Create and associate service endpoint policies

Service endpoint policies enable you to filter virtual network traffic to specific Azure resources, over service endpoints. If you're not familiar with service endpoint policies, see service endpoint policies overview to learn more.

In this tutorial, you learn how to:

• Create a virtual network.
• Add a subnet and enable service endpoint for Azure Storage.
• Create two Azure Storage accounts and allow network access to it from the subnet in the virtual network.
• Create a service endpoint policy to allow access only to one of the storage accounts.
• Deploy a virtual machine (VM) to the subnet.
• Confirm access to the allowed storage account from the subnet.
• Confirm access is denied to the nonallowed storage account from the subnet.

Prerequisites

Portal

• An Azure account with an active subscription. You can create an account for free.

PowerShell

• An Azure account with an active subscription. You can create an account for free.

Azure Cloud Shell

Azure hosts Azure Cloud Shell, an interactive shell environment that you can use through your browser. You can use either Bash or PowerShell with Cloud Shell to work with Azure services. You can use the Cloud Shell preinstalled commands to run the code in this article, without having to install anything on your local environment.

To start Azure Cloud Shell:

Option	Example/Link
Select Try It in the upper-right corner of a code or command block. Selecting Try It doesn't automatically copy the code or command to Cloud Shell.
Go to https://shell.azure.com, or select the Launch Cloud Shell button to open Cloud Shell in your browser.
Select the Cloud Shell button on the menu bar at the upper right in the Azure portal.

To use Azure Cloud Shell:

1. Start Cloud Shell.

2. Select the Copy button on a code block (or command block) to copy the code or command.

3. Paste the code or command into the Cloud Shell session by selecting Ctrl+Shift+V on Windows and Linux, or by selecting Cmd+Shift+V on macOS.

4. Select Enter to run the code or command.

If you choose to install and use PowerShell locally, this article requires the Azure PowerShell module version 1.0.0 or later. Run Get-Module -ListAvailable Az to find the installed version. If you need to upgrade, see Install Azure PowerShell module. If you're running PowerShell locally, you also need to run Connect-AzAccount to create a connection with Azure.

CLI

If you don't have an Azure subscription, create an Azure free account before you begin.

• Use the Bash environment in Azure Cloud Shell. For more information, see Quickstart for Bash in Azure Cloud Shell.

  

• If you prefer to run CLI reference commands locally, install the Azure CLI. If you're running on Windows or macOS, consider running Azure CLI in a Docker container. For more information, see How to run the Azure CLI in a Docker container.

  • If you're using a local installation, sign in to the Azure CLI by using the az login command. To finish the authentication process, follow the steps displayed in your terminal. For other sign-in options, see Sign in with the Azure CLI.

  • When you're prompted, install the Azure CLI extension on first use. For more information about extensions, see Use extensions with the Azure CLI.

  • Run az version to find the version and dependent libraries that are installed. To upgrade to the latest version, run az upgrade.

• This article requires version 2.0.28 or later of the Azure CLI. If using Azure Cloud Shell, the latest version is already installed.

Create a virtual network and enable service endpoint

Create a virtual network to contain the resources you create in this tutorial.

Portal

1. In the search box in the portal, enter Virtual networks. Select Virtual networks in the search results.

2. Select + Create to create a new virtual network.

3. Enter or select the following information in the Basics tab of Create virtual network.

   Setting	Value
   Project details
   Subscription	Select your subscription.
   Resource group	Select Create new. Enter test-rg in Name. Select OK.
   Name	Enter vnet-1.
   Region	Select West US 2.

4. Select Next.

5. Select Next.

6. In the IP addresses tab, in Subnets, select the default subnet.

7. Enter or select the following information in Edit subnet.

   Setting	Value
   Name	Enter subnet-1.
   Service Endpoints
   Services
   In the pull-down menu, select Microsoft.Storage.

