Service Endpoints vs Private Links in Azure

Oct 10, 2021 · 3 mins read · Post a comment

Microsoft Azure provides many options to approach networking, starting from Azure VPN, ExpressRoute, Azure Route Server, NVAs, and others. These are more likely to be implemented in the IaaS world. But, when it comes to PaaS, there are two services or solutions which could help us limit the access to certain resources, the Service Endpoints and Private Links.

Today’s focus will be on these two services and their key differences.

Service Endpoints

Service Endpoints allow direct and secure connectivity between resources in our VNETs and an Azure PaaS resource by using the Azure backbone network.

Even though the traffic leaves the VNET and hits the publicly available PaaS endpoint, we don’t need to have a public IP on the VNET side, since the PaaS resource works with the VNET’s private IPs.

Once we enable the Service Endpoint for a specific VNET, or subnet, as a next step, we should restrict the access to the PaaS resource from these VNETs or subnets, which means it removes the complexity of keeping up-to-date IP whitelist.

As of October 2021, Service Endpoints currently supports the following Azure services:
Azure Storage, all managed Azure Database services including CosmosDB, Azure Synapse Analytics, the Key Vault, Azure Service Bus, Event Hubs, App Services, Azure Cognitive Services, Data Lake Store Gen 1, and lately the ACR being in public preview.

Now, with Private Links, being a newer solution, it brings the PaaS resource to our VNET, by mapping the PaaS resource endpoint to a private IP from the VNET itself. This way, the PaaS resource endpoint is no longer exposed over the public internet, and the traffic doesn’t leave the VNET as well. If you need the DNS endpoint, instead of the private IP, Azure Private DNS supports this kind of integration.

You could even access the PaaS resource from an on-premise infrastructure, using ExpressRoute or Azure VPN.

Key Differences


  • Service Endpoints are exposed over the internet, which requires additional protection like Firewall implementation. Traffic leaving the VNET, means risk of eavesdropping.
  • Private Links takes the public endpoint out of the equation, and you could even control the egress traffic.


  • Service Endpoints are much easier for implementation.
  • Private Links requires additional configuration, like handling the mappings between your VNET resources and the PaaS resource.


The bandwidth and latency should be quite similar, since the traffic doesn’t leave the Azure backbone network, unless you are trying to access the resources from on-premise via Private Link and ExpressRoute or VPN, which could add extra ms.


  • Service Endpoints doesn’t cost anything.
  • Private Links includes runtime, inbound and outbound traffic costs.

Service Availability

At the time of writing, Azure Private Links are supported by more services than Service Endpoints.


With all that being said, Private Links are much better solution than Service Endpoints, so choosing Private Links is a no-brainer, just my 2 cents. On the other hand, it feels like Service Endpoints are or might be handled as a legacy thing in a near future.
Feel free to leave a comment below and if you find this tutorial useful, follow our official channel on Telegram.