Azure Virtual Network and PaaS Network Controls 

Sir John, I have seen hours and hours of your content by now and have also spent considerable amount of time on videos by other creators. Not to negate others' work but in my humble opinion, you have a special gift when it comes to explaining the concepts. For students and IT professionals looking for training in Azure, you are really doing God's work. Thank you

Thank you very much for the video John. As I always say: You are saving us to google/discard/re-google/find/read/understand/re-read a lot of documents. The explanation is great all the times. Thanks for your videos. I lost the count on how many times I am grateful to find one of your materials when I am in a struggle. Keep the good work please !

As always, so good. Just nicely summarizes the most important points rather than me trying to connect the many dots from the docs and being confused how it fits together. Thanks!

Thanks John. I was under the impression that applying an NSG at Subnet level and also applying a NSG at VM level is going to offer double protection. thanks for the clarification 😃

Finally, I understood the fundamental difference between Service Endpoint vs Private Endpoint. My goodness, the best explantion ever !

You sir are so much better than every other Azure expert you need to pay for. Your videos help me a lot. ❤👍

It very quickly became my main source of knowledge for Azure. Wish I've known the channel before. Thanks for another great video. Really appreciated. It's not easy to organize and explain so much in so little time.

Thanks so much for these clear and well explained videos. So many others and even the MS docs I find speak in riddles adding to confusion, watching your videos gives me clarity and peace of mind.

I've never been happier in my life to have found someone, i felt stuck before, i dont know how you get it through so well but you do. Thanks alot John absolute life saver

Dude that was the best distilled explanation of all that verbose MSFT documentation. Thank you so much!!! I'm working on a project designing an Azure architecture with subnets. It's good to know that PaaS services don't require a protected subnet if we can use private links, if I'm understanding right.

You are Superman of Azure ...Your every video is just perfect and best available in youtube . Concepts explained are so crystal clear that you dont need to fetch anywhere else for doubts..

Loving that fact that you're now surfacing this sort of stuff on RU-vid - I've long followed your material on PluralSight and have found it very valuable in the past. Not sire if you're looking for suggestions on more things to cover, but here are a couple from me: (a) Could you shed a bit more light on the various ExpressRoute Peering options (Microsoft Peering vs Private Peering) as this also seems to come in to play when it comes to consumng PaaS services in a hybrid environment. (b) Some pices on Azure Firewall/Firewall Manager would also be helpful!

Very good video John. I though I knew everything about Azure networking. I was wrong... Don't understand your statement for using Service Endpoint policies for data filtration (limit data export) though. When I have a Service Endpoint defined for storage in region A and a policy for account SA01 I can still connect through the Internet to storage in region B, C, D and to non Azure storage (dropbox, box, etc.). Can't I ? So basically I think you should do data filtration / monitoring through UDR's to Azure Firewall and there log and control whatever goes out. Azure Firewall is currently very limited in this area though because you cannot specify tags like "block download sites", "block adult sites", "block etc." (category based). You either have to use an NVA for this (Fortigate, Checkpoint, Barracuda, etc.) or do this as part of your external DNS lookup system (OpenDNS for example). And then you still have PAAS platforms (webservices for, Azure Functions, etc.) that get data and communicate directly to the Internet without going through your Azure Firewall / NVA / datamonitoring solution and copy corporate data to wherever they like. So I think the topic of datafiltration / monitoring, i.e. data leakage, is a far more complicated topic than just setting a Service Endpoint Policy....

You are making it enjoyable to learn Azure, thanks!

You have really explained this complex topic well. Hats off Bud, Chat-GPT ain't no threat to you!

Awesome John! Indeed you completed my understanding of the Networking and cleared my doubt from the last video. You are one of my best Mentor in Azure, really appreciate.

John your content == pure gold ! Thanks a lot !

Mate you video deserves more views and likes. You are clear, concise and the most valuable source of Azure knowledge online. Keep up the excellent work!

Brilliant video as others! Thank you! Do you have separate video for NVA and Azure Firewall?

