This is an incredibly well done video that clearly explains the feature, use case and even where the feature can't be used and what could be used instead. I'm now a subscriber and will be looking forward to more of your videos in the future!
You made a super clear, easy-to-understand video. I watched the private link video too and subscribed your channel. I can't thank you enough. You are awesome.
I LOVE ridiculously simple! It is so effective and efficient to teach after building a foundation of understanding the "why". Great job Anand, thank you!
Hello elinspirada - you have no idea how much of a positive impact your comment left on me. I started and got the idea and finished the video on "Windows Virtual Desktop" ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-gC-Z_mHBtWg.html only because of this one single feedback. I am so going to use this for all my future videos - I did not even realize i was doing this :). Thank you so much !
Thank you Anup - feel free to check this video out on Windows Virtual Desktop - ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-gC-Z_mHBtWg.html and more shortly
Really good explanation with subtle hints on the routing preference in Azure plus the benefit if locking down PaaS access with the help of outbound NSG rules. Visuals help a broad range of audience as well
Thank you Chinmay - here is the link for Private link and Private endpoint - ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-vVDql7IKneg.html - let me know your feedback
The narrator mentions 'azure sql' but that isn't displayed. Is he referring to the blob storage? If yes then he should use consistent terminology in the video
Great Explanation, thank you very much! I have a question, In the last scenario before defining the "Service Endpoint Policies", how can a VM connect to any storage resource within the region? we had to make a step of adding the Vnet to the storage instance in our RG, and we didn't do it for any other storage resource, so how will it be able to connect to other? Thanks!
As you stated, a video explained in plain English with a wonderful use case demo. The question I have is what service would I used if I want to limit access to the storage account from the subnet in the VNET and also allow public access locked down via ACL? Would that be where private endpoint/link is used? To clarify, is Service endpoint only used when you want to eliminate public access to the storage account? Thx again!
Thank you for the feedback. You could use service endpoints/ private endpoints in conjunction with public access to storage account if needed or just use service endpoint/private endpoints exclusively as well. I have another video on private endpoint please check that out for further clarification. Hope that is helpful
I am amazed by the ease with which you have explained it. Would you mind answering the following questoin. As soon as we add a service endpoint for a PaaS service, does that service gets allocated in one of the subnet of the virtual network or its IP is still out of the Virtual Network ?
Thank you Faizal for the feedback. The service does not get allocated inside the subnet, the IP is still outside of the Virtual network - but it is being accessed in a secure way - hope this helps
Except for private link / private endpoint, according to MS document, you can also use NAT IP addresses to access service endpoints (for Azure Storage) from on premise network.
Great explanation. well structured with explanation of why and how. One question when you define Service end ponint policy, you dont need to attach it to storage?
@cloud-monk this is a great video. Wondering if you are still active? Regarding the exfiltration service policy, if I have multiple Azure subscriptions, will the service policy work if the storage exists in a different subscription? In the example you showed, the service policy allows for single storage account or all storage accounts or storage accounts related to a resource group. Appreciate your feedback.
Hi, Firstly thank you for the very simple explanation of service endpoints. I had a question regarding 1 point that you mentioned in your video, that if i implement forced tunneling , the traffic from the subnet to the azure service will also be routed to onpremise. However the microsoft documentation states that service endpoints always take the optimal route , and the traffic is sent directly from the subnet to the azure service even if there is forced tunelling implemented, thus the traffic does not have to leave the microsoft azure backbone network.
Good.. I have a doubt with service endpoint, can we not directly allow subnet in the firewall. Then any requests which is getting into storage account will have access from the subnet
Once Service Endpoints are enabled, is it must to add an NSG Outbound entry to destination "Storage.Region" if I have an outbound block to any destinations in my NSG? My NSG currently blocks all outbound traffic and then allows outbound traffic only to a set of known Private IP subnets. Also, what about some storage accounts which get created when enabling certain services in Azure (eg. boot diagnostics). How would I know where the data is coming from to these Storage Accounts? Simply put, my situation is, I have several storage accounts that are created in the past, and now I need to limit access to them from my Vnets without hitting the public internet. I am afraid that enabling service accounts might disrupt something as I am not very sure what writes data to those storage accounts as some of them were created by a previous Azure Administrator who worked with the company before I joined.
