Azure Virtual Network Service Endpoints - explained in plain English with a story and demo

This is an incredibly well done video that clearly explains the feature, use case and even where the feature can't be used and what could be used instead. I'm now a subscriber and will be looking forward to more of your videos in the future!

How can the VM make outbound connection to internet, when the NSG is only allowing outbound traffic to storage account

@cloud-monk this is a great video. Wondering if you are still active? Regarding the exfiltration service policy, if I have multiple Azure subscriptions, will the service policy work if the storage exists in a different subscription? In the example you showed, the service policy allows for single storage account or all storage accounts or storage accounts related to a resource group. Appreciate your feedback.

What a video, excellent work anand , keep your great working coming , thanks a ton for making this video
sharing.

Excellent explanation! Thank you so much!

This is really good. My only suggestion is to remove the music in the background. You have a clear way of explaining and the music is distracting

too deep for me to understand

Good.. I have a doubt with service endpoint, can we not directly allow subnet in the firewall. Then any requests which is getting into storage account will have access from the subnet

I must say Anand since the time you have stopped making videos Azure has become complex for us. please get back soon. your Fan !

Really nice video...keep up the good work!

Except for private link / private endpoint, according to MS document, you can also use NAT IP addresses to access service endpoints (for Azure Storage) from on premise network.

Thank You for your precious 5 mins video..

well done! The explanation is simply straightforward! Subscribed!

Love you monk. :)

thank you

I'm thinking "how would I explain service endpoint to my grandma" - and I see this. Brilliant video - simple, crisp and beautifully narrated !

Don't have word to praise you buddy. Totally awesome... Thanks a lot.

Just loved the simplicity!!!

How does the VM make outbound connections to the internet after you add a rule to allow 443 to Storage.EastUS? The next rule denies all outbound to the Internet. So if they traffic isn't 443, or isn't destined for Storage.EastUS it will be denied.

good one

I LOVE ridiculously simple! It is so effective and efficient to teach after building a foundation of understanding the "why". Great job Anand, thank you!

Why route the traffic from the webserver through on-premise in the first place? Why not create another subnet, with a public internet facing firewall and have it route through that?

Good quality stuff, thanks

As you stated, a video explained in plain English with a wonderful use case demo. The question I have is what service would I used if I want to limit access to the storage account from the subnet in the VNET and also allow public access locked down via ACL? Would that be where private endpoint/link is used? To clarify, is Service endpoint only used when you want to eliminate public access to the storage account?

Thx again!

Great explanation.

What is private endpoint?

How is a service-endpoint-policy tied to a specific service-endpoint ?

Super ..

Amazing Videos Sir and thanks a lot for providing the same to us ok n free. Sir Could you please create some detailed videos on RBAC, Azure Internet Net and Troubleshooting. By troubleshoot i mean if i am not able to communicate to some virtual machines or any services or any outside network, how to troubleshoot using Azure tools. It would be a great help sir 🙂. pl. Stay Safe..!!

Thank you so much! Amazing explanation!

Once Service Endpoints are enabled, is it must to add an NSG Outbound entry to destination "Storage.Region" if I have an outbound block to any destinations in my NSG? My NSG currently blocks all outbound traffic and then allows outbound traffic only to a set of known Private IP subnets. Also, what about some storage accounts which get created when enabling certain services in Azure (eg. boot diagnostics). How would I know where the data is coming from to these Storage Accounts? Simply put, my situation is, I have several storage accounts that are created in the past, and now I need to limit access to them from my Vnets without hitting the public internet. I am afraid that enabling service accounts might disrupt something as I am not very sure what writes data to those storage accounts as some of them were created by a previous Azure Administrator who worked with the company before I joined.

just amazing explanation!!

I will subscribe your channel .. your are 👌👌👌👌👌👌👌👌👌👌👌👌👌👌👌👌👌👌👌

Excellent video - thank you

Excellent! Congratulations for this amazing explanation!

The background music made me feel like in kindergarden :D,I really needed simple explanation. thank you:D

Wow!!!!

Great vid, was very easy to follow, appreciate you taking the time to put this together.

The only question I had was when you gave the example of egress traffic you specified in the outbound rules to allow storage traffic which you said traversed the Azure backbone network but then mentioned other traffic leaving the VM for the internet. In your outbound ACL it looked like you had that locked down so I was wondering how that would be possible, wouldn't the ACL stop any other traffic egressing to the inet from the VM?

This is one of most simple and helpful video to learn! Thank you!!

This is an awesome explanation. Thank you so much for this.

No words for this amazing stuff. I was just wondering if you conduct online trainings too. Pls reply. Thnks

can you make a video on the forced tunneling route to route all azure internet request to go through on-prem?

Thanks. Great video. My question is do you need to link the endpoint service policy to the subnet or end point service? If not, how does the endpoint service policy know which subnet to apply?

very well explained . best part is the used case which for newbee's like me at times is difficult to comprehend .

Great content.very well explained....keep going...u r the gem in teaching