Service Endpoints

🎯 Lab Objectives

In this hands-on lab, you will learn how to:

Understand Azure Service Endpoints and their security benefits
Enable service endpoints for Azure Storage on virtual network subnets
Configure storage account network rules to restrict access via service endpoints
Test connectivity scenarios with and without service endpoints
Implement network-level security for Azure PaaS services
Compare access patterns between different subnets and configurations

Goal: Secure Azure Storage access by implementing service endpoints and network access rules to control traffic flow from specific subnets.

🏗️ Pre-Provisioned Environment

The following Azure resources have been pre-deployed in your environment:

Resource Overview

Resource Type	Resource Name	Configuration	Purpose
Resource Group	`ServiceEndpoint-Lab-RG`	Contains all lab resources	Logical container
Virtual Network	`ServiceEndpointLab-VNet`	Address space: 10.0.0.0/16	Network foundation
App Subnet	`AppSubnet`	Range: 10.0.1.0/24	Application tier
DB Subnet	`DBSubnet`	Range: 10.0.2.0/24	Database tier
App VM	`AppVM`	Windows Server 2019	Application server
DB VM	`DBVM`	Ubuntu 20.04 LTS	Database server
Storage Account	`labstorage[unique]`	General Purpose v2	Data storage

Network Architecture

ServiceEndpointLab-VNet (10.0.0.0/16)
├── AppSubnet (10.0.1.0/24)
│   └── AppVM (Windows Server)
│       └── Service Endpoint (to be configured)
└── DBSubnet (10.0.2.0/24)
    └── DBVM (Ubuntu Linux)
        └── Service Endpoint (optional)

Internet
└── Storage Account (labstorage[unique])
    └── Network Rules (to be configured)

VM Details

VM	Operating System	Private IP	Purpose
AppVM	Windows Server 2019	10.0.1.4	Test service endpoint access
DBVM	Ubuntu 20.04 LTS	10.0.2.4	Compare subnet access patterns

🚀 Lab Exercises

Part 1: Baseline Connectivity Test

Step 1: Connect to Application VM

Navigate to ServiceEndpoint-Lab-RG resource group
Click on AppVM
Click Connect → RDP
Use credentials:
- Username: azureuser
- Password: LabPassword123!

Step 2: Get Storage Account Details

In your resource group, click on the Storage Account (labstorage[unique])
In the left menu, click Endpoints
Copy the Blob service endpoint URL: https://labstorage[unique].blob.core.windows.net/
Note this URL for testing

Step 3: Test Initial Storage Access from AppVM

From AppVM, open PowerShell and run:

# Test storage account accessibility
$storageUrl = "https://labstorage[unique].blob.core.windows.net/"
Invoke-WebRequest -Uri $storageUrl -Method HEAD

# Alternative test with curl (if available)
curl -I $storageUrl

# Test from browser
Start-Process "https://labstorage[unique].blob.core.windows.net/"

Expected Result: ✅ Access should succeed (HTTP 200 or similar)

Step 4: Test Access from DBVM

Navigate to DBVM
Click Connect → SSH
Use Azure Cloud Shell or SSH client:

ssh azureuser@[DBVM-Public-IP]
# Password: LabPassword123!

Test storage access:

# Test storage account accessibility
curl -I https://labstorage[unique].blob.core.windows.net/

# Test with verbose output
curl -v https://labstorage[unique].blob.core.windows.net/

Expected Result: ✅ Access should succeed initially

📝 Baseline: Both VMs can currently access the storage account over the public internet.

Part 2: Configure Storage Account Network Restrictions

Step 1: Navigate to Storage Networking Settings

Go to your Storage Account in the portal
In the left menu, click Networking
Click on Firewalls and virtual networks tab

Step 2: Configure Network Access Rules

Change access setting:
- Select “Enabled from selected virtual networks and IP addresses”
- This will deny public access by default
Add virtual network:
- Click + Add existing virtual network
- Configure the rule:

Setting	Value	Purpose
Subscription	Your subscription	Target subscription
Virtual networks	`ServiceEndpointLab-VNet`	Lab VNet
Subnets	`AppSubnet`	Allow AppSubnet only

Click Add
Save the configuration

⏱️ Wait Time: Changes can take 2-5 minutes to take effect.

Part 3: Test Restricted Access

Step 1: Test from AppVM (Should Fail)

Return to AppVM PowerShell session:

# Test storage access after network restriction
$storageUrl = "https://labstorage[unique].blob.core.windows.net/"
try {
    Invoke-WebRequest -Uri $storageUrl -Method HEAD -TimeoutSec 10
    Write-Host "✅ Access successful"
} catch {
    Write-Host "❌ Access blocked: $($_.Exception.Message)"
}

Expected Result: ❌ Access should fail (403 Forbidden or timeout)

Step 2: Test from DBVM (Should Also Fail)

From DBVM SSH session:

# Test storage access after restriction
echo "Testing storage access..."
curl -I --connect-timeout 10 https://labstorage[unique].blob.core.windows.net/

# Check specific error
curl -v --connect-timeout 10 https://labstorage[unique].blob.core.windows.net/

Expected Result: ❌ Access should fail for both VMs

🔍 What Happened: The storage account now blocks all traffic except from selected virtual networks, but service endpoints are not yet enabled.

