What is a Private Endpoint?
- A private endpoint is a network interface in a subnet that connects privately to the Azure service powered by Private Link by using a private IP of that virtual network.
- This approach is commonly used when organizations want to access PaaS services privately from Azure virtual machines, peered virtual networks, or on-premises networks connected through VPN or ExpressRoute, while reducing exposure to the public internet.
- Typical use cases include accessing Azure SQL Database privately from an application subnet, exposing Azure Storage only to internal workloads, and securing sensitive services such as Key Vault for regulated or internal-only workloads.
- In hub-and-spoke designs, private endpoints are also popular because they let application teams consume shared Azure services over private IP addressing instead of relying on public access and service-level firewall rules.
What is the default behavior with NSG and private endpoint?
The NSG and route policies for private endpoints are disabled on the subnet by default, so traffic to a private endpoint is not filtered by NSG rules on that subnet unless private endpoint network policies are explicitly enabled.
This design exists because Azure automatically creates system-generated routes for private endpoints, and these routes direct traffic straight to the private endpoint.
In practice, that means a workload can reach the private endpoint even if the subnet NSG appears restrictive, because the private endpoint subnet does not evaluate NSG rules by default. It also means user-defined routes and network virtual appliances are not inserted into the traffic path for that private endpoint traffic unless the relevant private endpoint network policies are turned on for the subnet.
Private endpoint network policy option
Azure supports subnet-level private endpoint network policies, and they can be configured to enable NSG support, route table (UDR) support, both, or neither (disabled).
- Disabled.
This is the default behavior for most deployments. With the policy disabled, NSGs and user-defined routes do not apply to private endpoints in that subnet, and Azure keeps using the system-created routing behavior to send traffic directly to the private endpoint.
- Network Security Groups.
This option enables NSG evaluation for private endpoints in the subnet while leaving routing behavior otherwise unchanged. It is useful when the goal is to allow or deny traffic to the private endpoint by source, destination, port, and protocol without redesigning the route path through another hop.
- Route tables only, or both NSG and route tables.
Azure also allows route table support only, or both route tables and NSGs together, so organizations can steer private endpoint traffic through an approved inspection path while also applying security filtering at the subnet level. This is especially relevant in environments that use Azure Firewall or another network virtual appliance and need private endpoint traffic to follow custom routing.
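The default behavior described above (an NSG or route table attached to the subnet is silently ignored for private endpoint traffic while the policy is disabled, or only partly applied with the NSG-only and route-table-only options) is easy to misread from the portal, because the attachment is visible but has no effect. The following Python script is an added example, not code from the original page or from Microsoft. It audits subnet records shaped like the JSON that `az network vnet subnet list -o json` returns (here a constructed sample), reports subnets that host private endpoints but whose attached NSG or route table does not actually govern that traffic, and builds the remediation command for each. The policy value names (`Disabled`, `Enabled`, `NetworkSecurityGroupEnabled`, `RouteTableEnabled`) and the `--private-endpoint-network-policies` flag are taken from the Azure CLI reference as I know it and should be checked against your CLI version; the resource group, VNet and subnet names are made up.

```python
"""Audit which subnet controls actually apply to private endpoint traffic.

Added example: subnet records are constructed to mirror `az network vnet subnet list -o json`
output; policy value names and the CLI flag are assumed from the Azure CLI reference.
"""

# For each privateEndpointNetworkPolicies value (assumed from the Azure docs/CLI), which of the
# subnet's attachments are evaluated for traffic destined to private endpoints in that subnet.
POLICY_EFFECT = {
    "Disabled": {"nsg": False, "udr": False},                 # Azure default: system route wins
    "NetworkSecurityGroupEnabled": {"nsg": True, "udr": False},
    "RouteTableEnabled": {"nsg": False, "udr": True},
    "Enabled": {"nsg": True, "udr": True},
}

# Constructed sample: four subnets in a made-up VNet "vnet-hub" in resource group "rg-demo".
_NSG = "/subscriptions/<sub-id>/resourceGroups/rg-demo/providers/Microsoft.Network/networkSecurityGroups/nsg-pe"
_RT = "/subscriptions/<sub-id>/resourceGroups/rg-demo/providers/Microsoft.Network/routeTables/rt-to-firewall"
_PE = "/subscriptions/<sub-id>/resourceGroups/rg-demo/providers/Microsoft.Network/privateEndpoints/pe-sql"
SAMPLE_SUBNETS = [
    # Application subnet: NSG attached, no private endpoints, so policy setting is irrelevant here.
    {"name": "snet-app", "addressPrefix": "10.10.1.0/24", "privateEndpointNetworkPolicies": "Disabled",
     "networkSecurityGroup": {"id": _NSG}, "routeTable": None, "privateEndpoints": None},
    # Endpoint subnet left at the default: the attached NSG is not evaluated for the endpoint.
    {"name": "snet-pe", "addressPrefix": "10.10.2.0/24", "privateEndpointNetworkPolicies": "Disabled",
     "networkSecurityGroup": {"id": _NSG}, "routeTable": None, "privateEndpoints": [{"id": _PE}]},
    # NSG-only policy: NSG applies, but the route table to the firewall is ignored.
    {"name": "snet-pe-nsg", "addressPrefix": "10.10.3.0/24",
     "privateEndpointNetworkPolicies": "NetworkSecurityGroupEnabled",
     "networkSecurityGroup": {"id": _NSG}, "routeTable": {"id": _RT}, "privateEndpoints": [{"id": _PE}]},
    # Both enabled: NSG filtering and custom routing both take effect.
    {"name": "snet-pe-full", "addressPrefix": "10.10.4.0/24", "privateEndpointNetworkPolicies": "Enabled",
     "networkSecurityGroup": {"id": _NSG}, "routeTable": {"id": _RT}, "privateEndpoints": [{"id": _PE}]},
]


def effective_controls(subnet):
    """Return whether the subnet's NSG / route table actually govern private endpoint traffic."""
    policy = subnet.get("privateEndpointNetworkPolicies") or "Disabled"  # absent field means default
    if policy not in POLICY_EFFECT:
        raise ValueError("unknown privateEndpointNetworkPolicies value: %r" % policy)
    effect = POLICY_EFFECT[policy]
    has_nsg = subnet.get("networkSecurityGroup") is not None
    has_rt = subnet.get("routeTable") is not None
    return {
        "policy": policy,
        "nsg_attached": has_nsg,
        "nsg_effective": has_nsg and effect["nsg"],
        "route_table_attached": has_rt,
        "route_table_effective": has_rt and effect["udr"],
    }


def audit(subnets):
    """List (subnet name, problem) for subnets hosting private endpoints whose controls are not applied."""
    findings = []
    for subnet in subnets:
        if not subnet.get("privateEndpoints"):
            continue  # no private endpoints in this subnet, nothing to check
        ctl = effective_controls(subnet)
        if ctl["nsg_attached"] and not ctl["nsg_effective"]:
            findings.append((subnet["name"],
                             "NSG attached but not evaluated for private endpoint traffic (policy %s)" % ctl["policy"]))
        if ctl["route_table_attached"] and not ctl["route_table_effective"]:
            findings.append((subnet["name"],
                             "route table attached but not applied; the system route to the endpoint takes precedence (policy %s)" % ctl["policy"]))
    return findings


def remediation_command(resource_group, vnet_name, subnet_name, nsg=True, udr=False):
    """Build the az CLI command that sets the wanted policy (flag name assumed from the CLI reference)."""
    value = {(True, True): "Enabled", (True, False): "NetworkSecurityGroupEnabled",
             (False, True): "RouteTableEnabled", (False, False): "Disabled"}[(nsg, udr)]
    return ("az network vnet subnet update -g %s --vnet-name %s -n %s "
            "--private-endpoint-network-policies %s" % (resource_group, vnet_name, subnet_name, value))


if __name__ == "__main__":
    for name, problem in audit(SAMPLE_SUBNETS):
        print("%s: %s" % (name, problem))
        print("  fix: " + remediation_command("rg-demo", "vnet-hub", name, nsg=True, udr=True))
```

In a real run, replace `SAMPLE_SUBNETS` with the parsed output of `az network vnet subnet list -g <rg> --vnet-name <vnet> -o json`; whether a finding is a misconfiguration or the intended design depends on whether the NSG or route table was attached with the expectation that it would apply to the endpoint.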
The Practice.
Use private endpoints for services that should not be reachable over the public internet, especially data services such as Azure SQL, Storage, and Key Vault. Create dedicated subnets for private endpoints where possible, because that keeps policy behavior clear, simplifies operations, and helps avoid mixing application NICs and endpoint NICs in the same subnet. instead of the default /32 route preference.
Leave private endpoint network policies disabled unless there is a clear requirement to apply NSGs, UDRs, or traffic inspection to the endpoint subnet. When policies are required, test the routing path carefully, because private endpoint traffic and return traffic can behave differently than regular VM-to-VM flows, especially in hub-and-spoke environments with peering and Azure Firewall.
References
https://learn.microsoft.com/en-us/azure/private-link/disable-private-endpoint-network-policy?tabs=network-policy-portal