8. Select Save.

9. Select Review + Create.

10. Select Create.

PowerShell

Before creating a virtual network, you have to create a resource group for the virtual network, and all other resources created in this article. Create a resource group with New-AzResourceGroup. The following example creates a resource group named test-rg:

$rg = @{
    ResourceGroupName = "test-rg"
    Location = "westus2"
}
New-AzResourceGroup @rg

Create a virtual network with New-AzVirtualNetwork. The following example creates a virtual network named vnet-1 with the address prefix 10.0.0.0/16.

$vnet = @{
    ResourceGroupName = "test-rg"
    Location = "westus2"
    Name = "vnet-1"
    AddressPrefix = "10.0.0.0/16"
}
$virtualNetwork = New-AzVirtualNetwork @vnet

Create a subnet configuration with New-AzVirtualNetworkSubnetConfig, and then write the subnet configuration to the virtual network with Set-AzVirtualNetwork. The following example adds a subnet named subnet-1 to the virtual network and creates the service endpoint for Microsoft.Storage.

$subnet = @{
    Name = "subnet-1"
    VirtualNetwork = $virtualNetwork
    AddressPrefix = "10.0.0.0/24"
    ServiceEndpoint = "Microsoft.Storage"
}
Add-AzVirtualNetworkSubnetConfig @subnet

$virtualNetwork | Set-AzVirtualNetwork

CLI

Before creating a virtual network, you have to create a resource group for the virtual network, and all other resources created in this article. Create a resource group with az group create. The following example creates a resource group named test-rg in the westus2 location.

az group create \
  --name test-rg \
  --location westus2

Create a virtual network with one subnet with az network vnet create.

az network vnet create \
  --name vnet-1 \
  --resource-group test-rg \
  --address-prefix 10.0.0.0/16 \
  --subnet-name subnet-1 \
  --subnet-prefix 10.0.0.0/24

In this example, a service endpoint for Microsoft.Storage is created for the subnet subnet-1:

az network vnet subnet create \
  --vnet-name vnet-1 \
  --resource-group test-rg \
  --name subnet-1 \
  --address-prefix 10.0.0.0/24 \
  --service-endpoints Microsoft.Storage

Restrict network access for the subnet

Create a network security group and rules that restrict network access for the subnet.

Create a network security group

Portal

1. In the search box in the portal, enter Network security groups. Select Network security groups in the search results.

2. Select + Create to create a new network security group.

3. In the Basics tab of Create network security group, enter, or select the following information.

   Setting	Value
   Project details
   Subscription	Select your subscription.
   Resource group	Select test-rg.
   Name	Enter nsg-1.
   Region	Select West US 2.

4. Select Review + Create.

5. Select Create.

Create network security group rules

1. In the search box in the portal, enter Network security groups. Select Network security groups in the search results.

2. Select nsg-1.

3. Expand Settings. Select Outbound security rules.

4. Select + Add to add a new outbound security rule.

5. In Add outbound security rule, enter or select the following information.

   Setting	Value
   Source	Select Service Tag.
   Source service tag	Select VirtualNetwork.
   Source port ranges	Enter *.
   Destination	Select Service Tag.
   Destination service tag	Select Storage.
   Service	Select Custom.
   Destination port ranges	Enter *.
   Protocol	Select Any.
   Action	Select Allow.
   Priority	Enter 100.
   Name	Enter allow-storage-all.

6. Select Add.

7. Select + Add to add another outbound security rule.

8. In Add outbound security rule, enter or select the following information.

   Setting	Value
   Source	Select Service Tag.
   Source service tag	Select VirtualNetwork.
   Source port ranges	Enter *.
   Destination	Select Service Tag.
   Destination service tag	Select Internet.
   Service	Select Custom.
   Destination port ranges	Enter *.
   Protocol	Select Any.
   Action	Select Deny.
   Priority	Enter 110.
   Name	Enter deny-internet-all.

