Blog Post from Cloud Trooper: Azure Firewall and Service Endpoints

Azure Firewall serves as a critical tool for inspecting traffic to Azure services, even when using VNet Service Endpoints. As detailed in [this blog series](/2025/02/17/private-link-reality-bites-service-endpoints-vs-private-link), Private Link is usually Microsoft’s recommended approach, yet many enterprises still opt for Service Endpoints for their own operational reasons. Inspecting these endpoints via Azure Firewall, however, comes with its own complexities and potential costs: the firewall must carry high-bandwidth traffic, and it adds latency to every request.

The post provides a comprehensive guide on configuring Service Endpoints for inspection using Azure Firewall by using the Azure Firewall subnet as the Service Endpoint source. This ensures traffic is funneled through the firewall before it reaches the Azure service. The guide also covers using both Network and Application Rules, highlighting the benefit of Application Rules for preventing data exfiltration to unintended destinations (a Network Rule on a service tag admits any account of that service, whereas an Application Rule can be pinned to specific FQDNs).

Whether to use VNet Service Endpoints or Private Link can depend on various factors, cost among them. If opting for Service Endpoints, the post offers step-by-step guidance on configuring Azure Firewall to inspect VNet traffic. This setup enables monitoring and security auditing, and the post includes practical tips and illustrations for getting the implementation right.
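A worked configuration of the layout the post describes, added here as an illustration and not taken from the Cloud Trooper post or from Microsoft samples: Bicep that enables the Microsoft.Storage Service Endpoint on AzureFirewallSubnet, locks a storage account down so it accepts traffic only from that subnet, and adds a Firewall Policy Application Rule that allows spokes to reach only the one approved account's FQDN. A Network Rule on the Storage service tag would admit any storage account in the region, which is the exfiltration path the Application Rule closes. The resource names (vnet-hub, afwp-hub, stcorpdata001), address ranges and region are assumed placeholders.

```bicep
// Added example (not from the original post). Assumed placeholders:
// hub VNet 10.0.0.0/16, spoke range 10.1.0.0/16, region westeurope,
// storage account name stcorpdata001 (must be globally unique).
param location string = 'westeurope'
param spokeAddressSpace string = '10.1.0.0/16'
param storageAccountName string = 'stcorpdata001'

// Hub VNet. The Service Endpoint is enabled on AzureFirewallSubnet, so the
// storage service sees the firewall subnet as the source of inspected traffic.
resource hubVnet 'Microsoft.Network/virtualNetworks@2023-09-01' = {
  name: 'vnet-hub'
  location: location
  properties: {
    addressSpace: { addressPrefixes: ['10.0.0.0/16'] }
    subnets: [
      {
        name: 'AzureFirewallSubnet'
        properties: {
          addressPrefix: '10.0.1.0/26'
          serviceEndpoints: [
            { service: 'Microsoft.Storage', locations: [location] }
          ]
        }
      }
    ]
  }
}

// Storage account that denies everything except the firewall subnet.
// Spokes have no endpoint of their own, so they can only get here via the firewall.
resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'None'
      virtualNetworkRules: [
        {
          id: resourceId('Microsoft.Network/virtualNetworks/subnets', hubVnet.name, 'AzureFirewallSubnet')
          action: 'Allow'
        }
      ]
    }
  }
}

resource firewallPolicy 'Microsoft.Network/firewallPolicies@2023-09-01' = {
  name: 'afwp-hub'
  location: location
  properties: { sku: { tier: 'Standard' } }
}

// Application Rule pinned to the approved account's FQDN. A NetworkRule with
// destinationAddresses: ['Storage.WestEurope'] would instead allow any storage
// account in the region, so an attacker-controlled account would also be reachable.
resource appRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-09-01' = {
  parent: firewallPolicy
  name: 'DefaultApplicationRuleCollectionGroup'
  properties: {
    priority: 300
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'rc-allow-approved-storage'
        priority: 100
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'allow-approved-storage-blob'
            sourceAddresses: [spokeAddressSpace]
            protocols: [ { protocolType: 'Https', port: 443 } ]
            targetFqdns: ['${storageAccountName}.blob.core.windows.net']
          }
        ]
      }
    ]
  }
}

output approvedStorageFqdn string = '${storageAccountName}.blob.core.windows.net'
```

Spoke route tables that send 0.0.0.0/0 (or at least the Storage prefixes) to the firewall's private IP, and the firewall resource that references afwp-hub, are assumed to exist and are left out to keep the example focused. Because the storage account only trusts the firewall subnet, a request from a spoke that bypasses the firewall is refused by the service itself, and a request to any other storage account is denied by the firewall and shows up in its application rule logs.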

News: Azure Firewall and Service Endpoints
Documentation: VNet Service Endpoints Overview


Hi, I’m Oskar!

Cloud architect by day, tech tinkerer by night, and a proud father all the time. Born in 1990 in Poland and now based in Germany, I spend my days diving deep into cloud, Azure, and all things technology. But my passions go beyond the digital world – I love DIY projects, home automation, biking, gardening, and cooking (because good food fuels great ideas).

This little blog is where I share my insights, experiments, and thoughts on cloud tech – because let’s be honest, the internet can always use one more tech enthusiast’s perspective.