In “Securing service traffic in Azure – Part 1” I talked about using private endpoints to secure traffic between your Azure services. In this part, I explain another way to secure your traffic between Azure services using service endpoints.
So why not just use private endpoints?
As I demonstrated in Part 1, by configuring a private endpoint, I successfully secured traffic between my function app and my data source, so why would we use something else? The two primary reasons are:
- Purpose – You should only ever deploy the minimum required services to support your environment. Private endpoints are designed to provide “private” routable access to a service running in Azure. This means traffic from anywhere within your network environment can access this endpoint. If your only requirement is to secure traffic between services in Azure, then the routing capability is not required.
- Cost – For each private endpoint there is a cost required to run the endpoint, approximately $9USD/month. As usage of endpoints increase, so to do your costs scale and this can add up quickly over time.
If our only purpose is to secure traffic between services in Azure, then this is where service endpoints provide an alternative.
The Test Environment
Like Part 1 of this series, for simplicity, I will continue to use a test environment that consists of:
- A storage account hosting a CSV file of data.
- A PowerShell function app based on a http trigger that will retrieve the data from the CSV file.
Securing the storage account with a service endpoint
This time, the first step to securing the storage account is to use the firewall to disable public access and restrict access to selected virtual networks:
In this case I am connecting to the subnet used in Part 1 of this series. Similar to disabling public network access completely, by restricting to specific virtual networks, I have now disabled access from the internet:
and my function app no longer works:
Securing the service traffic in Azure by linking the function app to the storage account
Just like with private endpoints, I need to link the function app to the service endpoint that was created when I restricted the access to specific virtual network subnets. This is done in exactly the same method for private endpoints by enabling “virtual network integration” and linking it to the same subnet used for the storage account.
Now our environment will look like this:
- The function app is integrated with the virtual network
- The storage account has a delegation to the same subnet as the virtual network integration
- Storage access is now only accessible within the Azure fabric and not across the open internet
And now, my function app is again returning data from the file on the storage account:
In part 3, I will demonstrate how to present a protected address with traffic secured between each layer.
One thought on “Securing service traffic in Azure – Part 2”