9. Select Add.

10. Expand Settings. Select Subnets.

11. Select Associate.

12. In Associate subnet, enter or select the following information.

    Setting	Value
    Virtual network	Select vnet-1 (test-rg).
    Subnet	Select subnet-1.

13. Select OK.

PowerShell

Create network security group security rules with New-AzNetworkSecurityRuleConfig. The following rule allows outbound access to the public IP addresses assigned to the Azure Storage service:

$r1 = @{
    Name = "Allow-Storage-All"
    Access = "Allow"
    DestinationAddressPrefix = "Storage"
    DestinationPortRange = "*"
    Direction = "Outbound"
    Priority = 100
    Protocol = "*"
    SourceAddressPrefix = "VirtualNetwork"
    SourcePortRange = "*"
}
$rule1 = New-AzNetworkSecurityRuleConfig @r1

The following rule denies access to all public IP addresses. The previous rule overrides this rule, due to its higher priority, which allows access to the public IP addresses of Azure Storage.

$r2 = @{
    Name = "Deny-Internet-All"
    Access = "Deny"
    DestinationAddressPrefix = "Internet"
    DestinationPortRange = "*"
    Direction = "Outbound"
    Priority = 110
    Protocol = "*"
    SourceAddressPrefix = "VirtualNetwork"
    SourcePortRange = "*"
}
$rule2 = New-AzNetworkSecurityRuleConfig @r2

Create a network security group with New-AzNetworkSecurityGroup. The following example creates a network security group named nsg-1.

$securityRules = @($rule1, $rule2)

$nsgParams = @{
    ResourceGroupName = "test-rg"
    Location = "westus2"
    Name = "nsg-1"
    SecurityRules = $securityRules
}
$nsg = New-AzNetworkSecurityGroup @nsgParams

Associate the network security group to the subnet-1 subnet with Set-AzVirtualNetworkSubnetConfig and then write the subnet configuration to the virtual network. The following example associates the nsg-1 network security group to the subnet-1 subnet:

$subnetConfig = @{
    VirtualNetwork = $VirtualNetwork
    Name = "subnet-1"
    AddressPrefix = "10.0.0.0/24"
    ServiceEndpoint = "Microsoft.Storage"
    NetworkSecurityGroup = $nsg
}
Set-AzVirtualNetworkSubnetConfig @subnetConfig

$virtualNetwork | Set-AzVirtualNetwork

CLI

Create a network security group with az network nsg create. The following example creates a network security group named nsg-1.

az network nsg create \
  --resource-group test-rg \
  --name nsg-1

Associate the network security group to the subnet-1 subnet with az network vnet subnet update. The following example associates the nsg-1 network security group to the subnet-1 subnet:

az network vnet subnet update \
  --vnet-name vnet-1 \
  --name subnet-1 \
  --resource-group test-rg \
  --network-security-group nsg-1

Create security rules with az network nsg rule create. The rule that follows allows outbound access to the public IP addresses assigned to the Azure Storage service:

az network nsg rule create \
  --resource-group test-rg \
  --nsg-name nsg-1 \
  --name Allow-Storage-All \
  --access Allow \
  --protocol "*" \
  --direction Outbound \
  --priority 100 \
  --source-address-prefix "VirtualNetwork" \
  --source-port-range "*" \
  --destination-address-prefix "Storage" \
  --destination-port-range "*"

Each network security group contains several default security rules. The rule that follows overrides a default security rule that allows outbound access to all public IP addresses. The destination-address-prefix "Internet" option denies outbound access to all public IP addresses. The previous rule overrides this rule, due to its higher priority, which allows access to the public IP addresses of Azure Storage.

az network nsg rule create \
  --resource-group test-rg \
  --nsg-name nsg-1 \
  --name Deny-Internet-All \
  --access Deny \
  --protocol "*" \
  --direction Outbound \
  --priority 110 \
  --source-address-prefix "VirtualNetwork" \
  --source-port-range "*" \
  --destination-address-prefix "Internet" \
  --destination-port-range "*"

Restrict network access to Azure Storage accounts

The steps necessary to restrict network access to resources created through Azure services enabled for service endpoints varies across services. See the documentation for individual services for specific steps for each service. The remainder of this article includes steps to restrict network access for an Azure Storage account, as an example.

