I guess I'm missing something, but I just don't get Service Endpoints.
Let's say I have Azure SQL, and I want to secure it as much as possible. Now, I can use the Firewall IP rules to protect from unauthorized access from the public web.
This, if I get it right, has nothing to do with Service Endpoints.
So I can set an endpoint to connect, say, a VM in my subscription to the Azure SQL. But what's the difference if I do or don't have a service endpoint? From what I gathered, the service endpoint makes my resources access the SQL via the Azure backbone instead of via the public IP. So that means that service endpoints have nothing to do with outside access, which is still protected using the Firewall's IP rules.
Is that correct?
Does service endpoint protect against Azure resources accessing using public IP?
I really feel I'm missing something...
Thanks!
A Service Endpoint makes an Azure resource directly accessible within a virtual network.
The SEP will expose a private IP address in the virtual network, and all virtual machines connected to that network will be able to reach the resource directly via this private IP address, without having to exit the network and go through the Internet.
From my knowledge, service endpoints are used for most managed resources like SQL Server, storage accounts, Key Vault etc. On whitelisting a particular subnet, you are setting a service endpoint at the host. After this, all traffic from the source to the whitelisted destination is via the Microsoft backbone network.
On the contrary, if you set a public network, the traffic will flow over the public network.
Likewise, there are private endpoints, which are for 1-to-1 traffic flow.
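As an added illustration of the subnet whitelisting described in the answer above (this is example code, not from the question or either answer), the Azure PowerShell steps that enable the Microsoft.Sql service endpoint on a subnet, add a virtual network rule for that subnet on an Azure SQL logical server, and then list the server's IP firewall rules, which continue to govern public-IP access independently. The resource group, VNet, subnet and server names are placeholders.

```powershell
# Added example (not from the original question or answers). Placeholder names:
$rg     = 'rg-example'
$vnet   = 'vnet-example'
$subnet = 'snet-app'
$server = 'sql-example-server'

# 1. Enable the Microsoft.Sql service endpoint on the subnet. Traffic from VMs in
#    this subnet to Azure SQL then stays on the Azure backbone and is identified
#    by the subnet rather than by a public IP address.
$vnetObj   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnet
$subnetObj = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnetObj -Name $subnet
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnetObj -Name $subnet `
    -AddressPrefix $subnetObj.AddressPrefix -ServiceEndpoint 'Microsoft.Sql' | Out-Null
$vnetObj = $vnetObj | Set-AzVirtualNetwork

# 2. Whitelist only that subnet on the SQL server. This is a virtual network rule,
#    separate from the server's IP firewall rules.
$subnetObj = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnetObj -Name $subnet
New-AzSqlServerVirtualNetworkRule -ResourceGroupName $rg -ServerName $server `
    -VirtualNetworkRuleName "allow-$subnet" -VirtualNetworkSubnetId $subnetObj.Id

# 3. Review the IP firewall rules. Access from public IP addresses is decided here
#    and is not changed by the service endpoint: a broad rule (for example one
#    spanning 0.0.0.0 to 255.255.255.255) still exposes the server to every
#    public address, so keep this list to the ranges that genuinely need it.
Get-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $server |
    Select-Object FirewallRuleName, StartIpAddress, EndIpAddress
```

Requires the Az.Network and Az.Sql modules and an authenticated session (Connect-AzAccount).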