
Azure Endpoint parsing

2025-01-14 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

Today, let's discuss the function of endpoints in Azure virtual networks. Many blogs have already explained what a virtual network is, and readers who are familiar with cloud platforms need no further introduction. Different cloud vendors use different terms for it, but it is essentially the same thing: AWS and Alibaba Cloud call it a VPC, while Azure calls it a Virtual Network.

Azure virtual networks allow many types of Azure resources, such as Azure virtual machines (VMs), to communicate securely with each other, with the Internet, and with on-premises networks. A virtual network is scoped to a single region; however, virtual networks in different regions can be connected using virtual network peering.

Azure resources can securely communicate with each other in one of the following ways:

Through virtual networks: VMs and several other types of Azure resources can be deployed into virtual networks, such as Azure App Service Environments, Azure Kubernetes Service (AKS), and Azure virtual machine scale sets.

Through virtual network service endpoints: the private address space and identity of the virtual network are extended to Azure service resources, such as Azure storage accounts and Azure SQL databases, over a direct connection. Service endpoints let you lock down critical Azure service resources so that they accept access only from your own virtual networks.

You can use any combination of the following options to connect on-premises computers and networks to a virtual network:

Point-to-site virtual private network: establishes a connection between the virtual network and a single computer. Each computer that wants to connect to the virtual network must configure its own connection. This connection type is suitable for individuals or developers who are just starting out with Azure, because it requires little or no change to the existing network. Communication between the computer and the virtual network is sent through an encrypted tunnel over the Internet.

Site-to-site: establishes a connection between an on-premises VPN device and an Azure VPN gateway deployed in the virtual network. This connection type lets any authorized on-premises resource access the virtual network. Communication between the on-premises device and the Azure gateway is sent through an encrypted tunnel over the Internet.

Azure ExpressRoute: establishes a connection between your network and Azure through an ExpressRoute partner. This is a private connection; traffic does not traverse the Internet.

That is a basic introduction to Azure virtual networks. Note that one of the ways Azure resources communicate with each other is through something called an endpoint. So what is this endpoint? That is today's topic.

First, some background on endpoints.

Virtual network (VNet) service endpoints extend the private address space and identity of a VNet to Azure services over a direct connection. Using endpoints protects critical Azure service resources by allowing access to them only from the customer's own virtual network. Traffic from the VNet to the Azure service always stays on the Microsoft Azure backbone.

At present, the main services that support endpoints are as follows:

Azure Storage: generally available in all Azure regions.

Azure SQL Database: generally available in all Azure regions.

Azure SQL Data Warehouse: generally available in all Azure regions.

Azure Database for PostgreSQL servers: generally available in the Azure regions where the database service is available.

Azure Database for MySQL servers: generally available in the Azure regions where the database service is available.

Azure Cosmos DB: generally available in all Azure public cloud regions.

Azure Key Vault: generally available in all Azure public cloud regions.

Azure Service Bus: generally available in all Azure public cloud regions.

Azure Event Hubs: generally available in all Azure public cloud regions.

So what are the advantages of endpoints?

The main points are as follows:

Improved security for Azure service resources: VNet private address spaces may overlap, so they cannot be used to uniquely identify traffic originating from a VNet. By extending the VNet identity to the service, service endpoints let you limit access to Azure service resources to your virtual network. After you enable a service endpoint in a virtual network, you can secure the Azure service resource by adding a virtual network rule to it. This removes public Internet access to the resource entirely and allows only traffic from your own virtual network, thereby improving security.

Because virtual network IP addresses are not necessarily unique, controlling inbound and outbound traffic by IP address is error-prone; and because the IP addresses of PaaS services change frequently, they cannot be controlled reliably by IP address at all. Endpoints are therefore a very convenient mechanism: you can directly allow or block traffic to specific PaaS services through the endpoint. This is a very effective complement to IP-based rules.

Optimal routing of Azure service traffic from a virtual network: currently, any route in a virtual network that forces Internet traffic through on-premises and/or virtual appliances (known as forced tunneling) also forces Azure service traffic to take the same route as Internet traffic. Service endpoints provide optimal routing for Azure traffic.

Endpoints always route service traffic directly from the virtual network to the service on the Microsoft Azure backbone. Keeping service traffic on the Azure backbone lets you continue to audit and monitor outbound Internet traffic from the virtual network through forced tunneling, without affecting service traffic.

By default, when an Azure VM accesses a PaaS service such as Azure SQL through its public IP, the traffic first goes outbound to the Internet and then to the PaaS service, so it appears to take a detour through the public network. These accesses actually still occur within the Azure data center, but the PaaS service really is reached only after the traffic goes outbound to the Internet. So what changes after an endpoint is enabled? A separate route to the PaaS service is added; when the PaaS service is accessed, traffic goes directly to it instead of going outbound to the Internet first.

In practice, for example, when accessing Azure SQL from an Azure VM:

Endpoint not enabled: the client IP you see in Azure SQL will be a public IP.

Endpoint enabled: the client IP you see in Azure SQL will be a private IP.

Simple setup with less administrative overhead: reserved public IP addresses in the virtual network are no longer needed to protect Azure resources through an IP firewall. Service endpoints can be set up without NAT or gateway devices. You can configure a service endpoint with a single click on the subnet. There is no additional overhead for maintaining endpoints.

Similar to the first point: with endpoints turned on, security control is much more convenient.

Of course, endpoints have some limitations of their own, such as:

This feature applies only to virtual networks deployed using the Azure Resource Manager deployment model.

Endpoints are enabled on a subnet configured in an Azure virtual network. Endpoints are not available for traffic sent from on-premises to Azure services.

For Azure SQL, the service endpoint applies only to Azure service traffic within the virtual network's region. For Azure Storage, to support RA-GRS and GRS traffic, the endpoint also extends to the paired region of the region in which the virtual network is deployed.

For ADLS Gen 1, the VNet integration feature applies only to virtual networks in the same region.

After all that, you may still have only a vague idea of what an endpoint does.

Here is a practical example. Suppose there is a requirement to block all outbound traffic from a VM to the Internet, leaving only traffic to Azure SQL or Azure Database for MySQL.

This kind of rule is implemented with an NSG, so how should the rules be set?

First, let's look at the basic environment. The experiment uses the following Azure components:

Azure VM x 1: EndpointVM

Azure SQL x 1: EndpointSQL

Step 1: create the VM.

Step 2: create the Azure SQL database.

Note that Azure SQL has a setting called "Allow access to Azure services".

What does this mean? We can find out through an experiment.

The following is a server on my local network. When it connects to Azure SQL through a client tool, you can see that its IP is not on the whitelist.

However, when the connection is tested through SSMS in the Azure VM, it is found that you can access the

Test again after turning off the "Allow access to Azure services" option.

Access again from the Azure VM.

This time you will find that access is no longer possible.

So in fact, when the "Allow access to Azure services" option is enabled, an Azure VM does not need to be added to the whitelist to access the Azure SQL server.

Test again with "Allow access to Azure services" enabled, while denying all outbound traffic in the network security group.

With the option enabled but all outbound traffic restricted, the access test fails with a timeout.

In other words, enabling "Allow access to Azure services" only means you no longer have to whitelist IP addresses individually. The traffic does not take a private path; it still goes over the public network, and it is let through only because the source IP during the test belonged to Azure. That is different from enabling an endpoint.

Turn off the "Allow access to Azure services" option.

Then add the endpoint.

You can see that the endpoint has been added successfully.

Then add the virtual network rule.

Test again: still unable to access.

Add an NSG rule allowing outbound traffic to Azure SQL.

Test again

The connection succeeds.

So, to sum up: with endpoints you can easily control IaaS VMs' access to PaaS services.
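The steps of the experiment, carried out with the Azure CLI instead of the portal, as an added example that is not part of the original article. The resource group, virtual network, subnet and NSG names are assumptions, and the server name `endpointsql` stands for the article's EndpointSQL (Azure requires lowercase server names). The "Allow access to Azure services" switch is the firewall rule named AllowAllWindowsAzureIps, so turning it off means deleting that rule; the NSG part uses the `Sql` service tag so the allow rule does not depend on Azure SQL's changing IP addresses, which is the point the article makes about IP-based rules.

```shell
#!/bin/sh
# Added example (not from the original article): configure an Azure SQL service
# endpoint plus NSG rules so EndpointVM can reach Azure SQL only through the endpoint
# while every other Internet-bound flow is denied. Resource names are assumptions;
# set DRY_RUN=1 to print the az commands instead of running them.
set -eu

RG="${RG:-EndpointRG}"                    # assumed resource group
VNET="${VNET:-EndpointVNet}"              # assumed virtual network
SUBNET="${SUBNET:-default}"               # assumed subnet holding EndpointVM
NSG="${NSG:-EndpointNSG}"                 # assumed NSG attached to that subnet
SQL_SERVER="${SQL_SERVER:-endpointsql}"   # article: EndpointSQL; Azure requires lowercase names

# $AZ is expanded unquoted on purpose so that "echo az" splits into two words in dry-run mode.
if [ "${DRY_RUN:-0}" = "1" ]; then AZ="echo az"; else AZ="az"; fi

# Step 1: turn off "Allow access to Azure services". In the firewall-rule API that switch
# is the rule AllowAllWindowsAzureIps (range 0.0.0.0-0.0.0.0), so deleting it disables it.
disable_allow_azure_services() {
  $AZ sql server firewall-rule delete \
    --resource-group "$RG" --server "$SQL_SERVER" --name AllowAllWindowsAzureIps
}

# Step 2: enable the Microsoft.Sql service endpoint on the VM's subnet.
enable_sql_endpoint() {
  $AZ network vnet subnet update \
    --resource-group "$RG" --vnet-name "$VNET" --name "$SUBNET" \
    --service-endpoints Microsoft.Sql
}

# Step 3: add the virtual network rule on the SQL server so only that subnet is admitted.
add_vnet_rule() {
  $AZ sql server vnet-rule create \
    --resource-group "$RG" --server "$SQL_SERVER" --name "allow-$SUBNET" \
    --vnet-name "$VNET" --subnet "$SUBNET"
}

# Step 4: NSG outbound rules. The Sql service tag covers Azure SQL's addresses, so the
# allow rule (lower priority number wins) is evaluated before the catch-all Internet deny.
add_nsg_rules() {
  $AZ network nsg rule create \
    --resource-group "$RG" --nsg-name "$NSG" --name AllowSqlOutbound \
    --priority 100 --direction Outbound --access Allow --protocol Tcp \
    --source-address-prefixes VirtualNetwork --source-port-ranges '*' \
    --destination-address-prefixes Sql --destination-port-ranges 1433
  $AZ network nsg rule create \
    --resource-group "$RG" --nsg-name "$NSG" --name DenyInternetOutbound \
    --priority 4000 --direction Outbound --access Deny --protocol '*' \
    --source-address-prefixes '*' --source-port-ranges '*' \
    --destination-address-prefixes Internet --destination-port-ranges '*'
}

apply_all() {
  disable_allow_azure_services
  enable_sql_endpoint
  add_vnet_rule
  add_nsg_rules
}

# Run only when invoked with "apply", so sourcing the file for review has no side effects.
if [ "${1:-}" = "apply" ]; then apply_all; fi
```

Order matters the way the article found it: after steps 1 to 3 the VM still cannot connect, because the NSG deny rule blocks the flow; step 4's allow rule for the `Sql` tag is what makes the connection succeed, and the client address Azure SQL then reports is the VM's private IP. To narrow the allow rule further, the regional form of the tag (for example `Sql.EastUS`) can replace `Sql`.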