Create two storage accounts

Portal

1. In the search box in the portal, enter Storage accounts. Select Storage accounts in the search results.

2. Select + Create to create a new storage account.

3. In Create a storage account, enter or select the following information.

   Setting	Value
   Project details
   Subscription	Select your subscription.
   Resource group	Select test-rg.
   Instance details
   Storage account name	Enter allowedaccount(random-number). Note: The storage account name must be unique. Add a random number to the end of the name allowedaccount.
   Region	Select West US 2.
   Performance	Select Standard.
   Redundancy	Select Locally-redundant storage (LRS).

4. Select Next until you reach the Data protection tab.

5. In Recovery, deselect all of the options.

6. Select Review + Create.

7. Select Create.

8. Repeat the previous steps to create another storage account with the following information.

   Setting	Value
   Storage account name	Enter deniedaccount(random-number).

PowerShell

Create the allowed Azure storage account with New-AzStorageAccount.

$storageAcctParams = @{
    Location = 'westus2'
    Name = 'allowedaccount'
    ResourceGroupName = 'test-rg'
    SkuName = 'Standard_LRS'
    Kind = 'StorageV2'
}
New-AzStorageAccount @storageAcctParams

Use the same command to create the denied Azure storage account, but change the name to deniedaccount.

$storageAcctParams = @{
    Location = 'westus2'
    Name = 'deniedaccount'
    ResourceGroupName = 'test-rg'
    SkuName = 'Standard_LRS'
    Kind = 'StorageV2'
}
New-AzStorageAccount @storageAcctParams

CLI

Create two Azure storage accounts with az storage account create.

storageAcctName1="allowedaccount"

az storage account create \
  --name $storageAcctName1 \
  --resource-group test-rg \
  --sku Standard_LRS \
  --kind StorageV2

Use the same command to create the denied Azure storage account, but change the name to deniedaccount.

storageAcctName2="deniedaccount"

az storage account create \
  --name $storageAcctName2 \
  --resource-group test-rg \
  --sku Standard_LRS \
  --kind StorageV2

Create file shares

Portal

1. In the search box in the portal, enter Storage accounts. Select Storage accounts in the search results.

2. Select allowedaccount(random-number).

3. Expand the Data storage section and select File shares.

4. Select + File share.

5. In New file share, enter or select the following information.

   Setting	Value
   Name	Enter file-share.

6. Leave the rest of the settings as default and select Review + create.

7. Select Create.

8. Repeat the previous steps to create a file share in deniedaccount(random-number).

PowerShell

Create allowed storage account file share

Use Get-AzStorageAccountKey to get the storage account key for the allowed storage account. You'll use this key in the next step to create a file share in the allowed storage account.

$storageAcctName1 = "allowedaccount"
$storageAcctParams1 = @{
    ResourceGroupName = "test-rg"
    AccountName = $storageAcctName1
}
$storageAcctKey1 = (Get-AzStorageAccountKey @storageAcctParams1).Value[0]

Create a context for your storage account and key with New-AzStorageContext. The context encapsulates the storage account name and account key.

$storageContext1 = New-AzStorageContext $storageAcctName1 $storageAcctKey1

Create a file share with New-AzStorageShare.

$share1 = New-AzStorageShare file-share -Context $storageContext1

Create denied storage account file share

Use Get-AzStorageAccountKey to get the storage account key for the allowed storage account. You'll use this key in the next step to create a file share in the denied storage account.

$storageAcctName2 = "deniedaccount"
$storageAcctParams2 = @{
    ResourceGroupName = "test-rg"
    AccountName = $storageAcctName2
}
$storageAcctKey2 = (Get-AzStorageAccountKey @storageAcctParams2).Value[0]

Create a context for your storage account and key with New-AzStorageContext. The context encapsulates the storage account name and account key.

