Configure Service Endpoints Demo
Start course

This course will focus on how to create and configure Azure service endpoints so that PaaS services can be made available from within your virtual network. The course will also discuss service tags, their association with service endpoints, and how to use them within the scope of your Network Security Groups and Azure Firewalls to allow/deny traffic to Azure PaaS services. The course will help to put all of this information into perspective.

Learning Objectives 

  • Create service endpoints
  • Configure service endpoint policies
  • Configure service tags
  • Configure access to service endpoints

Intended Audience

  • Azure Network Engineers who will be recommending networking solutions and managing them for performance, resiliency, scale, and security
  • Azure Network Engineers who will be working with solution architects, cloud administrators, security engineers, and application developers to deliver Azure solutions


  • Subject matter expertise in planning, implementing, and maintaining Azure networking solutions, including hybrid networking, connectivity, routing, security, and private access to Azure services
  • Azure administration skills
  • Experience and knowledge of networking, hybrid connections, and network security

Hi there. Let's take what we just learned about service endpoints and actually apply it inside the Azure Portal by configuring an existing virtual network to support service endpoints. Here we are in a virtual network that I created called vnet-serviceendpoints. And I'm currently in the subnets area of this virtual network. You'll notice it already has an existing subnet called defaultSubnet. Anytime you create a new virtual network, you're going to be required to add a existing subnet. So, what I'm going to do is I'm going to add a second subnet and we're going to configure it to support service endpoints. We're going to click on the 'Add Subnet' button, that of course brings up then the add subnet blade. 

I'm going to just call this subnetEndpoints. I'll go ahead and leave the address range alone, that's perfectly fine. The next few items are going to be specific to subnet networking, so we're not going to focus on them; the NAT gateway, the Network security group, and the Route table. Now, as I talked about with respect to the features, you no longer will need a NAT gateway to support service endpoint access or past service access. You may still want to add in network security groups, that's going to be up to you. And as I talked about, if you already have route tables in place where you want to force traffic to another device before going to the past service, you absolutely can do so. 

But the key area is down here under the service endpoints heading. And what we're going to do is specify a specific set of services that are allowed to be accessed directly over the Azure backbone from any VMs, Azure kubernetes, app services that might have been deployed into this subnet in the future. As soon as we click on the list, it's going to open up and give us access to all of the existing services that are supported and these tied back to that list that I showed you a little while ago. 

Now, I'm going to choose 'keyVault' and I'm going to choose 'Storage'. That's all that I have to do. I don't need to do anything more. Now, anytime I try and access a keyVault service or a storage service from a VM inside of this subnet, that traffic will stay on the Azure backbone within the Azure region if both are in the same region, and so on. That's all that I need to do, nothing more. Now, there is one additional item here called endpoint policies. We do not have any of those currently. That is a separate topic for the next video. We'll talk about that then. And I'll then come back and show you how to apply endpoint policies to this same subnet once we're done. Now, one thing to keep in mind here, for all of these service types, this just allows the traffic to stay inside of Azure. 

This does not affect permissioning or access to any specific instance of keyVault or storage. Almost every one of these services listed here have their own additional security controls, and you will still need to meet those before traffic will flow into the service. An example, Microsoft storage has an additional set of lifecycle policies that can be applied to individual containers or the storage account as a whole. You will still need to be allowed through that gate before you can actually retrieve data from that storage account. This only applies to the routing of the traffic to the services listed here. This is all that's needed for service endpoints. 

The same thing is true for an existing subnet. So, let me go ahead and save this. Now that the subnet has been added, let's take a look at our existing subnet and see that the way to add additional services to this subnet is exactly the same. We're going to click on 'CosmosDB', I'll click on 'EventHub', and just that simple. I now have two additional services that are added to this existing subnet. The exact same process is valid. Click 'Save' and we're done. Now, we go back and check out subnet endpoints that we just created, and you'll see, I now have keyVault and Storage added here as successful service endpoints. That's all there is to it. 

In the next video, we'll take a look at the service endpoint policies and how to create them, what they're going to be used for, and then of course, how to apply them to your subnet.


About the Author

Brian has been working in the Cloud space for more than a decade as both a Cloud Architect and Cloud Engineer. He has experience building Application Development, Infrastructure, and AI-based architectures using many different OSS and Non-OSS based technologies. In addition to his work at Cloud Academy, he is always trying to educate customers about how to get started in the cloud with his many blogs and videos. He is currently working as a Lead Azure Engineer in the Public Sector space.