Hello Noushad Karuthadath,
Thank you for posting your query here!
Adding on to the previous response:
On-prem to Azure Storage: Yes, if your Azure storage account is set to accept traffic from anywhere and there is no private link, your data transfer from on-prem to the Azure storage account will go over the internet to the public endpoint of the storage account.
If you implement a private endpoint for your Azure Storage Account, you can extend your on-prem network into Azure via the VPN and route all traffic to the storage account through this secure, private connection. This means that any data transferred from your on-premises infrastructure to the Azure Storage would not traverse the public internet, significantly enhancing security.
Azure VM to Azure Storage in the Same Region: If private endpoints are not used, the Azure VM will connect to the storage account's public endpoint. However, even though it's a public endpoint, the traffic between the Azure VM and the storage account, when both are in the same region, typically remains within Microsoft's Azure internal network, not traversing the public internet. This setup leverages the Azure network, optimizing for security and performance within the same regional infrastructure.
Using private endpoints for the storage account ensures that all access from Azure VMs within the same region (or even different regions if configured) occurs over Azure’s private network. This setup restricts access to the storage account to only those resources within your Azure network, mitigating exposure to potential external threats and breaches.
What is a private endpoint? - Azure Private Link | Microsoft Learn
Do let us know if you have any further queries. I’m happy to assist you further.
Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, as this can be beneficial to other community members.
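Two checks that follow from the answer above, as an added example (this is not code from the original post or from Microsoft): first, confirm the storage account's network settings really close the public endpoint and carry an approved private endpoint connection; second, confirm that a client's DNS answer for `<account>.blob.core.windows.net` lands on the private endpoint's address, since an on-prem resolver that does not forward the `privatelink.blob.core.windows.net` zone to Azure still hands back the public IP and the VPN path is never used. The account records are constructed samples whose field names follow the Microsoft.Storage ARM properties that `az storage account show` prints (an assumption about shape, with invented values), and the DNS answer chains, hostnames and addresses are likewise constructed.

```python
"""Audit whether Azure Storage traffic can actually take the private path.

Added example, not part of the original answer. Field names mirror the
Microsoft.Storage ARM properties returned by `az storage account show`
(assumed shape); every value below is constructed sample data.
"""
import ipaddress

# Constructed: an account left at the defaults (public endpoint open, no private link).
OPEN_ACCOUNT = {
    "name": "stopenexample",
    "publicNetworkAccess": "Enabled",
    "networkRuleSet": {"defaultAction": "Allow", "bypass": "AzureServices",
                       "ipRules": [], "virtualNetworkRules": []},
    "privateEndpointConnections": [],
}

# Constructed: the same account after adding a private endpoint and closing the public endpoint.
PRIVATE_ACCOUNT = {
    "name": "stprivexample",
    "publicNetworkAccess": "Disabled",
    "networkRuleSet": {"defaultAction": "Deny", "bypass": "AzureServices",
                       "ipRules": [], "virtualNetworkRules": []},
    "privateEndpointConnections": [
        {"privateEndpoint": {"id": "/subscriptions/00000000-0000-0000-0000-000000000000"
                                   "/resourceGroups/rg-example/providers/Microsoft.Network"
                                   "/privateEndpoints/pe-stprivexample-blob"},
         "privateLinkServiceConnectionState": {"status": "Approved"}},
    ],
}

# Constructed DNS answer chains as (owner, rrtype, value) tuples, the way a
# resolver returns them. 10.20.1.0/24 is the assumed private endpoint subnet;
# 203.0.113.10 stands in for the storage cluster's public address.
ONPREM_FORWARDED = [
    ("stprivexample.blob.core.windows.net", "CNAME", "stprivexample.privatelink.blob.core.windows.net"),
    ("stprivexample.privatelink.blob.core.windows.net", "A", "10.20.1.4"),
]
ONPREM_NOT_FORWARDED = [
    ("stprivexample.blob.core.windows.net", "CNAME", "stprivexample.privatelink.blob.core.windows.net"),
    ("stprivexample.privatelink.blob.core.windows.net", "CNAME", "blob.example-cluster.store.core.windows.net"),
    ("blob.example-cluster.store.core.windows.net", "A", "203.0.113.10"),
]


def audit_storage_network(acct):
    """Return a list of findings; an empty list means the public endpoint is
    closed and at least one approved private endpoint connection exists."""
    findings = []
    if acct.get("publicNetworkAccess", "Enabled") != "Disabled":
        findings.append("publicNetworkAccess is not Disabled: the public endpoint still accepts traffic")
    rules = acct.get("networkRuleSet") or {}
    if rules.get("defaultAction", "Allow") != "Deny":
        findings.append("networkRuleSet.defaultAction is Allow: any source address may reach the account")
    approved = [c for c in acct.get("privateEndpointConnections", [])
                if (c.get("privateLinkServiceConnectionState") or {}).get("status") == "Approved"]
    if not approved:
        findings.append("no approved private endpoint connection: clients have only the public endpoint")
    return findings


def resolution_path(answers, private_endpoint_subnet):
    """Classify a client's DNS answer chain for <account>.blob.core.windows.net.

    With a private endpoint the public name CNAMEs to
    <account>.privatelink.blob.core.windows.net; only a resolver that forwards
    that zone to Azure's private DNS gets an A record inside the endpoint subnet.
    """
    subnet = ipaddress.ip_network(private_endpoint_subnet)
    saw_privatelink = any(t == "CNAME" and ".privatelink." in v for _, t, v in answers)
    a_records = [ipaddress.ip_address(v) for _, t, v in answers if t == "A"]
    if not a_records:
        return "unresolved"
    if all(ip in subnet for ip in a_records):
        return "private"
    if saw_privatelink:
        # The endpoint exists, but this resolver handed back the public address:
        # traffic from here still goes over the internet (or is blocked outright
        # once publicNetworkAccess is Disabled).
        return "public-dns-not-forwarded"
    return "public"


if __name__ == "__main__":
    for acct in (OPEN_ACCOUNT, PRIVATE_ACCOUNT):
        print(acct["name"], audit_storage_network(acct) or ["ok"])
    print("forwarded resolver:", resolution_path(ONPREM_FORWARDED, "10.20.1.0/24"))
    print("non-forwarded resolver:", resolution_path(ONPREM_NOT_FORWARDED, "10.20.1.0/24"))
```

In practice the account records come from `az storage account show --name <account> --output json`, and the answer chains from `nslookup` or `dig` run on an on-prem host; the second check is the one most often skipped, and a "public-dns-not-forwarded" result means the VPN and private endpoint are in place but the client never uses them.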