Network Security - ja-guzzle/guzzle_docs GitHub Wiki
Broadly there are three mechanisms which are available: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-for-azure-services
- Dedicated instances of services running on a specific subnet - but this only works for selected PaaS services (you can create this VNet upfront for particular service types and then it can be used when creating those resources, or I assume it may even work on the fly where it creates dedicate
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
Service endpoint - Here you mark a subnet as available for a specific service endpoint, and Azure ensures all the traffic goes via the Azure backbone. This is two steps:
- create the subnet and make sure service endpoints are enabled on it
- go to the resource and use that VNet to access it
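
The two steps above as Azure CLI calls for an Azure SQL logical server. This is an added example, not part of the original wiki; every resource name and the address prefix are placeholders, and by default it is a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example: service endpoint setup for Azure SQL via the Azure CLI.
# All names and the address prefix are placeholders (assumptions).
RG="${RG:-example-rg}"
VNET="${VNET:-example-vnet}"
SUBNET="${SUBNET:-example-subnet}"
SUBNET_PREFIX="${SUBNET_PREFIX:-10.0.1.0/24}"
SQL_SERVER="${SQL_SERVER:-example-sqlserver}"

# DRY_RUN=1 (the default) prints each command; DRY_RUN=0 executes it.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 1: create the subnet with the Microsoft.Sql service endpoint enabled.
enable_service_endpoint() {
  run az network vnet subnet create \
    --resource-group "$RG" --vnet-name "$VNET" --name "$SUBNET" \
    --address-prefixes "$SUBNET_PREFIX" \
    --service-endpoints Microsoft.Sql
}

# Step 2: on the resource (the SQL server), allow access from that subnet.
allow_subnet_on_sql_server() {
  run az sql server vnet-rule create \
    --resource-group "$RG" --server "$SQL_SERVER" \
    --name "allow-$SUBNET" \
    --vnet-name "$VNET" --subnet "$SUBNET"
}

# Check: list which service endpoints the subnet actually has enabled.
show_subnet_endpoints() {
  run az network vnet subnet show \
    --resource-group "$RG" --vnet-name "$VNET" --name "$SUBNET" \
    --query "serviceEndpoints[].service" --output tsv
}

enable_service_endpoint
allow_subnet_on_sql_server
show_subnet_endpoints
```

Run with `DRY_RUN=0` after `az login` to apply the changes; the last command should then list `Microsoft.Sql` for the subnet.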
Private link - this is more sophisticated
This explains how it works: https://docs.microsoft.com/en-us/azure/private-link/private-link-overview
The subnet you choose for private links cannot have service endpoints enabled
Basically you are running a sort of endpoint on your VNet which has a private link to a particular instance of an Azure resource (to me, it appears like NATing or port forwarding, where your traffic will be tunnelled through that private endpoint to the PaaS service)
Gives tighter control over which resources are included in the private network
Once I did this I sort of got a private IP for my SQL Server (private endpoints are supported for Storage accounts and SQL Server now)
For new resources, when you create a SQL Server DB (not the server) it will ask you this:
And then you can select Private link