Azure Networking: Private Link, Service Endpoints, and Bastion
Key Takeaways
- Azure Private Link projects a PaaS service into your VNet as a private endpoint with a private IP, so traffic never touches the public internet.
- Service Endpoints keep the service's public IP but restrict access to traffic originating from your VNet, and they are free.
- Azure Bastion gives browser-based RDP and SSH over TLS to VMs with no public IP and no open inbound 3389/22 ports.
- Private Link offers data-exfiltration protection and on-premises reachability over VPN or ExpressRoute; Service Endpoints do not.
- Bastion must be deployed into a dedicated subnet named AzureBastionSubnet within the target VNet.
Quick Answer: Private Link = a PaaS service gets a private IP inside your VNet (a private endpoint); traffic stays on the Microsoft backbone. Service Endpoint = the service keeps its public IP but only accepts traffic from your VNet (and it is free). Azure Bastion = browser-based RDP/SSH over TLS to VMs with no public IP and no open management ports.
Azure Private Link and private endpoints
By default an Azure PaaS service such as Storage or SQL Database exposes a public endpoint. Azure Private Link removes that exposure by creating a private endpoint: a network interface (NIC) that takes a private IP from your subnet and maps to one specific resource instance, such as a single storage account or SQL server.
How it works
- The private endpoint gets a private IP from your VNet's address space.
- Traffic from your VNet to the service stays entirely on the Microsoft backbone network — it never traverses the public internet.
- Because the private endpoint maps to one specific resource rather than the whole service, the resource is no longer reachable from the public internet through that endpoint, and you get data-exfiltration protection: a client in the VNet can only reach that one resource, not other accounts of the same service type.
- Private DNS resolves the service FQDN to the private IP, so existing connection strings keep working.
- On-premises systems can reach the private endpoint over VPN Gateway or ExpressRoute.
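The DNS behaviour above is what you verify after deploying a private endpoint: from inside the VNet the service FQDN should resolve through the `privatelink.` zone to an address in your VNet range, and a public answer means traffic is still leaving the backbone. The following check is an added example, not code from the page or from Microsoft; the hostnames, addresses and the `SAMPLE_DNS` answers are constructed stand-ins for what a VM's resolver would return.

```python
import ipaddress
from typing import Callable, Dict, List

# Constructed resolver answers (hypothetical names). Real private-endpoint DNS
# follows the same shape: <name>.<service> -> <name>.privatelink.<service> -> private IP.
SAMPLE_DNS: Dict[str, str] = {
    "patientdb.database.windows.net": "patientdb.privatelink.database.windows.net",
    "patientdb.privatelink.database.windows.net": "10.20.1.7",
    "reports.blob.core.windows.net": "20.60.1.5",          # no private endpoint
    "stale.blob.core.windows.net": "stale.privatelink.blob.core.windows.net",
    "stale.privatelink.blob.core.windows.net": "10.99.0.4",  # private IP, but not ours
}


def resolve_chain(name: str, lookup: Callable[[str], str], max_hops: int = 8) -> List[str]:
    """Follow CNAME-style answers until the resolver hands back an IP address."""
    chain = [name]
    for _ in range(max_hops):
        answer = lookup(chain[-1])
        chain.append(answer)
        try:
            ipaddress.ip_address(answer)
            return chain          # reached a terminal A/AAAA answer
        except ValueError:
            continue              # still a hostname, keep following
    raise RuntimeError(f"no address after {max_hops} hops for {name}")


def classify(fqdn: str, vnet_cidr: str, lookup: Callable[[str], str]) -> str:
    """Decide whether a PaaS FQDN is reached through a private endpoint in this VNet."""
    vnet = ipaddress.ip_network(vnet_cidr)
    chain = resolve_chain(fqdn, lookup)
    ip = ipaddress.ip_address(chain[-1])
    via_privatelink = any(".privatelink." in hop for hop in chain[:-1])
    if ip in vnet and via_privatelink:
        return "private-endpoint"
    if ip.is_private:
        # Reached a private address that is not in our VNet: typically a peered
        # VNet's endpoint or a private DNS zone linked to the wrong network.
        return "private-ip-outside-vnet"
    return "public"               # service endpoint or no restriction at all


if __name__ == "__main__":
    for host in ("patientdb.database.windows.net", "reports.blob.core.windows.net"):
        print(host, "->", classify(host, "10.20.0.0/16", SAMPLE_DNS.__getitem__))
```

With a live resolver the `lookup` callable must return CNAME targets (for example via a DNS library), because `socket.gethostbyname` collapses the chain and returns only the final IP.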
VNet Service Endpoints
A Service Endpoint extends your VNet identity to an Azure service over an optimized route. The service still uses its public IP, but its firewall can be configured to accept traffic only from your chosen subnets. There is no per-hour or per-GB charge.
Private Link vs. Service Endpoints
| Feature | Private Link (private endpoint) | Service Endpoint |
|---|---|---|
| Service IP | Private IP in your VNet | Service keeps its public IP |
| Internet exposure | None through the endpoint | Service remains internet-facing |
| On-premises access | Yes, via VPN/ExpressRoute | Not directly |
| Exfiltration protection | Yes, scoped to one resource | Limited |
| Granularity | Per resource | Per service type |
| Cost | Per-hour + per-GB | Free |
| Best for | Production, strict isolation | Cost-sensitive dev/test |
Worked example: A healthcare app stores patient records in Azure SQL Database and must guarantee that the database is unreachable from the public internet. A Service Endpoint still leaves the database on a public IP (just firewalled), which auditors may reject. A private endpoint gives the database a private IP inside the VNet and is the correct, audit-friendly choice.
Azure Bastion
The classic way to administer a VM is to give it a public IP and open RDP (3389) or SSH (22). That is a large attack surface and a common breach vector. Azure Bastion is a fully managed, platform-as-a-service jump host that you deploy into the VNet.
How it works
- Deploy Bastion into a dedicated subnet named AzureBastionSubnet (the name is required, minimum /26).
- From the Azure portal, click Connect on any VM in that VNet or a peered VNet.
- RDP/SSH runs over TLS inside your browser — no client install, no public IP on the VM.
- Inbound 3389/22 stay closed to the internet; Bastion is hardened and patched by Microsoft.
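The subnet requirement in the first step is the one most often got wrong in practice, so it is worth checking the VNet layout before deployment: the subnet must carry the exact name, be at least a /26, sit inside the VNet's address space and overlap nothing else. This validator is an added example, not code from the page or from Microsoft; the CIDRs used in the sample call are constructed.

```python
import ipaddress
from typing import Dict, List

BASTION_SUBNET_NAME = "AzureBastionSubnet"   # exact name is mandatory
BASTION_MAX_PREFIXLEN = 26                   # /26 or larger (a smaller number = bigger block)


def check_bastion_subnet(vnet_cidrs: List[str], subnets: Dict[str, str]) -> List[str]:
    """Return the list of problems found; an empty list means the layout is valid.

    vnet_cidrs: the VNet's address space(s); subnets: subnet name -> CIDR prefix.
    """
    problems: List[str] = []
    cidr = subnets.get(BASTION_SUBNET_NAME)
    if cidr is None:
        return [f"no subnet named {BASTION_SUBNET_NAME!r} (the name is mandatory)"]
    try:
        bastion = ipaddress.ip_network(cidr, strict=True)   # reject host bits set
    except ValueError as exc:
        return [f"{cidr} is not a valid subnet prefix: {exc}"]
    if bastion.prefixlen > BASTION_MAX_PREFIXLEN:
        problems.append(f"{cidr} is /{bastion.prefixlen}; Bastion needs /26 or larger")
    vnets = [ipaddress.ip_network(c) for c in vnet_cidrs]
    if not any(bastion.subnet_of(v) for v in vnets):
        problems.append(f"{cidr} is not inside the VNet address space {vnet_cidrs}")
    for name, other in subnets.items():
        if name != BASTION_SUBNET_NAME and bastion.overlaps(ipaddress.ip_network(other)):
            problems.append(f"{cidr} overlaps subnet {name!r} ({other}); Bastion needs a dedicated subnet")
    return problems


if __name__ == "__main__":
    # Constructed layout: a /16 VNet with a workload subnet and a correctly sized Bastion subnet.
    layout = {"workload": "10.20.1.0/24", BASTION_SUBNET_NAME: "10.20.255.0/26"}
    print(check_bastion_subnet(["10.20.0.0/16"], layout) or "AzureBastionSubnet layout OK")
```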
| Benefit | Why it matters |
|---|---|
| No public IP on VMs | Removes the most common internet attack surface |
| No open RDP/SSH ports | NSGs can deny inbound management ports |
| TLS in the browser | No VPN or local RDP/SSH client needed |
| Microsoft-managed hardening | Protected against port-scanning and zero-days |
Where these fit in defense in depth
These three features each remove a different attack surface, and the exam likes to test which one solves a given problem. Think of them as layers:
| Concern | Right feature |
|---|---|
| Stop a PaaS service from being internet-reachable at all | Private Link / private endpoint |
| Allow a PaaS service but only from my VNet, at no cost | Service Endpoint |
| Administer VMs without exposing 3389/22 to the internet | Azure Bastion |
| Filter and inspect outbound traffic centrally | Azure Firewall (managed, stateful) |
| Filter traffic at the subnet or NIC level | Network Security Group (NSG) rules |
Decision flow for a PaaS access question: If the requirement is "the service must have no public exposure" or "on-premises clients must reach it privately over ExpressRoute," the answer is Private Link. If the requirement is merely "lock the service down to our VNet" and cost is a concern, a Service Endpoint is sufficient and free. If the wording mentions data-exfiltration protection or a specific single resource, that strongly signals Private Link, because a private endpoint maps to one resource while a Service Endpoint opens the whole service type.
Bastion versus a public IP: Before Bastion, admins gave VMs public IPs and opened RDP or SSH, which exposed them to constant internet port scanning and brute-force attacks. Bastion lets you delete the public IP and keep inbound 3389/22 closed entirely; the only path in is an authenticated portal session over TLS. That dramatically shrinks the attack surface while keeping day-to-day administration simple.
On the Exam: "Reach a PaaS service over a private IP, no internet" = Private Link / private endpoint. "Restrict a service to my VNet but keep its public IP, no cost" = Service Endpoint. "RDP/SSH to a VM without a public IP or open ports" = Azure Bastion. "Data-exfiltration protection to one resource" = Private Link.
Which solution lets you reach Azure SQL Database over a private IP address inside your virtual network so traffic never uses the public internet?
Into which subnet must Azure Bastion be deployed?
Which statement correctly contrasts Private Link with Service Endpoints?