Azure Private Link, Private Link Service, Private Endpoint, Virtual Network Service Endpoint - what is the difference?
Dive into a clear breakdown of Azure's key network components. Grasp the distinctions between Private Link, Private Link Service, Private Endpoint, and Virtual Network Service Endpoint, streamlining your network choices.
As a DevOps engineer working extensively with Azure and Azure VNets, I've encountered numerous terms and buzzwords that can often lead to confusion. Among these are Azure Private Link, Azure Private Link Service, Private Endpoint, and Service Endpoint. I, too, found myself in a similar situation, where the documentation and online resources didn't provide clear explanations. To resolve this, I dedicated my time to thorough research and understanding. If you find yourself in the same boat, consider yourself fortunate to have stumbled upon the right place for comprehensive explanations and practical use cases. So, let's delve into each of these terms, demystify their meanings, and explore their respective applications.
Azure Private Link explanation
- Azure Private Link is a managed service in Azure (the Private Link Center) where you have various options and can control your Azure Private Endpoints, Azure Private Link Services, and so on.
<img src="https://assets-global.website-files.com/64d4f32bbf4bcd247875f1b1/653977d3c8de24acbcd9f056_privatelinkcenter.png" alt="private link center">
- Azure Private Link is also a concept that enables you to access Azure PaaS services (for example, Azure Storage and SQL Database) and Azure-hosted customer-owned/partner services in your virtual network. Traffic between your virtual network and the service travels over Microsoft's backbone network. You can think of Azure Private Link as a tunnel between your virtual network and the Azure resource.
You can find the services that support Azure Private Link here: https://learn.microsoft.com/en-us/azure/private-link/availability
Azure Private Link use case
The main use case of Azure Private Link is to create Azure Private Endpoints or Azure Private Link Services through the GUI. The term is also used to refer to the connection between your private service (e.g. an Azure Storage account) and your network.
Azure Private Endpoint explanation
In simple terms, an Azure Private Endpoint is just a private endpoint, or private IP, for your Azure PaaS service inside a virtual network.
To be more precise, a private endpoint is a network interface that uses a private IP address from your virtual network.
Azure Private Endpoint use case
So, when you deploy an Azure resource (e.g. Azure Storage, SQL Database) and want to hide it from the internet by placing it inside a private network, you create an Azure Private Endpoint for it. You can access that resource if you have access to that private network.
Azure Private Link service explanation
A Private Link Service is the service that you make available over a private connection to other business units or customers. The service sits behind an internal Azure Standard Load Balancer, and Private Link maps the Private Link Service IP to the load balancer's front end. Consumers reference the service through a private endpoint and reach it without ever touching the Internet.
To simplify, you can say that this is an Azure Private Endpoint "add-on", because it lets others access your privately deployed Azure resource without having access to your private network.
Azure Private Link service use case
You want to use an Azure Private Link Service when a customer has their own virtual network and you want to give them access to your privately deployed Azure resource.
Your customers can create a private endpoint inside their virtual network and map it to this service.
<img src="https://assets-global.website-files.com/64d4f32bbf4bcd247875f1b1/6539794d6146b402c939a2aa_privatelinkserviceusecase.png" alt="private link service diagram">
Credit - Microsoft Docs
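The provider side of the setup in the diagram, as an added Bicep example that is not from the original post. It assumes an existing internal Standard Load Balancer named lb-internal with a frontend fe-internal, a subnet snet-pls in vnet-provider with privateLinkServiceNetworkPolicies set to Disabled, and the customer's subscription ID passed as a parameter.

```bicep
// Added example (not from the original post). Assumes an existing internal
// Standard Load Balancer 'lb-internal' (frontend 'fe-internal') and a NAT
// subnet 'snet-pls' in 'vnet-provider' with privateLinkServiceNetworkPolicies
// set to 'Disabled'. All names are placeholders.
param location string = resourceGroup().location
param customerSubscriptionId string // assumption: the consumer's subscription

resource pls 'Microsoft.Network/privateLinkServices@2023-05-01' = {
  name: 'pls-myapp'
  location: location
  properties: {
    // The "service" is whatever sits behind this internal load balancer frontend
    loadBalancerFrontendIpConfigurations: [
      {
        id: resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', 'lb-internal', 'fe-internal')
      }
    ]
    // NAT IPs: consumer traffic reaches the backend from these addresses,
    // never from the consumer's own address space
    ipConfigurations: [
      {
        name: 'nat-ipconfig'
        properties: {
          primary: true
          privateIPAllocationMethod: 'Dynamic'
          subnet: {
            id: resourceId('Microsoft.Network/virtualNetworks/subnets', 'vnet-provider', 'snet-pls')
          }
        }
      }
    ]
    // Only the listed subscription can discover the service, and nobody is
    // auto-approved: each consumer private endpoint needs a manual approval
    visibility: { subscriptions: [ customerSubscriptionId ] }
    autoApproval: { subscriptions: [] }
    enableProxyProtocol: false
  }
}

// Hand the resource ID (or the alias) to the customer; they use it as
// privateLinkServiceId on a private endpoint in their own virtual network.
output privateLinkServiceId string = pls.id
output privateLinkServiceAlias string = pls.properties.alias
```

Keeping autoApproval empty means every consumer connection shows up as Pending on the service until you approve it, which is the point at which you verify who is asking.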
Azure Virtual Network Service Endpoints - explanation
Azure Virtual Network Service Endpoints were the first feature that Microsoft introduced to restrict access to Azure PaaS resources.
A Virtual Network (VNet) Service Endpoint provides secure and direct connectivity to Azure services over an optimized route across the Azure backbone network.
Service Endpoints work by enabling a subnet, or subnets, in your virtual network for the given service. Once this is done, you configure your Azure resource to accept traffic only from those subnets. There is no need for any IP filtering or NAT; you simply tell the Azure resource which VNet and subnet to allow traffic from. When Service Endpoints are enabled, the Azure resource sees traffic coming from your VNet's private IP rather than its public IP.
<img src="https://assets-global.website-files.com/64d4f32bbf4bcd247875f1b1/65397a55e16c51261f95c0d7_vnetserviceendpoint.png" alt="vnet service endpoint">
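The two steps just described, as an added Bicep example that is not from the original post: the subnet gets a Microsoft.Storage service endpoint and the storage account's network ACL denies everything except that subnet. The VNet name, address ranges and account name are assumptions.

```bicep
// Added example (not from the original post). Names and address ranges are
// assumptions; the storage account name must be globally unique.
param location string = resourceGroup().location

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-app'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [
      {
        name: 'snet-app'
        properties: {
          addressPrefix: '10.10.1.0/24'
          // Step 1: enable the endpoint on the subnet. Traffic to Storage from
          // here now leaves with the subnet's private IP as its source.
          serviceEndpoints: [ { service: 'Microsoft.Storage' } ]
        }
      }
    ]
  }
}

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: 'stappdata001' // placeholder
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    // The account keeps its public IP; only this ACL stops other callers.
    networkAcls: {
      defaultAction: 'Deny' // Step 2: drop everything ...
      bypass: 'None'
      ipRules: []
      // ... except traffic arriving through the service endpoint of this subnet
      virtualNetworkRules: [
        {
          id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, 'snet-app')
          action: 'Allow'
        }
      ]
    }
  }
}
```

A quick check after deployment is to read the account's networkAcls back and confirm defaultAction is still Deny; a later portal edit that flips it to Allow silently reopens the public endpoint.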
Azure Virtual Network Service Endpoint - use case
After reading this, it can be confusing what the use case of the Service Endpoint is in the first place, and what the differences are between a Service Endpoint and an Azure Private Endpoint/Azure Private Link Service, since they solve the same problem.
Service Endpoints are more straightforward and easier to set up than an Azure Private Endpoint/Azure Private Link Service. You can enable Service Endpoints with a couple of clicks in the portal, and there is no requirement for any additional services.
When you implement an Azure Private Endpoint/Azure Private Link Service, you will probably want to set up DNS within the private network. You can read about that here. That adds considerably more complexity. Of course, you can do without deploying DNS, but you will probably want it if you have a bigger architecture.
Other than complexity, Azure Private Endpoint/Azure Private Link Service is superior to Service Endpoints in nearly every other way. If you can set this up, and your service supports it, then I would recommend you use Azure Private Endpoint/Azure Private Link Service over Service Endpoints. In particular, with Azure Private Endpoint/Azure Private Link Service you can:
- Join your PaaS resource to your VNet and give it a private IP
- Ensure traffic stays within your virtual network
- Limit your egress to only your specific PaaS services and prevent data leakage
- Support access from on-premises and peered networks
- Connect to resources across regions and even Azure AD tenants
For most people, whose primary concern is the security and restriction of access to their PaaS resources, Azure Private Endpoint/Azure Private Link Service is going to be the better choice. At this point, I would be surprised to see the list of resources that support Service Endpoints grow beyond what is already available, with most PaaS resources looking to release an Azure Private Endpoint/Azure Private Link Service offering.
Useful links regarding this topic