Tutorial: Restrict network access to PaaS resources with virtual network service endpoints using the Azure portal
Virtual network service endpoints enable you to limit network access to some Azure service resources to a virtual network subnet. You can also remove internet access to the resources. Service endpoints provide direct connection from your virtual network to supported Azure services, allowing you to use your virtual network's private address space to access the Azure services. Traffic destined to Azure resources through service endpoints always stays on the Microsoft Azure backbone network.
In this tutorial, you learn how to:
- Create a virtual network with one subnet
- Add a subnet and enable a service endpoint
- Create an Azure resource and allow network access to it from only a subnet
- Deploy a virtual machine (VM) to each subnet
- Confirm access to a resource from a subnet
- Confirm access is denied to a resource from a subnet and the internet
This tutorial uses the Azure portal. You can also complete it using the Azure CLI or PowerShell.
If you don't have an Azure subscription, create a free account before you begin.
Prerequisites
- An Azure subscription
Sign in to Azure
Sign in to the Azure portal.
Create a virtual network
From the Azure portal menu, select + Create a resource.
Search for Virtual Network, and then select Create.
On the Basics tab, enter the following information and then select Next: IP Addresses >.
Setting Value Subscription Select your subscription. Resource group Select Create new and enter myResourceGroup. Name Enter myVirtualNetwork. Region Select East US 
On the IP Addresses tab, select the following IP address settings and then select Review + create.
Setting Value IPv4 address space Leave as default. Subnet name Select default and change the subnet name to "Public". Subnet Address Range Leave as default. 
If the validation checks pass, select Create.
Wait for the deployment to finish, then select Go to resource or move on to the next section.
Enable a service endpoint
Service endpoints are enabled per service, per subnet. To create a subnet and enable a service endpoint for the subnet:
If you're not already on the virtual network resource page, you can search for the newly created virtual network in the box at the top of the portal. Enter myVirtualNetwork, and select it from the list.
Select Subnets under Settings, and then select + Subnet, as shown:
On the Add subnet page, enter or select the following information, and then select Save:
Setting Value Name Private Subnet address range Leave as default Service endpoints Select Microsoft.Storage Service endpoint policies Leave default. 0 selected. 
Caution
Before enabling a service endpoint for an existing subnet that has resources in it, see Change subnet settings.
Restrict network access for a subnet
By default, all virtual machine instances in a subnet can communicate with any resources. You can limit communication to and from all resources in a subnet by creating a network security group, and associating it to the subnet:
In the search box at the top of the Azure portal, search for Network security groups.
On the Network security groups page, select + Create.
Enter or select the following information:
Setting Value Subscription Select your subscription Resource group Select myResourceGroup from the list Name Enter myNsgPrivate Location Select East US Select Review + create, and when the validation check is passed, select Create.
After the network security group is created, select Go to resource or search for myNsgPrivate at the top of the Azure portal.
Select Outbound security rules under Settings and then select + Add.
Create a rule that allows outbound communication to the Azure Storage service. Enter, or select, the following information, and then select Add:
Setting Value Source Select Service Tag Source service tag Select VirtualNetwork Source port ranges * Destination Select Service Tag Destination service tag Select Storage Service Leave default as Custom. Destination port ranges Change to 445. SMB protocol is used to connect to a file share created in a later step. Protocol Any Action Allow Priority 100 Name Rename to Allow-Storage-All 
Create another outbound security rule that denies communication to the internet. This rule overrides a default rule in all network security groups that allows outbound internet communication. Complete steps 6-9 from above using the following values and then select Add:
Setting Value Source Select Service Tag Source service tag Select VirtualNetwork Source port ranges * Destination Select Service Tag Destination service tag Select Internet Service Leave default as Custom. Destination port ranges * Protocol Any Action Change default to Deny. Priority 110 Name Change to Deny-Internet-All 
Create an inbound security rule that allows Remote Desktop Protocol (RDP) traffic to the subnet from anywhere. The rule overrides a default security rule that denies all inbound traffic from the internet. Remote desktop connections are allowed to the subnet so that connectivity can be tested in a later step. Select Inbound security rules under Settings and then select + Add.
Enter or select the follow values and then select Add.
Setting Value Source Any Source port ranges * Destination Select Service Tag Destination service tag Select VirtualNetwork Service Leave default as Custom. Destination port ranges Change to 3389 Protocol Any Action Allow Priority 120 Name Change to Allow-RDP-All 
Warning
RDP port 3389 is exposed to the Internet. This is only recommended for testing. For Production environments, we recommend using a VPN or private connection.
Select Subnets under Settings and then select + Associate.
Select myVirtualNetwork under Virtual Network and then select Private under Subnets. Select OK to associate the network security group to the select subnet.
Restrict network access to a resource
The steps required to restrict network access to resources created through Azure services, which are enabled for service endpoints will vary across services. See the documentation for individual services for specific steps for each service. The rest of this tutorial includes steps to restrict network access for an Azure Storage account, as an example.
Create a storage account
Select + Create a resource on the upper, left corner of the Azure portal.
Enter "Storage account" in the search bar, and select it from the drop-down menu. Then select Create.
Enter the following information:
Setting Value Subscription Select your subscription Resource group Select myResourceGroup Storage account name Enter a name that is unique across all Azure locations. The name has to between 3-24 characters in length, using only numbers and lower-case letters. Region Select (US) East US Performance Standard Redundancy Locally redundant storage (LRS) 
Select Create + review, and when validation checks have passed, select Create.
