Prajeesh Prathap

Service endpoint policies - Azure daily #14

Service endpoints let you connect selected Azure platform services to your virtual network. Once the endpoint is enabled on a subnet, traffic from your virtual machines to Azure SQL Database or Azure Storage leaves the VNet over the Azure backbone with the VM's private address as its source, instead of going out through a public IP to the service's public endpoint, and the service's own firewall can be configured to accept traffic only from that subnet.




The catch is that a service endpoint opens egress from the VNet to the whole service, not to one resource. Once the Microsoft.Storage endpoint is enabled on a subnet, workloads in that subnet can reach every storage account in the region (and its paired region), including accounts in other subscriptions and accounts an attacker controls, which makes the endpoint a convenient data-exfiltration path. Service endpoint policies close that gap: a policy attached to the subnet lists the storage accounts (or whole resource groups or subscriptions) that outbound traffic over the endpoint may reach, and traffic to any other storage account over that endpoint is denied.


Service endpoint policies (currently supported only for Azure Storage) let you:


  • Prevent unauthorized egress to storage accounts you do not own, i.e. block data exfiltration over the endpoint

  • Restrict a VNet or subnet to specific Azure Storage accounts, resource groups or subscriptions

  • Apply granular, per-subnet control over what a service endpoint can reach
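The following script is an added example, not part of the original post, showing the three Azure CLI steps that turn the allow-list above into configuration: create the policy, add a definition naming the permitted storage account, and attach the policy to the subnet together with the Microsoft.Storage endpoint. The resource group, VNet, subnet, storage account and policy names are assumptions chosen for the example; it needs a logged-in Azure CLI (`az login`) and rights to change the subnet. The `storage_account_id` helper validates the account name against the Storage naming rule (3 to 24 lowercase letters and digits) before building the ARM resource ID that goes into the policy definition.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): restrict a subnet's Microsoft.Storage
# service endpoint to a single storage account with a service endpoint policy.
# All resource names below are assumptions for the example.
set -eu

RG="${RG:-rg-sep-demo}"
LOCATION="${LOCATION:-westeurope}"
VNET="${VNET:-vnet-app}"
SUBNET="${SUBNET:-snet-app}"
ACCOUNT="${ACCOUNT:-stappdata01}"
POLICY="${POLICY:-sep-storage-allowlist}"

# Build the ARM resource ID of a storage account, rejecting names that break the
# Storage naming rule (3-24 lowercase letters and digits) so a typo cannot end up
# as a dangling entry in the policy definition.
storage_account_id() {
  sub="$1"; rg="$2"; name="$3"
  case "$name" in
    *[!a-z0-9]*|"") return 1 ;;
  esac
  n=${#name}
  [ "$n" -ge 3 ] && [ "$n" -le 24 ] || return 1
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s\n' \
    "$sub" "$rg" "$name"
}

apply_policy() {
  sub=$(az account show --query id -o tsv)
  account_id=$(storage_account_id "$sub" "$RG" "$ACCOUNT")

  # 1. The policy is a regional container for one or more definitions.
  az network service-endpoint policy create \
    --resource-group "$RG" --name "$POLICY" --location "$LOCATION" -o none

  # 2. A definition is the allow-list: only these Microsoft.Storage resources are
  #    reachable over the endpoint. A resource group or subscription ID would
  #    allow every account inside it; here it is one account.
  az network service-endpoint policy-definition create \
    --resource-group "$RG" --policy-name "$POLICY" --name allow-app-data \
    --service Microsoft.Storage --service-resources "$account_id" -o none

  # 3. Attach the policy to the subnet. The subnet must have the Microsoft.Storage
  #    endpoint enabled, otherwise there is nothing for the policy to filter.
  az network vnet subnet update \
    --resource-group "$RG" --vnet-name "$VNET" --name "$SUBNET" \
    --service-endpoints Microsoft.Storage --service-endpoint-policy "$POLICY" -o none
}

# Only talk to Azure when explicitly asked: sh sep.sh apply
if [ "${1:-}" = apply ]; then
  apply_policy
fi
```

After step 3, a VM in `snet-app` can still use the endpoint to reach `stappdata01`, but an upload to any other storage account over the endpoint is denied. Two caveats a practitioner should keep in mind: the policy governs only egress from the subnet, so the storage account's own firewall must still allow the VNet (or subnet) for the connection to succeed, and the policy applies to the storage endpoint alone; an endpoint for Microsoft.Sql or any other service on the same subnet is not filtered by it.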


 
