Choose the Right Isolation Model for Your Workload

Anuradha
July 14, 2026 10 mins to read
Choose the Right Isolation Model for Your Workload – Cloud Diary
#Azure #NetworkSecurity #PaaS #PrivateEndpoint #ZeroTrust
🟢 Updated for 2026 — includes Network Security Perimeter (GA)

Choose the Right Isolation Model for Your Workload

Identity is a strong lock — but a strong lock on a door facing the whole internet is still a door facing the whole internet.

Azure gives you 5 ways to close that door. Here they are 👇

the isolation spectrum

Tap a node to jump to that model ↓

Private
Endpoint
Service
Endpoints
NSP
IP
Firewall
Trusted
Bypass
← max isolation max convenience →

🗺️ The Decision Map

Five questions → five destinations. Sensitivity first, network location second, traffic pattern last.

Production workload with sensitive data? yes Private endpoint + disable public access no Workload is hosted in your Azure VNet? yes Private endpoint feasible? no Cross-PaaS isolation boundary needed? yes Private endpoint + disable public access no VNet service endpoints yes Network Security Perimeter (NSP) no Static, known egress IPs? yes IP-based firewall rules no Trusted services bypass Isolation level Highest — no internet-facing endpoint High — Azure backbone, public DNS persists High — cross-PaaS logical perimeter Medium — transitional / bounded use Low — Microsoft-managed services only

Boxes are clickable · scroll sideways on mobile

🎮 Or Let the Wizard Decide

Same map, interactive. ~30 seconds per workload.

🔒 Private Endpoint + public access disabled

isolation
simplicity
YOUR VNET Your app VM / AKS / App Svc private link PaaS resource 10.0.1.5 (private IP) Internet ☁️ public door: CLOSED
✅ prod + sensitive data ✅ compliance workloads ✅ Storage · SQL · KV · Cosmos… ⚠️ DNS setup = #1 failure point ⚠️ small hourly cost per endpoint
📍 Resource → Networking → Private endpoint connections → + Create
show the 3 commands (Storage example)
# 1. Private endpoint (swap --group-id per service: blob / vault / sqlServer…) az network private-endpoint create --name pe-mystorage -g rg-security \ --vnet-name vnet-prod --subnet snet-privatelinks \ --private-connection-resource-id $(az storage account show -n mystorage --query id -o tsv) \ --group-id blob --connection-name conn-mystorage # 2. Private DNS zone (privatelink.blob.core.windows.net / vaultcore / database…) az network private-dns zone create -g rg-security \ --name "privatelink.blob.core.windows.net" # 3. Close the public door az storage account update -n mystorage --public-network-access Disabled

🛤️ VNet Service Endpoints

isolation
simplicity
YOUR SUBNET Your app Microsoft.Storage on Azure backbone (not internet) firewall PaaS resource public endpoint kept Internet ☁️
✅ VNet workloads, PE not feasible ✅ zero extra cost, no DNS work ⚠️ public endpoint stays (firewalled) ⚠️ public DNS persists
📍 Subnet → Service endpoints → enable · Resource → Networking → add VNet
show the 3 commands
az network vnet subnet update -g rg-app --vnet-name vnet-prod -n snet-app \ --service-endpoints Microsoft.Storage Microsoft.Sql Microsoft.KeyVault az storage account network-rule add --account-name mystorage \ --vnet-name vnet-prod --subnet snet-app az storage account update -n mystorage --default-action Deny

🛡️ Network Security Perimeter NEW · GA

isolation
simplicity
ONE PERIMETER · public access denied by default Storage SQL Key Vault talk freely inside · every connection logged Public ☁️ only explicit rules get in/out
✅ PaaS ↔ PaaS outside a VNet ✅ exfiltration guard (outbound FQDN rules) ✅ audit logs built in ⚠️ check the supported-services list ⚠️ "Secured by perimeter" blocks trusted services too
📍 Portal → Network security perimeters → + Create → add resources → rules
show the commands
az network perimeter create -n nsp-production -g rg-security az network perimeter profile create -n profile-default \ --perimeter-name nsp-production -g rg-security # Associate each resource — start in Learning (Transition) mode! az network perimeter association create -n assoc-mystorage \ --perimeter-name nsp-production -g rg-security \ --access-mode Learning \ --private-link-resource "{id:$(az storage account show -n mystorage --query id -o tsv)}" \ --profile "{id:<profile-resource-id>}"

💡 Learning mode for 1 week → read logs → add rules → then Enforced. Never skip straight to Enforced.

🧱 IP-Based Firewall Rules

isolation
simplicity
On-prem DC 203.0.113.10 ✓ Unknown IP 198.51.100.7 ✗ allow-list PaaS resource default-deny on
✅ on-prem / partners with static IPs ✅ 2-minute setup, every service has it ⚠️ breaks silently when IPs change ⚠️ data plane only — ARM isn't filtered
📍 Resource → Networking → Firewalls and virtual networks → add IP
show the command
az storage account network-rule add --account-name mystorage \ --ip-address "203.0.113.10" # document WHO owns each rule — "temporary" rules live forever

🤝 Trusted Services Bypass — the escape hatch, not a model

isolation
simplicity
Azure Backup ✓ on the trusted list Azure DevOps ✗ NOT on the list firewall + gate PaaS resource everything else blocked
✅ Backup · Monitor · Disk Encryption ✅ combine with any model above ⚠️ each service has its OWN trusted list ⚠️ one checkbox — audit it regularly
📍 Resource → Networking → Exceptions → "Allow trusted Microsoft services"

📊 The Scoreboard

Five dots = maximum. Pick per workload, not per tenant.

model isolation simplicity cost internet door
🔒 Private Endpoint $ / endpoint CLOSED
🛤️ Service Endpoints free firewalled
🛡️ NSP free perimeter-ruled
🧱 IP Firewall free allow-listed
🤝 Trusted Bypass free MS services only

🪤 Four Gotchas

One sentence each. Learn them here, not in an incident review.

🚪

"Disabled" isn't fully closed

Public access Disabled still lets trusted services through — only NSP's "Secured by perimeter" mode blocks those too.

🔧

Your pipeline WILL break

Microsoft-hosted agents use unpredictable IPs — plan self-hosted agents in your VNet before flipping the switch.

🎛️

Data plane ≠ control plane

Resource firewalls filter data traffic only — ARM management via management.azure.com passes by. You still need RBAC.

👻

Private ≠ invisible

Public DNS still resolves for private-linked resources — by design. Resolving ≠ reachable. Tell your scanner team now.

💬 My 3-Question Shortcut

1

Would losing this data be an incident?

Yes → Private Endpoint. Done. Don't negotiate with production data.

2

Where does traffic come from?

VNet → PE or Service Endpoints. Pure PaaS → NSP. Fixed IPs → firewall.

3

What breaks on day one?

Observe first (Transition mode / logs), tighten second. Slow is smooth.

📌 Do one thing today: open the Networking blade on your 3 most important resources. "Enabled from all networks" = your homework.

📚 Useful Microsoft Docs

#Azure #NetworkSecurity #PaaS #PrivateEndpoint #NSP #ZeroTrust #ServiceEndpoints #AzureSecurity

Leave a comment

Your email address will not be published. Required fields are marked *

Share