Peering – Gaining the Azure Data Engineer Associate Certification

This is a relatively easy concept to grasp: peering connects two or more VNets so that resources in VNet A can reach resources in VNet B over private IP addresses, across the Microsoft backbone rather than the Internet. Both sides of the peering must be configured, and peering is not transitive (A peered with B and B peered with C does not connect A to C). The connection itself is bidirectional; if you want resources in VNet B to have limited or no access to resources in VNet A, you enforce that with network security group rules on the relevant subnets (or a firewall in between), not with the peering itself.

Azure Private Link/Endpoint

So far, you have read about what is referred to as a global, discoverable endpoint: a public hostname that resolves from anywhere on the Internet. Many Azure products are allocated one by default when provisioned. Here is an example of a few, where * represents the name of the provisioned product, which must be unique.

To make access private, which means the resource is reached only over your own network and not from the Internet, you create a private endpoint for the resource. A private endpoint is a network interface in a subnet of your VNet that receives a private IP address from that subnet; Azure Private Link then carries traffic from that address to the resource over the Microsoft backbone. (The related Azure Private Link Service is what you provision when you want to expose your own service, behind a Standard Load Balancer, to other people's private endpoints in the same way.) Once the private endpoint exists, you disable public network access on the resource so that its public endpoint stops accepting connections. Keep in mind that this is different from simply configuring a firewall or IP restrictions. Those two actions restrict what can pass through to the resource, but the public endpoint remains reachable and continues to answer (typically with an authorization error) to anyone who tries it. With a private endpoint and public access disabled, the only path to the resource is the private IP inside your VNet, and you can still layer network security groups and the resource firewall on top of that. One caveat: the public hostname still resolves on the Internet; the point is reachability, not invisibility, and clients inside the VNet need the matching privatelink DNS zone so that the same hostname resolves to the private IP for them.
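As an added illustration (this is not code from the book), the following Bicep template provisions a storage account that can only be reached through a private endpoint: it creates the VNet and subnet, the storage account with public network access disabled, the private endpoint for the blob sub-resource, and the privatelink DNS zone that makes the account's normal hostname resolve to the private IP for clients inside the VNet. The resource names, region and address ranges are assumptions chosen for the example.

```bicep
// Added example, not from the original page. Names, address ranges and the
// storage account name are assumptions for illustration only.
param location string = resourceGroup().location
param storageName string = 'stprivatelinkdemo01' // assumption: must be globally unique

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-data'
  location: location
  properties: {
    addressSpace: { addressPrefixes: ['10.10.0.0/16'] }
    subnets: [
      {
        name: 'snet-endpoints'
        properties: {
          addressPrefix: '10.10.1.0/24'
          // 'Disabled' is the traditional setting for subnets that host private
          // endpoints; set 'Enabled' if you want NSG rules applied to the endpoint NIC.
          privateEndpointNetworkPolicies: 'Disabled'
        }
      }
    ]
  }
}

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageName
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    // The public endpoint keeps resolving, but stops accepting connections.
    publicNetworkAccess: 'Disabled'
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'None' // use 'AzureServices' if trusted Azure services must still reach the account
    }
    allowBlobPublicAccess: false
    minimumTlsVersion: 'TLS1_2'
  }
}

// One private endpoint covers one sub-resource (blob here; dfs, file, queue, table are separate).
resource pe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-${storageName}-blob'
  location: location
  properties: {
    subnet: { id: vnet.properties.subnets[0].id }
    privateLinkServiceConnections: [
      {
        name: 'blob'
        properties: {
          privateLinkServiceId: storage.id
          groupIds: ['blob']
        }
      }
    ]
  }
}

// Without this zone, clients in the VNet still resolve <account>.blob.core.windows.net
// to the public IP and never use the private endpoint.
resource blobZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.blob.core.windows.net'
  location: 'global'
}

resource blobZoneLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: blobZone
  name: 'link-vnet-data'
  location: 'global'
  properties: {
    virtualNetwork: { id: vnet.id }
    registrationEnabled: false
  }
}

// Registers the endpoint's private IP as an A record in the zone automatically.
resource peDns 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: pe
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'blob'
        properties: { privateDnsZoneId: blobZone.id }
      }
    ]
  }
}
```

The check a practitioner should run after deploying: from a VM inside vnet-data, resolving `<account>.blob.core.windows.net` should return a CNAME to `<account>.privatelink.blob.core.windows.net` and an address in 10.10.1.0/24; from a machine outside the VNet the same name resolves to a public IP, and any request to it is refused because public network access is disabled. If the in-VNet lookup still returns a public IP, the DNS zone link is missing and the private endpoint is doing nothing.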

Service Endpoints

This feature existed before Azure Private Link, and for new designs you should prefer Private Link over Service Endpoints. With a Service Endpoint, the global endpoint remains discoverable and the resource keeps its public IP address, but traffic from the enabled subnet reaches the service over the Azure backbone and carries the subnet's identity, so the resource's own firewall (for example the storage account, SQL server, or App Service access restrictions) can be set to allow only that subnet and deny everything else. The relationship is one-directional: the service does not gain a path into your VNet. For example, if you have an Azure VM in a subnet with the Microsoft.Web service endpoint enabled and you add that subnet to an Azure App Service's access restrictions, the VM can access the App Service and nothing else can. Of course, you have control over that; you could allow more or less access. The beauty of this feature is an elevated level of security with very low configuration complexity.

Service Tags

A difficulty when setting up security that uses IP addresses is finding out which ones need to be allowed and which denied, and keeping that list current. When setting up these kinds of restrictions on Azure, instead of writing a rule based on IP addresses, you use a service tag: a Microsoft-maintained name for the set of IP prefixes that belong to an Azure service, optionally scoped to a region (Storage versus Storage.WestEurope). Network security group and Azure Firewall rules accept a tag as the source or destination, and Microsoft updates the prefixes behind it as they change; the current list is also published as a downloadable JSON file. For example, AzureKeyVault, AzureMonitor, Sql, and Storage are service tags you can use in an outbound rule to let your resources reach those services while denying other Internet traffic, instead of maintaining a single IP or range of IPs. Keep in mind that a tag covers the whole service across all tenants, not just your own resources, so it controls which service a machine may talk to, and the resource-level firewall (or a private endpoint) still decides who may talk to your instance of it.
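The following Bicep template is an added example (not from the book) that ties the two previous sections together: a worker subnet with the Microsoft.Storage service endpoint enabled, a network security group that uses the Storage service tag to allow outbound HTTPS to Azure Storage while denying all other Internet egress, and a storage account whose firewall admits only that subnet. Names, region and address ranges are assumptions for the example.

```bicep
// Added example, not from the original page. Names and ranges are assumptions.
param location string = resourceGroup().location
param storageName string = 'stserviceendpointdemo01' // assumption: must be globally unique

// Service tags in NSG rules: 'Storage' expands to every Azure Storage prefix
// (use the regional form, e.g. 'Storage.WestEurope', to narrow it further).
resource nsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-data-workers'
  location: location
  properties: {
    securityRules: [
      {
        name: 'AllowStorageHttpsOut'
        properties: {
          priority: 100
          direction: 'Outbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: 'VirtualNetwork'
          sourcePortRange: '*'
          destinationAddressPrefix: 'Storage'
          destinationPortRange: '443'
        }
      }
      {
        // Evaluated after the allow above; blocks every other Internet destination.
        name: 'DenyInternetOut'
        properties: {
          priority: 4000
          direction: 'Outbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: 'VirtualNetwork'
          sourcePortRange: '*'
          destinationAddressPrefix: 'Internet'
          destinationPortRange: '*'
        }
      }
    ]
  }
}

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-data'
  location: location
  properties: {
    addressSpace: { addressPrefixes: ['10.10.0.0/16'] }
    subnets: [
      {
        name: 'snet-workers'
        properties: {
          addressPrefix: '10.10.2.0/24'
          networkSecurityGroup: { id: nsg.id }
          // Service endpoint: traffic to Storage leaves over the backbone
          // carrying this subnet's identity, which the storage firewall can match.
          serviceEndpoints: [
            { service: 'Microsoft.Storage', locations: [location] }
          ]
        }
      }
    ]
  }
}

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageName
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    allowBlobPublicAccess: false
    minimumTlsVersion: 'TLS1_2'
    networkAcls: {
      // Public endpoint still exists and resolves; only the listed subnet is admitted.
      defaultAction: 'Deny'
      bypass: 'AzureServices'
      virtualNetworkRules: [
        { id: vnet.properties.subnets[0].id, action: 'Allow' }
      ]
    }
  }
}
```

Two things are worth confirming after deployment. A VM in snet-workers can list blobs in the account, but a request from anywhere else (including your workstation) returns 403 AuthorizationFailure: the hostname still resolves and the endpoint still answers, which is exactly the difference from a private endpoint. And the same VM cannot reach any other Internet host on port 443, yet can still reach any storage account in Azure as far as the NSG is concerned; it is the account firewall, not the service tag, that limits it to this one.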

Other Products

Let’s look at other networking‐related Azure products you should be familiar with.
