By default, resources in Azure get a public IP address and can be reached over the public network. Service endpoints and Private Link are the two ways to restrict that access and cut these resources off from the public network.
Let's start with service endpoints. When you create a service endpoint for a resource, you select a subnet, and that subnet's routing table is updated so that traffic to the service is routed over the Microsoft backbone.
Essentially, service endpoints direct VNet traffic off the public Internet and onto the Azure backbone network. You enable service endpoints per Azure service on a subnet in a virtual network; the endpoint is associated with the subnet, and the corresponding Azure services are added to it.
So the key things to remember for service endpoints are:
- The resource keeps its public IP address
- The IP is resolved by Microsoft DNS
- The endpoint is not reachable from private, on-premises networks
- Service endpoints work with any compute resource instance running within the enabled subnet.
- You can enable multiple service endpoints on a subnet.
- You can limit access to specific regions of a service endpoint-enabled service with service tags.
- They do not require custom DNS changes, unlike private endpoints.
Service endpoints apply to all instances of the Azure service, not just the ones you create. If you want to limit virtual network traffic to specific instances or regions of a resource, you need a service endpoint policy. Service endpoint policies enable outbound virtual network traffic filtering to service endpoint-enabled resources.
Service endpoint policies are a separate resource, and you assign policies at the subnet level. The policy contains definitions that specify an existing Azure resource.
A Private Link endpoint essentially creates a separate virtual NIC inside your subnet for a specific service. You need to create a separate private endpoint for each service. The Azure service gets a private IP, and all the other resources spun up inside the VNet can reach it through that IP.
Key things about private endpoints:
- Blocks public access with the firewall
- Internal DNS resolves to the private IP
- NSGs (network security groups) are not applied to the private endpoint

Microsoft recommends using Azure Private Link. Private Link offers better capabilities in terms of privately accessing PaaS from on-premises, built-in data-exfiltration protection, and mapping the service to a private IP in your own network.
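As an added example (not from the original post), the following Bicep template deploys both patterns for one storage account: a subnet with a Storage service endpoint plus the account firewall rule that actually enforces it, and a private endpoint with the private DNS zone that makes the account name resolve to the private IP. Resource names, address ranges and API versions are assumptions for illustration.

```bicep
param location string = resourceGroup().location
param storageName string = 'stdemo${uniqueString(resourceGroup().id)}'
var subnetId = resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, 'snet-app')
// Subnet with a Storage service endpoint: traffic to Storage leaves over the
// Microsoft backbone, but the storage account itself still keeps its public IP.
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-demo'
  location: location
  properties: {
    addressSpace: { addressPrefixes: ['10.0.0.0/16'] }
    subnets: [{ name: 'snet-app', properties: { addressPrefix: '10.0.1.0/24', serviceEndpoints: [{ service: 'Microsoft.Storage' }] } }]
  }
}
// The public endpoint still exists, so the account firewall must deny by default and allow only the subnet.
resource stg 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageName
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    networkAcls: { defaultAction: 'Deny', bypass: 'None', virtualNetworkRules: [{ id: subnetId, action: 'Allow' }] }
  }
}
// Private endpoint: a NIC in the subnet whose private IP fronts the blob sub-resource.
resource pe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-${storageName}-blob'
  location: location
  properties: {
    subnet: { id: subnetId }
    privateLinkServiceConnections: [{ name: 'blob', properties: { privateLinkServiceId: stg.id, groupIds: ['blob'] } }]
  }
}
// Private DNS zone linked to the VNet so the account's public name resolves to the
// private IP from inside the network; without it, clients still get the public IP.
resource zone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.blob.${environment().suffixes.storage}'
  location: 'global'
}
resource zoneLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: zone
  name: 'vnet-demo'
  location: 'global'
  properties: { virtualNetwork: { id: vnet.id }, registrationEnabled: false }
}
resource dnsGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: pe
  name: 'default'
  properties: { privateDnsZoneConfigs: [{ name: 'blob', properties: { privateDnsZoneId: zone.id } }] }
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file main.bicep`; from a VM in `snet-app`, resolving the account's blob hostname should then return the 10.0.1.x address of the private endpoint.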
See the comparison here.