Azure Virtual Network service endpoints

As your business embraces Microsoft Azure, it is imperative to ensure that your data remains secure and that you are minimizing costs. One way to do both is a Microsoft Azure Virtual Network (vNet) service endpoint.

Let us first explain what a Microsoft Azure vNet service endpoint does. Quite simply, it allows you to connect to an Azure service (e.g. Microsoft Storage, Azure SQL) over the Azure backbone network. This means that:

  • Data/traffic will not have to traverse over the public internet
  • No data egress charges will be incurred

The following diagram highlights the flow of traffic if a vNet service endpoint is not configured:

We can see from the diagram that data will traverse the internet and egress fees will be incurred.

NOTE:

Please note that the example shows Veeam Backup for Azure, but the same traffic flow is generated when a service endpoint is not used with:

  • A Veeam scale-out backup repository configured in a Microsoft Azure VM that offloads to Azure Blob storage
  • Veeam Backup for Microsoft 365 proxy server(s) deployed within Microsoft Azure

The next logical question is, what happens when a vNet service endpoint is configured?

We can see that the vNet service endpoint allows the Azure virtual machine to connect to Microsoft Azure services (in the diagram, the Microsoft Storage service) as if they were part of the same vNet.

How does Microsoft Azure make this happen? What is occurring “under the hood”? When a service endpoint is configured on a subnet within a vNet, the network interface of any virtual machine connected to that subnet has its routing table updated. We can see this through the “Effective Routes” interface:

Example of “Effective Routes” not having vNet service endpoint configured:

Example of “Effective Routes” having a vNet service endpoint configured:

Last but certainly not least… how do we configure a vNet service endpoint? The first step is to ensure that the following resources have been previously created:

  • A powered-on virtual machine connected to a vNet
  • A Microsoft Azure storage account
    • Please note that we are using a storage account for this example, but other service(s) can be configured in the same manner

Once the above are created, we are ready to move forward with the following steps:

1. Add a service endpoint within a specific vNet:

2. Select “Microsoft.Storage” from the list of services and the appropriate subnet:

Once added, the following will be displayed under “Service Endpoints”:

3. Update the Storage Account networking to “Enabled from selected virtual networks and IP addresses” and select the applicable vNet:

4. Verify that the “Effective Routes” have been updated to include the VirtualNetworkServiceEndpoint route:

It is that simple!
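To verify steps 3 and 4 outside the portal, here is an added Python example (not from the original post or from Veeam) that performs the same longest-prefix lookup the NIC applies to its effective routes and audits the storage account's network rules. The route table, subnet ID and storage account data are constructed samples shaped like `az network nic show-effective-route-table` and `az storage account show` JSON output, not captured data.

```python
import ipaddress
import json

# Constructed sample (not real portal output) of a NIC's "Effective Routes", shaped like
# `az network nic show-effective-route-table -o json`, after the Microsoft.Storage endpoint was added.
EFFECTIVE_ROUTES = json.loads("""
{"value": [
  {"source": "Default", "state": "Active", "addressPrefix": ["10.10.0.0/16"],
   "nextHopType": "VnetLocal", "nextHopIpAddress": []},
  {"source": "Default", "state": "Active", "addressPrefix": ["0.0.0.0/0"],
   "nextHopType": "Internet", "nextHopIpAddress": []},
  {"source": "Default", "state": "Active", "addressPrefix": ["20.38.98.0/24", "52.239.0.0/16"],
   "nextHopType": "VirtualNetworkServiceEndpoint", "nextHopIpAddress": []}
]}
""")

# Constructed networkRuleSet, shaped like `az storage account show -o json` after step 3.
SUBNET_ID = ("/subscriptions/<sub-id>/resourceGroups/rg-backup/providers/"
             "Microsoft.Network/virtualNetworks/vnet-backup/subnets/snet-backup")
STORAGE_ACCOUNT = {"name": "veeambackupsa", "networkRuleSet": {
    "defaultAction": "Deny", "bypass": "AzureServices", "ipRules": [],
    "virtualNetworkRules": [{"action": "Allow", "state": "Succeeded", "id": SUBNET_ID}]}}


def next_hop_for(route_table: dict, destination: str) -> str:
    """Longest-prefix match over the active effective routes, as the NIC applies them."""
    dest = ipaddress.ip_address(destination)
    best_len, best_hop = -1, "None"
    for route in route_table["value"]:
        if route["state"] != "Active":
            continue
        for prefix in route["addressPrefix"]:
            net = ipaddress.ip_network(prefix)
            if dest in net and net.prefixlen > best_len:
                best_len, best_hop = net.prefixlen, route["nextHopType"]
    return best_hop


def storage_findings(account: dict, subnet_id: str) -> list[str]:
    """Findings for a storage account that should only accept traffic from subnet_id."""
    rules = account["networkRuleSet"]
    findings = []
    if rules["defaultAction"] != "Deny":
        findings.append("defaultAction is not Deny: the account is still open to public networks")
    allowed = {r["id"].lower() for r in rules["virtualNetworkRules"]
               if r["action"] == "Allow" and r["state"] == "Succeeded"}
    if subnet_id.lower() not in allowed:
        findings.append(f"backup subnet is not in virtualNetworkRules: {subnet_id}")
    if rules["ipRules"]:
        findings.append(f"{len(rules['ipRules'])} public IP rule(s) also grant access")
    return findings
```

A storage IP such as 52.239.1.5 resolves to the VirtualNetworkServiceEndpoint hop while any other public address still takes the Internet route, and an empty findings list means the account matches step 3.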

Now that the vNet service endpoint has been configured, you can be assured that your Veeam backup data will remain within Azure and there will be no unexpected egress charges from Microsoft.