- What a Service Endpoint is and how it works
- How to add Service Endpoints to a subnet

Service Endpoints extend your VNet identity to supported Azure services so you can apply service-level network restrictions (for example, firewall rules or resource-level access) scoped to one or more subnets.
What is a Service Endpoint?
A Service Endpoint is a virtual network-level feature that provides secure, direct connectivity from a subnet to specific Azure platform services over the Azure backbone network. When a Service Endpoint is enabled on a subnet, traffic between resources in that subnet and the Azure service stays on Microsoft’s network rather than traversing the public internet. Core characteristics:- Uses the Azure backbone for traffic between your VNet and supported Azure services.
- Lets you configure service-level firewall rules to allow traffic only from selected subnets.
- Is configured per-subnet and per-service type (for example,
Microsoft.Storage).
Why use Service Endpoints?
- Improved security: traffic does not leave the Microsoft network.
- Access control: restrict Azure service access to specific subnets or VNets.
- Simplicity: minimal changes to application code; works with existing public endpoints but enforces subnet-based access control.
- Lower latency and improved reliability compared to internet paths.
Service Endpoints do not assign private IPs to Azure services. If you need private connectivity with private IP addresses (for full network isolation), use Azure Private Endpoint instead.
Supported services (examples)
For a complete and up-to-date list of supported services, see the official Azure documentation: Virtual network service endpoints documentation.
How to add a Service Endpoint to a subnet
You can enable Service Endpoints using the Azure portal, Azure CLI, PowerShell, or an ARM/Terraform template. Enabling is done at the subnet level and is scoped to one or more service types. Examples:- Azure CLI
- Azure PowerShell
- ARM template snippet (enable storage service endpoint on a subnet)
Post-configuration steps
- On the target Azure service (for example, a storage account), set the network/firewall rules to allow access from the VNet/subnet. For Storage Accounts, add the VNet/subnet under the “Firewalls and virtual networks” settings.
- Validate connectivity from a VM or resource within the subnet to the service endpoint.
- Monitor traffic and logs to confirm traffic is flowing over the Azure backbone.
Quick comparison: Service Endpoint vs Private Endpoint
References
- Azure Virtual Network service endpoints overview
- Configure service endpoints for Azure Storage
- Azure Private Endpoint vs Service Endpoint