Virtual network service endpoints

Use virtual network service endpoints to extend your private address space in Azure
by providing a direct connection to your Azure services. Service endpoints let you
secure your Azure resources to only your virtual network. Service traffic remains
on the Azure backbone and doesn't go out to the internet.

Service endpoints can connect certain PaaS services directly to your private address
space in Azure, so they act as if they're on the same virtual network. You use your
private address space to access the PaaS services directly. Adding service endpoints
doesn't remove the public endpoint. It simply provides a redirection of traffic.

Azure service endpoints are available for many services, such as:

• Azure Storage
• Azure SQL Database
• Azure Cosmos DB
• Azure Key Vault
• Azure Service Bus
• Azure Data Lake

To enable a service endpoint, you must do two things:

1. Turn off public access to the service.

2. Add the service endpoint to a virtual network.

When you enable a service endpoint, you restrict the flow of traffic, and allow your
Azure virtual machines to access the service directly from your private address space.
Devices cannot access the service from a public network.
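The following is an added example, not part of the original page or any Microsoft code: a Python audit that checks whether both steps are actually in place for a storage account, since adding a service endpoint alone leaves the public endpoint open. It assumes step 1 corresponds to a network rule set whose default action is Deny, and that the input has the shape of `az storage account show` JSON; the account names, subnet ID and helper names are constructed for illustration.

```python
# Constructed subnet ID and accounts; field names assume the JSON shape printed
# by `az storage account show` (networkRuleSet.defaultAction, virtualNetworkRules, ipRules).
SUBNET = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
          "/providers/Microsoft.Network/virtualNetworks/vnet-demo/subnets/app")

def vnet_rule(subnet_id, state="Succeeded"):
    return {"action": "Allow", "state": state, "virtualNetworkResourceId": subnet_id}

SAMPLE_ACCOUNTS = [
    # Both steps done; the ID is upper-cased to show that matching ignores case.
    {"name": "stlocked", "networkRuleSet": {
        "defaultAction": "Deny", "ipRules": [],
        "virtualNetworkRules": [vnet_rule(SUBNET.upper())]}},
    # Step 2 done, step 1 skipped: the public endpoint still accepts any network.
    {"name": "stopen", "networkRuleSet": {
        "defaultAction": "Allow", "ipRules": [],
        "virtualNetworkRules": [vnet_rule(SUBNET)]}},
    # Step 1 done, but the subnet rule is not active and a public range is allowed.
    {"name": "stmixed", "networkRuleSet": {
        "defaultAction": "Deny",
        "ipRules": [{"action": "Allow", "ipAddressOrRange": "203.0.113.0/24"}],
        "virtualNetworkRules": [vnet_rule(SUBNET, state="Provisioning")]}},
]

def audit_account(account, expected_subnets):
    """Return a list of findings; an empty list means both steps are in place."""
    rules = account.get("networkRuleSet") or {}
    findings = []
    # Step 1: a missing rule set or missing default action behaves as Allow.
    if (rules.get("defaultAction") or "Allow").lower() != "deny":
        findings.append("default action is not Deny: reachable from any network")
    # Step 2: only rules in the Succeeded state count; resource IDs are case-insensitive.
    active = {(r.get("virtualNetworkResourceId") or "").lower()
              for r in rules.get("virtualNetworkRules") or []
              if (r.get("state") or "").lower() == "succeeded"}
    wanted = {s.lower() for s in expected_subnets}
    findings += [f"no active rule for subnet {s}" for s in sorted(wanted - active)]
    findings += [f"unexpected subnet allowed: {s}" for s in sorted(active - wanted)]
    # Public IP exceptions reopen access from outside the virtual network.
    findings += [f"public range still allowed: {ip.get('ipAddressOrRange')}"
                 for ip in rules.get("ipRules") or []]
    return findings

def audit_all(accounts, expected_subnets):
    return {a["name"]: audit_account(a, expected_subnets) for a in accounts}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_ACCOUNTS, [SUBNET]).items():
        print(name, "OK" if not findings else findings)
```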

ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over a
private connection facilitated by a connectivity provider. Azure ExpressRoute provides
dedicated private connectivity to Azure that does not travel over the Internet.

Protect your shared documents


Microsoft Azure Information Protection (sometimes referred to as AIP) is a cloud-based
solution that helps organizations classify and optionally protect documents and emails by
applying labels.

Azure Advanced Threat Protection (Azure ATP) is a cloud-based security solution that
identifies, detects, and helps you investigate advanced threats, compromised identities, and
malicious insider actions directed at your organization.
