Skip to main content
This lesson explains Azure Virtual Network Service Endpoints and shows how to add them to a subnet. Azure Virtual Network Service Endpoints enable resources inside your virtual network (VMs, App Services, AKS nodes, etc.) to connect to specific Azure platform services—such as Storage, SQL Database, and Cosmos DB—over the Microsoft Azure backbone. This keeps traffic off the public internet, reduces exposure, and lets you lock down service access to particular subnets. What you will learn:
  • What a Service Endpoint is and how it works
  • How to add Service Endpoints to a subnet
The image shows a slide titled "Learning objectives" with two points: understanding what a Service Endpoint is and adding Service Endpoints to a subnet.
By the end of this lesson you’ll be able to securely access Azure platform services from within your virtual network and restrict those services to chosen subnets.
Service Endpoints extend your VNet identity to supported Azure services so you can apply service-level network restrictions (for example, firewall rules or resource-level access) scoped to one or more subnets.

What is a Service Endpoint?

A Service Endpoint is a virtual network-level feature that provides secure, direct connectivity from a subnet to specific Azure platform services over the Azure backbone network. When a Service Endpoint is enabled on a subnet, traffic between resources in that subnet and the Azure service stays on Microsoft’s network rather than traversing the public internet. Core characteristics:
  • Uses the Azure backbone for traffic between your VNet and supported Azure services.
  • Lets you configure service-level firewall rules to allow traffic only from selected subnets.
  • Is configured per-subnet and per-service type (for example, Microsoft.Storage).

Why use Service Endpoints?

  • Improved security: traffic does not leave the Microsoft network.
  • Access control: restrict Azure service access to specific subnets or VNets.
  • Simplicity: minimal changes to application code; works with existing public endpoints but enforces subnet-based access control.
  • Lower latency and improved reliability compared to internet paths.
Service Endpoints do not assign private IPs to Azure services. If you need private connectivity with private IP addresses (for full network isolation), use Azure Private Endpoint instead.

Supported services (examples)

For a complete and up-to-date list of supported services, see the official Azure documentation: Virtual network service endpoints documentation.

How to add a Service Endpoint to a subnet

You can enable Service Endpoints using the Azure portal, Azure CLI, PowerShell, or an ARM/Terraform template. Enabling is done at the subnet level and is scoped to one or more service types. Examples:
  • Azure CLI
  • Azure PowerShell
  • ARM template snippet (enable storage service endpoint on a subnet)

Post-configuration steps

  1. On the target Azure service (for example, a storage account), set the network/firewall rules to allow access from the VNet/subnet. For Storage Accounts, add the VNet/subnet under the “Firewalls and virtual networks” settings.
  2. Validate connectivity from a VM or resource within the subnet to the service endpoint.
  3. Monitor traffic and logs to confirm traffic is flowing over the Azure backbone.

Quick comparison: Service Endpoint vs Private Endpoint

References

This completes the introduction. Next, we’ll walk through a hands-on example of enabling a service endpoint for Storage on a subnet and configuring the Storage Account firewall to accept only that subnet.

Watch Video