
What is an Azure Private Endpoint?

Unsure what an Azure Private Endpoint is? Read this very short blog post explaining what they are and how they differ from public endpoints.

Introduction

In this blog post we’ll cover what an endpoint is, the difference between public and private endpoints, why private endpoints are more secure, and specifically what an Azure Private Endpoint is. If you’d like to know how to deploy and configure an Azure Private Endpoint, follow my 7 Step Guide in this blog post.

What is an endpoint?

It’s important to note that in this blog post we’ll be talking about IP endpoints, although there are other types.

So, what exactly is an endpoint? Well, I asked ChatGPT and this is what it came up with:

An IP endpoint refers to a unique network address that identifies a specific device or application on a network.

It is composed of an IP address and a port number.

The combination of the IP address and the port number creates a unique endpoint that can be used for communication and data transfer between devices over a network.

Essentially, an endpoint represents a device connected to a network; it is identified by an IP address and a port number, and it allows that device to communicate with other devices on the network.

Port numbers are beyond the scope of this post, as you don’t need to know about them in order to set up a Private Endpoint; instead, we will be focusing on IP addresses.

Public vs. Private Endpoints

When talking about endpoints, and specifically thinking about endpoints of Azure PaaS (Platform-as-a-Service) services, they fall into two main categories:

  1. Public Endpoints;
  2. Private Endpoints.

The literal difference between these two types of endpoint is quite simple: a Public Endpoint is represented by a public IP address, and a Private Endpoint is represented by a private IP address.

Public IP addresses are globally unique; once a public IP address has been assigned to a public endpoint, this IP address can no longer be used for anything else. This is why we are running out of IPv4 IP addresses! However, private IP addresses need only be locally unique within a particular private network.

If both Alice and Bob own a private network under the address space 10.0.0.0/26 (which has the IP range 10.0.0.0 to 10.0.0.63), then the IP address 10.0.0.5 would represent a different endpoint in Alice’s network compared to Bob’s.

Why are Private Endpoints more secure?

The two pieces of information we need to consider are:

  1. The availability of the location information of the endpoint;
  2. The accessibility of the endpoint.

With public endpoints, firstly, the location information of the endpoint is publicly available. This is because it is represented by a public IP address, which is resolvable from the public internet. You can find out the public IP address (or addresses) associated with any public endpoint - that is publicly available information. Secondly, by default, anyone on the public internet has access to this endpoint.

Now, before we talk about private endpoints, I want to touch on an option which you may have seen on your Azure PaaS resources, which is using the public endpoint with “Allow access from selected networks” enabled.

Since this option is still referring to the public endpoint, we know that the location information of this endpoint is still publicly available. However, having this option enabled means we can restrict access to the endpoint to pre-selected networks and/or IP addresses. Think of this as a guest list only option!

So what extra security measures does using a private endpoint give us? Well, the key difference with a private endpoint is that, because it is represented by a private IP address, the location information of this endpoint is not publicly available. The IP address is not resolvable from the public internet. Further to this, you can only access the endpoint from within the private network itself.

Public Endpoints vs Public Endpoints with Selected Networks enabled vs Private Endpoints.

Hopefully you can now see why using a private endpoint is much more secure.
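To make the three access models compared above concrete, here is a small Python model added for this post; it is not Azure code or an SDK call, the PrivateNetwork and Endpoint classes are hypothetical, and every address in it is constructed for the example. It encodes the two properties the post reasons about (is the endpoint's location discoverable from the internet, and who can reach it), including the Alice/Bob case where two private networks share the same 10.0.0.0/26 address space.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# RFC 1918 private address space: only locally unique, never routed on the public internet.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class PrivateNetwork:
    """A private network; two networks may reuse the same address space (Alice's and Bob's)."""
    name: str
    cidr: ipaddress.IPv4Network

    def __post_init__(self) -> None:
        self.cidr = ipaddress.ip_network(self.cidr)

@dataclass
class Endpoint:
    """An endpoint, reduced to the IP address it is represented by (ports left out, as in the post)."""
    address: ipaddress.IPv4Address
    allowed_sources: Optional[List[ipaddress.IPv4Network]] = None  # the "selected networks" guest list
    network: Optional[PrivateNetwork] = None                      # set only for a private endpoint

    def __post_init__(self) -> None:
        self.address = ipaddress.ip_address(self.address)
        if self.allowed_sources is not None:
            self.allowed_sources = [ipaddress.ip_network(c) for c in self.allowed_sources]
        if any(self.address in net for net in RFC1918):
            if self.network is None or self.address not in self.network.cidr:
                raise ValueError("a private endpoint must sit inside a private network")
        elif self.network is not None:
            raise ValueError("a public endpoint does not belong to a private network")

    @property
    def kind(self) -> str:
        if self.network is not None:
            return "private"
        return "public" if self.allowed_sources is None else "public-selected-networks"

    def discoverable_from_internet(self) -> bool:
        return self.network is None  # a public IP resolves from anywhere; a private IP does not

    def reachable_from(self, source: str, source_network: Optional[PrivateNetwork] = None) -> bool:
        src = ipaddress.ip_address(source)
        if self.network is not None:
            # Same private network required; Bob's identical 10.0.0.0/26 is a different network.
            return source_network == self.network and src in self.network.cidr
        if self.allowed_sources is not None:
            return any(src in net for net in self.allowed_sources)
        return True  # plain public endpoint: anyone on the internet, by default
```

The "selected networks" guest list still leaves the endpoint discoverable; only the private endpoint makes both answers "no" for an internet caller.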

What is an Azure Private Endpoint?

An Azure Private Endpoint is an Azure Resource in its own right. By default, Azure PaaS services are deployed with a public endpoint. If you want to disable public access and use a Private Endpoint instead, you must actually deploy your own Private Endpoint Resource and associate it with the PaaS resource you want to use it for.

Unfortunately, it isn’t quite as simple as that to get it working! If you are interested in learning how to successfully deploy and configure an Azure Private Endpoint, check out my 7 Step Guide.
