Hello Charis Chari,
Thank you for posting your query here!
To control access via Azure Firewall, you would generally need to filter network traffic by source and destination IP addresses, protocols, and ports, but not by Internet IP addresses directly to a Private Endpoint because Private Endpoints are not accessible from the public internet.
Azure Firewall does not support NAT (Network Address Translation) from public IP to private IP for incoming traffic. Azure Firewall is primarily used to control outbound and inbound network traffic rules between protected subnets.
Since your storage account uses a Private Endpoint, it likely has a DNS configuration that resolves to private IP addresses within your virtual network. Public internet users cannot use this DNS to reach the storage account.
A much easier way to let specific internet IPs into your storage account is to use the network access controls that come with Azure Storage:
· You need to configure the storage account to allow public network access. This can be done by setting the Allow option for public network access on the storage account configuration.
· Under the Firewalls and virtual networks settings of the storage account, you can specify which public IP addresses or IP ranges are allowed to access the storage account.
· As for the FQDN, in the case of public access, the storage account can be accessed via its public endpoint, typically in the format https://<account_name>.blob.core.windows.net. If you enable public access only for specific IPs, this would be the endpoint they use.
· Also, please note that when connecting to Azure Storage, the SSL/TLS certificate is managed by Azure, and you don’t need to handle certificates specifically for Azure Firewall.
Do let us know if you have any further queries. I’m happy to assist you further.
Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.
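The procedure described in the answer above (enable public network access, deny by default, then allow specific public IPs under Firewalls and virtual networks), as an added example that is not part of the original answer or of Microsoft's documentation: an Azure CLI script that validates an IP rule before submitting it, then issues the two az commands. The resource group rg-demo, the account stdemo123 and the client address 203.0.113.5 (an RFC 5737 documentation range) are assumptions; DRY_RUN=1, the default, prints the az and curl commands instead of running them, so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the original answer: allow specific public IP
# addresses or ranges into a storage account through the account's own
# network rules (Firewalls and virtual networks), using the Azure CLI.
# Assumed names: resource group rg-demo, storage account stdemo123.
RG="${RG:-rg-demo}"
ACCOUNT="${ACCOUNT:-stdemo123}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands instead of running them

# Validate an IP rule before submitting it. Storage IP rules take public IPv4
# addresses or CIDR ranges; /31 and /32 prefixes are not accepted (use the bare
# address instead) and RFC 1918 private ranges are rejected by the service.
valid_storage_ip_rule() {
  rule=$1
  case $rule in
    */*)
      ip=${rule%%/*}; prefix=${rule#*/}
      case $prefix in ''|*[!0-9]*|???*) return 1 ;; esac
      [ "$prefix" -le 30 ] || return 1 ;;
    *) ip=$rule ;;
  esac
  case $ip in .*|*.) return 1 ;; esac      # no leading or trailing dot
  IFS=.; set -- $ip; unset IFS             # split into octets
  [ $# -eq 4 ] || return 1                 # exactly four dotted-decimal octets
  for octet in "$@"; do
    case $octet in ''|*[!0-9]*|????*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  case "$1.$2" in                          # private ranges are not allowed
    10.*|192.168|172.1[6-9]|172.2[0-9]|172.3[01]) return 1 ;;
  esac
  return 0
}

run() {
  if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Enable public network access with a default action of Deny, then add one
# IP rule. Clients inside the VNet keep using the Private Endpoint; these
# rules only govern the public endpoint.
allow_public_ip() {
  valid_storage_ip_rule "$1" || { echo "rejected IP rule: $1" >&2; return 1; }
  run az storage account update --resource-group "$RG" --name "$ACCOUNT" \
    --public-network-access Enabled --default-action Deny
  run az storage account network-rule add --resource-group "$RG" \
    --account-name "$ACCOUNT" --ip-address "$1"
}

# Public endpoint the allowed client uses; Azure serves the TLS certificate,
# so nothing certificate-related is configured on the client side.
endpoint_url() { echo "https://$ACCOUNT.blob.core.windows.net/"; }

# Demo with the constructed client address. A client not covered by a rule
# gets HTTP 403 (AuthorizationFailure) from this endpoint.
allow_public_ip 203.0.113.5
run curl -sS -o /dev/null -w '%{http_code}\n' "$(endpoint_url)"
```

Run it with DRY_RUN=0 after az login to apply the change, and list the result with az storage account network-rule list. One caveat the answer does not spell out: IP rules cannot admit Azure services deployed in the same region as the account, because those reach storage over Azure-internal addresses rather than their public IPs, so they need a virtual network rule or a Private Endpoint instead.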