Share via

Storage Account Private Endpoint NSG Usage

Gilad Sharabi 0 Reputation points
2026-01-09T08:25:01.0033333+00:00

Hello all!

I have the following scenario

  • Create one VNET with 2 subnets
  • Subnet A 10.0.0.0/24 Subnet B 10.0.1.0/24
  • Subnet A has a VM and Subnet B has a PE for a storage account.
  • Storage account has public access disabled and when i nslookup the storage URL i see it indeed resolves to the private IP of 10.0.1.4
  • In Subnet B where the PE is i enabled that NSGs + UDRs will apply on PEs
  • I created an NSG and associated it to Subnet B in order to see that i can block traffic to the PE
  • Rule in NSG is block all traffic from Subnet A.

When i log into the VM and run  az storage blob download to download a file for some reason it works. the NSG blocks the full subnet and NSG is enabled on the subnet level to apply on PEs.

I created a VM in subnet B where the PE is to verify that indeed traffic cannot reach it from subnet A and indeed it does not. for some reason the NSG is not blocking traffic to the PE.

Documentation is very confusing around this as to me it clearly states that this should work.

Would love some clarification and assistance thank you!

Azure Private Link
Azure Private Link

An Azure service that provides private connectivity from a virtual network to Azure platform as a service, customer-owned, or Microsoft partner services.

0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Vallepu Venkateswarlu 8,430 Reputation points Microsoft External Staff Moderator
    2026-01-09T12:48:06.96+00:00

    Hi @ Gilad Sharabi,

    Welcome to Microsoft Q&A Platform.

    If a Private Endpoint is deployed in a subnet and you want to manage traffic using Network Security Groups or User-Defined Routes , network policies must be enabled on the Private Endpoint subnet.

    By default, network policies are disabled for subnets that contain Private Endpoints. To use network policies such as NSG or UDR support, network policy support must be explicitly enabled on the subnet. This setting applies only to Private Endpoints in the subnet and affects all Private Endpoints deployed within it.

    Network policies can be enabled for:

    • Network Security Groups only
    • User-Defined Routes only

    If network policies are not enabled on the Private Endpoint subnet, NSG and UDR rules will not be evaluated for Private Endpoint traffic.

    Network security groups (NSGs) support for private endpoints is now generally available. This feature enhancement provides you with the ability to enable advanced security controls on traffic destined to a private endpoint. In order to leverage this feature, you will need to set a specific subnet level property, called PrivateEndpointNetworkPolicies, to enabled on the subnet containing private endpoint resources.

    Please verify whether network policies are enabled on the Private Endpoint subnet. If not, enable them and re-test the connectivity.

    The following examples describe how to enable and disable network policies on the PE Subnet.: Manage network policies for private endpoints

    I hope this information helps resolve your issue. Please feel free to ask if the provided solution does not help or if you have any additional questions.

    Please210246-screenshot-2021-12-10-121802.pngand “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.