When a Storage account is assigned a private endpoint, do we still need to enable firewalls?

suresh bettadapur 1 Reputation point
2021-05-26T06:28:34.873+00:00

When a Storage account is assigned a private endpoint, and public access to the blob container is disabled, is there a need to make it more secure by enabling firewalls to restrict access only to specific networks/subnets?

Azure Storage


1 answer

  1. Sumarigo-MSFT 47,511 Reputation points Microsoft Employee Moderator
    2021-05-27T07:31:55.957+00:00

    @suresh bettadapur Welcome to the Q&A Forum! Thank you for posting your query here.

    "When a Storage account is assigned a private endpoint, and public access to the blob container is disabled, is there a need to make it more secure by enabling firewalls to restrict access only to specific networks/subnets?" Not required.

    Using private endpoints for your storage account enables you to:

    • Secure your storage account by configuring the storage firewall to block all connections on the public endpoint for the storage service.
    • Increase security for the virtual network (VNet), by enabling you to block exfiltration of data from the VNet.
    • Securely connect to storage accounts from on-premises networks that connect to the VNet using VPN or ExpressRoutes with private-peering.
    • You can secure your storage account to only accept connections from your VNet, by configuring the storage firewall to deny access through its public endpoint by default. You don't need a firewall rule to allow traffic from a VNet that has a private endpoint, since the storage firewall only controls access through the public endpoint. Private endpoints instead rely on the consent flow for granting subnets access to the storage service.

    Hope this helps!

    Kindly let us know if the above helps or you need further assistance on this issue.

    ------------------------------------------------------------------------------------------------------------------------------------------------------------

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.

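The answer's point that the storage firewall governs only the public endpoint, while private endpoint access depends on an approved connection, can be checked per account. The following is an added example, not part of the answer above; the sample records are constructed, and the field names are assumed to match the JSON printed by `az storage account show`.

```python
import json

# Constructed sample accounts. Field names follow the JSON printed by
# `az storage account show` (an assumption: check your CLI/API version).
SAMPLES = json.loads("""[
 {"name": "pe-firewall-open", "publicNetworkAccess": "Enabled",
  "networkRuleSet": {"defaultAction": "Allow", "ipRules": [], "virtualNetworkRules": []},
  "privateEndpointConnections": [{"privateLinkServiceConnectionState": {"status": "Approved"}}]},
 {"name": "pe-firewall-deny", "publicNetworkAccess": "Enabled",
  "networkRuleSet": {"defaultAction": "Deny", "ipRules": [], "virtualNetworkRules": []},
  "privateEndpointConnections": [{"privateLinkServiceConnectionState": {"status": "Approved"}}]},
 {"name": "pe-pending", "publicNetworkAccess": "Enabled",
  "networkRuleSet": {"defaultAction": "Deny",
                     "ipRules": [{"ipAddressOrRange": "203.0.113.0/24"}],
                     "virtualNetworkRules": []},
  "privateEndpointConnections": [{"privateLinkServiceConnectionState": {"status": "Pending"}}]},
 {"name": "pe-public-disabled", "publicNetworkAccess": "Disabled", "networkRuleSet": null,
  "privateEndpointConnections": [{"privateLinkServiceConnectionState": {"status": "Approved"}}]}
]""")

def public_endpoint_state(acct):
    """Classify the public endpoint, which is the only path the firewall governs."""
    if acct.get("publicNetworkAccess") == "Disabled":
        return "closed"
    rules = acct.get("networkRuleSet") or {}
    # A missing defaultAction is treated as "Allow" (assumed service default).
    if rules.get("defaultAction", "Allow") != "Deny":
        return "open"
    allowed = len(rules.get("ipRules") or []) + len(rules.get("virtualNetworkRules") or [])
    return "restricted" if allowed else "deny-all"

def approved_private_endpoints(acct):
    """Count private endpoint connections that completed the approval (consent) flow."""
    return sum(
        1 for conn in acct.get("privateEndpointConnections") or []
        if (conn.get("privateLinkServiceConnectionState") or {}).get("status") == "Approved"
    )

def assess(acct):
    state, approved = public_endpoint_state(acct), approved_private_endpoints(acct)
    return {"name": acct["name"], "public": state, "approved_private_endpoints": approved,
            # A private endpoint adds a private path; it does not close the public one.
            "public_path_still_open": approved > 0 and state == "open"}

if __name__ == "__main__":
    for account in SAMPLES:
        print(assess(account))
```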
