Azure virtual network service endpoints (2023)


Virtual network (VNet) service endpoints provide secure and direct connectivity to Azure services over an optimized route on the Azure backbone network. With endpoints you can restrict access to your critical Azure service resources to only your virtual networks. Service endpoints let private IP addresses in the VNet reach the endpoint of an Azure service without needing a public IP address on the VNet.

Note

Microsoft recommends using Azure Private Link for secure and private access to services hosted on the Azure platform. For more information, see Azure Private Link.

Service endpoints are available for the following Azure services and regions. The Microsoft.* resource provider name is given in parentheses; enable that resource from the subnet page when configuring service endpoints for your service:

Generally available


  • Azure Storage (Microsoft.Storage): Generally available in all Azure regions.
  • Azure SQL Database (Microsoft.Sql): Generally available in all Azure regions.
  • Azure Synapse Analytics (Microsoft.Sql): Generally available in all Azure regions for dedicated SQL pools (formerly SQL DW).
  • Azure Database for PostgreSQL server (Microsoft.Sql): Generally available in Azure regions where the database service is available.
  • Azure Database for MySQL server (Microsoft.Sql): Generally available in Azure regions where the database service is available.
  • Azure Database for MariaDB (Microsoft.Sql): Generally available in Azure regions where the database service is available.
  • Azure Cosmos DB (Microsoft.AzureCosmosDB): Generally available in all Azure regions.
  • Azure Key Vault (Microsoft.KeyVault): Generally available in all Azure regions.
  • Azure Service Bus (Microsoft.ServiceBus): Generally available in all Azure regions.
  • Azure Event Hubs (Microsoft.EventHub): Generally available in all Azure regions.
  • Azure Data Lake Store Gen 1 (Microsoft.AzureActiveDirectory): Generally available in all Azure regions where ADLS Gen1 is available.
  • Azure App Service (Microsoft.Web): Generally available in all Azure regions where App Service is available.
  • Azure Cognitive Services (Microsoft.CognitiveServices): Generally available in all Azure regions where Cognitive Services are available.

Public Preview

  • Azure Container Registry (Microsoft.ContainerRegistry): Preview available in limited Azure regions where Azure Container Registry is available.

For the latest notifications, see the Azure Virtual Network updates page.

Key benefits

Service endpoints provide the following benefits:

  • Improved security for your Azure service resources: VNet private address spaces can overlap, so an overlapping space can't be used to uniquely identify traffic originating from your VNet. Service endpoints let you secure Azure service resources to your virtual network by extending the VNet's identity to the service. Once service endpoints are enabled in your virtual network, you add a virtual network rule on the Azure service resource to secure it to that network. The rule improves security by removing public internet access to the resource and allowing traffic only from your virtual network. Check that the resource's firewall is set to deny traffic from all networks by default (for example, defaultAction Deny on a storage account): a virtual network rule added while the firewall still allows all networks neither grants nor blocks anything.

  • Optimal routing for Azure service traffic from your virtual network: Today, any routes in your virtual network that force internet traffic to your on-premises network and/or to virtual appliances also force Azure service traffic to take the same path as internet traffic. Service endpoints provide optimal routing for Azure traffic.

    Endpoints always route service traffic directly from your virtual network to the service on the Microsoft Azure backbone network. Keeping traffic on the Azure backbone lets you continue to inspect and monitor outbound internet traffic from your virtual networks through forced tunneling, without affecting service traffic. For more information on user-defined routes and forced tunneling, see Traffic routing for Azure virtual networks.

  • Easy setup with less administration: You no longer need reserved, public IP addresses in your virtual networks to protect Azure resources with an IP firewall. No Network Address Translation (NAT) or gateway devices are required to set up the service endpoints. You can configure service endpoints with a single selection on a subnet. There is no additional overhead for managing the endpoints.

Limitations

  • The feature is available only for virtual networks deployed through the Azure Resource Manager deployment model.
  • Endpoints are enabled on subnets configured in Azure virtual networks. Endpoints can't be used for traffic from your on-premises network to Azure services. For more information, see Secure access to Azure services from on-premises.
  • For Azure SQL, a service endpoint applies only to Azure service traffic within a virtual network's region. For Azure Storage, access from virtual networks in other regions is available in preview (see Enable access to virtual networks in other regions).
  • For Azure Data Lake Storage (ADLS) Gen 1, the VNet integration capability is available only for virtual networks within the same region. Also note that ADLS Gen1 virtual network integration uses the virtual network service endpoint security between your virtual network and Azure Active Directory (Azure AD) to generate additional security claims in the access token. These claims are then used to authenticate your virtual network to your Data Lake Storage Gen1 account and allow access. The Microsoft.AzureActiveDirectory tag listed under services supporting service endpoints is used only to support ADLS Gen 1 service endpoints; Azure AD doesn't natively support service endpoints. For more information on Azure Data Lake Store Gen 1 VNet integration, see Network security in Azure Data Lake Storage Gen1.

Secure Azure services in virtual networks

  • A virtual network service endpoint provides the identity of your virtual network to the Azure service. Once service endpoints are enabled in your virtual network, you can add a virtual network rule to secure the Azure service resources to your virtual network.

  • Today, traffic from a virtual network to Azure services uses public IP addresses as source IP addresses. With service endpoints, service traffic switches to using private virtual network addresses as the source IP addresses when accessing the Azure service from a virtual network. This switch lets you access the services without the reserved public IP addresses that would otherwise have to be allowed in the service's IP firewall.

    Note

    With service endpoints, the source IP addresses of the virtual machines in the subnet for service traffic switch from public IPv4 addresses to private IPv4 addresses. Existing Azure service firewall rules that use Azure public IP addresses stop working after this switch. Ensure that the Azure service firewall rules allow for this transition before setting up service endpoints. Setting up service endpoints can also briefly interrupt service traffic from that subnet.

Secure access to Azure services from on-premises

By default, Azure service resources secured to virtual networks aren't reachable from on-premises networks. If you want to allow traffic from on-premises, you must also allow the public IP addresses (typically NAT addresses) of your on-premises network or ExpressRoute circuit. You can add these IP addresses through the IP firewall configuration of the Azure service resource.

ExpressRoute: If you use ExpressRoute for public peering or Microsoft peering from your premises, you need to identify the NAT IP addresses in use. For public peering, each ExpressRoute circuit by default uses two NAT IP addresses that are applied to Azure service traffic when the traffic enters the Microsoft Azure backbone network. For Microsoft peering, the NAT IP addresses are either customer-provided or provided by the service provider. To allow access to your service resources, you must allow these public IP addresses in the resource's IP firewall setting. To find the public peering IP addresses of your ExpressRoute circuit, open a support ticket with ExpressRoute via the Azure portal. For more information on NAT for ExpressRoute public and Microsoft peering, see NAT requirements for ExpressRoute.
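The checks a reviewer would run against the model just described (subnet endpoint enabled, virtual network rule present and healthy, on-premises NAT addresses allowed through the IP firewall, default action set to deny) can be scripted over the JSON that the Azure CLI already returns. The following is an added example written for this page, not Microsoft's code: the dictionaries mirror the shape of `az storage account show --query networkRuleSet` and `az network vnet subnet show` output, all values are constructed, the subscription ID is a placeholder, and the /24 "broad range" threshold is a policy choice for the example rather than an Azure limit.

```python
"""Audit a storage account's network rule set against the subnets meant to reach it.

Added example, not code from the original page. The dictionaries mirror the
JSON that `az storage account show --query networkRuleSet` and
`az network vnet subnet show` return; all values below are constructed, and
the subscription ID is a placeholder.
"""
import ipaddress

SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real subscription


def subnet_id(resource_group, vnet, subnet):
    """Build the ARM resource ID that a virtual network rule refers to."""
    return (f"/subscriptions/{SUBSCRIPTION}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.Network/virtualNetworks/{vnet}/subnets/{subnet}")


# Constructed subnet inventory, keyed by resource ID.
SUBNETS_BY_ID = {
    subnet_id("rg-app", "vnet-app", "snet-app"): {
        "serviceEndpoints": [{"service": "Microsoft.Storage", "locations": ["*"], "provisioningState": "Succeeded"}],
    },
    subnet_id("rg-app", "vnet-app", "snet-db"): {
        # Only Microsoft.Sql was enabled here; storage traffic still leaves from a public IP.
        "serviceEndpoints": [{"service": "Microsoft.Sql", "locations": ["westeurope"], "provisioningState": "Succeeded"}],
    },
}

# Constructed network rule set for the storage account under review.
NETWORK_RULE_SET = {
    "bypass": "AzureServices",
    "defaultAction": "Deny",
    "ipRules": [
        {"action": "Allow", "ipAddressOrRange": "203.0.113.10"},   # on-premises NAT address
        {"action": "Allow", "ipAddressOrRange": "198.51.0.0/16"},  # far wider than one site needs
    ],
    "virtualNetworkRules": [
        {"action": "Allow", "state": "Succeeded",
         "virtualNetworkResourceId": subnet_id("rg-app", "vnet-app", "snet-app")},
        {"action": "Allow", "state": "Succeeded",
         "virtualNetworkResourceId": subnet_id("rg-app", "vnet-app", "snet-db")},
        {"action": "Allow", "state": "NetworkSourceDeleted",   # the subnet no longer exists
         "virtualNetworkResourceId": subnet_id("rg-old", "vnet-old", "snet-old")},
    ],
}

RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BROAD_PREFIX_LEN = 24  # policy threshold chosen for this example, not an Azure limit


def subnet_has_endpoint(subnet, service):
    """True when the subnet has a provisioned service endpoint for `service`."""
    return any(se["service"] == service and se.get("provisioningState") == "Succeeded"
               for se in subnet.get("serviceEndpoints", []))


def ip_rule_findings(ip_or_range):
    """Flag IP rules that can't work (private space) or are wider than a NAT egress needs."""
    net = ipaddress.ip_network(ip_or_range, strict=False)
    if net.version == 4 and any(net.subnet_of(private) for private in RFC1918):
        return [f"ip rule {ip_or_range}: inside RFC 1918 space; storage firewalls accept only public addresses"]
    if net.prefixlen < BROAD_PREFIX_LEN:
        return [f"ip rule {ip_or_range}: broader than /{BROAD_PREFIX_LEN}; narrow it to the NAT addresses in use"]
    return []


def audit_network_rule_set(rule_set, subnets_by_id, service="Microsoft.Storage"):
    """Return a list of findings; an empty list means the rule set is coherent."""
    findings = []
    if rule_set.get("defaultAction") != "Deny":
        findings.append("defaultAction is not Deny: virtual network and IP rules restrict nothing")
    for rule in rule_set.get("virtualNetworkRules", []):
        sid = rule["virtualNetworkResourceId"]
        if rule.get("state") != "Succeeded":
            findings.append(f"vnet rule {sid}: state {rule.get('state')}; remove the stale rule")
            continue
        subnet = subnets_by_id.get(sid)
        if subnet is None:
            findings.append(f"vnet rule {sid}: subnet not in inventory")
        elif not subnet_has_endpoint(subnet, service):
            findings.append(f"vnet rule {sid}: no {service} endpoint on the subnet, so its traffic "
                            f"arrives from a public IP and won't match this rule")
    for rule in rule_set.get("ipRules", []):
        findings.extend(ip_rule_findings(rule["ipAddressOrRange"]))
    return findings


if __name__ == "__main__":
    for finding in audit_network_rule_set(NETWORK_RULE_SET, SUBNETS_BY_ID):
        print(finding)
```

On the constructed data the audit reports the subnet without a Microsoft.Storage endpoint, the rule whose subnet was deleted, and the oversized IP range; the on-premises NAT address passes. Feed it real output by replacing the two dictionaries with parsed CLI JSON.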


Configuration

  • Configure service endpoints on a subnet in a virtual network. Endpoints work with any type of compute instance running in that subnet.
  • You can configure multiple service endpoints for all supported Azure services (such as Azure Storage or Azure SQL Database) on a subnet.
  • Azure SQL Database requires the virtual network to be in the same region as the Azure service resource. For Azure Storage, access from virtual networks in other regions is available in preview (see Enable access to virtual networks in other regions). For all other services, you can secure Azure service resources to virtual networks in any region.
  • The virtual network where the endpoint is configured can be in the same or a different subscription than the Azure service resource. For more information on the permissions required for setting up endpoints and securing Azure services, see Deployment.
  • For supported services, you can secure new or existing resources to virtual networks using service endpoints.

Considerations

  • After enabling a service endpoint, the source IP addresses switch from public IPv4 addresses to the private IPv4 addresses of the virtual machines when communicating with the service from that subnet. Any existing open TCP connections to the service are closed during this switch. Ensure that no critical tasks are running when you enable or disable a service endpoint for a service on a subnet, and that your applications can reconnect to Azure services automatically after the IP address change.

    The IP address change affects only service traffic from your virtual network. There's no impact on any other traffic addressed to or from the public IPv4 addresses assigned to your virtual machines. If you have existing firewall rules for Azure services that use Azure public IP addresses, those rules stop working with the switch to private virtual network addresses.

  • With service endpoints, DNS records for Azure services remain unchanged and continue to resolve to public IP addresses assigned to the Azure service.

  • Network Security Groups (NSGs) with service endpoints:

    • By default, NSGs allow outbound internet traffic and also allow traffic from your VNet to Azure services. This traffic works unmodified with service endpoints.
    • If you want to deny all outbound internet traffic and allow only traffic to specific Azure services, you can do so with service tags in your NSGs. You can specify supported Azure services as the destination in your NSG rules, and Azure maintains the IP addresses underlying each tag. For more information, see Azure service tags for NSGs.
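The interaction between a deny-Internet rule and a service-tag allow rule is entirely a matter of priority and matching order, which is easy to get wrong. The following is an added example, not code from the page or from Microsoft: it evaluates an outbound flow against a rule set the way Azure processes NSG rules (ascending priority, first match wins, the three default outbound rules at the end). Rule fields follow the shape of `az network nsg rule list` output; the prefixes behind the VirtualNetwork and Storage tags are constructed placeholders rather than real Azure address space, the Internet tag is simplified to "anything outside the VNet", and source address and source port are assumed to be '*'.

```python
"""Evaluate outbound NSG rules that deny Internet but allow one service tag.

Added example, not code from the original page. Rule fields follow the shape of
`az network nsg rule list` output (priority, direction, access, protocol,
destinationAddressPrefix, destinationPortRange). Azure maintains the prefixes
behind each service tag; the tag table here is a constructed stand-in and the
ranges are not real Azure address space. Source address and source port are
not evaluated (assumed '*').
"""
import ipaddress

# Constructed stand-in for the service-tag prefix lists Azure manages.
SERVICE_TAG_PREFIXES = {
    "VirtualNetwork": ["10.1.0.0/16"],   # this VNet's own address space
    "Storage": ["192.0.2.0/24"],         # placeholder for the Storage tag
}


def destination_matches(spec, ip):
    """Match an NSG destination (tag, CIDR, single IP or '*') against an address."""
    if spec == "*":
        return True
    if spec == "Internet":
        # Simplification: everything not inside the VNet counts as Internet.
        return not destination_matches("VirtualNetwork", ip)
    if spec in SERVICE_TAG_PREFIXES:
        return any(ip in ipaddress.ip_network(p) for p in SERVICE_TAG_PREFIXES[spec])
    return ip in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    """Match '*', a single port or a 'lo-hi' range."""
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-"))
        return lo <= port <= hi
    return int(spec) == port


def evaluate_outbound(rules, dst_ip, dst_port, protocol):
    """First matching rule in priority order wins, as Azure evaluates NSGs."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != "Outbound":
            continue
        if rule["protocol"] not in ("*", protocol):
            continue
        if not destination_matches(rule["destinationAddressPrefix"], ip):
            continue
        if not port_matches(rule["destinationPortRange"], dst_port):
            continue
        return rule["access"], rule["name"]
    return "Deny", "ImplicitDeny"  # not reached while the default rules are present


def rule(name, priority, access, dst, port, protocol="*"):
    """Build one outbound rule in the CLI output shape."""
    return {"name": name, "priority": priority, "direction": "Outbound", "access": access,
            "protocol": protocol, "destinationAddressPrefix": dst, "destinationPortRange": port}


# Constructed rule set: two custom rules plus the three default outbound rules.
RULES = [
    rule("Allow-Storage-443", 100, "Allow", "Storage", "443", "Tcp"),
    rule("Deny-Internet", 4000, "Deny", "Internet", "*"),
    rule("AllowVnetOutBound", 65000, "Allow", "VirtualNetwork", "*"),
    rule("AllowInternetOutBound", 65001, "Allow", "Internet", "*"),
    rule("DenyAllOutBound", 65500, "Deny", "*", "*"),
]


if __name__ == "__main__":
    for dst, port, proto in (("192.0.2.10", 443, "Tcp"), ("192.0.2.10", 80, "Tcp"),
                             ("203.0.113.1", 443, "Tcp"), ("10.1.3.4", 1433, "Tcp")):
        print(dst, port, proto, "->", evaluate_outbound(RULES, dst, port, proto))
```

Two things the run makes visible: HTTPS to a Storage address is allowed while plain HTTP to the same address is caught by Deny-Internet, because the Storage addresses also fall under Internet and the allow rule is port-specific; and swapping the two custom priorities (Deny-Internet at 100, Allow-Storage-443 at 4000) silently blocks storage, since the first match wins.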

Scenarios

  • Peered, connected, or multiple virtual networks: To secure Azure services to multiple subnets within a virtual network or across multiple virtual networks, you can enable service endpoints on each of the subnets independently and secure Azure service resources to all of the subnets.
  • Filtering outbound traffic from a virtual network to Azure services: If you want to inspect or filter traffic sent from a virtual network to an Azure service, you can deploy a network virtual appliance (NVA) inside the virtual network. You can then apply service endpoints to the subnet where the NVA is deployed and secure Azure service resources only to that subnet. This scenario is useful if you want to use NVA filtering to restrict Azure service access from your virtual network to specific Azure resources only. For more information, see Egress with network virtual appliances.
  • Securing Azure resources to services deployed directly into virtual networks: You can deploy various Azure services directly into specific subnets in a virtual network. You can secure Azure service resources to managed service subnets by setting up a service endpoint on the managed service's subnet.
  • Disk traffic from an Azure virtual machine: Virtual machine disk traffic for managed and unmanaged disks isn't affected by service endpoint routing changes for Azure Storage. This traffic includes disk I/O as well as mount and unmount operations. You can limit REST access to page blobs to select networks through service endpoints and Azure Storage network rules.

Logging and Troubleshooting

After configuring service endpoints for a specific service, verify that the service endpoint route is in effect by:

  • Validating the source IP address of any service request in the service's diagnostic logs. All new requests with service endpoints show the source IP address of the request as the private virtual network IP address assigned to the client making the request from your virtual network. Without the endpoint, the address is an Azure public IP address.
  • Viewing the effective routes on any network interface in the subnet. The route to the service:
    • Shows a more specific default route to each service's address prefix ranges
    • Has a nextHopType of VirtualNetworkServiceEndpoint
    • Indicates a more direct connection to the service than any forced-tunneling routes

Note

Service endpoint routes override any BGP or UDR routes for the address prefix match of an Azure service. For more information, see Troubleshooting with effective routes.
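The effective-route check above can be automated, and doing so also shows why the override works: Azure selects the next hop by longest prefix match, so a /24 injected for a service beats a 0.0.0.0/0 user-defined route to an appliance. The following is an added example written for this page, not Microsoft's code. Its input mirrors the list returned by `az network nic show-effective-route-table -g <rg> -n <nic> -o json`; the table is constructed, and the service prefixes are placeholders rather than real Azure Storage ranges.

```python
"""Check that service-endpoint routes are in effect from an effective route table.

Added example, not code from the original page. The input mirrors the list
returned by `az network nic show-effective-route-table -g <rg> -n <nic> -o json`;
the table below is constructed, and the service prefixes are placeholders, not
real Azure Storage ranges.
"""
import ipaddress

# Constructed effective route table for a NIC in a subnet that (a) has a UDR
# forcing 0.0.0.0/0 to a network virtual appliance and (b) has Microsoft.Storage
# service endpoints enabled.
SAMPLE_EFFECTIVE_ROUTES = [
    {"addressPrefix": ["10.1.0.0/16"], "nextHopType": "VnetLocal",
     "nextHopIpAddress": [], "source": "Default", "state": "Active"},
    {"addressPrefix": ["0.0.0.0/0"], "nextHopType": "Internet",
     "nextHopIpAddress": [], "source": "Default", "state": "Invalid"},   # overridden by the UDR
    {"addressPrefix": ["0.0.0.0/0"], "nextHopType": "VirtualAppliance",
     "nextHopIpAddress": ["10.1.2.4"], "source": "User", "state": "Active"},
    {"addressPrefix": ["192.0.2.0/24", "198.51.100.0/25"], "nextHopType": "VirtualNetworkServiceEndpoint",
     "nextHopIpAddress": [], "source": "Default", "state": "Active"},
]


def best_route(routes, dst_ip):
    """Longest-prefix match over Active routes, the way Azure selects a next hop.

    Returns (route, matching_network) or None when nothing covers dst_ip."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for route in routes:
        if route.get("state") != "Active":
            continue  # Invalid routes were overridden and carry no traffic
        for prefix in route["addressPrefix"]:
            net = ipaddress.ip_network(prefix)
            if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (route, net)
    return best


def next_hop_for(routes, dst_ip):
    """nextHopType of the route that would carry traffic to dst_ip."""
    match = best_route(routes, dst_ip)
    return match[0]["nextHopType"] if match else None


def service_endpoint_in_effect(routes, dst_ip):
    """True when traffic to dst_ip leaves via the service endpoint rather than the UDR."""
    return next_hop_for(routes, dst_ip) == "VirtualNetworkServiceEndpoint"


def service_endpoint_prefixes(routes):
    """All prefixes Azure injected for the enabled service endpoints."""
    return sorted(p for r in routes
                  if r["nextHopType"] == "VirtualNetworkServiceEndpoint" and r.get("state") == "Active"
                  for p in r["addressPrefix"])


if __name__ == "__main__":
    print("service endpoint prefixes:", service_endpoint_prefixes(SAMPLE_EFFECTIVE_ROUTES))
    for dst in ("192.0.2.10", "198.51.100.200", "203.0.113.5", "10.1.0.9"):
        print(dst, "->", next_hop_for(SAMPLE_EFFECTIVE_ROUTES, dst))
```

An address inside one of the injected prefixes resolves to VirtualNetworkServiceEndpoint even though a 0.0.0.0/0 UDR is active; an address just outside the /25 (198.51.100.200 in the sample) still goes to the appliance, which is the case to look for when a service reports requests from a public source IP after the endpoint was enabled.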

Deployment

Service endpoints can be configured on virtual networks independently by a user with write access to a virtual network. To secure Azure service resources to a VNet, the user must have permission to Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action for the subnets being added. This permission is included in the built-in service administrator roles by default and can be modified by creating custom roles.

For more information about built-in roles, see Azure built-in roles. For more information about assigning specific permissions to custom roles, see Azure custom roles.

Virtual networks and Azure service resources can be in the same or different subscriptions. Certain Azure services (not all), such as Azure Storage and Azure Key Vault, also support service endpoints across different Azure Active Directory (Azure AD) tenants, that is, the virtual network and the Azure service resource can be in different Azure AD tenants. For more information, see the respective service documentation.

Pricing and limits

There are no additional charges for using service endpoints. The current pricing model for Azure services (Azure Storage, Azure SQL Database, etc.) remains unchanged.

The total number of service endpoints in a virtual network is unlimited.

Certain Azure services, such as Azure Storage accounts, may enforce limits on the number of subnets used for securing the resource. Refer to the documentation for the various services in Next steps for details.

VNet service endpoint policies

Virtual network service endpoint policies allow you to filter virtual network traffic to Azure services, allowing only specific Azure service resources over the service endpoints. Service endpoint policies provide granular access control for virtual network traffic to Azure services. For more information, see Virtual network service endpoint policies.

Frequently asked questions

For FAQs, see Virtual network service endpoint FAQs.

Next Steps

  • Configure virtual network service endpoints
  • Secure an Azure Storage account to a virtual network
  • Secure an Azure SQL Database to a virtual network
  • Secure Azure Synapse Analytics in a virtual network
  • Compare private endpoints and service endpoints
  • Virtual network service endpoint policies
  • Azure Resource Manager template


Article information

Author: Kimberely Baumbach CPA

Last Updated: 25/05/2023