$storageContext2= New-AzStorageContext $storageAcctName2 $storageAcctKey2

Create a file share with New-AzStorageShare.

$share2 = New-AzStorageShare file-share -Context $storageContext2

CLI

Create allowed storage account file share

Retrieve the connection string for the storage accounts into a variable with az storage account show-connection-string. The connection string is used to create a file share in a later step.

saConnectionString1=$(az storage account show-connection-string \
  --name $storageAcctName1 \
  --resource-group test-rg \
  --query 'connectionString' \
  --out tsv)

Create a file share in the storage account with az storage share create. In a later step, this file share is mounted to confirm network access to it.

az storage share create \
  --name file-share \
  --quota 2048 \
  --connection-string $saConnectionString1 > /dev/null

Create denied storage account file share

Retrieve the connection string for the storage accounts into a variable with az storage account show-connection-string. The connection string is used to create a file share in a later step.

saConnectionString2=$(az storage account show-connection-string \
  --name $storageAcctName2 \
  --resource-group test-rg \
  --query 'connectionString' \
  --out tsv)

Create a file share in the storage account with az storage share create. In a later step, this file share is mounted to confirm network access to it.

az storage share create \
  --name file-share \
  --quota 2048 \
  --connection-string $saConnectionString2 > /dev/null

Deny all network access to storage accounts

By default, storage accounts accept network connections from clients in any network. To restrict network access to the storage accounts, you can configure the storage account to accept connections only from specific networks. In this example, you configure the storage account to accept connections only from the virtual network subnet you created earlier.

Portal

1. In the search box in the portal, enter Storage accounts. Select Storage accounts in the search results.

2. Select allowedaccount(random-number).

3. Expand Security + networking and select Networking.

4. In Firewalls and virtual networks, in Public network access, select Enabled from selected virtual networks and IP addresses.

5. In Virtual networks, select + Add existing virtual network.

6. In Add networks, enter or select the following information.

   Setting	Value
   Subscription	Select your subscription.
   Virtual networks	Select vnet-1.
   Subnets	Select subnet-1.

7. Select Add.

8. Select Save.

9. Repeat the previous steps to deny network access to deniedaccount(random-number).

PowerShell

Use Update-AzStorageAccountNetworkRuleSet to deny access to the storage accounts except from the virtual network and subnet you created earlier. Once network access is denied, the storage account isn't accessible from any network.

$storageAcctParams1 = @{
    ResourceGroupName = "test-rg"
    Name = $storageAcctName1
    DefaultAction = "Deny"
}
Update-AzStorageAccountNetworkRuleSet @storageAcctParams1

$storageAcctParams2 = @{
    ResourceGroupName = "test-rg"
    Name = $storageAcctName2
    DefaultAction = "Deny"
}
Update-AzStorageAccountNetworkRuleSet @storageAcctParams2

Enable network access only from the virtual network subnet

Retrieve the created virtual network with Get-AzVirtualNetwork and then retrieve the private subnet object into a variable with Get-AzVirtualNetworkSubnetConfig:

$privateSubnetParams = @{
    ResourceGroupName = "test-rg"
    Name = "vnet-1"
}
$privateSubnet = Get-AzVirtualNetwork @privateSubnetParams | Get-AzVirtualNetworkSubnetConfig -Name "subnet-1"

Allow network access to the storage account from the subnet-1 subnet with Add-AzStorageAccountNetworkRule.

