Configure Azure Files Network Endpoints
This article explains how to configure network endpoints on an Azure storage account to control access to Azure file shares. It covers the two endpoint types, options for restricting access, how to create and verify private endpoints, and how to restrict or disable public endpoint access (including using service endpoints to limit the public endpoint to specific virtual networks).
Key points
Endpoint types
Public endpoints: have a public IP and are reachable from the internet.
Private endpoints: created inside a virtual network (VNet) and have a private IP from that VNet.
Scope
Endpoints are configured on the storage account that contains file shares.
Much of the guidance also applies to how Azure File Sync interacts with storage account endpoints.
Recommended pre-read: Azure Files networking considerations:
https://docs.azure.cn/en-us/storage/files/storage-files-networking-overview
Two main approaches to restrict access to storage accounts
Use Private Link (private endpoints) and restrict or disable access through the public endpoint. The file shares are then reachable only from the VNets that contain a private endpoint. See Private Link pricing: https://azure.cn/pricing/details/private-link/
Use service endpoints to restrict the storage account’s public endpoint to specific VNets/subnets. This still uses the public IP but limits where requests can originate.
Create a private endpoint (high-level)
What deploying a private endpoint creates:
Private endpoint resource (links storage account and NIC).
Network interface (NIC) with a private IP inside the chosen subnet.
A private DNS zone (optional but recommended) with an A record that maps the storage account name to the private IP. DNS is required for mounts using AD service principals or for REST access.
Ways to create: Portal, PowerShell, or Azure CLI (the article provides example commands/scripts for each).
Key steps (CLI/PowerShell examples provided in the article):
Get references to the storage account, VNet, and subnet.
Disable private endpoint network policies on the subnet.
Create a Private Link service connection (groupId "file") and then the private endpoint.
Create or attach a private DNS zone for the privatelink file suffix (e.g., privatelink.file.core.chinacloudapi.cn) and add an A record for the storage account name pointing to the private endpoint IP.
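The four steps above as one Azure CLI script. This is an added example, not the article's own script: the resource group, account, VNet, subnet and region names are constructed placeholders, and the DNS zone name is the China cloud privatelink suffix the text gives. With DRY_RUN=1 the az commands are printed instead of executed, so the sequence can be reviewed before it touches a subscription.

```shell
#!/bin/sh
# Added example (not from the Azure docs article): creates a private endpoint for the
# "file" sub-resource of a storage account and the matching private DNS zone/A record
# with the Azure CLI. Resource names below are constructed placeholders.
set -eu

RESOURCE_GROUP="${RESOURCE_GROUP:-rg-files-demo}"        # placeholder
STORAGE_ACCOUNT="${STORAGE_ACCOUNT:-stfilesdemo001}"     # placeholder
VNET_NAME="${VNET_NAME:-vnet-demo}"                      # placeholder
SUBNET_NAME="${SUBNET_NAME:-snet-private-endpoints}"     # placeholder
LOCATION="${LOCATION:-chinanorth3}"                      # placeholder region
# Private DNS zone for the China cloud file suffix (from the article)
DNS_ZONE="privatelink.file.core.chinacloudapi.cn"
PE_NAME="pe-${STORAGE_ACCOUNT}-file"
DRY_RUN="${DRY_RUN:-0}"

# run: execute an az command, or just print it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: private endpoint network policies must be off on the subnet
disable_pe_policies() {
    run az network vnet subnet update \
        --resource-group "$RESOURCE_GROUP" --vnet-name "$VNET_NAME" --name "$SUBNET_NAME" \
        --disable-private-endpoint-network-policies true
}

# Step 2: private endpoint targeting the storage account's "file" group
create_private_endpoint() {
    sa_id="$1"   # storage account resource ID
    run az network private-endpoint create \
        --resource-group "$RESOURCE_GROUP" --name "$PE_NAME" --location "$LOCATION" \
        --vnet-name "$VNET_NAME" --subnet "$SUBNET_NAME" \
        --private-connection-resource-id "$sa_id" \
        --group-id file --connection-name "${PE_NAME}-conn"
}

# Step 3: private DNS zone linked to the VNet, plus an A record for the account name
create_dns() {
    pe_ip="$1"   # private IP of the endpoint's NIC
    run az network private-dns zone create --resource-group "$RESOURCE_GROUP" --name "$DNS_ZONE"
    run az network private-dns link vnet create --resource-group "$RESOURCE_GROUP" \
        --zone-name "$DNS_ZONE" --name "${VNET_NAME}-link" \
        --virtual-network "$VNET_NAME" --registration-enabled false
    run az network private-dns record-set a create --resource-group "$RESOURCE_GROUP" \
        --zone-name "$DNS_ZONE" --name "$STORAGE_ACCOUNT"
    run az network private-dns record-set a add-record --resource-group "$RESOURCE_GROUP" \
        --zone-name "$DNS_ZONE" --record-set-name "$STORAGE_ACCOUNT" --ipv4-address "$pe_ip"
}

# main: the queries below need a real subscription, so they are not wrapped in run
main() {
    sa_id=$(az storage account show --resource-group "$RESOURCE_GROUP" \
        --name "$STORAGE_ACCOUNT" --query id -o tsv)
    disable_pe_policies
    create_private_endpoint "$sa_id"
    nic_id=$(az network private-endpoint show --resource-group "$RESOURCE_GROUP" \
        --name "$PE_NAME" --query 'networkInterfaces[0].id' -o tsv)
    pe_ip=$(az network nic show --ids "$nic_id" \
        --query 'ipConfigurations[0].privateIPAddress' -o tsv)
    create_dns "$pe_ip"
}

# Only run against Azure when explicitly asked: RUN_SETUP=1 sh this_script.sh
if [ "${RUN_SETUP:-0}" = 1 ]; then main; fi
```

The A record is keyed on the bare storage account name inside the privatelink zone, which is what makes the public name's CNAME (account.privatelink.file.core.chinacloudapi.cn) land on the private IP for clients that use the linked VNet's DNS.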
Verify connectivity
From a VM in the VNet (or from a network whose DNS forwards to the private zone), confirm that the storage account's file endpoint name resolves through the privatelink CNAME to the private IP:
nslookup <storage-account-name>.file.core.chinacloudapi.cn
Resolve-DnsName <storage-account-name>.file.core.chinacloudapi.cn (PowerShell)
The article provides CLI examples; the expected output shows the privatelink CNAME followed by the private A record.
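A check for the verification step above, written as an added example rather than taken from the article. It encodes what a correct answer looks like (the CNAME points at the account's privatelink name, and the A record is a private address inside the private-endpoint subnet) and names the two failure modes a practitioner meets: a private address outside that subnet (stale or wrong A record) and a public address (no zone link or DNS forwarding, so traffic silently goes to the public endpoint). The account name, IPs and subnet CIDR are constructed.

```shell
#!/bin/sh
# Added example (not from the Azure docs article): checks that a storage account's
# file endpoint name resolves, via the privatelink CNAME, to a private IP inside the
# private-endpoint subnet. Sample names, IPs and the subnet CIDR are constructed.
set -eu

# ip_to_int: dotted-quad IPv4 -> 32-bit integer
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR: succeeds when IP lies inside CIDR (e.g. 10.0.1.0/24)
in_cidr() {
    _addr=$(ip_to_int "$1")
    _net=$(ip_to_int "${2%/*}")
    _bits=${2#*/}
    _mask=$(( (0xFFFFFFFF << (32 - _bits)) & 0xFFFFFFFF ))
    [ $(( _addr & _mask )) -eq $(( _net & _mask )) ]
}

# is_private_ipv4 IP: RFC 1918 ranges only; anything else is treated as public
is_private_ipv4() {
    in_cidr "$1" 10.0.0.0/8 || in_cidr "$1" 172.16.0.0/12 || in_cidr "$1" 192.168.0.0/16
}

# cname_is_privatelink NAME CNAME: the public name should alias to
# <account>.privatelink.<suffix>, which the private DNS zone then answers
cname_is_privatelink() {
    _expected="${1%%.*}.privatelink.${1#*.}"
    [ "$2" = "$_expected" ]
}

# verify_resolution NAME IP SUBNET_CIDR: prints a verdict and succeeds only when
# the answer is the private endpoint's IP
verify_resolution() {
    if in_cidr "$2" "$3"; then
        echo private-endpoint        # traffic will use the private endpoint
    elif is_private_ipv4 "$2"; then
        echo private-other           # private, but not the PE subnet: check the A record
        return 1
    else
        echo public                  # zone link / DNS forwarding missing: public endpoint in use
        return 1
    fi
}

# resolve_first_a NAME: first A record via dig or nslookup, whichever is installed
resolve_first_a() {
    if command -v dig >/dev/null 2>&1; then
        dig +short "$1" A | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' | head -n 1
    else
        nslookup "$1" | awk '/^Address/ && NR > 2 { print $2; exit }'
    fi
}

# Demo with constructed values (no network needed)
demo() {
    _name="stfilesdemo001.file.core.chinacloudapi.cn"             # placeholder account
    _cname="stfilesdemo001.privatelink.file.core.chinacloudapi.cn"
    cname_is_privatelink "$_name" "$_cname" && echo "CNAME ok: $_cname"
    verify_resolution "$_name" 10.0.1.4 10.0.1.0/24 || true       # expected answer
    verify_resolution "$_name" 40.72.0.10 10.0.1.0/24 || true     # constructed public IP
}
demo
```

To run it live, replace the demo call with verify_resolution "$name" "$(resolve_first_a "$name")" "$pe_subnet_cidr" from a VM in the VNet; a verdict of public from inside the VNet means clients are not using the private endpoint at all.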
Restrict public endpoint access
You can disable or restrict the storage account public endpoint while keeping private endpoints functioning.
Disable public endpoint access:
In the portal: under Networking, select "Enabled from selected virtual networks and IP addresses" and deny general public access. Optionally allow "Azure services on the trusted services list" so that Microsoft first-party services (for example, Azure File Sync) bypass the restriction.
PowerShell / CLI: update the storage account's network rule set with DefaultAction = Deny and Bypass = AzureServices.
Restrict public endpoint to specific VNets using service endpoints:
Ensure the target subnet has the Microsoft.Storage service endpoint enabled.
Add the subnet as a virtual network rule on the storage account and set DefaultAction = Deny (examples shown for portal, PowerShell, and CLI).
This allows VNet-originating traffic to reach the public endpoint while blocking other sources.
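Both public-endpoint procedures above in Azure CLI form, as an added example that is not the article's own script. Part 1 is the deny-by-default step that applies under either approach; part 2 is the service endpoint variant that re-admits one subnet. The resource names are constructed placeholders, DRY_RUN=1 prints the commands instead of running them, and the audit function reads back the one setting that decides whether the public endpoint is actually closed.

```shell
#!/bin/sh
# Added example (not from the Azure docs article): locks down the storage account's
# public endpoint with the Azure CLI. Part 1 denies all public access except trusted
# Azure services; part 2 re-admits one subnet via a Microsoft.Storage service endpoint.
# Resource names are constructed placeholders.
set -eu

RESOURCE_GROUP="${RESOURCE_GROUP:-rg-files-demo}"    # placeholder
STORAGE_ACCOUNT="${STORAGE_ACCOUNT:-stfilesdemo001}" # placeholder
VNET_NAME="${VNET_NAME:-vnet-demo}"                  # placeholder
SUBNET_NAME="${SUBNET_NAME:-snet-app}"               # placeholder: subnet that needs the share
DRY_RUN="${DRY_RUN:-0}"

# run: execute an az command, or just print it when DRY_RUN=1
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Part 1: default Deny on the public endpoint. Private endpoints keep working because
# the network rule set only governs the public endpoint. Bypass AzureServices keeps
# first-party services such as Azure File Sync able to reach the account.
deny_public_access() {
    run az storage account update --resource-group "$RESOURCE_GROUP" --name "$STORAGE_ACCOUNT" \
        --default-action Deny --bypass AzureServices
}

# Part 2 (service endpoint model): enable the endpoint on the subnet, then add the
# subnet as a virtual network rule. Requests from it reach the public IP; everything
# else is still denied by the default action set above.
allow_subnet_via_service_endpoint() {
    run az network vnet subnet update --resource-group "$RESOURCE_GROUP" \
        --vnet-name "$VNET_NAME" --name "$SUBNET_NAME" --service-endpoints Microsoft.Storage
    run az storage account network-rule add --resource-group "$RESOURCE_GROUP" \
        --account-name "$STORAGE_ACCOUNT" --vnet-name "$VNET_NAME" --subnet "$SUBNET_NAME"
}

# is_locked_down DEFAULT_ACTION: a rule set whose default action is Allow admits every
# source regardless of which virtual network rules are listed
is_locked_down() {
    [ "$1" = "Deny" ]
}

# audit: read the live setting (az ... -o tsv prints Allow or Deny)
audit() {
    _action=$(az storage account show --resource-group "$RESOURCE_GROUP" \
        --name "$STORAGE_ACCOUNT" --query networkRuleSet.defaultAction -o tsv)
    if is_locked_down "$_action"; then
        echo "public endpoint: default action Deny (restricted)"
    else
        echo "public endpoint: default action $_action (open to the internet)"
        return 1
    fi
}

# Only run against Azure when explicitly asked: RUN_SETUP=1 sh this_script.sh
if [ "${RUN_SETUP:-0}" = 1 ]; then
    deny_public_access
    allow_subnet_via_service_endpoint
    audit
fi
```

Order matters in a maintenance window: adding the virtual network rule before flipping the default action to Deny avoids a gap in which the application subnet loses access.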
References (from the article)
Create Azure file share: https://docs.azure.cn/en-us/storage/files/storage-how-to-create-file-share
Azure Files networking considerations: https://docs.azure.cn/en-us/storage/files/storage-files-networking-overview
Configuring DNS forwarding for Azure Files: https://docs.azure.cn/en-us/storage/files/storage-files-networking-dns
Azure File Sync firewall/proxy guidance: https://docs.azure.cn/en-us/storage/file-sync/file-sync-firewall-and-proxy
Last updated in the original article: 10/16/2025