Why I still have access even after removing service endpoint.

Elmesten, Jonas (KIT) 20 Reputation points


I have a function app "func-app" in Vnet "public-vnet" that is a Vnet integration into "subnet-af".

I also have a Vnet "private-vnet" with a storage account "data-storage".

So, in public-vnet: Azure function with Vnet integration into subnet

In private-vnet: Storage account that Azure function need access to.

I want funcp app to be able to reach data-storage in private-vnet.

So from data-storage, I set: Enable form selected virtual network to be to subnet-af in private-vnet.

This will create a service endpoint in subnet-af (as it says that service endpoint in required).

Now the function app can reach the storage account.

BUT, if I now remove the service endpoint from the subnet subnet-af in public-vnet, I can still access the storage account, and now it will say Endpoint status: Disabled, under network settings for the storage account.

So, why does it still work when service endpoint was required to be added, when adding network access on data-storage storage account?

This person, on reddit had the same question (images provided if above was unclear), and it's not really clear why it works when service endpoint is gone: https://www.reddit.com/r/AZURE/comments/13jf933/appservice_to_storage_with_vnet_rules/

Azure Functions
Azure Functions
An Azure service that provides an event-driven serverless compute platform.
3,673 questions
Azure Storage Accounts
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
2,287 questions
{count} votes

Accepted answer
  1. JananiRamesh-MSFT 14,996 Reputation points

    @Elmesten, Jonas (KIT) Thanks for reaching out. When you enable a private endpoint on the storage and you want your function connected with storage privately, you can select ‘selected networks’ in the storage firewall instead of ‘all networks’. There’s no need to whitelist the function app VNET because you have exposed your access to storage via a private endpoint. The function’s outbound VNET will connect with the private endpoint (PE) of the storage account using Azure’s private link service of Azure storage.


    A Private Endpoint uses a private link service to connect with resources securely. The traffic goes via the Azure backbone network with a private IP.



    A Service Endpoint is used to connect with Azure resources securely, but the traffic goes via a public route. So, Service Endpoints are not required to be enabled on the subnet when you are connecting to storage privately. If your function app is connecting to storage using a Private Endpoint, you can test this by checking the DNS resolver of the blob endpoint from the function’s Kudu site.


    let me know incase of further queries, I would be happy to assist you.

    0 comments No comments

0 additional answers

Sort by: Most helpful