Queries regarding Private Endpoint & Private Link

Copper Contributor
Until now I assumed that the traffic flowing between 2 azure resources (say between an Azure VM & Storage Account or a Key Vault) was through the internet, if private and service endpoints are not configured. But today a colleague of mine shared an article where it says that all the traffic between the Azure datacenters does not go through the internet, it's on Microsoft's backbone network only. Link to the article - https://azure.microsoft.com/en-in/blog/how-microsoft-builds-its-fast-and-reliable-global-network/
 
Now there could be 2 things:
1. Either the article is now outdated (it is from 2017) and no longer true, and w/o any special configuration the traffic between 2 azure resources flows through the internet, or,
2. The traffic indeed flows through the Microsoft's network and not through the internet, but in that case, what's the benefit of Private endpoint apart from the fact that we can assign a private IP to a PaaS service.
 
Any insights in this regards would be highly appriciated. Thanks in Advance!
1 Reply

Hi @AshishGupta1 

So 

1. Yes all the traffic which is between Azure services travels over Microsoft backbone network.
   This is documented here

      Yes, any traffic between data centers, within Microsoft Azure or between Microsoft services such as Virtual Machines, Microsoft 365, XBox, SQL DBs, Storage, and virtual networks are routed within our global network and never over the public Internet, to ensure optimal performance and integrity.

 

2. Service endpoints provide an extra layer of isolation and security , as per Microsoft Docs :

    Network connections can only be initiated by clients connecting to the private endpoint. Service       providers don't have routing configuration to create connections into service consumers. Connections can only be established in a single direction.

 

To understand the private endpoints in better way I would recommend to read more about Private Link Service as well.