This is an incredibly well done video that clearly explains the feature, use case and even where the feature can't be used and what could be used instead. I'm now a subscriber and will be looking forward to more of your videos in the future!

I'm thinking "how would I explain service endpoint to my grandma" - and I see this. Brilliant video - simple, crisp and beautifully narrated !

You made a super clear, easy-to-understand video. I watched the private link video too and subscribed your channel. I can't thank you enough. You are awesome.

Man I can't believe how you can make things so clear in your head prior to creating this content. You're some kind of training genius.

I LOVE ridiculously simple! It is so effective and efficient to teach after building a foundation of understanding the "why". Great job Anand, thank you!

Please keep posting such informational videos regularly 👍🏼

Don't have word to praise you buddy. Totally awesome... Thanks a lot.

Brilliant, creative, and informative. This is how teaching should be done, always starting with the use case and ending with the solution or feature

What a video, excellent work anand , keep your great working coming , thanks a ton for making this video sharing.

Fantastic job with this video mate. If you keep this quality up, your channel will definitely grow!

Really good explanation with subtle hints on the routing preference in Azure plus the benefit if locking down PaaS access with the help of outbound NSG rules. Visuals help a broad range of audience as well

Just loved the simplicity!!!

Thank You for your precious 5 mins video..

Unexpectedly amazing lesson! I'm glad I accidentally came across it! Well done.

well done! The explanation is simply straightforward! Subscribed!

Awesome explanation and very creative way to explain. Thank you!

Excellent explanation! Thank you so much!

As you stated, a video explained in plain English with a wonderful use case demo. The question I have is what service would I used if I want to limit access to the storage account from the subnet in the VNET and also allow public access locked down via ACL? Would that be where private endpoint/link is used? To clarify, is Service endpoint only used when you want to eliminate public access to the storage account? Thx again!

At 4:37, you mentioned that the communication between VM and blob storage happens over Microsoft backbone. I have a question here. Do you mean to say that adding the client IP address of VM as a firewall rule in storage account, will automatically route the traffic through Microsoft backbone? What if the client IP address I am adding in the firewall rule is the IP address of my PC at home? In that case also, will the communication happen over Microsoft backbone? Sorry, I am little confused here.

Great Explanation, thank you very much! I have a question, In the last scenario before defining the "Service Endpoint Policies", how can a VM connect to any storage resource within the region? we had to make a step of adding the Vnet to the storage instance in our RG, and we didn't do it for any other storage resource, so how will it be able to connect to other? Thanks!

Loved your explanation using real world examples, nicely done!

Really nice video...keep up the good work!

very well explained . best part is the used case which for newbee's like me at times is difficult to comprehend .

brilliantly explain!!!🤩

I have 2 questions: 1:27, the Private IP of the VM is translated to Public Ip due to a NAT gateway? 4:47, VM is making outbound calls to the internet but NSG has a deny outbound rule for public internet.

just amazing explanation!!

Excellent! Congratulations for this amazing explanation!

Great content.very well explained....keep going...u r the gem in teaching

At 4:56,you said that vm making outbound calls to the public internet. How can that be possible,since you defined only 1 rule to access storage account and all other internet outbound is blocked by your NSG rules.

Excellent Job ! Thanks for sharing the info. Please keep making more videos.

I am amazed by the ease with which you have explained it. Would you mind answering the following questoin. As soon as we add a service endpoint for a PaaS service, does that service gets allocated in one of the subnet of the virtual network or its IP is still out of the Virtual Network ?

Hi Anand, really liked your video and the way you explained. You are doing amazing work.

This is one of most simple and helpful video to learn! Thank you!!

Great explanation.

Very handy. Thanks for creating and sharing.

Very good visuals. Do you have similar video on Private Link service and private endpoint?

great work brother... #respect

awsome! very well explained!

Hi quality video content and hope you make more frequent Azure videos like this one. Many thanks 😊👌

@cloud-monk this is a great video. Wondering if you are still active? Regarding the exfiltration service policy, if I have multiple Azure subscriptions, will the service policy work if the storage exists in a different subscription? In the example you showed, the service policy allows for single storage account or all storage accounts or storage accounts related to a resource group. Appreciate your feedback.

I must say Anand since the time you have stopped making videos Azure has become complex for us. please get back soon. your Fan !

Thank you so much! Amazing explanation!

This is an awesome explanation. Thank you so much for this.

Great explanation. well structured with explanation of why and how. One question when you define Service end ponint policy, you dont need to attach it to storage?

Excellent video - thank you

at 5:00 can't we restrict the outbound connections from vm to the public internet?

