@NS97631-0872 Thank you for reaching out to Microsoft Q&A. I understand that you are having questions regarding routing to storage account from subnets with a NAT gateway.
Considering that you are accessing the Storage Account via the internet using its Public IP address, please correct me otherwise.
Answering your questions-
- When the VMs access the storage account in the same region does this traffic go through the NAT gateway and subject to the data processing fee of the NAT gateway?
When you are using a NAT Gateway subnet, for the traffic to go over the internet, the traffic needs to access the NAT gateway so that it can get a Public IP address to traverse the internet. If not, it cannot have a Public IP address. Therefore, yes, it will traverse the NAT gateway and will be charged.
- If I want to make an IP network rule allowing only my subnets access to the storage account, I understand you need service endpoints in the subnets as documented here. Despite using a NAT gateway I assume simply whitelisting the NAT gateway public IP wouldn't work in the same region?
Since you will be accessing the Storage Account via the Internet using its Public IP, you should be able to access the account by whitelisting the Public IP address of the NAT Gateway.
- If the answer to 1 is yes and I am subject to the NAT gateway processing fee would traffic still go through the NAT gateway if I created service endpoints in the vnet for the storage account?
If you create a Service Endpoint, you will reach the storage account using a private IP address and you no longer need to use the NAT gateway.
Hope this answers your questions. Please do let us know if you have more questions and I will be glad to assist further. Thank you!
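The subnet-level setup the second and third questions refer to (a service endpoint on the subnet plus a virtual network rule on the storage account), sketched as a Bicep template. This is an added example, not part of the original answer; the resource names, address ranges, API versions and the `natGatewayId` parameter are assumptions.

```bicep
// Added example: names, address ranges and parameters are assumptions.
param location string = resourceGroup().location
param storageAccountName string // hypothetical, must be globally unique
param natGatewayId string       // resource ID of an existing NAT gateway (assumed)

resource vnet 'Microsoft.Network/virtualNetworks@2023-09-01' = {
  name: 'vnet-example'
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [ '10.0.0.0/16' ]
    }
    subnets: [
      {
        name: 'snet-vms'
        properties: {
          addressPrefix: '10.0.1.0/24'
          // NAT gateway stays attached to the subnet for other outbound traffic
          natGateway: {
            id: natGatewayId
          }
          // Service endpoint for Azure Storage on this subnet
          serviceEndpoints: [
            {
              service: 'Microsoft.Storage'
            }
          ]
        }
      }
    ]
  }
}

resource sa 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  sku: {
    name: 'Standard_LRS'
  }
  kind: 'StorageV2'
  properties: {
    networkAcls: {
      defaultAction: 'Deny'   // reject anything not matched by a rule below
      bypass: 'AzureServices'
      virtualNetworkRules: [
        {
          id: vnet.properties.subnets[0].id // only this subnet is allowed
          action: 'Allow'
        }
      ]
    }
  }
}
```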