Part 4: Enable Service Endpoint for AppSubnet

Step 1: Navigate to Virtual Network

Go to ServiceEndpointLab-VNet
In the left menu, click Subnets
Click on AppSubnet

Step 2: Configure Service Endpoint

In the AppSubnet configuration:
Scroll down to Service endpoints
Click + Add service endpoint

Step 3: Add Microsoft.Storage Endpoint

Configure the service endpoint:

Setting	Value	Purpose
Service	Microsoft.Storage	Azure Storage service
Policy	None (leave empty)	No additional policies

Click Save

⏱️ Configuration Time: Service endpoint enablement takes 1-2 minutes.

Part 5: Test Service Endpoint Functionality

Step 1: Test from AppVM (Should Succeed)

Return to AppVM and test again:

# Wait a moment for service endpoint to activate
Start-Sleep -Seconds 60

# Test storage access with service endpoint
$storageUrl = "https://labstorage[unique].blob.core.windows.net/"
try {
    $response = Invoke-WebRequest -Uri $storageUrl -Method HEAD -TimeoutSec 15
    Write-Host "✅ AppVM Access successful - Status: $($response.StatusCode)"
    Write-Host "🔗 Service endpoint is working!"
} catch {
    Write-Host "❌ AppVM Access failed: $($_.Exception.Message)"
}

# Test with additional diagnostics
nslookup labstorage[unique].blob.core.windows.net

Expected Result: ✅ Access should succeed via service endpoint

Step 2: Test from DBVM (Should Still Fail)

From DBVM SSH session:

# Test from subnet WITHOUT service endpoint
echo "Testing from DBSubnet (no service endpoint)..."
curl -I --connect-timeout 15 https://labstorage[unique].blob.core.windows.net/

# Check DNS resolution
nslookup labstorage[unique].blob.core.windows.net

Expected Result: ❌ Access should still fail (no service endpoint on DBSubnet)

Step 3: Verify Service Endpoint Status

Go to ServiceEndpointLab-VNet → Subnets
Verify AppSubnet shows Microsoft.Storage in service endpoints
Verify DBSubnet shows None for service endpoints

Part 6: Enable Service Endpoint for DBSubnet

Step 1: Configure DBSubnet Service Endpoint

Navigate to ServiceEndpointLab-VNet → Subnets
Click on DBSubnet
Add service endpoint:

Setting	Value
Service	Microsoft.Storage

Click Save

Step 2: Update Storage Account Network Rules

Go to Storage Account → Networking
Under Virtual networks, click + Add existing virtual network
Add DBSubnet:

Setting	Value
Virtual networks	`ServiceEndpointLab-VNet`
Subnets	`DBSubnet`

Click Add and Save

Step 3: Test from DBSubnet

Wait 1-2 minutes, then test from DBVM:

# Test access after enabling service endpoint
echo "Testing DBSubnet with service endpoint enabled..."
curl -I --connect-timeout 15 https://labstorage[unique].blob.core.windows.net/

# Verify successful access
if [ $? -eq 0 ]; then
    echo "✅ DBSubnet access successful via service endpoint"
else
    echo "❌ DBSubnet access still blocked"
fi

Expected Result: ✅ Access should now succeed from both subnets

Part 7: Advanced Testing and Verification

Step 1: Test Route Analysis

From AppVM, check network routing:

# Check route to storage account
$storageIP = (Resolve-DnsName labstorage[unique].blob.core.windows.net).IPAddress
Write-Host "Storage IP: $storageIP"

# Check routing table
route print -4

# Test tracert to storage
tracert $storageIP

Step 2: Monitor Service Endpoint Metrics

Navigate to ServiceEndpointLab-VNet
Click Metrics (if available)
Look for service endpoint specific metrics

Step 3: Test from Internet (Should Fail)

From your local machine, test public access:

# This should fail due to network restrictions
curl -I https://labstorage[unique].blob.core.windows.net/

Expected Result: ❌ Public internet access should be blocked

🔧 Troubleshooting Guide

Common Issues and Solutions

Issue	Possible Cause	Solution
Service endpoint not working	Configuration not propagated	Wait 2-5 minutes and retry
Access still blocked	Subnet not added to storage rules	Verify storage account virtual network rules
Intermittent failures	DNS caching	Clear DNS cache or wait
Both subnets blocked	Storage firewall not configured	Check “Selected networks” is enabled

Verification Checklist

Component	Expected State	Verification
AppSubnet	Service endpoint enabled	VNet → Subnets → AppSubnet
Storage Account	Network restrictions active	Storage → Networking
VNet Rules	Subnets added to allow list	Storage → Networking → Virtual networks
Access Pattern	VNet access only	Test from inside/outside VNet

🧪 Additional Experiments

Try these optional exercises to deepen your understanding:

Multiple Service Types: Enable service endpoints for SQL Database
Service Endpoint Policies: Implement granular service endpoint policies
Private Endpoints: Compare service endpoints vs private endpoints
Cross-VNet Access: Test service endpoints across peered VNets
Monitoring: Set up alerts for service endpoint usage

🎓 Key Takeaways

After completing this lab, you should understand:

Service Endpoints provide secure access to Azure PaaS services from VNets
Network traffic stays on the Azure backbone (no internet transit)
Subnet-level configuration determines service endpoint availability
Storage account network rules work in conjunction with service endpoints
Defense in depth combines network and service-level security
Service endpoints are free and provide better performance than internet routing