Sir John, I have seen hours and hours of your content by now and have also spent considerable amount of time on videos by other creators. Not to negate others' work but in my humble opinion, you have a special gift when it comes to explaining the concepts. For students and IT professionals looking for training in Azure, you are really doing God's work. Thank you

@NTFAQGuy

2 жыл бұрын

That is very kind of you to say, thank for the great complement 🤙🙏

Finally, I understood the fundamental difference between Service Endpoint vs Private Endpoint. My goodness, the best explantion ever !

@NTFAQGuy

2 жыл бұрын

Thanks

You have really explained this complex topic well. Hats off Bud, Chat-GPT ain't no threat to you!

Thank you very much for the video John. As I always say: You are saving us to google/discard/re-google/find/read/understand/re-read a lot of documents. The explanation is great all the times. Thanks for your videos. I lost the count on how many times I am grateful to find one of your materials when I am in a struggle. Keep the good work please !

@NTFAQGuy

3 жыл бұрын

Thank you, glad it’s useful

Thanks John. I was under the impression that applying an NSG at Subnet level and also applying a NSG at VM level is going to offer double protection. thanks for the clarification 😃

@NTFAQGuy

2 жыл бұрын

Nope :)

As always, so good. Just nicely summarizes the most important points rather than me trying to connect the many dots from the docs and being confused how it fits together. Thanks!

You sir are so much better than every other Azure expert you need to pay for. Your videos help me a lot. ❤👍

@NTFAQGuy

8 ай бұрын

Wow, thanks

You are making it enjoyable to learn Azure, thanks!

It very quickly became my main source of knowledge for Azure. Wish I've known the channel before. Thanks for another great video. Really appreciated. It's not easy to organize and explain so much in so little time.

@NTFAQGuy

2 жыл бұрын

Thank you 🙏

You are Superman of Azure ...Your every video is just perfect and best available in youtube . Concepts explained are so crystal clear that you dont need to fetch anywhere else for doubts..

@NTFAQGuy

2 жыл бұрын

That’s very kind, thank you

Dude that was the best distilled explanation of all that verbose MSFT documentation. Thank you so much!!! I'm working on a project designing an Azure architecture with subnets. It's good to know that PaaS services don't require a protected subnet if we can use private links, if I'm understanding right.

Mate you video deserves more views and likes. You are clear, concise and the most valuable source of Azure knowledge online. Keep up the excellent work!

@NTFAQGuy

3 жыл бұрын

Just takes time :) appreciate the kind feedback. Stay safe.

This is a very good video John. Thanks for keeping us up-to-speed with Azure

@NTFAQGuy

3 жыл бұрын

My pleasure. Thanks for watching

In-depth explanation. Awesome. Thank you John.

@NTFAQGuy

2 жыл бұрын

Welcome, thanks for watching

Thanks so much for these clear and well explained videos. So many others and even the MS docs I find speak in riddles adding to confusion, watching your videos gives me clarity and peace of mind.

@NTFAQGuy

2 жыл бұрын

Glad I can help.

So good. Great clarity. I'm using service endpoints for an AKS subnet and an Azure MySQL dB but I didn't know about service endpoint policies, so that was really useful

@NTFAQGuy

3 жыл бұрын

Awesome, today the policies are focused on storage but who knows over time :-)

John your content == pure gold ! Thanks a lot !

Awesome, thank you Sir John, very informative as usual, clears a lot of key networking concepts in Azure, a lot of info that falls into place and easy enough to digest with simple explanation. Cheers.

@NTFAQGuy

3 жыл бұрын

Glad was useful.

Awesome John! Indeed you completed my understanding of the Networking and cleared my doubt from the last video. You are one of my best Mentor in Azure, really appreciate.

@NTFAQGuy

2 жыл бұрын

Welcome

Extremely useful video! Thank you for sharing your knowledge and very clear explanations.

@NTFAQGuy

3 жыл бұрын

My pleasure.

Great video, clear and concise as always. Thanks!

@NTFAQGuy

3 жыл бұрын

Glad you liked it! Appreciate the feedback.

Pure gold mate. Thanks!

Thanks John. Really useful overview

@NTFAQGuy

3 жыл бұрын

Glad you enjoyed it

Loving that fact that you're now surfacing this sort of stuff on KZread - I've long followed your material on PluralSight and have found it very valuable in the past. Not sire if you're looking for suggestions on more things to cover, but here are a couple from me: (a) Could you shed a bit more light on the various ExpressRoute Peering options (Microsoft Peering vs Private Peering) as this also seems to come in to play when it comes to consumng PaaS services in a hybrid environment. (b) Some pices on Azure Firewall/Firewall Manager would also be helpful!

