Service to Service Connection
all connection
Here you go Pavan — the most complete list of Azure service integrations with all possible methods, written exactly in the style you’re expecting (DevOps/SRE use-cases + real integration methods).
✅ Master List of Azure Integrations (With Methods & Auth Types)
Everything from Azure DevOps, GitHub, ACR, AKS, Key Vault, Storage, VNet, App Services, Databases, Monitoring, Security, and more.
🔵 1. Azure DevOps Integrations
✅ 1.1 GitHub → Azure DevOps
Repo Integration
GitHub OAuth (via Azure AD App)
CI/CD using GitHub
Service Connection → GitHub OAuth
Access GitHub Packages
PAT / OAuth
Work Item Link
GitHub App installation
✅ 1.2 Azure DevOps → ACR
Build & Push Docker images
Service Principal (most common)
Pull images during pipeline
Managed Identity (Self-hosted agent on Azure VM)
Docker Registry Service Connection
SPN + ACR role (AcrPush/AcrPull)
✅ 1.3 Azure DevOps → Key Vault
Fetch secrets in pipeline
Service Connection → Azure Subscription + Key Vault access
Replace variables
Key Vault variable group
Access via agent
Managed Identity / SPN
✅ 1.4 Azure DevOps → AKS
Deploy to AKS
Kubernetes Service Connection
Authentication
Azure AD Workload Identity (recommended) / SPN / Kubeconfig
Pull ACR images
AKS Managed Identity linked with ACR “AcrPull” role
✅ 1.5 Azure DevOps Agent Integration
Microsoft-hosted
No integration needed
Self-hosted VMSS Agents
Managed Identity
Self-hosted VM Agents
PAT or OAuth registration
🟦 2. Application Integrations
🔹 2.1 Azure App Service → Azure Database (SQL/MySQL/Postgres)
Secure DB access
Private Endpoint (recommended)
Legacy method
Service Endpoint
Authentication
Username/Password / MSI + Azure AD Token (for SQL only)
🔹 2.2 App Service → Storage Account
Private Endpoint
Service Endpoint
SAS Token
Access Key
Managed Identity (RBAC on Storage)
🔹 2.3 App Service → Key Vault
Managed Identity (most secure)
Key Vault reference @Microsoft.KeyVault(...)
Access Policy or RBAC
🔹 2.4 App Service → ACR
Managed Identity + AcrPull
Admin Username/Password (not recommended)
🟩 3. Networking Integrations
🔹 3.1 VNet → Private Services
Storage
Private Endpoint / Service Endpoint
SQL DB
Private Endpoint
Key Vault
Private Endpoint
ACR
Private Endpoint
App Service
VNet Integration / ASE
CosmosDB
Private Endpoint
🔹 3.2 Azure Firewall / NSG Integrations
App Service to VNet
Regional VNet Integration
Kubernetes Egress filtering
UDR + Azure Firewall
VM/AKS security
NSG inbound/outbound rules
🟥 4. Container & Kubernetes Integrations
🔹 4.1 AKS → ACR
Managed Identity (best)
Kubernetes Secret (docker-registry)
Service Principal
🔹 4.2 AKS → Key Vault
CSI Key Vault Driver
Azure AD Workload Identity
Pod Identity (deprecated)
🔹 4.3 AKS → Storage
Azure Disk
CSI driver
Azure File
CSI driver
Blob Storage
NFS Blob CSI / SAS
🔹 4.4 AKS → Azure Monitor & Log Analytics
Container Insights Agent
Prometheus Metrics via AMA
Grafana Dashboard (managed grafana integration)
🟪 5. Security & Identity Integrations
🔹 5.1 Azure AD → Applications
App Login
OAuth2 / OIDC
API Authentication
Managed Identity / Service Principal
Secretless login
Workload Identity
🔹 5.2 Azure AD → GitHub
SSO
SAML / OIDC
Runner authentication
Managed Identity (if hosted on Azure)
🔹 5.3 Azure AD → VPN / On-Prem
S2S VPN
IPSec
ExpressRoute
Private Peering
Azure AD Domain Services
LDAP / Kerberos / NTLM
🟫 6. Storage System Integrations
🔹 6.1 Storage → Azure Backup
Vault integration
Backup policies
🔹 6.2 Storage → CDN
