By default, Azure managed resources with public IP addresses, such as Azure Storage and Azure SQL Database, are accessed over the public internet, both from outside Azure and from VMs inside an Azure Virtual Network.
With Azure Virtual Network Service Endpoints, traffic between an Azure Virtual Network and Azure managed resources stays on the Microsoft Azure backbone network instead of traversing the public internet.
The Virtual Network Service Endpoints feature is currently available for the following Azure services:
VIRTUAL NETWORK SERVICE ENDPOINT ARCHITECTURE
Figure below shows the Architecture of VNET Service Endpoints.
WORKING OF VNET SERVICE ENDPOINTS
Virtual Network Service Endpoints are created in a Virtual Network and attached to subnets. They extend the Virtual Network's private address space to Azure managed services. You can also restrict an Azure resource so that it is reachable only from your VNET and not from the internet, or optionally allow access from the internet or from particular IP ranges only.
WHY WE NEED AZURE VIRTUAL NETWORK ENDPOINTS
Azure managed resources such as Azure Storage and Azure SQL have internet-facing IP addresses. For security reasons, many customers prefer that their Azure managed services not be exposed directly to the internet.
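To make the access rules described above concrete, the following added example (not code from the original article, and not the Azure SDK) models a service firewall the way the page describes it: a default action, a list of subnets that have the endpoint enabled, and optional public IP ranges. The subnet resource id and all IP addresses are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of a managed-service firewall (default action, VNET rules,
# IP rules) for illustration only; it does not call Azure.

@dataclass
class NetworkAcls:
    default_action: str                          # "Allow" = open to internet, "Deny" = locked
    vnet_rules: set = field(default_factory=set)  # subnet ids with a service endpoint
    ip_rules: list = field(default_factory=list)  # public ranges allowed from the internet

@dataclass
class Request:
    public_ip: Optional[str] = None   # set when the source arrives over the internet
    subnet_id: Optional[str] = None   # set when the source arrives via a service endpoint

def request_from_vm(subnet_id, vm_public_ip, endpoint_subnets):
    """With a service endpoint on its subnet, a VM's traffic stays on the Azure
    backbone and is identified by the subnet; without one the VM arrives over
    the internet like any other public IP."""
    if subnet_id in endpoint_subnets:
        return Request(subnet_id=subnet_id)
    return Request(public_ip=vm_public_ip)

def is_allowed(acls, req):
    if req.subnet_id is not None:
        return req.subnet_id in acls.vnet_rules or acls.default_action == "Allow"
    addr = ipaddress.ip_address(req.public_ip)
    if any(addr in ipaddress.ip_network(r) for r in acls.ip_rules):
        return True
    return acls.default_action == "Allow"

# Placeholder subnet id (hypothetical); weak vs. hardened rule sets
APP_SUBNET = "/subscriptions/<sub>/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/vnet1/subnets/app"
EXPOSED = NetworkAcls(default_action="Allow")
LOCKED = NetworkAcls(default_action="Deny", vnet_rules={APP_SUBNET}, ip_rules=["203.0.113.0/24"])

def demo():
    """Returns the outcome of each constructed scenario against both rule sets."""
    return {
        "endpoint_vm_locked": is_allowed(LOCKED, request_from_vm(APP_SUBNET, "20.0.0.4", {APP_SUBNET})),
        "no_endpoint_vm_locked": is_allowed(LOCKED, request_from_vm(APP_SUBNET, "20.0.0.4", set())),
        "office_ip_locked": is_allowed(LOCKED, Request(public_ip="203.0.113.7")),
        "internet_locked": is_allowed(LOCKED, Request(public_ip="198.51.100.9")),
        "internet_exposed": is_allowed(EXPOSED, Request(public_ip="198.51.100.9")),
    }
```

Note the second scenario: a VNET rule for a subnet only helps once the service endpoint is enabled on that subnet, otherwise the VM still reaches the service from the internet and is denied.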