Author : MD TAREQ HASSAN | Updated : 2021/04/15

See: Benefits of Azure Private Link

Azure Private Link is a secure and scalable way to create, share, and connect to Azure. All data that flows from a provider to a consumer is isolated from the internet and stays on the Microsoft back end.

Notes:

Private Endpoint

Diagram of Private Endpoint for Web App

[Image courtesy: Microsoft Doc.]

Notes:

Limitations of Private Endpoint:

More:

Private Link Center in the Azure portal

For PaaS services (e.g. an Azure storage account), Private Link Service is already enabled, so all you need to do to allow access from the VNet to the storage account is:

Service Endpoint

Use case:

A virtual machine (VM) in a VNet that needs to communicate with an Azure storage account. You can combine a service endpoint, storage account, and NSG so that traffic from a VM in a private subnet reaches the storage account without hitting the internet, the storage account blocks all traffic unless it's from that subnet, and the NSG restricts outbound traffic from the subnet to the internet.

Why use a Service Endpoint in the above use case?

Example: creating Service Endpoint for storage account

Notes:

Service Tag

Example: block internet access and allow storage account access using NSG rules (2 rules) with service tag for a VM

Source: VirtualNetwork
Destination: Service Tag
Destination service tag: Storage
Destination port ranges: * (asterisk)
Action: Allow
Priority: 100

Source: VirtualNetwork
Destination: Service Tag
Destination service tag: Internet
Destination port ranges: * (asterisk)
Action: Deny
Priority: 110
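The whole use case above (the Microsoft.Storage service endpoint on the VM subnet, a storage account firewall that denies everything except that subnet, and the two service-tag NSG rules just listed) expressed as one Bicep template. This is an added example, not the author's code; the VNet name `vnet-demo`, the subnet name and prefix, and the storage account name are assumed placeholders.

```bicep
param location string = resourceGroup().location
param storageName string = 'stprivatesubnetdemo' // assumed placeholder, must be globally unique
// The two outbound NSG rules from above: allow the Storage service tag (100), then deny Internet (110)
var outboundRules = [
  { name: 'Allow-Storage-Outbound', priority: 100, access: 'Allow', tag: 'Storage' }
  { name: 'Deny-Internet-Outbound', priority: 110, access: 'Deny', tag: 'Internet' }
]
resource nsg 'Microsoft.Network/networkSecurityGroups@2021-02-01' = {
  name: 'nsg-private-subnet'
  location: location
  properties: {
    securityRules: [for r in outboundRules: {
      name: r.name
      properties: {
        priority: r.priority
        direction: 'Outbound'
        access: r.access
        protocol: '*'
        sourceAddressPrefix: 'VirtualNetwork'
        sourcePortRange: '*'
        destinationAddressPrefix: r.tag // a service tag is accepted as the destination prefix
        destinationPortRange: '*'
      }
    }]
  }
}
resource vnet 'Microsoft.Network/virtualNetworks@2021-02-01' existing = { name: 'vnet-demo' } // assumed existing VNet
// The VM subnet: carries the Storage service endpoint and has the NSG above attached
resource subnet 'Microsoft.Network/virtualNetworks/subnets@2021-02-01' = {
  parent: vnet
  name: 'snet-private'
  properties: {
    addressPrefix: '10.0.1.0/24'
    serviceEndpoints: [ { service: 'Microsoft.Storage' } ]
    networkSecurityGroup: { id: nsg.id }
  }
}
// Storage account firewall: deny by default, allow only traffic arriving through that subnet's endpoint
resource stg 'Microsoft.Storage/storageAccounts@2021-04-01' = {
  name: storageName
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    networkAcls: {
      defaultAction: 'Deny'
      virtualNetworkRules: [ { id: subnet.id } ]
    }
  }
}
```

With `defaultAction: 'Deny'` the account's public endpoint still exists, but requests from anywhere other than the listed subnet (including the internet) are rejected at the storage firewall, while the NSG stops the VM from reaching anything else on the internet.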

VNet Integration

Note: Some services are natively deployed within a Virtual Network, so there’s no need for VNet Integration or private endpoints

Subnet Delegation

Private Endpoint vs vNet Integration

Security Hierarchy

Subnet delegation: puts the PaaS service into my VNet (e.g. SQL Managed Instance)
  Private Endpoint (Private Link): vNet private IP -> PaaS service private IP
    Service Endpoint: vNet private IP -> PaaS service public IP

Managed Identity

Azure Managed Identity

Securely Access Azure SQL Database

See: https://docs.microsoft.com/en-us/azure/architecture/example-scenario/private-web-app/private-web-app#sql-database-firewall-options