$networkRuleParams1 = @{
    ResourceGroupName = "test-rg"
    Name = $storageAcctName1
    VirtualNetworkResourceId = $privateSubnet.Id
}
Add-AzStorageAccountNetworkRule @networkRuleParams1

$networkRuleParams2 = @{
    ResourceGroupName = "test-rg"
    Name = $storageAcctName2
    VirtualNetworkResourceId = $privateSubnet.Id
}
Add-AzStorageAccountNetworkRule @networkRuleParams2

CLI

By default, storage accounts accept network connections from clients in any network. To limit access to selected networks, change the default action to Deny with az storage account update. Once network access is denied, the storage account isn't accessible from any network.

az storage account update \
  --name $storageAcctName1 \
  --resource-group test-rg \
  --default-action Deny

az storage account update \
  --name $storageAcctName2 \
  --resource-group test-rg \
  --default-action Deny

Enable network access only from the virtual network subnet

Allow network access to the storage account from the subnet-1 subnet with az storage account network-rule add.

az storage account network-rule add \
  --resource-group test-rg \
  --account-name $storageAcctName1 \
  --vnet-name vnet-1 \
  --subnet subnet-1

az storage account network-rule add \
  --resource-group test-rg \
  --account-name $storageAcctName2 \
  --vnet-name vnet-1 \
  --subnet subnet-1

Apply policy to allow access to valid storage account

You can create a service endpoint policy. The policy ensures users in the virtual network can only access safe and allowed Azure Storage accounts. This policy contains a list of allowed storage accounts applied to the virtual network subnet that is connected to storage via service endpoints.

Create a service endpoint policy

This section creates the policy definition with the list of allowed resources for access over service endpoint.

Portal

1. In the search box in the portal, enter Service endpoint policy. Select Service endpoint policies in the search results.

2. Select + Create to create a new service endpoint policy.

3. Enter or select the following information in the Basics tab of Create a service endpoint policy.

   Setting	Value
   Project details
   Subscription	Select your subscription.
   Resource group	Select test-rg.
   Instance details
   Name	Enter service-endpoint-policy.
   Location	Select West US 2.

4. Select Next: Policy definitions.

5. Select + Add a resource in Resources.

6. In Add a resource, enter or select the following information:

   Setting	Value
   Service	Select Microsoft.Storage.
   Scope	Select Single account
   Subscription	Select your subscription.
   Resource group	Select test-rg.
   Resource	Select allowedaccount(random-number)

7. Select Add.

8. Select Review + Create.

9. Select Create.

PowerShell

To retrieve the resource ID for the first (allowed) storage account, use Get-AzStorageAccount.

$storageAcctParams1 = @{
    ResourceGroupName = "test-rg"
    Name = $storageAcctName1
}
$resourceId = (Get-AzStorageAccount @storageAcctParams1).id

To create the policy definition to allow the previous resource, use New-AzServiceEndpointPolicyDefinition .

$policyDefinitionParams = @{
    Name = "policy-definition"
    Description = "Service Endpoint Policy Definition"
    Service = "Microsoft.Storage"
    ServiceResource = $resourceId
}
$policyDefinition = New-AzServiceEndpointPolicyDefinition @policyDefinitionParams

Use New-AzServiceEndpointPolicy to create the service endpoint policy with the policy definition.

$sepolicyParams = @{
    ResourceGroupName = "test-rg"
    Name = "service-endpoint-policy"
    Location = "westus2"
    ServiceEndpointPolicyDefinition = $policyDefinition
}
$sepolicy = New-AzServiceEndpointPolicy @sepolicyParams

CLI

Service endpoint policies are applied over service endpoints. Start by creating a service endpoint policy. Then create the policy definitions under this policy for Azure Storage accounts to be approved for this subnet

Use az storage account show to get the resource ID for the storage account that is allowed.

serviceResourceId=$(az storage account show --name allowedaccount --query id --output tsv)

Create a service endpoint policy

az network service-endpoint policy create \
  --resource-group test-rg \
  --name service-endpoint-policy \
  --location westus2

Create and add a policy definition for allowing the previous Azure Storage account to the service endpoint policy

az network service-endpoint policy-definition create \
  --resource-group test-rg \
  --policy-name service-endpoint-policy \
  --name policy-definition \
  --service "Microsoft.Storage" \
  --service-resources $serviceResourceId

Associate a service endpoint policy to a subnet

After creating the service endpoint policy, you'll associate it with the target subnet with the service endpoint configuration for Azure Storage.

