Identity is a strong lock — but a strong lock on a door facing the whole internet is still a door facing the whole internet.
Azure gives you 5 ways to close that door. Here they are 👇
the isolation spectrum
Tap a node to jump to that model ↓
Five questions → five destinations. Sensitivity first, network location second, traffic pattern last.
Boxes are clickable · scroll sideways on mobile
Same map, interactive. ~30 seconds per workload.
💡 Learning mode for 1 week → read logs → add rules → then Enforced. Never skip straight to Enforced.
Five dots = maximum. Pick per workload, not per tenant.
| model | isolation | simplicity | cost | internet door |
|---|---|---|---|---|
| 🔒 Private Endpoint | $ / endpoint | CLOSED | ||
| 🛤️ Service Endpoints | free | firewalled | ||
| 🛡️ NSP | free | perimeter-ruled | ||
| 🧱 IP Firewall | free | allow-listed | ||
| 🤝 Trusted Bypass | free | MS services only |
One sentence each. Learn them here, not in an incident review.
Public access Disabled still lets trusted services through — only NSP's "Secured by perimeter" mode blocks those too.
Microsoft-hosted agents use unpredictable IPs — plan self-hosted agents in your VNet before flipping the switch.
Resource firewalls filter data traffic only — ARM management via management.azure.com passes by. You still need RBAC.
Public DNS still resolves for private-linked resources — by design. Resolving ≠ reachable. Tell your scanner team now.
Would losing this data be an incident?
Yes → Private Endpoint. Done. Don't negotiate with production data.
Where does traffic come from?
VNet → PE or Service Endpoints. Pure PaaS → NSP. Fixed IPs → firewall.
What breaks on day one?
Observe first (Transition mode / logs), tighten second. Slow is smooth.
📌 Do one thing today: open the Networking blade on your 3 most important resources. "Enabled from all networks" = your homework.