This is an incredibly well done video that clearly explains the feature, use case and even where the feature can't be used and what could be used instead. I'm now a subscriber and will be looking forward to more of your videos in the future!

Brilliant, creative, and informative. This is how teaching should be done, always starting with the use case and ending with the solution or feature

Don't have word to praise you buddy. Totally awesome... Thanks a lot.

Loved your explanation using real world examples, nicely done!

Great content.very well explained....keep going...u r the gem in teaching

The narrator mentions 'azure sql' but that isn't displayed. Is he referring to the blob storage? If yes then he should use consistent terminology in the video

great work brother... #respect

The background music made me feel like in kindergarden :D,I really needed simple explanation. thank you:D

Great explanation. well structured with explanation of why and how. One question when you define Service end ponint policy, you dont need to attach it to storage?

Good quality stuff, thanks

How can the VM make outbound connection to internet, when the NSG is only allowing outbound traffic to storage account

Good.. I have a doubt with service endpoint, can we not directly allow subnet in the firewall. Then any requests which is getting into storage account will have access from the subnet

Why route the traffic from the webserver through on-premise in the first place? Why not create another subnet, with a public internet facing firewall and have it route through that?

4:46 Why would the VM start connecting to public internet suddenly. Can anyone explain?

At 4:37, you mentioned that the communication between VM and blob storage happens over Microsoft backbone. I have a question here. Do you mean to say that adding the client IP address of VM as a firewall rule in storage account, will automatically route the traffic through Microsoft backbone? What if the client IP address I am adding in the firewall rule is the IP address of my PC at home? In that case also, will the communication happen over Microsoft backbone? Sorry, I am little confused here.

Great Job!

Thanks Sir, Simple and precise explanation. is it possible to share the name of software you used to create this video? Also do you have a video showing the one to one mapping of traditional network and azure virtual network as it is a bit confusing to understand?

How does the VM make outbound connections to the internet after you add a rule to allow 443 to Storage.EastUS? The next rule denies all outbound to the Internet. So if they traffic isn't 443, or isn't destined for Storage.EastUS it will be denied.

Wow!!!!

This is really good. My only suggestion is to remove the music in the background. You have a clear way of explaining and the music is distracting

As you stated, a video explained in plain English with a wonderful use case demo. The question I have is what service would I used if I want to limit access to the storage account from the subnet in the VNET and also allow public access locked down via ACL? Would that be where private endpoint/link is used? To clarify, is Service endpoint only used when you want to eliminate public access to the storage account? Thx again!

I'm thinking "how would I explain service endpoint to my grandma" - and I see this. Brilliant video - simple, crisp and beautifully narrated !

Great Explanation, thank you very much! I have a question, In the last scenario before defining the "Service Endpoint Policies", how can a VM connect to any storage resource within the region? we had to make a step of adding the Vnet to the storage instance in our RG, and we didn't do it for any other storage resource, so how will it be able to connect to other? Thanks!

You made a super clear, easy-to-understand video. I watched the private link video too and subscribed your channel. I can't thank you enough. You are awesome.

@cloud-monk this is a great video. Wondering if you are still active? Regarding the exfiltration service policy, if I have multiple Azure subscriptions, will the service policy work if the storage exists in a different subscription? In the example you showed, the service policy allows for single storage account or all storage accounts or storage accounts related to a resource group. Appreciate your feedback.

Once Service Endpoints are enabled, is it must to add an NSG Outbound entry to destination "Storage.Region" if I have an outbound block to any destinations in my NSG? My NSG currently blocks all outbound traffic and then allows outbound traffic only to a set of known Private IP subnets. Also, what about some storage accounts which get created when enabling certain services in Azure (eg. boot diagnostics). How would I know where the data is coming from to these Storage Accounts? Simply put, my situation is, I have several storage accounts that are created in the past, and now I need to limit access to them from my Vnets without hitting the public internet. I am afraid that enabling service accounts might disrupt something as I am not very sure what writes data to those storage accounts as some of them were created by a previous Azure Administrator who worked with the company before I joined.

Amazing Videos Sir and thanks a lot for providing the same to us ok n free. Sir Could you please create some detailed videos on RBAC, Azure Internet Net and Troubleshooting. By troubleshoot i mean if i am not able to communicate to some virtual machines or any services or any outside network, how to troubleshoot using Azure tools. It would be a great help sir 🙂. pl. Stay Safe..!!

At 4:56,you said that vm making outbound calls to the public internet. How can that be possible,since you defined only 1 rule to access storage account and all other internet outbound is blocked by your NSG rules.