Portal

1. In the search box in the portal, enter Service endpoint policy. Select Service endpoint policies in the search results.

2. Select service-endpoint-policy.

3. Expand Settings and select Associated subnets.

4. Select + Edit subnet association.

5. In Edit subnet association, select vnet-1 and subnet-1.

6. Select Apply.

PowerShell

Use Set-AzVirtualNetworkSubnetConfig to associate the service endpoint policy to the subnet.

$subnetConfigParams = @{
    VirtualNetwork = $VirtualNetwork
    Name = "subnet-1"
    AddressPrefix = "10.0.0.0/24"
    NetworkSecurityGroup = $nsg
    ServiceEndpoint = "Microsoft.Storage"
    ServiceEndpointPolicy = $sepolicy
}
Set-AzVirtualNetworkSubnetConfig @subnetConfigParams

$virtualNetwork | Set-AzVirtualNetwork

CLI

Use az network vnet subnet update to associate the service endpoint policy to the subnet.

az network vnet subnet update \
  --vnet-name vnet-1 \
  --resource-group test-rg \
  --name subnet-1 \
  --service-endpoints Microsoft.Storage \
  --service-endpoint-policy service-endpoint-policy

Warning

Ensure that all the resources accessed from the subnet are added to the policy definition before associating the policy to the given subnet. Once the policy is associated, only access to the allow listed resources will be allowed over service endpoints.

Ensure that no managed Azure services exist in the subnet that is being associated to the service endpoint policy.

Access to Azure Storage resources in all regions will be restricted as per Service Endpoint Policy from this subnet.

Validate access restriction to Azure Storage accounts

To test network access to a storage account, deploy a VM in the subnet.

Deploy the virtual machine

Portal

1. In the search box in the portal, enter Virtual machines. Select Virtual machines in the search results.

2. In the Basics tab of Create a virtual machine, enter, or select the following information:

   Setting	Value
   Project details
   Subscription	Select your subscription.
   Resource group	Select test-rg.
   Instance details
   Virtual machine name	Enter vm-1.
   Region	Select (US) West US 2.
   Availability options	Select No infrastructure redundancy required.
   Security type	Select Standard.
   Image	Select Windows Server 2022 Datacenter - x64 Gen2.
   Size	Select a size.
   Administrator account
   Username	Enter a username.
   Password	Enter a password.
   Confirm password	Enter the password again.
   Inbound port rules

3. Select Next: Disks, then select Next: Networking.

4. In the Networking tab, enter or select the following information.

   Setting	Value
   Network interface
   Virtual network	Select vnet-1.
   Subnet	Select subnet-1 (10.0.0.0/24).
   Public IP	Select None.
   NIC network security group	Select None.

5. Leave the rest of the settings as default and select Review + Create.

6. Select Create.

PowerShell

Create a virtual machine in the subnet-1 subnet with New-AzVM. When running the command that follows, you're prompted for credentials. The values that you enter are configured as the user name and password for the VM.

$vmParams = @{
    ResourceGroupName = "test-rg"
    Location = "westus2"
    VirtualNetworkName = "vnet-1"
    SubnetName = "subnet-1"
    Name = "vm-1"
}
New-AzVm @vmParams

CLI

Create a VM in the subnet-1 subnet with az vm create.

az vm create \
  --resource-group test-rg \
  --name vm-1 \
  --image Win2022Datacenter \
  --admin-username azureuser \
  --vnet-name vnet-1 \
  --subnet subnet-1

Wait for the virtual machine to finish deploying before continuing on to the next steps.

