VNet Peering and Service Endpoints
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
Mastering Azure Connectivity: VNet Peering and Service Endpoints
Introduction: The Backbone of Azure Networking
When you begin architecting solutions in Microsoft Azure, one of the first realizations you encounter is that virtual machines, databases, and application services do not exist in a vacuum. They reside within Virtual Networks (VNets), which act as the private, isolated environments for your cloud resources. However, as your architecture grows from a single application to a complex ecosystem of microservices, data layers, and multi-tier environments, the need for these isolated networks to communicate becomes paramount.
Connecting these resources securely and efficiently is the primary job of Azure networking. Two of the most critical mechanisms for achieving this are VNet Peering and Service Endpoints. While both tools aim to solve the problem of connectivity, they operate at different layers of the networking stack and serve distinct purposes. VNet Peering is your go-to solution for connecting entire networks together, allowing resources in one VNet to talk to resources in another as if they were on the same private network. Service Endpoints, on the other hand, focus on securing the path between your VNet and specific Azure Platform-as-a-Service (PaaS) resources, effectively extending your private network identity to services like Azure SQL or Azure Storage.
Understanding the nuance between these two tools is not just an academic exercise; it is the foundation of building secure, performant, and cost-effective cloud infrastructure. If you misconfigure these, you risk exposing sensitive data to the public internet, creating unnecessary latency, or driving up your monthly cloud bill. This lesson will walk you through the mechanics of each, demonstrate how to implement them, and provide the professional guidance needed to make the right architectural choices for your projects.
Part 1: VNet Peering – Bridging Virtual Networks
VNet Peering is the process of connecting two or more Virtual Networks in Azure. When you peer two VNets, they appear as a single network for connectivity purposes. Traffic between virtual machines in peered VNets uses the Microsoft backbone network, meaning it stays off the public internet, which provides high bandwidth and low latency.
The Mechanics of Peering
There are two primary types of peering: Virtual Network Peering (within the same region) and Global Virtual Network Peering (across different Azure regions). Regardless of the type, the peering connection is non-transitive. This means if VNet A is peered with VNet B, and VNet B is peered with VNet C, VNet A does not automatically have connectivity to VNet C. You must explicitly configure the peering between A and C if that path is required.
Callout: Peering vs. VPN Gateways A common question is when to use VNet Peering versus a VPN Gateway. VNet Peering is intended for connecting Azure VNets directly. It offers significantly higher throughput and lower latency because it uses the internal Microsoft backbone. VPN Gateways are generally used for connecting your Azure environment to an on-premises network or for specific scenarios where you require encryption protocols that VNet Peering cannot provide. If you are strictly connecting Azure-to-Azure, VNet Peering should almost always be your first choice.
Implementation Steps
To configure VNet Peering, you must have the necessary permissions on both VNets. You can perform this through the Azure portal, Azure PowerShell, or the Azure CLI. Here is how you would establish a peering connection using the Azure CLI.
# Define your variables
RG="myResourceGroup"
VNET1="myVNet1"
VNET2="myVNet2"
# Get the IDs of the two VNets
VNET1_ID=$(az network vnet show --name $VNET1 --resource-group $RG --query id --output tsv)
VNET2_ID=$(az network vnet show --name $VNET2 --resource-group $RG --query id --output tsv)
# Create the peering from VNet1 to VNet2
az network vnet peering create \
--name "PeerVNet1ToVNet2" \
--resource-group $RG \
--vnet-name $VNET1 \
--remote-vnet $VNET2_ID \
--allow-vnet-access
# Create the peering from VNet2 to VNet1 (Bi-directional is required)
az network vnet peering create \
--name "PeerVNet2ToVNet1" \
--resource-group $RG \
--vnet-name $VNET2 \
--remote-vnet $VNET1_ID \
--allow-vnet-access
Best Practices for Peering
- Address Space Planning: Never overlap your address spaces. If VNet A uses
10.0.0.0/16and VNet B also uses10.0.0.0/16, you cannot peer them. Always plan your IP addressing scheme before creating your VNets to avoid massive re-architecting tasks later. - Use Hub-and-Spoke: Instead of a mesh of connections where every VNet is peered with every other VNet, use a Hub-and-Spoke topology. The Hub contains shared services (like firewalls or VPN gateways), and spokes peer only to the hub. This simplifies routing and security management.
- Monitor Peering Health: Azure Peering status can be "Initiated," "Connected," or "Disconnected." Always monitor this status, as a misconfiguration in the reverse-peering step can leave the connection in an unusable state.