Origin integration
Private origin + Private Link
🔹 6.3 Storage → Event Grid / Functions
Blob events
Event Grid subscription
Queue trigger
Function binding
Table events
(Limited) via Event Grid
🟧 7. Monitoring & Observability Integrations
🔹 7.1 Azure Monitor → Services
AKS
Container Insights
VMs
AMA agent
App Service
Application Insights
Functions
App Insights auto-instrumentation
SQL
Diagnostic settings
🔹 7.2 Log Analytics → Tools
Grafana
Data source plugin
Sentinel
Workspace integration
AKS
AMA agent
🟨 8. Serverless Integrations
🔹 8.1 Azure Functions → Event Sources
HTTP
Function URL / APIM
Storage Queue
Storage binding
Event Hub
Event Hub binding
Service Bus
SAS / Managed Identity
Timer
CRON schedule
🔹 8.2 Function → Key Vault
Managed Identity
Key Vault References
🟦 9. Database Integrations
🔹 9.1 SQL Server / SQL MI
App Service / AKS connectivity
Private Endpoint
Security
Azure AD Authentication
DR
Auto-failover groups
Backup
Automated + LTR
🔹 9.2 CosmosDB
Access
Private Endpoint
Auth
Key / RBAC / Managed Identity
Triggers
Change Feed
🔹 9.3 Redis Cache
VNet Injection
Private Endpoint
Access Keys (mandatory)
🟦 10. CI/CD Integrations (Full DevOps)
Tools | Integration Method
Jenkins → Azure
Service Principal, Managed Identity
GitHub Actions → Azure
OIDC Federated Identity
ArgoCD → AKS
Kubeconfig + Workload Identity
Terraform → Azure
Service Principal / Workload Identity
Ansible → Azure
Azure.azcollection + SPN / MSI
🎯 If you want, I can also generate:
✅ A diagram of all integrations ✅ A real Azure DevOps pipeline including ACR + AKS + Key Vault + SAST (Snyk) ✅ A full architectural template for your company projects Just tell me!
setup ways
Here you go Pavan — the clearest, simplest, and most DevOps-friendly explanation of how each Azure integration method works with exact working logic + steps + when to use.
✅ 1. Managed Identity (MI)
Managed Identity = Azure-managed service principal. No secrets. No credentials. Azure automatically rotates tokens.
Works only inside Azure (VM, App Service, Function, AKS nodepool, etc.)
🔵 How Managed Identity Works
You enable System-assigned MI (one identity per resource) — or User-assigned MI (one identity used by multiple resources).
Azure creates a service principal behind the scenes in Entra ID.
Your resource asks Azure Instance Metadata Service (IMDS):
http://169.254.169.254/metadata/identity/oauth2/token(“Give me a token for Key Vault / Storage / SQL etc.”)
Azure issues a short-lived OAuth2 access token.
The resource presents this token to the target service.
Access is granted based on RBAC roles you assigned (e.g., "Key Vault Secrets User", "Storage Blob Data Contributor").
🟢 Steps to Use Managed Identity
Step 1 — Enable MI
Example: App Service → Identity → Enable System-assigned MI.
Step 2 — Assign RBAC
Example: To allow access to Key Vault Key Vault → Access Control → Add role → “Key Vault Secrets User” → Select App Service MI.
Step 3 — Access in code (no secrets)
Example in Node/Python/.NET uses azure-identity SDK
DefaultAzureCredential()🟣 When to Use
✔ Secure communication between Azure services ✔ No secrets required ✔ Short-lived tokens, automatic rotation ❌ Not for external (non-Azure) services
✅ 2. Workload Identity Federation (WIF)
WIF = Passwordless authentication for non-Azure workloads. Used for GitHub Actions, Kubernetes pods, GitLab, CircleCI, etc.
🔵 How WIF Works
Your workload (GitHub Actions, AKS pod, etc.) has its own identity system.