Confirm access to the allowed storage account

1. Sign-in to the Azure portal.

2. In the search box in the portal, enter Storage accounts. Select Storage accounts in the search results.

3. Select allowedaccount(random-number).

4. Expand Security + networking and select Access keys.

5. Copy the key1 value. You use this key to map a drive to the storage account from the virtual machine you created earlier.

6. In the search box in the portal, enter Virtual machines. Select Virtual machines in the search results.

7. Select vm-1.

8. Expand Operations. Select Run command.

9. Select RunPowerShellScript.

10. Paste the following script in Run Command Script.

    ## Enter the storage account key for the allowed storage account that you recorded earlier.
    $storageAcctKey1 = (pasted from procedure above)
    $acctKey = ConvertTo-SecureString -String $storageAcctKey1 -AsPlainText -Force
    ## Replace the login account with the name of the storage account you created.
    $credential = New-Object System.Management.Automation.PSCredential -ArgumentList ("Azure\allowedaccount"), $acctKey
    ## Replace the storage account name with the name of the storage account you created.
    New-PSDrive -Name Z -PSProvider FileSystem -Root "\\allowedaccount.file.core.windows.net\file-share" -Credential $credential
    

11. Select Run.

12. If the drive map is successful, the output in the Output box looks similar to the following example:

    Name           Used (GB)     Free (GB) Provider      Root
    ----           ---------     --------- --------      ----
    Z                                      FileSystem    \\allowedaccount.file.core.windows.net\fil..
    

Confirm access is denied to the denied storage account

1. In the search box in the portal, enter Storage accounts. Select Storage accounts in the search results.

2. Select deniedaccount(random-number).

3. Expand Security + networking and select Access keys.

4. Copy the key1 value. You use this key to map a drive to the storage account from the virtual machine you created earlier.

5. In the search box in the portal, enter Virtual machines. Select Virtual machines in the search results.

6. Select vm-1.

7. Expand Operations. Select Run command.

8. Select RunPowerShellScript.

9. Paste the following script in Run Command Script.

   ## Enter the storage account key for the denied storage account that you recorded earlier.
   $storageAcctKey2 = (pasted from procedure above)
   $acctKey = ConvertTo-SecureString -String $storageAcctKey2 -AsPlainText -Force
   ## Replace the login account with the name of the storage account you created.
   $credential = New-Object System.Management.Automation.PSCredential -ArgumentList ("Azure\deniedaccount"), $acctKey
   ## Replace the storage account name with the name of the storage account you created.
   New-PSDrive -Name Z -PSProvider FileSystem -Root "\\deniedaccount.file.core.windows.net\file-share" -Credential $credential
   

10. Select Run.

11. You receive the following error message in the Output box:

    New-PSDrive : Access is denied
    At line:1 char:1
    + New-PSDrive -Name Z -PSProvider FileSystem -Root "\\deniedaccount8675 ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (Z:PSDriveInfo) [New-PSDrive], Win32Exception
    + FullyQualifiedErrorId : CouldNotMapNetworkDrive,Microsoft.PowerShell.Commands.NewPSDriveCommand
    

12. The drive map is denied because of the service endpoint policy that restricts access to the storage account.

Portal

When you finish using the resources that you created, you can delete the resource group and all its resources.

1. In the Azure portal, search for and select Resource groups.

2. On the Resource groups page, select the test-rg resource group.

3. On the test-rg page, select Delete resource group.

4. Enter test-rg in Enter resource group name to confirm deletion, and then select Delete.

PowerShell

When no longer needed, you can use Remove-AzResourceGroup to remove the resource group and all of the resources it contains:

$params = @{
    Name = "test-rg"
    Force = $true
}
Remove-AzResourceGroup @params

CLI

When no longer needed, use az group delete to remove the resource group and all of the resources it contains.

az group delete \
    --name test-rg \
    --yes \
    --no-wait

Next steps

In this tutorial, you created a service endpoint policy and associated it to a subnet. To learn more about service endpoint policies, see service endpoint policies overview.