Azure VNet Peering vs Private Endpoint: When should each be used?

Ellyn Liu 30 Reputation points • Microsoft Employee • Moderator

I’m designing network connectivity between multiple Azure resources and I’m trying to understand when I should use VNet Peering versus Private Endpoints.

Specifically, I have:

  • Multiple virtual networks in the same Azure region
  • An App Service and an Azure SQL Database
  • A requirement to keep traffic off the public internet and minimize exposure

I understand that:

  • VNet Peering connects two VNets so resources can communicate using private IPs
  • Private Endpoints expose a PaaS resource through a private IP in a VNet via Private Link

What I’m unclear about is:

  • When is VNet peering not sufficient or recommended?
  • Are there security or cost trade-offs between peering and private endpoints?
  • In a hub-and-spoke architecture, is it common to use both together?

Answer accepted by question author

Venkatesan S 9,305 Reputation points • Microsoft External Staff • Moderator

Hi Ellyn Liu,

Thanks for reaching out on the Microsoft Q&A forum,

When is VNet peering not sufficient or recommended?

  • VNet peering provides efficient connectivity between virtual networks using private IP addresses over Azure's backbone network, but it is not sufficient for PaaS services like Azure SQL Database or App Service.
  • These resources maintain public endpoints by default, which peering alone cannot fully privatize or isolate at the service level. Private Endpoints are recommended instead to assign a dedicated private IP within your VNet, eliminating public exposure entirely.

Are there security or cost trade-offs between peering and private endpoints?

  • On security, Private Endpoints are the champ for PaaS: they stick a dedicated private IP you can firewall with NSGs just for that service, keeping randos out. Peering secures the pipes between VNets but lets traffic roam more freely unless you layer on heavy NSG or firewall rules; more work, less precise for your SQL setup.
  • Costs shake out like this: peering's dirt cheap, just $0.01 per GB of data flying around, no monthly hit. Private Endpoints tack on about $7 a month per one, plus the same data fee; pricey if you've got tons of PaaS endpoints, but you pay for the extra safety net.

In a hub-and-spoke architecture, is it common to use both together?

Using both is standard in hub-and-spoke: peer spokes to hub for centralized inspection/routing, deploy Private Endpoints in hub (or spokes) for PaaS like SQL, ensuring spoke access remains private via peering paths.

Reference:

Kindly let us know if the above helps or you need further assistance on this issue.

Please do not forget to 👍 and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.
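The hub-and-spoke pattern described in the answer, written out as an added Bicep example (not code from the answer or from Microsoft docs): peering in both directions, a Private Endpoint for an existing Azure SQL logical server placed in the hub, and the private DNS zone linked to both VNets so the spoke resolves the server name to the private IP. The VNet, subnet and server names, and the assumption that the server already has public network access disabled, are mine.

```bicep
param location string = resourceGroup().location
// Assumed, pre-existing resources: hub and spoke VNets (the hub has a subnet
// named 'snet-pe') and a SQL logical server with public network access disabled.
resource hub 'Microsoft.Network/virtualNetworks@2023-09-01' existing = { name: 'vnet-hub' }
resource spoke 'Microsoft.Network/virtualNetworks@2023-09-01' existing = { name: 'vnet-spoke' }
resource sql 'Microsoft.Sql/servers@2023-05-01-preview' existing = { name: 'sql-hubspoke-example' }

// Peering in both directions: spoke workloads reach the hub's Private Endpoint
// over the Azure backbone. allowForwardedTraffic is only needed when a hub
// firewall/NVA forwards traffic on the spoke's behalf.
resource hubToSpoke 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-09-01' = {
  parent: hub
  name: 'hub-to-spoke'
  properties: { remoteVirtualNetwork: { id: spoke.id }, allowVirtualNetworkAccess: true, allowForwardedTraffic: true }
}
resource spokeToHub 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-09-01' = {
  parent: spoke
  name: 'spoke-to-hub'
  properties: { remoteVirtualNetwork: { id: hub.id }, allowVirtualNetworkAccess: true, allowForwardedTraffic: true }
}

// Private Endpoint: a NIC with a private IP in the hub subnet, bound to the SQL
// server's 'sqlServer' sub-resource; peering makes that IP reachable from the spoke.
resource pe 'Microsoft.Network/privateEndpoints@2023-09-01' = {
  name: 'pe-sql'
  location: location
  properties: {
    subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', hub.name, 'snet-pe') }
    privateLinkServiceConnections: [{
      name: 'sql'
      properties: { privateLinkServiceId: sql.id, groupIds: ['sqlServer'] }
    }]
  }
}

// Private DNS zone linked to BOTH VNets: otherwise clients keep resolving the
// server's public address and fail once public access is disabled.
resource dns 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink${environment().suffixes.sqlServerHostname}'
  location: 'global'
}
resource dnsLinks 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = [for (vnetId, i) in [hub.id, spoke.id]: {
  parent: dns
  name: 'link-${i}'
  location: 'global'
  properties: { virtualNetwork: { id: vnetId }, registrationEnabled: false }
}]
resource dnsGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-09-01' = {
  parent: pe
  name: 'default'
  properties: { privateDnsZoneConfigs: [{ name: 'sql', properties: { privateDnsZoneId: dns.id } }] }
}
```

After deployment, verify from a spoke VM that `nslookup` of the server's FQDN returns the 10.x address of `pe-sql`, not a public IP; if it still returns a public address the DNS link or zone group is the problem, not the peering.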