Part 2: Service Endpoints – Securing PaaS Connectivity
While VNet Peering connects VNets, Service Endpoints connect your VNet to Azure PaaS services. When you create an Azure SQL Database or an Azure Storage account, they are by default accessible via a public IP address over the internet. While these services have their own firewall rules, using Service Endpoints adds a layer of security by routing the traffic to these services exclusively over the Azure backbone network.
Why Use Service Endpoints?
When you enable a Service Endpoint for a specific service (like Microsoft.Storage) on a specific subnet, the traffic from your virtual machines to that storage account is tagged with your VNet's identity. The storage account can then be configured to "Allow access from selected virtual networks." This means even if someone has the correct connection string and password, they cannot access the storage account unless their request originates from the authorized VNet.
Note: Service Endpoints do not provide a private IP address to the PaaS service. The service still resolves to its public DNS name. The "magic" happens in the Azure routing table, which ensures the traffic never leaves the Microsoft network to reach the destination service.
Configuring Service Endpoints
Configuring a Service Endpoint is a two-step process. First, you enable the service on the subnet. Second, you update the PaaS resource firewall to accept traffic from that subnet.
Step 1: Enable the Service Endpoint on the Subnet (Azure CLI)
az network vnet subnet update \
--resource-group myResourceGroup \
--vnet-name myVNet \
--name mySubnet \
--service-endpoints Microsoft.Storage
Step 2: Update the Storage Account Firewall After enabling the endpoint, you must tell the storage account to trust the subnet.
az storage account network-rule add \
--resource-group myResourceGroup \
--account-name mystorageaccount \
--subnet /subscriptions/{sub-id}/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVNet/subnets/mySubnet
Common Pitfalls with Service Endpoints
- Forgetting the Firewall Rule: Many users enable the Service Endpoint on the VNet but forget to update the resource's firewall settings. This results in the resource remaining public-facing, defeating the purpose of the endpoint.
- Scope Confusion: Service Endpoints are subnet-specific. If you have an application on Subnet A and a database on Subnet B, you must enable the endpoint on both if both need to communicate with the PaaS service.
- Routing Conflicts: If you use forced tunneling (sending all traffic to an on-premises firewall), Service Endpoints might be bypassed or blocked. Always ensure your User-Defined Routes (UDRs) don't conflict with the default system routes that Azure creates for Service Endpoints.
Part 3: Comparison and Architectural Integration
To choose the right tool, you must understand how they complement each other. VNet Peering is about network-to-network communication, while Service Endpoints are about network-to-service communication.
Quick Reference Table: Peering vs. Service Endpoints
| Feature | VNet Peering | Service Endpoints |
|---|---|---|
| Primary Goal | Connects two VNets together | Connects VNet to PaaS services |
| Network Path | Microsoft Backbone | Microsoft Backbone |
| IP Addressing | Requires unique, non-overlapping IPs | No IP constraints on the PaaS side |
| Management | Managed via VNet settings | Managed via Subnet and Resource settings |
| Security | Isolates traffic between networks | Limits service access to specific VNets |
Advanced Concept: Private Link
It is important to mention Azure Private Link, as it is the evolution of Service Endpoints. While Service Endpoints are great, they still use the public endpoint of the PaaS service. Private Link gives the PaaS service a private IP address inside your VNet. This is the gold standard for security, as it completely eliminates the need for public IP addresses on your database or storage account.
Callout: Choosing Between Service Endpoints and Private Link Service Endpoints are generally easier to set up and have no additional cost. However, they still expose a public DNS entry for the resource. Private Link is more secure because it provides a private IP inside your network, but it requires additional configuration (Private DNS Zones) and incurs a small hourly cost for the Private Endpoint. For most enterprise applications, Private Link is becoming the preferred choice.
Part 4: Common Mistakes and How to Avoid Them
Even experienced engineers fall into traps when dealing with Azure networking. Below are the most frequent issues and how to avoid them.
1. The "Default Route" Trap
When you create a VNet, Azure automatically adds a "System Route" to the internet. If you are trying to use Service Endpoints or VNet Peering to keep traffic private, you might accidentally override these routes with a custom route (UDR) that forces traffic out to an NVA (Network Virtual Appliance). If your NVA is not configured to handle the traffic to the Azure PaaS service, your application will lose connectivity.
- Avoidance: Use the "Effective Routes" feature in the Azure portal to inspect exactly where traffic is being sent. If you see traffic going to the internet instead of the service, check your UDRs.
2. Over-Peering
Some teams create a "Full Mesh" peering architecture, where every single VNet is peered with every other VNet. This creates an unmanageable amount of peering links and makes it extremely difficult to update address spaces or troubleshoot routing issues.