Azure creates a Federated Identity Credential (FIC).
The external system issues a signed token (OIDC token).
Azure validates the token using the FIC rules:
Issuer (example: https://token.actions.githubusercontent.com)
Subject (example: repo:org/app:ref:branches/main)
Azure returns an Azure Access Token to the workload.
Workload uses token to access Azure resources (ACR, Key Vault, Storage).
No secrets. No SPN passwords. No certificates.
🟢 Steps to Use WIF (GitHub example)
Step 1 — Create an Entra App Registration
This app represents your pipeline/workload.
Step 2 — Add Federated Credential
Identity → Federated Credentials → Add → GitHub
You define: ✔ Organization ✔ Repo ✔ Branch ✔ Token issuer ✔ Subject
Step 3 — Assign RBAC to the App
Example: ACR → IAM → AcrPush → Assign your App.
Step 4 — Use in GitHub Actions
permissions:
id-token: write
contents: read
- name: Azure Login
uses: azure/login@v2
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUB_ID }}🟣 When to Use
✔ GitHub Actions → Azure ✔ AKS pod to Azure (Workload Identity replacement for Pod Identity) ✔ Terraform Cloud → Azure ❌ Not needed when running inside Azure (use MI instead)
✅ 3. Service Endpoints
Provide direct Azure backbone connectivity to resources. But still accessible from public IPs.
This is a network-level integration.
🔵 How Service Endpoints Work
A subnet “extends” to an Azure resource Example: Subnet → Microsoft.Storage
Traffic from that subnet to the resource uses Azure backbone (not public internet).
You restrict the resource to only accept traffic from that VNet.
Resource still has a public endpoint — but locked to your VNet only.
🟢 Steps to Use Service Endpoints
Step 1 — Enable endpoint on subnet
VNet → Subnets → Select Subnet → Service endpoints → Add (example: Microsoft.Sql)
Step 2 — Restrict service
For Storage: Firewall → Allow Selected Networks → Add VNet Subnet
🟣 When to Use
✔ Fast and simple VNet integration ✔ No need to manage private DNS ❌ Resource is still public (just restricted) ❌ Being replaced by Private Endpoints
✅ 4. Private Endpoint
Private endpoint = Private IP inside your VNet that connects to Azure service This is true private access (resource is no longer public).
🔵 How Private Endpoint Works
When you create a Private Endpoint (PE), Azure allocates a private IP (ex: 10.0.0.7)
This private IP is “mapped” to the Azure service backend.
Traffic flows entirely inside Azure VNet.
Public access is disabled.
Private DNS record created (
privatelink.blob.core.windows.net).
It behaves like the service is inside your network.
🟢 Steps to Use Private Endpoint
Step 1 — Create PE
Storage → Networking → Private Endpoint → Add.
Step 2 — Select Subnet
Choose VNet/subnet where service should be accessible.
Step 3 — Integrate Private DNS
Typically Azure auto-creates privatelink.* zones.
Step 4 — Lock public access
Disable public network access.
🟣 When to Use
✔ Need fully private traffic ✔ Banking, finance, restricted environments ✔ App Service → SQL / KV / Storage ❌ Harder setup than service endpoints
✅ 5. Service Principal (SPN)
Service principal = Non-human identity used for automation and CI/CD. Used everywhere: Jenkins, Terraform, GitHub, Ansible, Azure DevOps (old way).
🔵 How Service Principal Works
You create an App Registration.
App has:
Client ID
Client Secret or Certificate
You assign RBAC permissions to this identity.
Your CI/CD tool logs in using:
az login --service-principal -u <client-id> -p <secret> --tenant <tenant-id>Azure returns an OAuth2 access token.
CI/CD uses token to deploy to Azure resources.
