[Azure Cloud] What is the difference between a service endpoint and a private link? Point of view (1)
2022-08-10 10:23:00 【51CTO】
For a long time, if you used the multi-tenant PaaS versions of many Azure services, you had to access them over the internet, and there was no way to restrict access to your resources. This limitation was mainly due to the complexity of imposing such a restriction on multi-tenant services. At the time, the only way to get this kind of restriction was to consider a single-tenant solution, such as an App Service Environment (ASE) or running the service yourself on a VM, rather than using PaaS.
This public access was a concern for many, so Microsoft implemented new services that allow you to restrict access to these multi-tenant services. Today we have two solutions that look very similar on the surface: service endpoints and private links. Both are designed to let you restrict who connects to your service and how. As a result, it can be confusing to know which one to use and what its benefits are. In this article we will look into these services and try to make the decision clearer.
Note that in this article we are only talking about the approach for public multi-tenant PaaS services; we are not discussing "Private Link Service", which allows service providers to expose their own services to clients via private links.
Service endpoints
Service endpoints were the first service introduced to allow locking down multi-tenant services. They allow you to restrict access to a PaaS resource to traffic coming from an Azure virtual network. With service endpoints, the PaaS service remains separate from your vNet, and traffic leaves the virtual network to reach the PaaS service. However, the PaaS service is configured to recognize traffic from the virtual network and allow it, without you having to configure public IPs on the vNet for filtering.

Service endpoints work by enabling a subnet on the virtual network to support service endpoints. Once this is done, the PaaS resource can be configured to only accept traffic from those subnets. No IP filtering or NAT translation is required; you tell the PaaS resource which vNets and subnets to allow traffic from. When a service endpoint is enabled, the PaaS resource sees traffic coming from the vNet's private IPs rather than its public IP.
Another advantage of using service endpoints is that traffic is routed optimally to the Azure resource. Even if you have UDRs on your vNet that route internet traffic back on-premises or through a firewall appliance, using a service endpoint means traffic is sent directly to the Azure resource.
Generally available
- Azure Storage (Microsoft.Storage): Generally available in all Azure regions.
- Azure SQL Database (Microsoft.Sql): Generally available in all Azure regions.
- Azure Synapse Analytics (Microsoft.Sql): Generally available in all Azure regions.
- Azure Database for PostgreSQL server (Microsoft.Sql): Generally available in Azure regions where database service is available.
- Azure Database for MySQL server (Microsoft.Sql): Generally available in Azure regions where database service is available.
- Azure Database for MariaDB (Microsoft.Sql): Generally available in Azure regions where database service is available.
- Azure Cosmos DB (Microsoft.AzureCosmosDB): Generally available in all Azure regions.
- Azure Key Vault (Microsoft.KeyVault): Generally available in all Azure regions.
- Azure Service Bus (Microsoft.ServiceBus): Generally available in all Azure regions.
- Azure Event Hubs (Microsoft.EventHub): Generally available in all Azure regions.
- Azure Data Lake Store Gen 1 (Microsoft.AzureActiveDirectory): Generally available in all Azure regions where ADLS Gen1 is available.
- Azure App Service (Microsoft.Web): Generally available in all Azure regions where App service is available.
- Azure Cognitive Services (Microsoft.CognitiveServices): Generally available in all Azure regions where Cognitive services are available.
Public Preview
- Azure Container Registry (Microsoft.ContainerRegistry): Preview available in limited Azure regions where Azure Container Registry is available.
For the most up-to-date notifications, check the Azure Virtual Network updates page.
Service endpoints do have some limitations or disadvantages.
- First, it is key to remember that traffic to service endpoints still leaves the virtual network; the Azure PaaS resource is still accessed on its public address.
- Traffic originating on-premises over VPN or ExpressRoute cannot use the service endpoint; it can only be used by traffic from Azure virtual networks.
- If you want to allow access from your on-premises resources, you still need to whitelist their public IPs.
More information: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview.
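The following Bicep template is an added example, not code from the original post, showing the two halves of the service endpoint setup described above: the subnet enables the Microsoft.Storage endpoint, and the storage account's network rules deny everything except that subnet. Because the endpoint does not cover on-premises traffic, it also allow-lists a placeholder public IP, which is the extra step the limitations list mentions. All resource names, address ranges and the IP address are assumed placeholders.

```bicep
// Added example, not from the original post. All names, ranges and the
// on-premises IP below are placeholders.
param location string = resourceGroup().location
param vnetName string = 'vnet-example'        // placeholder
param storageName string = 'stexample0001'    // placeholder, must be globally unique
param onPremPublicIp string = '203.0.113.10'  // placeholder (TEST-NET-3 range)

resource vnet 'Microsoft.Network/virtualNetworks@2023-04-01' = {
  name: vnetName
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    subnets: [
      {
        name: 'snet-app'
        properties: {
          addressPrefix: '10.0.1.0/24'
          // Step 1: enable the endpoint on the subnet. From now on the storage
          // service sees traffic as coming from this vNet/subnet rather than
          // from the subnet's public SNAT address, and routes it directly.
          serviceEndpoints: [
            { service: 'Microsoft.Storage' }
          ]
        }
      }
    ]
  }
}

resource stg 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageName
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    networkAcls: {
      // Step 2: deny by default, then allow only the endpoint-enabled subnet.
      // The account keeps its public address; this rule is what filters callers.
      defaultAction: 'Deny'
      // Lets trusted Microsoft services through; set to 'None' if you do not need that.
      bypass: 'AzureServices'
      virtualNetworkRules: [
        {
          id: vnet.properties.subnets[0].id
          action: 'Allow'
        }
      ]
      // Limitation from the text: VPN/ExpressRoute sources cannot use the
      // endpoint, so an on-premises caller needs its public IP allow-listed.
      ipRules: [
        { value: onPremPublicIp, action: 'Allow' }
      ]
    }
  }
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file main.bicep`. The quickest way to confirm the rule is active is to run the same `az storage blob list` call from a VM in `snet-app` and from your workstation: the first succeeds, the second is rejected by the storage service with an HTTP 403 AuthorizationFailure, because the request arrives from an address that matches neither the subnet rule nor the IP rule.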
Private Link
Private Link is a newer solution than service endpoints, introduced about a year ago. The key difference between Private Link and service endpoints is that with Private Link you inject the multi-tenant PaaS resource into your virtual network. With a service endpoint, traffic still leaves your vNet and hits the public endpoint of the PaaS resource; with Private Link, the PaaS resource sits in your vNet and gets a private IP on your vNet. When you send traffic to the PaaS resource, it does not leave the virtual network.

Another key difference with Private Link is that, when enabled, you grant the virtual network access to a specific PaaS resource. This means you are in control of egress to PaaS resources. For example, if you wish, you can use an NSG to block access to all Azure SQL databases, then use Private Link to grant access only to your specific Azure SQL server.
Unlike service endpoints, Private Link allows resources to be accessed from your on-premises network over VPN or ExpressRoute, as well as from peered networks. You can also connect to resources across regions.
Availability




One disadvantage of Private Link is that, to keep resolving the PaaS resource by its usual name, you need DNS that resolves the private link zone for that specific resource. You can set this up through integration with Azure Private DNS, but if you already run your own DNS service, or do not want to use Azure Private DNS in the virtual network, this can be a problem.
More information: https://docs.microsoft.com/en-us/azure/private-link/private-link-overview.
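The following Bicep template is an added example, not code from the original post, and covers the two Private Link points made above: the NSG-plus-Private-Link egress pattern (here with Azure Storage rather than the Azure SQL example in the text) and the DNS requirement. It assumes a storage account's blob sub-resource and placeholder names and address ranges; the private DNS zone group at the end goes slightly beyond the text by having the platform write the endpoint's A record into the zone automatically.

```bicep
// Added example, not from the original post. Names and address ranges are placeholders.
param location string = resourceGroup().location
param vnetName string = 'vnet-example'      // placeholder
param storageName string = 'stexample0001'  // placeholder, must be globally unique

// Egress control: deny the whole public IP space of Azure Storage (service tag).
// The private endpoint's IP lies inside 10.0.0.0/16, so it does not match this rule
// and is still allowed by the default AllowVnetOutBound rule; every other storage
// account, including one outside your control, is unreachable from the subnet.
resource nsg 'Microsoft.Network/networkSecurityGroups@2023-04-01' = {
  name: 'nsg-snet-app'
  location: location
  properties: {
    securityRules: [
      {
        name: 'DenyStoragePublicOut'
        properties: {
          priority: 200
          direction: 'Outbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: 'Storage'
          destinationPortRange: '*'
        }
      }
    ]
  }
}
resource vnet 'Microsoft.Network/virtualNetworks@2023-04-01' = {
  name: vnetName
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    subnets: [
      {
        name: 'snet-app'
        properties: {
          addressPrefix: '10.0.1.0/24'
          networkSecurityGroup: { id: nsg.id }
          privateEndpointNetworkPolicies: 'Disabled'  // classic setting for subnets hosting private endpoints
        }
      }
    ]
  }
}
resource stg 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageName
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    publicNetworkAccess: 'Disabled'  // the public endpoint stops answering entirely
    networkAcls: { defaultAction: 'Deny' }
  }
}

// The private endpoint is the NIC that injects the account into snet-app with a private IP.
resource pe 'Microsoft.Network/privateEndpoints@2023-04-01' = {
  name: 'pe-${storageName}-blob'
  location: location
  properties: {
    subnet: { id: vnet.properties.subnets[0].id }
    privateLinkServiceConnections: [
      {
        name: 'blob'
        properties: {
          privateLinkServiceId: stg.id
          groupIds: [ 'blob' ]  // one endpoint per sub-resource (blob, file, queue, table, ...)
        }
      }
    ]
  }
}

// DNS requirement: <account>.blob.core.windows.net is a public CNAME to
// <account>.privatelink.blob.core.windows.net. This zone, linked to the vNet, answers that
// name with the private IP; clients using a different resolver need a forwarder to it.
resource zone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.blob.${environment().suffixes.storage}'  // privatelink.blob.core.windows.net
  location: 'global'
}
resource zoneLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: zone
  name: '${vnetName}-link'
  location: 'global'
  properties: {
    registrationEnabled: false
    virtualNetwork: { id: vnet.id }
  }
}
// Has the platform write the endpoint's A record into the zone.
resource zoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-04-01' = {
  parent: pe
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [ { name: 'blob', properties: { privateDnsZoneId: zone.id } } ]
  }
}
```

The DNS check is the one that catches misconfigurations: from a VM in the vNet, `nslookup <account>.blob.core.windows.net` must return a 10.0.1.x address. If it returns a public IP, the private zone is not being consulted (typically because the VM uses a resolver that is not forwarding to Azure DNS), and the client is trying the public endpoint that `publicNetworkAccess: 'Disabled'` has switched off.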
Which one to choose?
Now that you have had a quick introduction to each service, the question boils down to which one should be used. The answer depends on several factors.
First, look at the resource you want to access and see which of the two it supports. Some services are only supported by one or the other, so that will make the choice for you.
Assuming you can use either option for your service, the decision then probably boils down to complexity.
Service endpoints are more straightforward and easier to set up than Private Link. You can enable service endpoints with a few clicks in the portal, and they do not require any other services. Private Link, however, requires you to implement DNS changes, possibly using Azure Private DNS, and you also need to decide where the service will connect into your virtual network. So if you need to quickly add access restrictions to a PaaS service, or do not have the permissions or knowledge to make DNS changes, then a service endpoint is probably the best option.
Beyond complexity, Private Link is superior to service endpoints in almost every other respect. If you can set it up, and your service supports it, then I recommend using Private Link over service endpoints. In particular, with Private Link you can:
- Join your PaaS resource to your vNet and give it a private IP
- Make sure that traffic stays within the virtual network
- Restrict egress to specific PaaS services and prevent data leakage
- Support network access from on-premises and peered networks
- Connect to resources across regions, and even across Azure AD tenants
For most people who care about the security of and access restrictions on PaaS resources, Private Link will be the better choice. At this point I would be surprised to see the list of resources supporting service endpoints grow beyond what is available today, since most PaaS resources are looking to release Private Link offerings.
Thanks everyone for following, sharing and liking.