- Avoidance: Adopt a Hub-and-Spoke model. Keep your core network services in a central hub and peer only the spokes to that hub.
3. Ignoring DNS
Peering VNets does not automatically share DNS settings. If you have a VM in VNet A trying to reach a service in VNet B by name, it will fail unless you have a shared DNS server or have configured Azure Private DNS Zones to link both VNets.
- Avoidance: Always implement Azure Private DNS Zones. You can link a single Private DNS Zone to multiple VNets, allowing them to resolve each other's resources by private name effortlessly.
Part 5: Practical Implementation Scenario
Imagine you are building a three-tier application:
- Web Tier: Public-facing VMs.
- App Tier: Internal logic VMs in a separate VNet.
- Data Tier: Azure SQL Database.
The Architecture:
- You use VNet Peering to connect the Web Tier VNet and the App Tier VNet.
- You use a Service Endpoint (or Private Link) on the App Tier subnet to talk to the SQL Database.
- You use Network Security Groups (NSGs) on the Web Tier to allow only port 443.
- You use an NSG on the App Tier to allow traffic only from the Web Tier subnet.
Step-by-Step Implementation Guide:
- Create VNets: Create two VNets with non-overlapping address spaces (e.g.,
10.1.0.0/16and10.2.0.0/16). - Establish Peering: Use the CLI commands provided in Part 1 to peer the two networks.
- Set up NSGs: Create an NSG for the App Tier. Add an inbound rule:
Source: 10.1.0.0/16(Web Tier),Destination: Any,Port: 8080,Protocol: TCP,Action: Allow. - Enable Service Endpoint: Run the CLI command in Part 2 to enable
Microsoft.Sqlon the App Tier subnet. - Lock Down SQL: Navigate to the Azure SQL server in the portal, go to "Networking," select "Selected networks," and add the App Tier subnet to the firewall rule list.
This setup ensures that:
- The web tier cannot talk directly to the database.
- The database cannot be reached from the public internet.
- The app tier is protected by a firewall that only accepts traffic from the web tier.
Part 6: Best Practices for Enterprise Environments
In a professional setting, networking is about governance as much as it is about connectivity. Follow these industry-standard practices to maintain sanity:
- Infrastructure as Code (IaC): Never configure peering or endpoints manually in the portal for production environments. Use Terraform or Bicep. This ensures your networking state is version-controlled and reproducible.
- Least Privilege: When configuring NSGs (which are used alongside peering and endpoints), always follow the principle of least privilege. Do not use
Anyas a source or destination if you can specify a precise IP range or a Service Tag. - Service Tags: Use Azure Service Tags in your NSG rules. Instead of manually updating IP addresses when Azure changes their infrastructure, use tags like
Sql.WestUSorStorage.EastUS. This keeps your rules dynamic and resilient. - Monitoring: Use Azure Network Watcher. Its "Next Hop" tool is invaluable for debugging why traffic isn't reaching a peered VNet or a service endpoint. "Connection Troubleshoot" can also run automated tests to see if your security rules are blocking traffic.
Part 7: Summary and Key Takeaways
We have covered the foundational elements of Azure networking that allow your services to communicate securely. By mastering these concepts, you shift from simply "deploying resources" to "architecting systems."
Key Takeaways:
- VNet Peering is for Network Connectivity: Use it to connect VNets across regions or within the same region to allow private communication between virtual machines.
- Service Endpoints are for Service Security: Use them to ensure that traffic between your VNet and PaaS services stays on the Microsoft backbone and is restricted to your virtual network.
- Avoid Overlap: Always plan your IP address ranges (CIDR blocks) before deployment to prevent the inability to peer networks later.
- Hub-and-Spoke is King: Avoid full-mesh peering; centralize shared network services in a Hub VNet to reduce complexity and management overhead.
- Private Link is the Future: While Service Endpoints are useful, consider Private Link for higher security requirements, as it provides a true private IP for your PaaS resources.
- Use Service Tags: Simplify your security rules by using built-in Azure Service Tags instead of hardcoding IP addresses for Azure services.
- DNS is the Silent Partner: Networking is useless if your services cannot find each other. Always integrate your networking strategy with Azure Private DNS Zones.
By implementing these strategies, you ensure that your cloud infrastructure is not only functional but also secure, performant, and ready for the scale that enterprise applications demand. Networking in Azure is a deep topic, but by focusing on these core pillars, you have the knowledge necessary to handle almost any connectivity challenge you will face in your career.
Continue the course
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons