- NSGs are focused on traffic into and out of the virtual network
- Many Azure PaaS offerings have their own firewall capabilities to lock down access
- It is often required to restrict a service to only specific subnets of specific virtual networks
- Service Endpoints make a specific subnet known to a specific Azure service and provide an optimal path from that subnet to the service
- The virtual firewall on the service can then be configured to allow only that specific subnet
- Service Endpoint Policies allow only specific instances of a service to be reached from a virtual network, which is not possible with NSG service tags (a service tag covers the whole service, not individual instances)
Benefits
- Improved security: restrict Internet access to the service and allow access only from a specific subnet (point 3 above)
- Optimal routing for services
- An NVA (network virtual appliance) forces every Internet-bound flow through the same route
- With a Service Endpoint, traffic to the Azure service takes a different route
  - Direct traffic to MSFT
  - Uses the Azure backbone network
- Low maintenance/easy config
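As an added example (not from the original notes), the two halves of the mechanism in one Bicep template: the subnet declares the Service Endpoint, and the service's own firewall (here a storage account, with assumed names `vnet-app`, `snet-backend`, `stappdata001`) denies everything except that subnet.

```bicep
// Added example: Service Endpoint on a subnet + service firewall restricted to it.
// Resource names and address ranges below are assumptions for illustration.
param location string = resourceGroup().location
param vnetName string = 'vnet-app'
param subnetName string = 'snet-backend'
param storageAccountName string = 'stappdata001'

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: vnetName
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    subnets: [
      {
        name: subnetName
        properties: {
          addressPrefix: '10.0.1.0/24'
          // Step 1: make this subnet known to Azure Storage. Traffic from the
          // subnet to the service now goes directly to Microsoft over the
          // Azure backbone instead of following the default (NVA/Internet) route.
          serviceEndpoints: [
            { service: 'Microsoft.Storage', locations: [ location ] }
          ]
        }
      }
    ]
  }
}

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    // Step 2: the service's virtual firewall. 'Deny' is what actually restricts
    // access; with defaultAction 'Allow' the endpoint still changes routing
    // but the account stays reachable from anywhere.
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'AzureServices'
      virtualNetworkRules: [
        // Only the subnet that carries the Service Endpoint is allowed in.
        { id: vnet.properties.subnets[0].id, action: 'Allow' }
      ]
    }
  }
}
```

After deployment, the storage account's Networking blade should list only `snet-backend` under allowed virtual networks; a client outside that subnet gets an authorization failure even with valid credentials.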
references: