Hey everyone! Quick question here. If I have a service that uses a private endpoint (let's call it Service B, which could be a function app or logic app) and it doesn't have any public access, do I need to ensure that anything connecting to it, like Event Grid or other services, is also set up with a private endpoint? Or is it possible for them to connect if Service B has public access instead? Just trying to clarify this!
5 Answers
Yes, that's correct! If Service B only has a private endpoint, then any services connecting to it need to have private endpoints too, unless Service B allows public access or is recognized as a "trusted" service in Azure. If it does have public access, that opens up the accessibility to those external services.
Just a note: Private endpoints are typically inbound only. You can still connect via services that use VNet integration or even on-prem solutions. Plus, things like service endpoints or trusted services using the Azure backbone might work too. It all depends on what you're connecting from!
Don't forget to add private DNS records as well! It's crucial for proper resolution when using private endpoints.
Exactly! If Service B has public access, then services connecting to it don't need private endpoints. However, if it’s fully private and doesn't provide public access, all connecting services like Event Grid must also be on private endpoints to resolve addresses correctly. It's all about ensuring secure communication between your services.
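To make the "fully private plus DNS records" setup from the last two answers concrete, here is an added Bicep example (not code from any poster in this thread) that deploys Service B as a function app with public network access disabled, its private endpoint, and the private DNS zone, VNet link and zone group that callers inside the VNet need to resolve it. The app name, plan, subnet and VNet IDs are placeholder assumptions.

```bicep
// Added example, not taken from any post above. Names and IDs are placeholders.
param location string = resourceGroup().location
param appName string = 'svc-b-func-placeholder'
param planId string    // existing App Service plan for the function app (assumed)
param subnetId string  // subnet that will host the private endpoint NIC (assumed)
param vnetId string    // VNet whose callers must resolve the private address (assumed)
// Service B with its public front door closed: only private-endpoint traffic is accepted.
// Flip publicNetworkAccess to 'Enabled' when callers without private endpoints must reach it.
resource serviceB 'Microsoft.Web/sites@2022-09-01' = {
  name: appName
  location: location
  kind: 'functionapp'
  properties: {
    serverFarmId: planId
    publicNetworkAccess: 'Disabled'
  }
}
// The inbound private endpoint for the app's 'sites' sub-resource.
resource serviceBEndpoint 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: '${appName}-pe'
  location: location
  properties: {
    subnet: { id: subnetId }
    privateLinkServiceConnections: [
      {
        name: '${appName}-plsc'
        properties: { privateLinkServiceId: serviceB.id, groupIds: [ 'sites' ] }
      }
    ]
  }
}
// Private DNS: without the zone and VNet link, callers inside the VNet still resolve
// <app>.azurewebsites.net to the public address and are rejected by the closed front door.
resource sitesZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.azurewebsites.net'
  location: 'global'
}
resource sitesZoneLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: sitesZone
  name: '${appName}-link'
  location: 'global'
  properties: { virtualNetwork: { id: vnetId }, registrationEnabled: false }
}
// The zone group makes Azure write the endpoint's A record into the zone for you.
resource sitesZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: serviceBEndpoint
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [ { name: 'sites', properties: { privateDnsZoneId: sitesZone.id } } ]
  }
}
```

Anything that must call Service B from outside that VNet (Event Grid, another app, on-prem) either needs its own path onto the VNet or requires `publicNetworkAccess` to be re-enabled, as the answers above describe.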
So if both public and private access are available, it caters to both needs? Also, in my situation, Service A doesn't allow a private endpoint, so I assume Service B has to go public, right?
Usually, yes, but there are exceptions! For example, some trusted services can connect without needing a private endpoint if you grant them access. Also, diagnostic settings might auto-connect even if no public access is available, pushing logs as needed. There might be other unique cases as well!
Right, but that kind of defeats the purpose of having a private endpoint, doesn't it?