Private ports in an Azure virtual machine

What is the concept of private ports in Azure Virtual Machines? What is its main advantage or use case? I checked the scripts, and for the RDP endpoint the public port is set to 3389, while the private port takes some random port number.

To access the virtual machine through RD, I have to open this private port and gain access to it. In several places I saw that, for the HTTP endpoint, 80 is used as the private port and the public port?

What is the theory of this?

+6
1 answer

Windows Azure hosts all of your virtual machines behind a load balancer. All your virtual machines can open outgoing connections. For incoming connections, you need to explicitly open the ports in the firewall. These are input endpoints and instance input endpoints:

  • Input endpoints are used when you load-balance across virtual machines (like a web server).
  • Instance input endpoints allow you to connect directly to a specific virtual machine (for example, a database server).

Now, with regard to public and private ports: public ports are the port numbers exposed to the outside world. So for a website, perhaps this port is 80. Then you can map this port to a port on the virtual machine itself. Perhaps you are running your web server on port 8000 for some reason. In this case, you can map public port 80 to private port 8000.

Now imagine SSH. SSH loves listening on port 22. But if you have, say, 3 Linux VMs in one service, you simply cannot reach all of them on port 22, since they all share a common IP address. Therefore, you will need a specific port number for each machine. In this case, you would assign, for example, port 20000 to vm1, 21000 to vm2, etc. on the public port side, as an instance input endpoint pointing to a specific virtual machine instance at port 22 on the private port side.

Hope this makes sense ... :)

+9
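The mapping described in the answer, modelled as an added example (not code from the answer and not the Azure API): one shared public IP, with each public port forwarded to a private port on one or more VMs. The table layout, VM names other than vm1/vm2, and function names are assumptions; the script lists public-port clashes and which management ports (22, 3389) are reachable from outside.

```python
from collections import defaultdict

# Constructed endpoint table for one cloud service (one shared public IP).
# Ports 80->8000, 20000 and 21000 follow the answer; the rest is sample data.
ENDPOINTS = [
    {"name": "http", "kind": "input", "public": 80, "private": 8000,
     "vms": ["web1", "web2"]},                      # load-balanced set
    {"name": "ssh-vm1", "kind": "instance", "public": 20000, "private": 22,
     "vms": ["vm1"]},
    {"name": "ssh-vm2", "kind": "instance", "public": 21000, "private": 22,
     "vms": ["vm2"]},
    {"name": "ssh-vm3", "kind": "instance", "public": 21000, "private": 22,
     "vms": ["vm3"]},                               # deliberate clash with vm2
    {"name": "rdp", "kind": "instance", "public": 3389, "private": 3389,
     "vms": ["win1"]},
]
MGMT_PORTS = {22, 3389}  # private ports treated as management access here


def clashes(endpoints):
    """Public ports claimed by more than one endpoint on the shared IP."""
    by_public = defaultdict(list)
    for ep in endpoints:
        by_public[ep["public"]].append(ep["name"])
    return {port: names for port, names in by_public.items() if len(names) > 1}


def route(endpoints, public_port, pick=0):
    """Resolve an inbound public port to (vm, private_port), or None."""
    matches = [ep for ep in endpoints if ep["public"] == public_port]
    if len(matches) != 1:
        return None  # no endpoint (port closed) or ambiguous mapping
    ep = matches[0]
    # An input endpoint spreads connections over its VMs; 'pick' stands in
    # for the load balancer's choice. An instance endpoint has one VM.
    return ep["vms"][pick % len(ep["vms"])], ep["private"]


def exposed_management(endpoints):
    """(public_port, vm, private_port) for every externally mapped mgmt port."""
    rows = [(ep["public"], vm, ep["private"])
            for ep in endpoints if ep["private"] in MGMT_PORTS
            for vm in ep["vms"]]
    return sorted(rows)


if __name__ == "__main__":
    print("clashes:", clashes(ENDPOINTS))
    print("80 ->", route(ENDPOINTS, 80), "| 20000 ->", route(ENDPOINTS, 20000))
    for row in exposed_management(ENDPOINTS):
        print("management exposure:", row)
```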