@NTFAQGuy

3 жыл бұрын

Thanks. I have an expressroute deep dive already. Not looking to do anything beyond that on expressroute.

Very good video John. I though I knew everything about Azure networking. I was wrong... Don't understand your statement for using Service Endpoint policies for data filtration (limit data export) though. When I have a Service Endpoint defined for storage in region A and a policy for account SA01 I can still connect through the Internet to storage in region B, C, D and to non Azure storage (dropbox, box, etc.). Can't I ? So basically I think you should do data filtration / monitoring through UDR's to Azure Firewall and there log and control whatever goes out. Azure Firewall is currently very limited in this area though because you cannot specify tags like "block download sites", "block adult sites", "block etc." (category based). You either have to use an NVA for this (Fortigate, Checkpoint, Barracuda, etc.) or do this as part of your external DNS lookup system (OpenDNS for example). And then you still have PAAS platforms (webservices for, Azure Functions, etc.) that get data and communicate directly to the Internet without going through your Azure Firewall / NVA / datamonitoring solution and copy corporate data to wherever they like. So I think the topic of datafiltration / monitoring, i.e. data leakage, is a far more complicated topic than just setting a Service Endpoint Policy....

@NTFAQGuy

3 жыл бұрын

Not saying it’s complete story but that is goal of policies to help there. Certainly for complete story there are more parts but my goal was to talk about what the native components in azure do.

Thanks John for this excellent video.

@NTFAQGuy

3 жыл бұрын

Glad it was useful.

Another great video - thanks John.

@NTFAQGuy

3 жыл бұрын

Thanks, glad you liked it.

Brilliant as always! Pity 95% of viewers can't be bothered to hit like!

@NTFAQGuy

3 жыл бұрын

Thanks! Appreciated.

Thanks as always for such a useful video!!

@NTFAQGuy

3 жыл бұрын

Glad it was helpful!

Couldn't find a better explanation other than this. Thanks for the great content!

@NTFAQGuy

2 жыл бұрын

Very welcome

thanks for one more indepth session

Thank you for the explanation.

Another great video, John.

@NTFAQGuy

3 жыл бұрын

Glad you enjoyed it!

Great content. Many thanks John.

@NTFAQGuy

2 жыл бұрын

Very welcome

Outstanding. Helps to see to see how it all ties together. Question: is private link generally preferred as a default security choice?

@NTFAQGuy

3 жыл бұрын

If a company wants to eliminate public facing then definitely yes. It is the most locked down.

Great video as always!

@NTFAQGuy

3 жыл бұрын

Glad you enjoyed!

Brilliant video as others! Thank you! Do you have separate video for NVA and Azure Firewall?

@NTFAQGuy

3 жыл бұрын

Glad you like the video, thanks! Any videos would be searchable on the site. Always adding new stuff.

Very well explained 👍

@NTFAQGuy

3 жыл бұрын

Thanks

Great Video John!

@NTFAQGuy

3 жыл бұрын

Thanks!

You are great again

AMAZING, as usual!

@NTFAQGuy

3 жыл бұрын

Thank you! Cheers!

As always, great video John. Regarding applying a Service Endpoint Policy to a subnet which stops VMs in that subnet from accessing Storage Account "02", surely you could do that without such a Policy simply by turning on the firewall on SA 02 and then not allowing access from that subnet?

@NTFAQGuy

3 жыл бұрын

Yes but the point is data exhilaration. That would only stop to sa02 but what if the user created sa03. Using policy you are saying that subnet can only get to specific storage accounts .

Amasingggggggggggggggggg!!!!!

Excellent

If you want to learn Azure, you go to John Savill!!! ;-) Great content as always, thank you very much!

@NTFAQGuy

3 жыл бұрын

Very kind, thank you!

Fantastic

great video. Although I understood previously that public IP ( not private as you stated in the video ) was used in Service Endpoints to allow traffic and not Private. For making use of Virtual Ntwork Private IP we use Private endpoint? Can you please help clarify.. thanks

@NTFAQGuy

3 жыл бұрын

No I said the public service now sees the source as a private ip not that you access the service AS a private IP. You are still using public ip of target but it now is routed differently using magic in the switch :)

@sid0000009

3 жыл бұрын

@@NTFAQGuy Clear thank you!

Really appreciate your way of explaining each things in detail..just one query what about communication between PaaS services..it won't use private endpoint..like if my SQL analysis service wants to communicate storage blob..and when I deny public access to one of my diagnostic storage account the vm stop sending diagnostic logs to storage..

@NTFAQGuy

2 жыл бұрын

Paas don’t live in vnets so won’t generally use private endpoints of others unless it has its own specific functionality like a managed vnet etc

Awesome .. thanks

@NTFAQGuy

2 жыл бұрын

You bet!