In-depth explanation. Awesome. Thank you John.

Outstanding. Helps to see to see how it all ties together. Question: is private link generally preferred as a default security choice?

So good. Great clarity. I'm using service endpoints for an AKS subnet and an Azure MySQL dB but I didn't know about service endpoint policies, so that was really useful

Couldn't find a better explanation other than this. Thanks for the great content!

This is a very good video John. Thanks for keeping us up-to-speed with Azure

Brilliant as always! Pity 95% of viewers can't be bothered to hit like!

Awesome, thank you Sir John, very informative as usual, clears a lot of key networking concepts in Azure, a lot of info that falls into place and easy enough to digest with simple explanation. Cheers.

As always, great video John. Regarding applying a Service Endpoint Policy to a subnet which stops VMs in that subnet from accessing Storage Account "02", surely you could do that without such a Policy simply by turning on the firewall on SA 02 and then not allowing access from that subnet?

Thank you for the explanation.

Extremely useful video! Thank you for sharing your knowledge and very clear explanations.

Thanks as always for such a useful video!!

If you want to learn Azure, you go to John Savill!!! ;-) Great content as always, thank you very much!

thanks for one more indepth session

Really appreciate your way of explaining each things in detail..just one query what about communication between PaaS services..it won't use private endpoint..like if my SQL analysis service wants to communicate storage blob..and when I deny public access to one of my diagnostic storage account the vm stop sending diagnostic logs to storage..

Great content. Many thanks John.

Great video. I'm at around 27:52. What is not clear to me yet is how do I then lock the sql database down from any access from the internet or bad actors within azure? What are my options? I might have some different rules in mind between the service inside the subnet with the nsg assigned to it and the sql database. Consider peering and on-premise to be N/A. One other thing, I think the answer is yes to this question but i'll ask it anyway (be my rubber ducky). If I apply service endpoint policies does that also prevent me from connecting to anything that is not specified? Think the app is using a connection string to storage that is not inside the subscription or the policies. So if we want to connect to that we would need to specify it but that could mean possible data exfiltration?

Thanks John. Really useful overview

Very well explained 👍

Great video, clear and concise as always. Thanks!

Thanks John for this excellent video.

Another great video - thanks John.

Another great video! may be one on DNS for hybrid environments with an on-prem AD Integrated DNS?

great video. Although I understood previously that public IP ( not private as you stated in the video ) was used in Service Endpoints to allow traffic and not Private. For making use of Virtual Ntwork Private IP we use Private endpoint? Can you please help clarify.. thanks

Amasingggggggggggggggggg!!!!!

You are great again

Another great video, John.

thanks John, quick one....does the Service End point overrides the NSG outbound rule?

AMAZING, as usual!

Great Video John!

Excellent

Great video as always!

Hi John, Do you have any links or info surrounding DHCP on Azure. When key production service of networking is DHCP and if you are a business of multi on-prem offices, how would you move DHCP to serve PC and Data from an Azure hosted Domain Controller?

Fantastic

@John Savill So Service Endpoint you said that it is at a Subnet level and you get a direct connection to the Storage Account using a Service Endpoint. So i guess Service Endpoint can act as a security boundary. So what about Private Link, can i use Service Endpoint with Private Link? I mean how they are both different then?

got it thanks

also if we have a service end point, does it lock the PASS service to the given Vnet and we dont need Firewall setting to be changed? in Private End point its evident we dont require the Firewall rule as it attains a private IP from the Vnet but not clear on the service end point... thank you!

Awesome .. thanks

Hello, If I enable a service end point from the Subnet to example a SQL Server ( Azure Paas), do I still have to add NSG rule in outbound 443 in Subnet to allow me to connect....or that is no longer required as I enabled a Service End point already. Thank you

Why do you say (on 0:08) that Storage Account is PaaS. Doesn't it falls under IaaS?

Thank you.

Has anyone seen the blockbuster movie "Legend of the Savill", ya'll should check it out