Configure Azure Files Network Endpoints
Summary: Configure network endpoints for accessing Azure file shares
Overview
Azure Files supports two endpoint types on a storage account:
Public endpoints: have a public IP and are reachable from the internet (unless restricted).
Private endpoints: created in a virtual network (VNet) with a private IP; traffic remains inside the VNet.
A storage account hosts file shares (plus blobs, queues, etc.). Endpoint configuration is applied at the storage account level.
The article focuses on configuring storage-account endpoints for direct access to Azure file shares (relevant also for Azure File Sync). It recommends reading Azure Files networking considerations first: https://docs.azure.cn/en-us/storage/files/storage-files-networking-overview
Applies to
SMB and NFS support varies by share type; premium (FileStorage) supports both SMB and NFS. (Original table omitted for brevity; see source.)
Prerequisites
Azure subscription and an existing storage account/file share.
Optional tools: latest Azure PowerShell or Azure CLI (links in original).
Endpoint configuration approaches
Option A: Private endpoints (recommended to lock down): create one or more private endpoints (Private Link) for the storage account and restrict or disable access via the public endpoint. This ensures only traffic from the chosen VNets can access the file shares. The article links to Private Link cost information.
Option B: Restrict the public endpoint to specific VNets: use VNet service endpoints so traffic still uses the public IP but is allowed only from specified VNets/subnets.
Create a private endpoint (high level)
Creating a private endpoint deploys:
A Private Endpoint resource linking the storage account and a NIC.
A network interface (NIC) in the chosen subnet containing the private IP.
Optionally (but strongly recommended / required for AD principal mounts and REST access) a private DNS zone and A record that map the storage-account name to the private IP.
Portal and CLI/PowerShell flows are shown in the article. Key steps:
Ensure the private endpoint is created in the same region as the VNet and subnet.
Disable private endpoint network policies on the subnet before creating the endpoint.
Create a PrivateLink service connection with groupId "file".
(Optional/required for AD/REST) Create or attach a private DNS zone (privatelink.file.) to the VNet and add an A record for the storage account pointing to the endpoint private IP.
Verify connectivity
From a VM in the VNet (or via DNS forwarding), use nslookup / Resolve-DnsName to confirm the storage account hostname resolves to the privatelink A record and the private IP.
Example check: nslookup .file.core.chinacloudapi.cn should resolve to storageaccount.privatelink.file.core.chinacloudapi.cn -> private IP.
Restrict public endpoint access
You can limit or disable public endpoint access without affecting private endpoints.
Disable all public access: set the storage account network rules defaultAction to Deny (PowerShell/CLI examples provided). Optionally set Bypass/AzureServices to allow trusted Microsoft services like Azure File Sync.
Restrict public endpoint to VNets (service endpoints):
Ensure the target subnet exposes the Microsoft.Storage service endpoint.
Add the subnet as a virtual network rule on the storage account and set defaultAction to Deny (examples in PowerShell/CLI included).
These operations are done in the storage account Networking blade or via the given PowerShell / az CLI commands.
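An added example, not taken from the original article: a Python check that reads the JSON printed by `az storage account show` and reports whether the public endpoint is still open, limited by allow rules (Option B), or closed with only private endpoints (Option A). The field names follow the Azure CLI output; the function name, the mode labels and the sample account are constructed for illustration.

```python
import json

def audit_storage_network(account):
    """Classify endpoint exposure for a dict shaped like `az storage account show` JSON.
    Returns (mode, findings)."""
    rules = account.get("networkRuleSet") or {}
    # With no rule set the account accepts all networks, so a missing value counts as Allow.
    deny = rules.get("defaultAction", "Allow") == "Deny"
    public_off = account.get("publicNetworkAccess") == "Disabled"
    subnets = rules.get("virtualNetworkRules") or []
    ip_rules = rules.get("ipRules") or []
    states = [(c.get("privateLinkServiceConnectionState") or {}).get("status")
              for c in account.get("privateEndpointConnections") or []]
    approved = states.count("Approved")
    findings = []

    if not (deny or public_off):
        mode = "public-open"
        findings.append("defaultAction is Allow: public endpoint accepts any network")
        if approved:
            findings.append("private endpoint present but public endpoint unrestricted")
    elif not public_off and (subnets or ip_rules):
        mode = "public-restricted"  # Option B: allow rules on the public endpoint
        findings.append(f"{len(subnets)} subnet rule(s), {len(ip_rules)} IP rule(s) allowed")
    elif approved:
        mode = "private-only"       # Option A: private endpoints, public endpoint closed
    else:
        mode = "locked-no-path"
        findings.append("public access denied and no approved private endpoint")
    if any(s != "Approved" for s in states):
        findings.append("a private endpoint connection is not Approved")
    bypass = rules.get("bypass")
    if deny and bypass is not None and "AzureServices" not in bypass:
        findings.append("bypass omits AzureServices: trusted services are not exempted")
    return mode, findings

# Constructed sample, not output from a real account.
SAMPLE = json.loads("""{
  "name": "storageaccount",
  "publicNetworkAccess": "Enabled",
  "networkRuleSet": {"defaultAction": "Allow", "bypass": "AzureServices",
                     "virtualNetworkRules": [], "ipRules": []},
  "privateEndpointConnections": [
    {"privateLinkServiceConnectionState": {"status": "Approved"}}]
}""")

if __name__ == "__main__":
    mode, findings = audit_storage_network(SAMPLE)
    print(mode, *findings, sep="\n - ")
```

The sample models the common gap where a private endpoint was created but defaultAction was left at Allow, so the share is still reachable over the public endpoint.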
References
The article includes full step-by-step examples for Portal, PowerShell, and Azure CLI for:
Creating private endpoints, DNS zones and A records.
Verifying DNS resolution.
Disabling public access and/or restricting the public endpoint using service endpoints and network rules.
Related links in the article:
Azure Files networking considerations: https://docs.azure.cn/en-us/storage/files/storage-files-networking-overview
Configuring DNS forwarding for Azure Files: https://docs.azure.cn/en-us/storage/files/storage-files-networking-dns
Configuring S2S VPN for Azure Files: https://docs.azure.cn/en-us/storage/files/storage-files-configure-s2s-vpn
Last updated in source: 10/16/2025