
Service vs Private Endpoints: What to Choose?

Azure offers plenty of services, and they can be integrated into our applications in many ways, but which options are best, and when should we choose which?

Problem

We want to integrate various Azure services with our application and need to choose the right connectivity option.

In the Azure cloud we have several options:

  1. Public endpoints
  2. Service endpoints
  3. Private Link

Solution

Let’s go briefly through each of the options we have and explain their pros and cons.

Public endpoints

The simplest approach is to use the public endpoints exposed by those services and not bother with security and more complex configuration.

Pros of this solution:

  • simplicity
  • time to market
  • easy to set up redundancy for the used services

Cons of this solution:

  • our data can be exposed to security risk
  • someone else can use our service 🤔

When to choose this scenario?

When we are creating an MVP type of application or we don’t use any critical company data.

Service endpoints

A more advanced scenario is to use service endpoints, which allow communication only from a specific VNET and subnet. As an example, let’s take an App Service communicating with Azure SQL.

In the public endpoint scenario the web application uses the public IP address of the database, but when we use service endpoints the same application starts communicating from a private IP address in our VNET. Azure SQL still exposes a public IP address for communication; however, we can filter communication on its firewall to only a specific subnet in our VNET.

Pros of this solution:

  • simplicity
  • more control over traffic
  • no need to set up DNS
  • easy to set up redundancy for the used services

Cons of this solution:

  • the used services require a tier which allows usage of VNET
  • only a single region can be used with this type of connection

When to choose this scenario?

When we want to connect our on-premises application or we use some confidential data in our application. We want to have control over who has access to our data.

Private Link

The most advanced and secure option for network connectivity. Under the hood the connection is configured to use a private IP address of the service, and Private Link creates a private NIC for us in our VNET.

Pros of this solution:

  • security
  • control over traffic
  • data is transferred using Microsoft backbone network
  • services can be exposed in another region

Cons of this solution:

  • the used services require a tier which allows usage of VNET
  • DNS is recommended/required for the private NIC
  • complex configuration is required when we want to use redundancy

When to choose this scenario?

We don’t want to expose data to the public internet using public endpoints, or we want to have monitoring over inbound and outbound communication. Our data is critical for our organization and should be consumed by the application in a secure way.
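To make the difference between the Service endpoints and Private Link sections concrete, here is an added Bicep example (not from the original post) that wires one existing Azure SQL logical server up both ways: a subnet with a Microsoft.Sql service endpoint plus a server firewall VNET rule, and a private endpoint with the privatelink DNS zone, VNET link and zone group that the "DNS is required" con refers to. Resource names such as vnet-app, subnet-app and sql-contoso-example are placeholders; in practice you would deploy one pattern or the other, not both.

```bicep
// Added example, not from the original post; Bicep; all resource names are placeholders.
resource sqlServer 'Microsoft.Sql/servers@2021-11-01' existing = {
  name: 'sql-contoso-example'
}
// Subnet with a Microsoft.Sql service endpoint: traffic still reaches the SQL public
// endpoint, but its source is now the subnet's private address range.
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-app'
  location: resourceGroup().location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [ {
      name: 'subnet-app'
      properties: {
        addressPrefix: '10.10.1.0/24'
        serviceEndpoints: [ { service: 'Microsoft.Sql' } ]
      }
    } ]
  }
}
// Service endpoint pattern: the server firewall admits only that subnet. No DNS work.
resource vnetRule 'Microsoft.Sql/servers/virtualNetworkRules@2021-11-01' = {
  parent: sqlServer
  name: 'allow-subnet-app'
  properties: { virtualNetworkSubnetId: vnet.properties.subnets[0].id }
}
// Private Link pattern: a NIC with a private IP fronts the server inside the VNET...
resource pe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-sql'
  location: resourceGroup().location
  properties: {
    subnet: { id: vnet.properties.subnets[0].id }
    privateLinkServiceConnections: [ { name: 'sql', properties: { privateLinkServiceId: sqlServer.id, groupIds: [ 'sqlServer' ] } } ]
  }
}
// ...and a privatelink zone linked to the VNET resolves the server FQDN to that IP.
resource zone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.database.windows.net'
  location: 'global'
}
resource link 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: zone
  name: 'link-vnet-app'
  location: 'global'
  properties: { virtualNetwork: { id: vnet.id }, registrationEnabled: false }
}
resource zoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: pe
  name: 'default'
  properties: { privateDnsZoneConfigs: [ { name: 'sql', properties: { privateDnsZoneId: zone.id } } ] }
}
```

Once the Private Link pattern is in place, the server's publicNetworkAccess property can be set to Disabled so its public endpoint stops accepting traffic altogether; the service endpoint pattern cannot do this, because it still depends on the public endpoint.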

Summary

To summarize, in Azure we have many options available to integrate our application with services. In my opinion the most typical and common scenario is to use public endpoints for the connection. This scenario will be the best and simplest option for most applications; if we need more control, we should focus on service endpoints. Private Link will be the best choice for enterprises when they want to meet security requirements or integrate applications from an on-premises environment.

Photo by Gavin Allanwood on Unsplash