Great vid, was very easy to follow, appreciate you taking the time to put this together. The only question I had was when you gave the example of egress traffic you specified in the outbound rules to allow storage traffic which you said traversed the Azure backbone network but then mentioned other traffic leaving the VM for the internet. In your outbound ACL it looked like you had that locked down so I was wondering how that would be possible, wouldn't the ACL stop any other traffic egressing to the inet from the VM?
Thank you Todd, that is correct if the outbound ACL only has storage endpoints internet traffic will be dropped by NSG. However the assumption is if they would need to allow internet traffic that ACL will be adjusted accordingly- apologies I didn't call that out in the video - thanks for noticing
At 4:56,you said that vm making outbound calls to the public internet. How can that be possible,since you defined only 1 rule to access storage account and all other internet outbound is blocked by your NSG rules.
Thanks Sir, Simple and precise explanation. is it possible to share the name of software you used to create this video? Also do you have a video showing the one to one mapping of traditional network and azure virtual network as it is a bit confusing to understand?
Why route the traffic from the webserver through on-premise in the first place? Why not create another subnet, with a public internet facing firewall and have it route through that?
Superb pin to pin explanation I am new to Azure and your explanation is just wow!!! can you please post videos on Azure probably more focused on Certification and concepts.
Thank you Srinivas - sure at this point I'm focusing on both Azure and Kubernetes- so you will see a rhythm of topics. Next Azure video is ExpressRoute deep dive for beginners, watch out for those - if you are interested and please suggest topics if you do have any for upcoming videos !
@@cloud-monk Sure sir!!! Apart from me telling I believe you being an SME are the best to decide this..🙂 and I have subscribed and eager to have for more learning from your videos..🙂
At 4:37, you mentioned that the communication between VM and blob storage happens over Microsoft backbone. I have a question here. Do you mean to say that adding the client IP address of VM as a firewall rule in storage account, will automatically route the traffic through Microsoft backbone? What if the client IP address I am adding in the firewall rule is the IP address of my PC at home? In that case also, will the communication happen over Microsoft backbone? Sorry, I am little confused here.
If you are accessing from home that would not stay ONLY in the microsoft backbone, however if you are accessing storage from an azure vm it will always stay in the azure backbone
I have 2 questions: 1:27, the Private IP of the VM is translated to Public Ip due to a NAT gateway? 4:47, VM is making outbound calls to the internet but NSG has a deny outbound rule for public internet.
I know we interacted over Twitter for the same question, but for the benefit of the audience here I'm posting the response: "I assume you are referring to my service endpoint video ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-gxsitRRgylI.html if yes, 1. that is correct the private IP can be NATed using a NAT gateway too. 2. Correct the outbound NSG has internet allow in order to access it. Hope this helps"
@@cloud-monk - I had the same questions as Roy, so thank you for replying! If I understand correctly then, in 1:27, the translated IP is the PIP resource if one is assigned, a NAT gateway IP address if that is being used or finally the auto-assigned Microsoft NAT address (which can change) if neither of the previous are used - correct? At 4:47, the scenario has changed and now the security department is allowing internet traffic from the VM, so rule 500 is removed and a UDR is created to force traffic through the on-premise firewall, correct? Thanks again for the great video!
Amazing Videos Sir and thanks a lot for providing the same to us ok n free. Sir Could you please create some detailed videos on RBAC, Azure Internet Net and Troubleshooting. By troubleshoot i mean if i am not able to communicate to some virtual machines or any services or any outside network, how to troubleshoot using Azure tools. It would be a great help sir 🙂. pl. Stay Safe..!!
How does the VM make outbound connections to the internet after you add a rule to allow 443 to Storage.EastUS? The next rule denies all outbound to the Internet. So if they traffic isn't 443, or isn't destined for Storage.EastUS it will be denied.
Not yet - all my content is either on RU-vid or on my blog, but will keep you posted as when I have more structured trainings. Thank you for the feedback
Thanks. Great video. My question is do you need to link the endpoint service policy to the subnet or end point service? If not, how does the endpoint service policy know which subnet to apply?
Hello. How to undo the process? I have tried to create a service endpoints and it was successfully deployed, however, when I tried to undo the process because I wanted to access file share storage again via public ip address I can't access it anymore even though I deleted the vnet and service endpoints. Also I have tried to create new file share it doesn't allow me to create a new one. Hope you can help me. Thank you.
Deleting service endpoints only deleted the routes. You will be able to access the service as long as you have the firewall on the service with the appropriate entries.
You can - but that will break the communication to the PaaS services which have public IPs like storage - unless we use forced tunnel, service endpoints or private endpoints
