Azure Service Endpoint and Private Endpoint Overview and Configuration

Captions
In this video I go over virtual network private endpoints and service endpoints. Hello everyone, I'm Travis and this is Ciraltos. Public cloud services are great, but there are times when you want data in the cloud to be a little less, well, public. That's what service endpoints are for: they limit public access to some Azure services to a VNet or a subnet. Before that, I'd like to remind you to subscribe and click the like button if you enjoy the videos. Don't forget the bell icon to get notifications of new content, and thank you for subscribing.

Let's start with service endpoints. Access can be restricted to a virtual subnet or public IP. Let's use a storage account as an example. By default, storage accounts are accessible by the public Internet. The goal then would be to block access to only allow traffic from a subnet or a resource on an on-premises network. A subnet is selected when enabling service endpoints. The routing table on the subnet is updated to route traffic to the service endpoints before routing to the Internet. Traffic from the subnet can access the storage account by its external IP address; traffic flows over the Azure network, not the public Internet. At that point all other traffic is blocked to the storage account. There's a firewall for the storage account, so for example an external IP address or a range of addresses can be added to allow access to the resource. If you have ExpressRoute, you can allow the NAT IP address of the ExpressRoute through the firewall to gain access that way.

Here are some key points for a service endpoint. It maintains a public IP address; the service does not get a private IP address. The service endpoint is accessible by Microsoft DNS; because the IP address hasn't changed, DNS stays the same. It's not available from private on-premises networks. For example, you may want to access a service endpoint over a site-to-site VPN with private IPs. That won't work, because there's no private IP assigned to the service endpoint. You can however add your organisation's public IP to the firewall and allow access to the resource that way. Service endpoints are available with the services listed on the screen.

Private endpoints accomplish a similar task but work differently. With private endpoints, a virtual network interface is added to the resource that connects to the VNet. The network interface has a private IP address and behaves similar to other network devices on the network. Because the private endpoint exists on the VNet with a private IP, on-premises devices connected with a VPN or ExpressRoute can access that resource over the private connection. The storage firewall can block all or limit access to the storage account from the public network.

Here are some key points on private endpoints. All public access to the storage account can be blocked by the storage firewall. Internal Azure DNS resolves the storage account hostname to the private IP address; external DNS resolves to the public IP. Network security groups are not applied to the private endpoint's network interface; outbound network security group rules can be applied to other network resources to block traffic to the private endpoint if needed. Here is a list of services that are available for private endpoints. Also remember that private endpoints are currently in public preview.

Let's see this in action. The demo starts out with a VM on a subnet in an existing VNet. There are two storage accounts configured, one to use for the service endpoint and one for the private endpoint demo. This demo goes over setting up a service endpoint and verifying access, then a private endpoint and access. Along the way we configure custom DNS settings on a Windows DNS server and block public access to a private endpoint storage account.

OK everyone, here I am at my portal and I'm just going to go through and show what I'm doing. I'm going to start with a subnet, so I'll go to my network resource group, go to VNets and subnets. I'm going to add a service endpoint to the subnet, this one here called endpoints, and I just want to show that currently there are no service endpoints configured. Next I'll go back to endpoints. I've got a resource group here with all my resources that I'll use during this. I've got a virtual machine, and that's connected to that endpoint subnet we just looked at, and then two storage accounts: one is for the private endpoint test, the other one is for the service endpoint test. I've also got the machine that I'm recording on; it's behind a public IP that's not part of the VNet.

So the first thing I'm going to do is go to storage accounts and I'm going to go to the service endpoint one. So this is a storage account I'll use for service endpoints. Next I'm going to connect to the storage account from both machines, one on the VNet and the one off the VNet. So let's go to access keys and I'll copy the account name. This is Azure Storage Explorer; I'm going to use that to test connectivity. This is on my local machine, not connected to the VNet. So I'm going to attach the storage account, and I'll use name and key. I'll paste that name in; I'll use that for the account name and the display name. Next I'll come back and grab the key, I'll paste the key in and connect. And here I can go in and I can see there's a test or a temp directory in this file share, so that's working. I can connect to that storage account from outside the VNet with no problem.

Now I'm back on the machine that is attached to the VNet and I'm going to do the same thing. I'm just going to connect to that same storage account using the storage account name and key. I already have the key copied, so I'm just going to paste that in first, and I'll come back here and grab the storage account name. OK, so now I'm connected to the same storage account. Again, this is testing service endpoints from a virtual machine connected to the VNet and a computer accessing by a public IP address.

Now let's enable service endpoints. So I'm going to go back to the portal and go to firewalls and virtual networks, and I'll select a network. I'm going to add an existing network; this is what will create the service endpoint. So I'm selecting my subscription, and notice if you had access to more than one subscription it would show up here. I'm going to select the VNet; I only have one in this region. And you can see I can add multiple subnets; I'm just going to add this endpoints subnet, and I'll enable that. That will enable service endpoints for that subnet, and I'll click Add and then Save. Keep in mind that creating service endpoints on a subnet has to update the routing table and may cause a disruption on any active connections within that subnet.

So now that's done, let's go back to Storage Explorer on my local machine that's not attached to that subnet. If I refresh and go to file shares, I get an error message right away. If I go to tables I get the same message. So I'm denied access to that storage account from a machine that's connecting over the Internet. Next let's go back to the virtual machine that's attached to the VNet we just enabled service endpoints on, and here if I refresh I still have access. So with service endpoints I'm only allowed to access that storage account from the subnets I've selected. I'm using a storage account in this example, but it would work the same way with SQL Server or any other service that's supported for service endpoints.

But what if there's a case where you did want a machine or a group of machines to access that from over the Internet? For example, maybe somebody needs to access it from your corporate network. I'm going to go back to my local machine and go to ipchicken.com; this site simply gives me the current external IP address the machine is accessing from. So I'll copy that and add that as an IP address, and you can see here it has that IP address defined already. You can add a single IP address to this or multiple using blocks of IP addresses. So now I click Save, and I'll come back to Storage Explorer that's installed locally on my machine and do a refresh, and now I have access again.

Now let's go back to the portal and go to virtual networks. I'll select the VNet, then subnets; that endpoints subnet is where that virtual machine was installed, and now it's showing that Microsoft.Storage is a service endpoint on this VNet. So the way this works is access to that machine's public IP address is only allowed by defined subnets or by public IP addresses that are allowed through the firewall. Access to that storage account is still going to the public IP address though; there's no private IP address defined for that resource. For that we need private endpoints. Let's do that next.

I'm going to go back to my resource groups and we'll go to the endpoints resource group that I have set up for this test, and here you can see I have cirprivateendpoint; this is the storage account I'm using to test private endpoints. So next let's connect both of those instances of Storage Explorer to the storage account. So I'm going to need keys and the storage account name, so I'll grab the storage account name. First up I'm just going to get rid of this one; I just detached the service endpoint storage account we were just using. And now I'll add a new one, and this will be the private endpoint storage account we're going to use next, and I'll go get that key and connect. So just like the other one, I have a test share and I can access that outside of the VNet from a public network.

So now I'm connected to the virtual machine that's attached to the endpoint subnet, and I'm going to disconnect the service endpoint storage account we were just using. Next I'll attach the private endpoint storage account, again with storage account name and key. I still have that key copied to the clipboard, so I'll paste that in, and I'll come back to the portal and get the account name. Here you can see it's the same account on two different machines.

Next let's configure the private endpoint. Go back to the Azure portal, and we're in the cirprivateendpoint storage account, and this time we're going to private endpoint connections and we'll add a private endpoint. I'll leave the subscription as it is and endpoints as it is. I'll give it a name and change the region to Central US. So that's the name of the private endpoint. Now it's asking for the resource, and I'm going to connect to an Azure resource in my directory. I'll select the resource type of storage accounts; I'm going to select a storage account, and here is cirprivateendpoint, that's the one that I want. And the target sub-resource will be file. Notice that there's a sub-resource for each resource type on that storage account; if I wanted to set up a private endpoint for, let's say, blob, queue and file, I'd have to come in here three times and create each one separately. So I'm just going to do file. Next, configuration. I'm adding it to the endpoint subnet I created just for this test. Leave private DNS as it's configured; we'll come back to that in just a second. Next we'll go to tags, then review and create, and create. This will take a minute or two to finish.

OK, the deployment is complete. Now let's see what that did. If we go back to resource groups and go into the resource group I'm working out of, endpoints, we can see we have a couple of new resources in here. We have a private endpoint network interface and a privendpoint1, which is the private endpoint we created. If we go into that we can see some details. First I'm going to point out this fully qualified domain name, and notice that's pointing to an internal IP address, 10.0.205.6. That's the subnet this endpoint is connected to; it's also the subnet that the virtual machine I'm testing on is connected to. And if we go back and look at that network interface we can see its IP configuration.

Next I'm going to go to virtual networks. I'm going to go to the VNet and DNS servers. This is the VNet it's connected to, and notice I have private IP addresses listed for my custom DNS servers. With the default Azure-provided DNS, when you resolve the storage endpoint URL from outside the VNet with the private endpoint, it resolves to the public IP address of the storage service. When resolved from the VNet hosting the private endpoint, the storage endpoint URL resolves to the private endpoint IP address. So in a nutshell, if you're outside the VNet it resolves to the public IP address; if you're inside the VNet it resolves to that private IP address.

So let's give that a try, because we have a machine that's both inside and outside of that VNet. So I'll start with the machine that's outside the VNet, and if I do an nslookup to that storage endpoint, here it's coming back with that public IP address, 52.230.240.76. That's exactly what I'd expect. Next let's go to the machine that's inside the VNet. Here I am on the machine that is inside the VNet, and I'm going to run that same command, nslookup, and type in the endpoint name, and that also is resolving to the external IP address, and that is a problem. The reason it's doing this is because I'm using non-default DNS settings. The DNS server on this machine is pointed at a domain controller, which is resolving that hostname through the normal external process and returning an external IP address. But there is an easy way to fix this with Windows DNS.

I'm going to go to the DNS server. So here I am on the domain controller that's hosting DNS. I'm going to go into DNS and I'm going to create a new forward lookup zone. I'll click Next; it's going to be a primary zone, replicated to all servers, and I'll add the private link zone name for this zone. Before I click Next, let me point out one other thing. I'm going to go into the command window and run that nslookup command again, and you notice not only does it return the address, it also returns two aliases. The first one is the domain name we entered; the second one is this cirprivateendpoint.privatelink.file.core.windows.net. That's the alias we're going to use to resolve the domain name to a private IP address. So I'll come back to my zone and I'll click Next; dynamic updates are fine, just go through this. So now I have the privatelink.file.core.windows.net zone on my DNS servers.

Next we'll add the host with the private IP address. So I'll add a new host; the name is cirprivateendpoint, that's the name of the storage account. Next we need to find the IP address; I forgot what that was, so let's go back to the portal. Here's the network interface for the private endpoint, and there's the IP address, so I'll just copy that to the clipboard, come back to the DNS server, paste that in and add the host. Let's test that out. I'm going to go back to the server that's attached to this VNet that was resolving to the external IP address. First I'm going to run ipconfig /flushdns to clear out the cache, and then run the nslookup command again. There we go, now it's resolving the hostname to the private internal IP address. You shouldn't have to do that if you leave your DNS settings at default, but if you're using a custom DNS server (a domain controller in my example) you will have to update that also.

And this is important: you need to do the same for other private links as well. This worked for file services, but you'd also need to add web for static websites, or blob for blob storage, or database for SQL Server private endpoints. Although I don't have another private endpoint to configure, I'm going to add blob private endpoint DNS information just so you can see how that would look. So if I go back to the DNS server, I'm going to add another zone. We'll click Next, everything's default, then when I get to the zone name I have to add the private link zone for blob storage. Next I need to find that zone name for blob storage, so I'm going to hop over to my portal and then open up a new link. I'll include this link in the notes below for reference, but here we can see all of the private zone names that need to be added to the DNS server when using a private DNS server. So you can see here for blob it's privatelink.blob.core.windows.net, so I'll just copy that, go back to the DNS server, paste it in and click Next to finish. So now I have those two zones. From here I'd add the hostname for any private endpoint blob storage I may have configured. And the unfortunate part is this would have to be set up for each private link type, and the host record has to be added manually.

So now that that's configured, let's go back to the server. This machine is resolving cirprivateendpoint.file.core.windows.net to the 10.0.205.6 internal IP address, and if I do a refresh I still have access. Next I'll go to the machine that's not connected to the VNet and I'll run that nslookup command again, and it's still resolving to the external IP address. Now if I go to Storage Explorer on that machine that's not attached to the VNet, I can do a refresh and see that it is connecting. One of the reasons you may be doing a private endpoint is to prevent machines outside of the VNet from accessing that resource, so let's prevent that next.

I'm going to go back to the portal and I'll find my storage account, cirprivateendpoint. I'm going to go to firewalls and virtual networks and I'm going to allow access from selected networks. Now I'll just save this. So basically this is telling it to allow access from the networks we selected, and we haven't selected any. So now if I go back to Storage Explorer on the machine that's not on the VNet and do a refresh, I get an error when I try to access the file share. Next let's go back to the machine that's connected to the VNet; I'll do a refresh, and here we can still access it.

I have one more thing to test. I have a site-to-site VPN connection between my home lab and this VNet. I should be able to access the storage account from one of my machines in my home lab, so let's give that a try. First let's run ipconfig /flushdns; that will clear out anything in the cache, and then we'll run the nslookup command against that storage account. That's what I expected: we got the private IP address in return. Next let's go to Storage Explorer and attach that storage account. We'll attach an account, we'll use storage account name and key, give it the display name, and I need to grab that key. So I'll go back to the portal and go into that storage account, access keys, and copy that key to the clipboard, and we'll paste it in and connect. So it's successfully added the connection, and we can test the account. And let's just look at this URL: we can see the URL is cirprivateendpoint.file.core.windows.net, and that URL is resolving to 10.0.205.6, and I'm on a machine on a different subnet. So this does allow me to access the storage account over a VPN connection. This is unlike the service endpoint, which could only be scoped at the subnet level.

That's it for the demo. We created a service endpoint and we allowed public IP addresses through the firewall to that service endpoint. Then we created a public endpoint that allowed traffic from the VNet. We configured the firewall to block external traffic and tested it out over the site-to-site VPN connection to verify it works as expected. Thanks for watching, I hope you found this video helpful. Please don't forget to subscribe, like and click the bell icon for notifications of new content. Thank you.
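The portal steps from the demo, scripted with the Az and DnsServer PowerShell modules, as an added example that is not part of the video. The resource group and the cirprivateendpoint account name are the ones the demo uses; the VNet name, the service-endpoint account name and the corporate public IP are placeholders, and it assumes the Az module where the Azure steps run and the DnsServer module on the Windows DNS server.

```powershell
# Added example (not from the video). Replace the placeholder names before use.
$rg       = 'endpoints'            # resource group used in the demo
$vnet     = 'lab-vnet'             # placeholder VNet name
$subnet   = 'endpoints'            # subnet that gets the endpoints
$saSvc    = 'cirserviceendpoint'   # placeholder: service endpoint test account
$saPriv   = 'cirprivateendpoint'   # storage account named in the demo
$officeIp = '203.0.113.10'         # placeholder corporate public IP (TEST-NET-3)

# --- 1. Service endpoint: tag the subnet, then lock the storage firewall to it ---
$vn = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnet
$sn = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vn -Name $subnet
# Adding the endpoint rewrites the subnet route table; expect a brief disruption.
# Network policies are disabled so NSGs do not apply to the private endpoint NIC (step 2).
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vn -Name $subnet `
    -AddressPrefix $sn.AddressPrefix -ServiceEndpoint 'Microsoft.Storage' `
    -PrivateEndpointNetworkPoliciesFlag 'Disabled' | Out-Null
$vn = Set-AzVirtualNetwork -VirtualNetwork $vn
$sn = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vn -Name $subnet

# Default Deny, then allow only the subnet and (optionally) one corporate public IP.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $saSvc -DefaultAction Deny | Out-Null
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $saSvc -VirtualNetworkResourceId $sn.Id | Out-Null
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $saSvc -IPAddressOrRange $officeIp | Out-Null

# --- 2. Private endpoint for the 'file' sub-resource (one endpoint per sub-resource) ---
$sa   = Get-AzStorageAccount -ResourceGroupName $rg -Name $saPriv
$conn = New-AzPrivateLinkServiceConnection -Name 'privendpoint1-conn' `
    -PrivateLinkServiceId $sa.Id -GroupId 'file'
$pe = New-AzPrivateEndpoint -ResourceGroupName $rg -Name 'privendpoint1' `
    -Location $vn.Location -Subnet $sn -PrivateLinkServiceConnection $conn
# Block all public access; traffic arriving via the private endpoint is not subject to this.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $saPriv -DefaultAction Deny | Out-Null

# Read the endpoint NIC's private IP; the DNS A record below must point here.
$nic  = Get-AzNetworkInterface -ResourceId $pe.NetworkInterfaces[0].Id
$peIp = $nic.IpConfigurations[0].PrivateIpAddress

# --- 3. Custom Windows DNS: host the privatelink zone and add the host record (run ON the DNS server) ---
# nslookup shows the alias <account>.privatelink.file.core.windows.net; a custom DNS server
# forwards it to the public answer unless it hosts that zone itself.
$zone = 'privatelink.file.core.windows.net'   # blob: privatelink.blob.core.windows.net, etc.
if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $zone -ReplicationScope 'Forest'
}
Add-DnsServerResourceRecordA -ZoneName $zone -Name $saPriv -IPv4Address $peIp

# --- 4. Verify from a VM on the VNet or a VPN-connected host ---
Clear-DnsClientCache
$answer = (Resolve-DnsName "$saPriv.file.core.windows.net" -Type A |
           Where-Object Type -eq 'A').IPAddress
if ($answer -eq $peIp) { "OK: $saPriv resolves to private IP $answer" }
else { "PROBLEM: $saPriv resolves to $answer; custom DNS is still returning the public address" }
```

Steps 1 and 2 run wherever the Az module is signed in, step 3 on the Windows DNS server, and step 4 on the machine whose resolution you want to check.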
Info
Channel: Travis Roberts
Views: 25,844
Keywords: Azure, VNet, Networking, Security, cloud security, storage account, storage, private endpoint, service endpoint, cloud, cloud computing, sysadmin, Nslookup SQL server, azure sql, VPN, sit to site, tutorial, learning, az103, Microsoft, DNS, DNS Forward, DNS Private Zone, custom DNS Server, Private Endpoint DNS
Id: HbVCi2NcKyU
Length: 24min 15sec (1455 seconds)
Published: Sun Feb 23 2020