
Test environment (portal resources)
I used the Azure portal to deploy a VM and a Storage account. The resource group lists both resources and related networking components.
data currently allows anonymous (public) access. I uploaded images to that container and can access a blob directly via its URL.


Restricting the Storage account to a VNet/subnet (enable service endpoint)
- Open the Storage account in the Azure portal and go to Networking.
- Change Public network access from “All networks” to Selected networks.
- Under Virtual networks, click Add existing virtual network (or Add), then choose:
- Subscription
- Virtual network
- Specific subnet where your VM runs
- Save the configuration.
Microsoft.Storage service endpoint for that subnet automatically. You can also enable service endpoints directly on the virtual network > Subnets blade.


After enabling a service endpoint, propagation can take up to 15 minutes. During this time access behavior may not change immediately.
Verify access after applying the restriction
After saving and waiting for propagation, public (browser) access to the blob will be denied (authorization failure). However, a VM in the authorized subnet will continue to reach the Storage account over the Microsoft backbone. From the same VM after enabling the Storage account to allow only the selected VNet/subnet:Implementation notes and caveats
- Enabling a service endpoint injects system routes and configures Azure’s internal routing so traffic to the supported service is routed over the Microsoft backbone instead of the public internet.
- DNS resolution for the service FQDN still returns a Microsoft public IP. The VM uses its private IP to connect, but the destination IP is a Microsoft-owned public IP; on-premises clients will still see a public endpoint unless you supplement with NAT/DNS or more advanced routing.
- Service endpoints authorize a VNet/subnet identity to the service — you do not authorize individual VM private IPs.
- For strict private connectivity (FQDN resolves to a private IP within your VNet) and full private-to-private resolution, use Azure Private Endpoint (Private Link). Private Endpoints assign private IPs in your VNet and integrate with private DNS.
Quick comparison
Service endpoints are a simple and effective way to secure PaaS access from VNets. For scenarios that require full private addressing and private DNS resolution, prefer Private Endpoint.
Links and references
- Azure Virtual Network service endpoints overview
- Azure Storage network security (service endpoints)
- Azure Private Link / Private Endpoint overview