Virtual network integration for Azure services
Integrating Azure services to an Azure virtual network enables private access to the service from virtual machines or compute resources in the virtual network. You can integrate Azure services in your virtual network with the following options: Directly deploying dedicated instances of the service into a virtual network. The services can then be privately accessed within the virtual network and from on-premises networks. By extending a virtual network to the service, through service endpoints. Service endpoints allow individual service resources to be secured to the virtual network.
To integrate multiple Azure services to your virtual network, you can combine one or more of the above patterns. For example, you can deploy HDInsight into your virtual network and secure a storage account to the HDInsight subnet through Service endpoints.
Deploy Azure services into virtual networks
When you deploy dedicated Azure services in a virtual network, you can communicate with the service resources privately, through private IP addresses.
Deploying services within a virtual network provides the following capabilities:
- Resources within the virtual network can communicate with each other privately, through private IP addresses. Example, directly transferring data between HDInsight and SQL Server running on a virtual machine, in the virtual network.
- On-premises resources can access resources in a virtual network using private IP addresses over a Site-to-Site VPN (VPN Gateway) or ExpressRoute.
- Virtual networks can be peered to enable resources in the virtual networks to communicate with each other, using private IP addresses.
- Service instances in a virtual network are fully managed by the Azure service, to monitor health of the instances, and provide required scale, based on load.
- Service instances are deployed into a subnet in a virtual network. Inbound and outbound network access must be opened through network security groups for the subnet, per guidance provided by the services.
- Optionally, services might require a delegated subnet as an explicit identifier that a subnet can host a particular service. Subnet delegation gives explicit permissions to the service to create service-specific resources in the subnet.
Services that can be deployed into a virtual network
|Compute||Virtual machines: Linux or Windows
Virtual machine scale sets
Cloud Service: Virtual network (classic) only
|Network||Application Gateway - WAF
Network Virtual Applicances
Azure SQL Database Managed Instance
|Identity||Azure Active Directory Domain Services|
|Containers||Azure Kubernetes Service (AKS)
Azure Container Instance (ACI)
Azure Container Service Engine with Azure Virtual Network CNI plug-in
App Service Environment
Service endpoints for Azure services
Some Azure services can't be deployed in virtual networks. You can restrict access to some of the service resources to only specific virtual network subnets, if you choose, by enabling a virtual network service endpoint. Learn more about virtual network service endpoints, and the services that endpoints can be enabled for.