Great video. I'm at around 27:52. What is not clear to me yet is how do I then lock the sql database down from any access from the internet or bad actors within azure? What are my options? I might have some different rules in mind between the service inside the subnet with the nsg assigned to it and the sql database. Consider peering and on-premise to be N/A. One other thing, I think the answer is yes to this question but i'll ask it anyway (be my rubber ducky). If I apply service endpoint policies does that also prevent me from connecting to anything that is not specified? Think the app is using a connection string to storage that is not inside the subscription or the policies. So if we want to connect to that we would need to specify it but that could mean possible data exfiltration?

@NTFAQGuy

3 жыл бұрын

to lock down the database you use things like the service endpoints or private endpoints as I talked about. if you want to stop exfiltration for storage thats storage endpoint policies.

Another great video! may be one on DNS for hybrid environments with an on-prem AD Integrated DNS?

@NTFAQGuy

3 жыл бұрын

I did a video about AD in Azure previously which included DNS considerations. I think that would cover this topic pretty much. Open to any gaps you think is there. Thanks.

@markadam1506

3 жыл бұрын

John Savill thank you, I’ll take look

@John Savill So Service Endpoint you said that it is at a Subnet level and you get a direct connection to the Storage Account using a Service Endpoint. So i guess Service Endpoint can act as a security boundary. So what about Private Link, can i use Service Endpoint with Private Link? I mean how they are both different then?

@NTFAQGuy

3 жыл бұрын

Service endpoint provides an optimized path and knowledge of the subnet so you can then on the PaaS service restrict to just that subnet. Private link is an alternate approach where the service has an actual IP in the subnet which goes to the service. You would use one or the other. The difference is private link removes the need for the PaaS service to have any public facing endpoint and instead is an interface in the subnet. Private link you can restrict to just subnet with a private endpoint and subnet could be locked down via NSG to block anything without private endpoint.

@pallabkolkata

3 жыл бұрын

@@NTFAQGuy Private Link is the better option then as there is no question of Public IP and every traffic is within the Azure Backbone itself. No wonder Private Link is gaining so much popularity with Enterprises because of this huge security boost

got it thanks

@NTFAQGuy

3 жыл бұрын

great

Thank you.

@NTFAQGuy

3 жыл бұрын

You're welcome!

thanks John, quick one....does the Service End point overrides the NSG outbound rule?

@NTFAQGuy

3 жыл бұрын

ues service tags to allow with NSGs if limit outbound.

@sid0000009

3 жыл бұрын

@@NTFAQGuy : Suppose I have set my NSG rule to block my access to PASS SQL from a Vnet, however I have added a Service End point access. In such a case would my Service End Point make the access possible or NSG would have the final say?

@NTFAQGuy

3 жыл бұрын

@@sid0000009 NSG would block

also if we have a service end point, does it lock the PASS service to the given Vnet and we dont need Firewall setting to be changed? in Private End point its evident we dont require the Firewall rule as it attains a private IP from the Vnet but not clear on the service end point... thank you!

@NTFAQGuy

3 жыл бұрын

makes it known to the firewall so you can then lock it down. you have to make that config.

Hi John, Do you have any links or info surrounding DHCP on Azure. When key production service of networking is DHCP and if you are a business of multi on-prem offices, how would you move DHCP to serve PC and Data from an Azure hosted Domain Controller?

@NTFAQGuy

3 жыл бұрын

you can't. azure has to be DHCP service for vnet.

@The24hrStruggle

3 жыл бұрын

John Savill thanks for replying John. New to channel. Content so far has been super.

Hello, If I enable a service end point from the Subnet to example a SQL Server ( Azure Paas), do I still have to add NSG rule in outbound 443 in Subnet to allow me to connect....or that is no longer required as I enabled a Service End point already. Thank you

@NTFAQGuy

3 жыл бұрын

By default nsg outbound allows to internet and azure services so no change required. If you lock down then yes you would need outbound rule using service tag of the service you have endpoint for.

@sid0000009

3 жыл бұрын

@@NTFAQGuy Thanks..so Service End Points are more an alternate routing paths on Azure backbone. So NSGs would be anyways required to filter traffic ( unless allowed by default ).

@NTFAQGuy

3 жыл бұрын

@@sid0000009 and make them known to the PaaS firewall as I talk about in the video

Why do you say (on 0:08) that Storage Account is PaaS. Doesn't it falls under IaaS?

@NTFAQGuy

Жыл бұрын

No since you’re not responsible for any os etc. it provides the file service for you to leverage

Has anyone seen the blockbuster movie "Legend of the Savill", ya'll should check it out