Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
Azure Routing Between Private VM and Network Restricted Storage Account Works Despite Service Endpoint Being Deleted and Disabled
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(259.20000000000005, 20%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EG%3C/text%3E%3C/svg%3E)
grahamschuckman
5
Reputation points
To replicate:
- Attached the Microsoft.Storage service endpoint to the VNet running the private VM
- Restricted public network access to my VNet and subnet on the storage account using the service endpoint
- Confirmed that the effective routes for my private VM's VNIC show the effective routes to the Microsoft.Storage endpoint
- Tested with curl from my private VM to a blob in my storage account and got a 200 and was able to fetch the object
- Confirmed that storage account logs show called IP as the private IP of my VM.
- Deleted the service endpoint from the VNet section
- Service endpoint status on storage account shows as disabled
- Confirmed that effective routes to Microsoft.Storage CIDR ranges are removed from the private VM's VNIC.
- Curl is still successful to the storage account, even hours later.
- Logs still show called IP as the private IP of my VM.
If the service endpoint is removed from my VNet, showing as disabled on the storage account, and the effective routes are removed from my VNIC, how is routing still successful?
This seems like a bit of a security and observability gap.
Azure Virtual Network
{count} vote
-
grahamschuckman 5 Reputation points
2025-10-14T16:48:54.4466667+00:00 This question appears to have been asked previously, but the answer discusses private endpoints which is not the service being used: https://learn.microsoft.com/en-us/answers/questions/1423963/why-i-still-have-access-even-after-removing-servic?source=docs
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(124.80000000000001, 83%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERV%3C/text%3E%3C/svg%3E)
Ravi Varma Mudduluru 3,625 Reputation points Microsoft External Staff Moderator2025-10-14T21:32:11.6733333+00:00 Hello @grahamschuckman,
Thanks for reaching out to Microsoft Q&A.
I understand that you are experiencing an issue where, even after removing the service endpoint, you are still able to access your storage account from a private VM.
Could you please provide the following information to assist with further investigation?
- Is the storage account configured with only service endpoints?
- Did you restart the VM or clear its DNS cache after the service endpoint was removed
- Could you please confirm the public network access settings for the storage account?
- Could there be any NSGs or UDRs that are affecting the traffic flow?
- Are there any firewall rules on the storage account that still allow access from the subnet?
-
grahamschuckman 5 Reputation points
2025-10-16T01:17:22.7766667+00:00 Hello! @Ravi Varma Mudduluru
- Yes, the storage account is only configured with service endpoints.
- Yes, I have restarted the VMs and it is the same result.
- See the screenshot for the public network access settings.
- No, the traffic is flowing normally with default NSGs. That is the problem, traffic should STOP flowing after the service endpoint is deleted from the VNet.
- Yes, the firewall rule still is there but the endpoint shows it is disabled and should not be working.
-
Ravi Varma Mudduluru 3,625 Reputation points Microsoft External Staff Moderator
2025-10-16T18:28:05.0233333+00:00 Hello @grahamschuckman,
Could you please check the private message and share me the requested details?
-
Ravi Varma Mudduluru 3,625 Reputation points Microsoft External Staff Moderator
2025-10-17T19:42:01.2866667+00:00 Hello @grahamschuckman,
Currently I am doing the lab will update you once it done.
-
Ravi Varma Mudduluru 3,625 Reputation points Microsoft External Staff Moderator
2025-11-17T17:49:17.2633333+00:00 Hello @grahamschuckman,
The described behavior is by design. I kindly request that you submit a feature request at https://feedback.azure.com/d365community, where the product team will review and consider it.
-
grahamschuckman 5 Reputation points
2025-11-18T03:38:44.95+00:00 Azure support told me that routes living after the endpoint is disabled is intended and "not a bug" so they asked me to file a feature request instead: https://feedback.azure.com/d365community/idea/d7a7acaf-2fc4-f011-aa43-7c1e52baa666
Sign in to comment
Sign in to answer