Today was the day where I again focused the challenge on some real Azure network basics. What is the difference between Service Endpoint, Private Endpoint and Private Link Service? All three methods are different ways to secure PaaS resources and integrate them into the Azure network but it is quite hard to separate them.

To don’t face this challenge again in a few weeks and also to make it easy for others to understand the differences of the service, I decided to describe them in a really short and easy way.

Service Endpoint

• Traffic to the PaaS resource is routed via the Microsoft Backbone.
• The traffic leaves the virtual network and uses the public endpoint of the PaaS resource.
• The public endpoint of the PaaS resource therefore still persist.
• The traffic, which shall be accepted can be configured on the resource itself.
• More details: Azure virtual network service endpoints | Microsoft Docs

Private Endpoint

• The PaaS resource gets an private IP address within the virtual network.
• The PaaS resource gets his own network interface and is therefore fully integrated.
• The public endpoint is no longer available.
• By integrating a resource with a private endpoint, it can also be accessed from peered networks as well as from on-premises resources connected to your Azure network.
• Traffic sent to the PaaS resource does not leave the virtual network.
• Network security components like Network Security Groups (NSGs) and firewalls can be used to restrict the traffic from the source.
• More details: What is an Azure Private Endpoint? | Microsoft Docs

Private Link Service

• Offers the ability to publish Azure resources or a service on a private way in the own environment or with third parties.
• Third parties or consumer can use the private link service to create a private connection to this resources via a private endpoint.
• The connection can be across Azure tenants.
• More details: What is Azure Private Link service? | Microsoft Docs