Private Endpoints

Private PaaS access, no public exposure.

Advanced25 min · lesson 12 of 15

A recurring administrator goal is keeping Azure PaaS services off the public internet. Private Endpoints and service endpoints, combined with disabling public access, make managed services reachable only from your network.

Private Endpoints over public access

By default, many PaaS services (Storage, SQL Database, Key Vault) have public endpoints reachable from the internet, protected only by keys and firewall rules. A Private Endpoint projects the service into your VNet as a private IP, so traffic to it never leaves the Azure backbone — and critically, you can then disable public network access entirely, removing the internet attack surface. This is stronger than the older service endpoints, which route to the service’s public IP over the backbone but leave it publicly reachable. Resolve the private IPs through Azure Private DNS zones so application connection strings work unchanged. The combination — Private Endpoint plus disabled public access — means even a leaked key cannot reach the service from outside your network.

lock a PaaS service to your VNet
# Create a private endpoint for a storage account in your subnet...
az network private-endpoint create -g net-rg -n st-pe \
--vnet-name app-vnet --subnet data \
--private-connection-resource-id <storage-account-id> \
--group-id blob --connection-name st-conn
# ...then remove all public network access — only the VNet can reach it now.
az storage account update -g data-rg -n contosodata \
--public-network-access Disabled --default-action Deny

Private by default across the estate

Apply this pattern consistently: Storage, SQL, Key Vault, Cosmos DB, and container registries should all be reachable only via Private Endpoints with public access disabled, resolved through Private DNS zones. Enforce it with Azure Policy so a resource created with public access is flagged or denied, making "private by default" a property of the platform rather than a thing each team must remember. This ties together the networking topics: private subnets for workloads, NSGs allowing only necessary flows, private connectivity between networks (peering, gateways), and private access to PaaS services (Private Endpoints). The result is a network where nothing sensitive is exposed to the internet, traffic is segmented and filtered, and even managed services participate in the same private, controlled network the administrator designs.

Private access to PaaS
make it private
Private Endpoint
private IP in your VNet
disable public access
no internet path to the service
Private DNS zone
names resolve to the private IP
enforce it
Azure Policy
deny/flag public access at scale
Private Endpoint plus disabled public access means a leaked key cannot reach the service. Enforce it estate-wide with Azure Policy.
A Private Endpoint alone does not remove public access
Adding a Private Endpoint but leaving public network access enabled means the service is still reachable from the internet — the private path is merely optional. Always pair the endpoint with public-access Disabled (or a deny default action) so the only route to the service is through your VNet.