I must say Anand since the time you have stopped making videos Azure has become complex for us. please get back soon. your Fan !

What a video, excellent work anand , keep your great working coming , thanks a ton for making this video sharing.

Unexpectedly amazing lesson! I'm glad I accidentally came across it! Well done.

Very good visuals. Do you have similar video on Private Link service and private endpoint?

Really good explanation with subtle hints on the routing preference in Azure plus the benefit if locking down PaaS access with the help of outbound NSG rules. Visuals help a broad range of audience as well

Too complicated and sjitty explaination. Bwahah

How is a service-endpoint-policy tied to a specific service-endpoint ?

I am amazed by the ease with which you have explained it. Would you mind answering the following questoin. As soon as we add a service endpoint for a PaaS service, does that service gets allocated in one of the subnet of the virtual network or its IP is still out of the Virtual Network ?

Excellent explanation! Thank you so much!

Awesome explanation and very creative way to explain. Thank you!

Hi quality video content and hope you make more frequent Azure videos like this one. Many thanks 😊👌

Thank You for your precious 5 mins video..

Hello. How to undo the process? I have tried to create a service endpoints and it was successfully deployed, however, when I tried to undo the process because I wanted to access file share storage again via public ip address I can't access it anymore even though I deleted the vnet and service endpoints. Also I have tried to create new file share it doesn't allow me to create a new one. Hope you can help me. Thank you.

Really nice video...keep up the good work!

I LOVE ridiculously simple! It is so effective and efficient to teach after building a foundation of understanding the "why". Great job Anand, thank you!

Great video... 11 minutes though :)

can you make a video on the forced tunneling route to route all azure internet request to go through on-prem?

subscribed

Please keep posting such informational videos regularly 👍🏼

Fantastic job with this video mate. If you keep this quality up, your channel will definitely grow!

Very handy. Thanks for creating and sharing.

at 5:00 can't we restrict the outbound connections from vm to the public internet?

brilliantly explain!!!🤩

I have 2 questions: 1:27, the Private IP of the VM is translated to Public Ip due to a NAT gateway? 4:47, VM is making outbound calls to the internet but NSG has a deny outbound rule for public internet.

Except for private link / private endpoint, according to MS document, you can also use NAT IP addresses to access service endpoints (for Azure Storage) from on premise network.

What is private endpoint?

Excellent Job ! Thanks for sharing the info. Please keep making more videos.

too deep for me to understand

Man I can't believe how you can make things so clear in your head prior to creating this content. You're some kind of training genius.

well done! The explanation is simply straightforward! Subscribed!

Great explanation.

Love you monk. :)

Hi, Firstly thank you for the very simple explanation of service endpoints. I had a question regarding 1 point that you mentioned in your video, that if i implement forced tunneling , the traffic from the subnet to the azure service will also be routed to onpremise. However the microsoft documentation states that service endpoints always take the optimal route , and the traffic is sent directly from the subnet to the azure service even if there is forced tunelling implemented, thus the traffic does not have to leave the microsoft azure backbone network.

good one

Excellent video - thank you

data exfiltration! oh crap! I'll never forget what I've learnt in this video 🤣👍

thank you

very well explained . best part is the used case which for newbee's like me at times is difficult to comprehend .

Super ..

super clear. what are the editing tools used ? The pictures, diagrams look so simple and intuitive

just amazing explanation!!

Excellent! Congratulations for this amazing explanation!

Great vid, was very easy to follow, appreciate you taking the time to put this together. The only question I had was when you gave the example of egress traffic you specified in the outbound rules to allow storage traffic which you said traversed the Azure backbone network but then mentioned other traffic leaving the VM for the internet. In your outbound ACL it looked like you had that locked down so I was wondering how that would be possible, wouldn't the ACL stop any other traffic egressing to the inet from the VM?

Thanks. Great video. My question is do you need to link the endpoint service policy to the subnet or end point service? If not, how does the endpoint service policy know which subnet to apply?

No words for this amazing stuff. I was just wondering if you conduct online trainings too. Pls reply. Thnks

Hi Anand, really liked your video and the way you explained. You are doing amazing work.

Just loved the simplicity!!!

awsome! very well explained!

Superb pin to pin explanation I am new to Azure and your explanation is just wow!!! can you please post videos on Azure probably more focused on Certification and concepts.

Thank you so much! Amazing explanation!

This is one of most simple and helpful video to learn! Thank you!!

This is an awesome explanation. Thank you so much for this.

@1:04 "And the azure sequel does not" Why is azure sql mentioned here?