
Private Endpoints & Service Endpoints: AZ-500 Deep Dive

Private Endpoints and Service Endpoints both restrict Azure PaaS access to your VNet, but they work completely differently. The AZ-500 exam tests which to use when, and Private DNS Zone configuration is a favourite question topic.

Microsoft Cloud Solution Architect
Tags: AZ-500, Private Endpoint, Service Endpoint, Azure Networking, Private DNS, Certification

Service Endpoints vs Private Endpoints

Feature                 | Service Endpoints                             | Private Endpoints
Traffic path            | Stays on Azure backbone, exits via public IP  | Private IP in your VNet; never uses a public IP
DNS                     | Service resolves to its public FQDN           | Service resolves to a private IP via a Private DNS Zone
Cost                    | Free                                          | Charged per endpoint plus data processing
Access from on-premises | No (VNet only)                                | Yes (via ExpressRoute/VPN)

Private Endpoint Architecture

A Private Endpoint creates a NIC in your subnet with a private IP. Azure then maps the service's public FQDN to this private IP via a Private DNS Zone: the public name (for example storage-account-name.blob.core.windows.net) is redirected to its privatelink name, and the Private DNS Zone holds the record that resolves that name to the endpoint's private IP.

Required setup:

  1. Create the Private Endpoint (a NIC is injected into your subnet)
  2. Create a Private DNS Zone (for example, privatelink.blob.core.windows.net for Storage)
  3. Link the Private DNS Zone to your VNet
  4. Add an A record: storage-account-name to private IP

Exam tip: Without the Private DNS Zone, clients resolve the storage FQDN to the public IP and bypass the private endpoint entirely, even if the storage firewall denies public access.
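The four steps above as one Azure CLI script, followed by a check for the exam-tip failure mode (a client that still resolves the account to a public IP). This is an added example, not a script from the article or from Microsoft; the resource group, VNet, subnet, subnet range and storage account name are hypothetical placeholders, and the storage account name must be globally unique before the deploy path will work. The verification helpers are pure POSIX shell so they can be exercised without an Azure subscription.

```shell
#!/bin/sh
# Added example (not from the article): provision a Storage private endpoint with
# its Private DNS Zone, then verify that clients really resolve to the private IP.
# All names below are hypothetical placeholders. Run with: sh pe-demo.sh deploy
set -eu

RG="rg-az500-demo"                         # hypothetical resource group
LOCATION="westeurope"
VNET="vnet-hub"                            # hypothetical VNet, assumed to exist
SUBNET="snet-private-endpoints"            # hypothetical subnet for endpoint NICs
SUBNET_CIDR="10.0.1.0/24"                  # hypothetical address range of that subnet
STORAGE="stdemoaz500"                      # hypothetical; must be globally unique
PE_NAME="pe-${STORAGE}-blob"
ZONE="privatelink.blob.core.windows.net"   # zone name for the blob sub-resource

# Step 0: the storage account, with its public endpoint switched off.
create_storage() {
  az storage account create -g "$RG" -n "$STORAGE" -l "$LOCATION" \
    --sku Standard_LRS --kind StorageV2 --min-tls-version TLS1_2 \
    --allow-blob-public-access false --public-network-access Disabled
}

# Step 1: the private endpoint; Azure injects a NIC with a private IP into SUBNET.
create_private_endpoint() {
  storage_id=$(az storage account show -g "$RG" -n "$STORAGE" --query id -o tsv)
  az network private-endpoint create -g "$RG" -n "$PE_NAME" -l "$LOCATION" \
    --vnet-name "$VNET" --subnet "$SUBNET" \
    --private-connection-resource-id "$storage_id" \
    --group-id blob --connection-name "${PE_NAME}-conn"
}

# Steps 2 and 3: the Private DNS Zone and its link to the VNet.
create_dns_zone_and_link() {
  az network private-dns zone create -g "$RG" -n "$ZONE"
  az network private-dns link vnet create -g "$RG" -z "$ZONE" \
    -n "link-${VNET}" -v "$VNET" --registration-enabled false
}

# Step 4: the A record. A DNS zone group on the endpoint writes and maintains
# <account>.privatelink.blob.core.windows.net -> <private IP> for you.
create_dns_zone_group() {
  az network private-endpoint dns-zone-group create -g "$RG" \
    --endpoint-name "$PE_NAME" -n default \
    --private-dns-zone "$ZONE" --zone-name blob
}

# ---- verification helpers (pure shell, no Azure access needed) ----

# Dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
  set -- $(printf '%s' "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Exit 0 when IP $1 lies inside CIDR $2, 1 otherwise.
ip_in_cidr() {
  net="${2%/*}"; bits="${2#*/}"
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Classify a resolution result: "private" when the answer went through the
# privatelink hop AND the final address lies in the endpoint subnet,
# "public-bypass" otherwise, "unresolved" when nothing came back.
# $1 = space-separated CNAME/A chain as printed by `dig +short`, $2 = subnet CIDR.
classify_resolution() {
  chain="$1"; last=""
  [ -n "$chain" ] || { echo "unresolved"; return 0; }
  for hop in $chain; do last="$hop"; done
  case "$chain" in
    *privatelink.*) ;;
    *) echo "public-bypass"; return 0 ;;
  esac
  if ip_in_cidr "$last" "$2"; then echo "private"; else echo "public-bypass"; fi
}

# Resolve the account from inside the VNet (for example on a jump VM) and check.
check_from_vnet() {
  fqdn="${STORAGE}.blob.core.windows.net"
  chain=$(dig +short "$fqdn" | tr '\n' ' ')
  result=$(classify_resolution "$chain" "$SUBNET_CIDR")
  echo "$fqdn -> $chain => $result"
  [ "$result" = "private" ]
}

if [ "${1:-}" = "deploy" ]; then
  create_storage; create_private_endpoint; create_dns_zone_and_link; create_dns_zone_group
  check_from_vnet
fi
```

The DNS zone group in step 4 is what keeps the A record in sync with the endpoint's NIC, so you rarely add the record by hand; the check at the end is what catches a client that never sees the zone (unlinked VNet, or an on-premises resolver that has no conditional forwarder into Azure) and therefore lands on the public IP.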

When to Use Which

Use Service Endpoints when:

  • You only need VNet-to-service traffic (on-premises is not a requirement)
  • Cost is a concern
  • The service is in the same region

Use Private Endpoints when:

  • On-premises systems need to reach the service
  • You need the service to be completely removed from the public internet
  • Regulatory requirements mandate private-only connectivity

Exam Trap: Disabling Public Access

Setting a Storage Account to "Disable public network access" blocks ALL traffic that arrives over the public endpoint, including traffic from trusted VNets that comes in via Service Endpoints. Only Private Endpoint traffic is unaffected by this restriction, because it never touches the public endpoint.
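The two firewall configurations this trap contrasts, side by side as Azure CLI, plus a small pure-shell model of which client path each configuration admits. This is an added example rather than anything from the article; the resource group, storage account, VNet and subnet names are hypothetical placeholders, and the model deliberately ignores IP rules and the trusted-services bypass.

```shell
#!/bin/sh
# Added example (not from the article): Service Endpoint allow-listing versus
# disabling public network access on a storage account. Names are hypothetical.
set -eu

RG="rg-az500-demo"; STORAGE="stdemoaz500"; VNET="vnet-hub"; APP_SUBNET="snet-app"

# Configuration A: public endpoint stays on, default action Deny, the app subnet
# allow-listed through a Service Endpoint. Free and VNet-only, but the request
# still reaches the service over its public IP.
allow_subnet_via_service_endpoint() {
  az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$APP_SUBNET" \
    --service-endpoints Microsoft.Storage
  az storage account update -g "$RG" -n "$STORAGE" \
    --public-network-access Enabled --default-action Deny
  az storage account network-rule add -g "$RG" --account-name "$STORAGE" \
    --vnet-name "$VNET" --subnet "$APP_SUBNET"
}

# Configuration B: public network access disabled. The network rule above no
# longer helps: Service Endpoint traffic still targets the public endpoint and is
# refused there. Only a Private Endpoint (private IP) gets through.
disable_public_access() {
  az storage account update -g "$RG" -n "$STORAGE" --public-network-access Disabled
}

# Read back the two settings that decide the outcome.
show_effective_settings() {
  az storage account show -g "$RG" -n "$STORAGE" -o json --query \
    "{publicNetworkAccess:publicNetworkAccess, defaultAction:networkAcls.defaultAction, vnetRules:length(networkAcls.virtualNetworkRules)}"
}

# Model of the decision, usable without an account at hand.
#   $1 publicNetworkAccess: Enabled | Disabled
#   $2 networkAcls.defaultAction: Allow | Deny
#   $3 client path: private-endpoint | service-endpoint-allowed |
#                   service-endpoint-other | internet
# Prints "allow" or "deny".
effective_access() {
  case "$3" in
    private-endpoint) echo "allow"; return 0 ;;   # never touches the public endpoint
  esac
  if [ "$1" = "Disabled" ]; then echo "deny"; return 0; fi   # the exam trap
  if [ "$2" = "Allow" ]; then echo "allow"; return 0; fi
  case "$3" in
    service-endpoint-allowed) echo "allow" ;;   # subnet is in virtualNetworkRules
    *) echo "deny" ;;
  esac
}
```

Running `effective_access Disabled Deny service-endpoint-allowed` prints deny: the allow-listed subnet changes nothing once public access is off, which is exactly the behaviour the exam question is probing.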

Cloud Solution Architect with deep expertise in Microsoft Azure and a strong background in systems and IT infrastructure. Passionate about cloud technologies, security best practices, and helping organizations modernize their infrastructure.