Yes
Yes
No
Data RedisCache
Azure SQL Database Managed Instance
Yes
Yes
Analytics Azure HDInsight
Azure Databricks
No²
No²
Identity Azure Active Directory Domain Services No
Containers Azure Kubernetes Service (AKS)
Azure Container Instance (ACI)
Azure Container Service Engine with Azure Virtual Network CNI plug-in
No²
Yes

No
Web API Management
App Service Environment
Azure Logic Apps
Yes
Yes
Yes
Hosted Azure Dedicated HSM
Azure NetApp Files
Yes
Yes

¹ 'Dedicated' implies that only service specific resources can be deployed in this subnet and cannot be combined with customer VM/VMSSs
² Recommended, but not a mandatory requirement imposed by the service.

Service endpoints for Azure services

Some Azure services can't be deployed in virtual networks. You can restrict access to some of the service resources to only specific virtual network subnets, if you choose, by enabling a virtual network service endpoint. Learn more about virtual network service endpoints, and the services that endpoints can be enabled for.