@Elmesten, Jonas (KIT) Thanks for reaching out. When you enable a private endpoint on the storage and you want your function connected with storage privately, you can select ‘selected networks’ in the storage firewall instead of ‘all networks’. There’s no need to whitelist the function app VNET because you have exposed your access to storage via a private endpoint. The function’s outbound VNET will connect with the private endpoint (PE) of the storage account using Azure’s private link service of Azure storage.
A Private Endpoint uses a private link service to connect with resources securely. The traffic goes via the Azure backbone network with a private IP.
https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview
A Service Endpoint is used to connect with Azure resources securely, but the traffic goes via a public route. So, Service Endpoints are not required to be enabled on the subnet when you are connecting to storage privately. If your function app is connecting to storage using a Private Endpoint, you can test this by checking the DNS resolver of the blob endpoint from the function’s Kudu site.
let me know incase of further queries, I would be happy to assist you.