Configure Azure Files Network Endpoints

Here’s a concise summary of the article “Configure network endpoints for accessing Azure file shares.”

Overview

  • Azure Files supports two endpoint types for accessing file shares:

    • Public endpoints: reachable over public IPs from anywhere.

    • Private endpoints: exist inside a Virtual Network (VNet) and use private IPs.

  • Endpoints are configured on the storage account, which can host file shares and other storage resources.

  • The article focuses on configuring storage account endpoints (also relevant for Azure File Sync). Recommended reading: Azure Files networking considerations.

Prerequisites

  • An Azure subscription and an existing storage account with an Azure file share.

  • Optional tools: Azure PowerShell (latest) or Azure CLI (latest).

  • Links: Create an Azure trial account, Create an Azure file share, Install Azure PowerShell, Install Azure CLI.

Endpoint configuration approaches

  • Private endpoints (Private Link): create one or more private endpoints on the storage account and restrict or disable public endpoint access. This limits access to the specified VNets. See Private Link cost.

  • Service endpoints (restrict public endpoint): keep the public endpoint but restrict which VNets/subnets can access it by using the Microsoft.Storage service endpoint.

Create a private endpoint (what gets created)

  • Resources deployed: a Private Endpoint resource, a Network Interface (NIC) with a private IP in the chosen subnet, and optionally a private DNS zone (recommended in general; required for mounting with an AD user principal or using the REST API).

  • Creation can be done via Portal, PowerShell, or Azure CLI. Portal path: Storage account > Networking > Private endpoint connections > + Private endpoint (wizard steps: Basics → Resource (choose "file") → Virtual Network → Tags → Review+Create).

Private endpoint DNS

  • Creating/attaching a private DNS zone (privatelink.file.) lets the storage account name resolve to the private IP inside the VNet. Required for mounting with AD user principal or REST API.

  • Article provides PowerShell and CLI scripts to:

    • Get storage account / VNet / subnet references.

    • Disable subnet private endpoint network policies.

    • Create private link service connection and the private endpoint.

    • Create or find a private DNS zone and link it to the VNet.

    • Create an A record pointing the storage account name to the private endpoint IP.

Verify connectivity

  • From a VM in the VNet (or via DNS forwarding), test DNS resolution for .file.core.chinacloudapi.cn (nslookup / Resolve-DnsName).

  • Example outputs show CNAME to storageaccount.privatelink.file... and A record mapping to the private IP.

  • CLI examples provided to obtain the host name and run nslookup.
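
The DNS check described under "Verify connectivity", as an added example that is not taken from the summarized article: it classifies nslookup output and reports "private" only when a privatelink.file alias is present and every IPv4 answer is an RFC 1918 address. The function names, host names and addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify nslookup output for an Azure Files host name.
# "private" needs BOTH a privatelink.file alias and only RFC 1918 answers;
# an alias alone does not show which address the client will connect to.

classify_resolution() {   # hypothetical helper; reads nslookup output on stdin
    awk '
        /\.privatelink\.file\./ { alias_seen = 1 }
        /^Name:/ { in_answer = 1; next }      # answers follow the Name line
        in_answer && /^Address(es)?:/ {
            if (split($2, o, ".") != 4) next  # ignore IPv6 answers
            found = 1
            if (o[1] == 10) priv = 1
            else if (o[1] == 172 && o[2] >= 16 && o[2] <= 31) priv = 1
            else if (o[1] == 192 && o[2] == 168) priv = 1
            else pub = 1
        }
        END {
            if (!found)          print "unresolved"
            else if (pub)        print "public"
            else if (alias_seen) print "private"
            else                 print "private-ip-without-privatelink-alias"
        }'
}

# Live use from a VM in the VNet; the caller supplies the host name.
check_host() { nslookup "$1" 2>/dev/null | classify_resolution; }

# Constructed sample outputs (not captured from a real environment).
SAMPLE_PRIVATE='Server:  10.0.0.4
Address: 10.0.0.4#53

storageaccount.file.core.chinacloudapi.cn canonical name = storageaccount.privatelink.file.core.chinacloudapi.cn.
Name: storageaccount.privatelink.file.core.chinacloudapi.cn
Address: 192.168.0.5'

SAMPLE_PUBLIC='Server:  192.0.2.53
Address: 192.0.2.53#53

storageaccount.file.core.chinacloudapi.cn canonical name = storageaccount.privatelink.file.core.chinacloudapi.cn.
storageaccount.privatelink.file.core.chinacloudapi.cn canonical name = file.constructed.example.
Name: file.constructed.example
Address: 203.0.113.10'

printf 'inside VNet:  %s\n' "$(printf '%s\n' "$SAMPLE_PRIVATE" | classify_resolution)"
printf 'outside VNet: %s\n' "$(printf '%s\n' "$SAMPLE_PUBLIC" | classify_resolution)"
```

A "public" verdict from a machine that should be using the private endpoint usually points at a missing VNet link on the private DNS zone or missing DNS forwarding.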

Restrict public endpoint access

  • Two options:

    1. Disable public endpoint access entirely (public requests denied; private endpoints still work). In portal: Networking → select "Enabled from selected virtual networks and IP addresses" and configure. PowerShell/CLI examples update the storage account network rule set to DefaultAction=Deny with Bypass=AzureServices (so trusted Microsoft services like Azure File Sync can still access).

    2. Restrict public endpoint to specific VNets using service endpoints:

      • Ensure the target subnet exposes the Microsoft.Storage service endpoint.

      • Add the VNet/subnet to the storage account’s network rules.

      • PowerShell/CLI examples show how to add service endpoints to a subnet and add the subnet rule to the storage account, then set DefaultAction=Deny and Bypass=AzureServices.

See also / links

  • Azure Files networking considerations

  • Configuring DNS forwarding for Azure Files

  • Configuring S2S VPN for Azure Files

Last updated

  • 10/16/2025