Hi, Firstly thank you for the very simple explanation of service endpoints. I had a question regarding 1 point that you mentioned in your video, that if i implement forced tunneling , the traffic from the subnet to the azure service will also be routed to onpremise. However the microsoft documentation states that service endpoints always take the optimal route , and the traffic is sent directly from the subnet to the azure service even if there is forced tunelling implemented, thus the traffic does not have to leave the microsoft azure backbone network.

4:46 Why would the VM start connecting to public internet suddenly. Can anyone explain?

Good quality stuff, thanks

Except for private link / private endpoint, according to MS document, you can also use NAT IP addresses to access service endpoints (for Azure Storage) from on premise network.

Great vid, was very easy to follow, appreciate you taking the time to put this together. The only question I had was when you gave the example of egress traffic you specified in the outbound rules to allow storage traffic which you said traversed the Azure backbone network but then mentioned other traffic leaving the VM for the internet. In your outbound ACL it looked like you had that locked down so I was wondering how that would be possible, wouldn't the ACL stop any other traffic egressing to the inet from the VM?

Good.. I have a doubt with service endpoint, can we not directly allow subnet in the firewall. Then any requests which is getting into storage account will have access from the subnet

Once Service Endpoints are enabled, is it must to add an NSG Outbound entry to destination "Storage.Region" if I have an outbound block to any destinations in my NSG? My NSG currently blocks all outbound traffic and then allows outbound traffic only to a set of known Private IP subnets. Also, what about some storage accounts which get created when enabling certain services in Azure (eg. boot diagnostics). How would I know where the data is coming from to these Storage Accounts? Simply put, my situation is, I have several storage accounts that are created in the past, and now I need to limit access to them from my Vnets without hitting the public internet. I am afraid that enabling service accounts might disrupt something as I am not very sure what writes data to those storage accounts as some of them were created by a previous Azure Administrator who worked with the company before I joined.

The background music made me feel like in kindergarden :D,I really needed simple explanation. thank you:D

super clear. what are the editing tools used ? The pictures, diagrams look so simple and intuitive

The narrator mentions 'azure sql' but that isn't displayed. Is he referring to the blob storage? If yes then he should use consistent terminology in the video

Love you monk. :)

Thanks. Great video. My question is do you need to link the endpoint service policy to the subnet or end point service? If not, how does the endpoint service policy know which subnet to apply?

Thanks Sir, Simple and precise explanation. is it possible to share the name of software you used to create this video? Also do you have a video showing the one to one mapping of traditional network and azure virtual network as it is a bit confusing to understand?

How can the VM make outbound connection to internet, when the NSG is only allowing outbound traffic to storage account

Superb pin to pin explanation I am new to Azure and your explanation is just wow!!! can you please post videos on Azure probably more focused on Certification and concepts.

Great Job!

Why route the traffic from the webserver through on-premise in the first place? Why not create another subnet, with a public internet facing firewall and have it route through that?

How does the VM make outbound connections to the internet after you add a rule to allow 443 to Storage.EastUS? The next rule denies all outbound to the Internet. So if they traffic isn't 443, or isn't destined for Storage.EastUS it will be denied.

can you make a video on the forced tunneling route to route all azure internet request to go through on-prem?

How is a service-endpoint-policy tied to a specific service-endpoint ?

No words for this amazing stuff. I was just wondering if you conduct online trainings too. Pls reply. Thnks

Hello. How to undo the process? I have tried to create a service endpoints and it was successfully deployed, however, when I tried to undo the process because I wanted to access file share storage again via public ip address I can't access it anymore even though I deleted the vnet and service endpoints. Also I have tried to create new file share it doesn't allow me to create a new one. Hope you can help me. Thank you.

Amazing Videos Sir and thanks a lot for providing the same to us ok n free. Sir Could you please create some detailed videos on RBAC, Azure Internet Net and Troubleshooting. By troubleshoot i mean if i am not able to communicate to some virtual machines or any services or any outside network, how to troubleshoot using Azure tools. It would be a great help sir 🙂. pl. Stay Safe..!!

data exfiltration! oh crap! I'll never forget what I've learnt in this video 🤣👍

subscribed

Great video... 11 minutes though :)

good one

thank you

@1:04 "And the azure sequel does not" Why is azure sql mentioned here?

What is private endpoint?

Super ..

Wow!!!!

I love your approach to explaing Why and How. But please get rid of the distracting cheesy music. It offers no value to an otherwise professional IT presentation. Also, I believe you have to apply the policy to 1 or more subnets for this to have any affect, right?

Too complicated and sjitty explaination. Bwahah

too deep for me to understand