🟢 Steps to Use SPN
Step 1 — Create SPN
az ad sp create-for-rbac --name "my-ci" --role contributorStep 2 — Add RBAC roles
e.g., ACR → AcrPush
Step 3 — Use in pipeline
Example Azure DevOps:
dockerRegistryServiceConnection: 'my-spn-connection'🟣 When to Use
✔ Automation outside Azure without OIDC ✔ Terraform run from local laptop ✔ Jenkins/Azure DevOps classic pipelines ❌ Secrets must be stored and rotated manually ❌ Replaced by Workload Identity Federation in modern setups
🎯 SUMMARY TABLE
Managed Identity
Identity for Azure resources
⭐⭐⭐⭐⭐ Best
App → KV, App → Storage, AKS → ACR
WIF
Identity for external workloads
⭐⭐⭐⭐⭐ Best
GitHub → Azure, AKS Pods → Azure
Service Endpoint
Secure network routing
⭐⭐⭐
VM → Storage/SQL
Private Endpoint
Private IP access
⭐⭐⭐⭐⭐
App → KV/SQL/Storage
Service Principal
Legacy identity using secrets
⭐⭐
Terraform/Jenkins (old)
If you want, I can also create:
✅ A diagram explaining all 5 with flow paths ✅ A real example: App Service → Key Vault (PE + MI) ✅ Full cheatsheet PDF for all identity methods
Just tell me!
Common Ways
Here are very short, crisp definitions for each Azure concept:
Managed Identity (MI)
An identity automatically created and managed by Azure for your resource (VM, Function, AKS, etc.) so it can access other Azure services without storing secrets.
Workload Identity Federation (WIF)
Allows Azure resources (like GitHub Actions, Kubernetes, CI/CD pipelines) to access Azure using token-based identity instead of secrets—no need to store service principal secrets.
Service Endpoint
Extends your VNet private network to Azure services (like Storage, SQL). Traffic flows through Microsoft backbone but still uses the service’s public endpoint.
Private Endpoint
A private IP in your VNet that directly connects to an Azure service. The service becomes accessible only via your private network, no public endpoint.
Service Principal (SP / App Registration)
A non-human identity (application identity) in Azure AD used by apps, pipelines, and services to authenticate to Azure. Traditionally uses client ID + secret/certificate.
Managed Identity (MI)
Identity for Azure resources
Azure Resource → Azure Service
Token (no secrets)
Public or Private (depends on service)
App Service → Key Vault, AKS → ACR, VM → Storage, Functions → SQL
Workload Identity Federation (WIF)
Identity for external workloads
External System → Azure
OIDC Token (no secrets)
Public OIDC + Azure Token Endpoint
GitHub Actions → ACR, AKS Pods → Key Vault, GitLab CI → Azure Deploy
Service Endpoint
Secure routing to Azure service over Azure backbone
VNet Subnet → Public Azure Service
Uses existing identity (MI/SPN)
Public endpoint but VNet restricted
VM → Storage, App Service → SQL (old method), Subnet → Key Vault
Private Endpoint
Fully private IP access
VNet → Azure Service
Uses MI/SPN/Tokens
Private IP (privatelink)
App Service → SQL, AKS → Storage, Function → Key Vault, VM → CosmosDB
Service Principal (SPN)
Automation identity for scripts/CI & external tools
External Tool → Azure
Client ID + Secret/Cert
Public Azure endpoints
Terraform → Azure, Jenkins → ACR, Azure DevOps → AKS/ACR (old way)
Azure Key Vault
✔ Best method
✔ For GitHub/AKS
✔ Supported
✔ Best for production
✔ Sometimes used
Azure Storage
✔
✖
✔
✔
✔
Azure SQL DB
✔ (SQL AD Token)
✖
✔
✔ Best method
✔ (username/password token)
Azure Container Registry (ACR)
✔ (AcrPull)
✔ (GitHub)
✖
✔
✔ (docker login)
Azure App Service → Service
✔
✖
✔
✔
✔
AKS → Azure Services
✔ (Workload Identity)
✔ (Pods)
✔
✔
✔ (if using Kubeconfig auth)
Functions → Services
✔
✖
✔
✔
✔
VM → Azure Services
✔
✖
✔
✔
✔
GitHub → Azure
✖
✔ Best
✖
✖
✔ (legacy)
Terraform → Azure
✔ (if run in Azure)
✔ Best (OIDC Terraform Cloud)
✖
✖
✔ (common)
Last updated