Note
The deployment may take a couple of minutes to complete.
After the storage account is created, select Go to resource.
Create a file share in the storage account
Select File shares under Data storage, and then select + File share.
Enter or set the following values for the file share, and then select Create:
Setting Value Name my-file-share Quota Select Set to maximum. Tier Leave as default, Transaction optimized. 
The new file share should appear on the file share page, if not select the Refresh button at the top of the page.
Restrict network access to a subnet
By default, storage accounts accept network connections from clients in any network, including the internet. You can restrict network access from the internet, and all other subnets in all virtual networks (except the Private subnet in the myVirtualNetwork virtual network.) To restrict network access to a subnet:
Select Networking under Settings for your (uniquely named) storage account.
Select Allow access from Selected networks and then select + Add existing virtual network.
Under Add networks, select the following values, and then select Add:
Setting Value Subscription Select your subscription Virtual networks myVirtualNetwork Subnets Private 
Select the Save button to save the virtual network configurations.
Select Access keys under Security + networking for the storage account and select Show keys. Note the value for key1 to use in a later step when mapping the file share in a VM.
Create virtual machines
To test network access to a storage account, deploy a VM to each subnet.
Create the first virtual machine
On the Azure portal, select + Create a resource.
Select Compute, and then Create under Virtual machine.
On the Basics tab, enter or select the following information:
Setting Value Subscription Select your subscription Resource group Select myResourceGroup, which was created earlier. Virtual machine name Enter myVmPublic Region (US) East US Availability options Availability zone Availability zone 1 Image Select an OS image. For this VM Windows Server 2019 Datacenter - Gen1 is selected. Size Select the VM Instance size you want to use Username Enter a user name of your choosing. Password Enter a password of your choosing. The password must be at least 12 characters long and meet the defined complexity requirements. Public inbound ports Allow selected ports Select inbound ports Leave default set to RDP (3389) 
On the Networking tab, enter or select the following information:
Setting Value Virtual Network Select myVirtualNetwork. Subnet Select Public. NIC network security group Select Advanced. The portal automatically creates a network security group for you that allows port 3389. You'll need this port open to connect to the virtual machine in a later step. 
Select Review and create, then Create and wait for the deployment to finish.
Select Go to resource, or open the Home > Virtual machines page, and select the VM you just created myVmPublic, which should be started.
Create the second virtual machine
Repeat steps 1-5 to create a second virtual machine. In step 3, name the virtual machine myVmPrivate and set NIC network security group to None. In step 4, select the Private subnet.
Select Review and create, then Create and wait for the deployment to finish.
Warning
Do not continue to the next step until the deployment is completed.
Select Go to resource, or open the Home > Virtual machines page, and select the VM you just created myVmPrivate, which should be started.
Confirm access to storage account
Once the myVmPrivate VM has been created, go to the overview page of the virtual machine. Connect to the VM by selecting the Connect button and then select RDP from the drop-down.
Select the Download RDP File to download the remote desktop file to your computer.
Open the downloaded rdp file. When prompted, select Connect.
Enter the user name and password you specified when creating the VM. You may need to select More choices, then Use a different account to specify the credentials you entered when you created the VM. For the email field, enter the "Administrator account: username" credentials you specified earlier. Select OK to sign into the VM.
Note
You may receive a certificate warning during the sign-in process. If you receive the warning, select Yes or Continue, to proceed with the connection.
Once signed in, open Windows PowerShell. Using the script below, map the Azure file share to drive Z using PowerShell. Replace
<storage-account-key>and both<storage-account-name>variable with values you supplied and made note of earlier in the Create a storage account steps.$acctKey = ConvertTo-SecureString -String "<storage-account-key>" -AsPlainText -Force $credential = New-Object System.Management.Automation.PSCredential -ArgumentList "Azure\<storage-account-name>", $acctKey New-PSDrive -Name Z -PSProvider FileSystem -Root "\\<storage-account-name>.file.core.windows.net\my-file-share" -Credential $credentialPowerShell returns output similar to the following example output:
Name Used (GB) Free (GB) Provider Root ---- --------- --------- -------- ---- Z FileSystem \\mystorage007.file.core.windows.net\my-f...The Azure file share successfully mapped to the Z drive.
Close the remote desktop session to the myVmPrivate VM.
Confirm access is denied to storage account
From myVmPublic:
Enter myVmPublic In the Search resources, services, and docs box at the top of the portal. When myVmPublic appears in the search results, select it.
Repeat steps 1-5 above in Confirm access to storage account for the myVmPublic VM.
After a short wait, you receive a
New-PSDrive : Access is deniederror. Access is denied because the myVmPublic VM is deployed in the Public subnet. The Public subnet doesn't have a service endpoint enabled for Azure Storage. The storage account only allows network access from the Private subnet, not the Public subnet.New-PSDrive : Access is denied At line:1 char:1 + New-PSDrive -Name Z -PSProvider FileSystem -Root "\\mystorage007.file ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidOperation: (Z:PSDriveInfo) [New-PSDrive], Win32Exception + Fu llyQualifiedErrorId : CouldNotMapNetworkDrive,Microsoft.PowerShell.Commands.NewPSDriveCommandClose the remote desktop session to the myVmPublic VM.
From a local machine:
In the Azure portal, go to the uniquely named storage account you created earlier. For example, mystorage007.
Select File shares under Data storage, and then select the my-file-share you created earlier.
You should receive the following error message:
Note
The access is denied because your computer is not in the Private subnet of the MyVirtualNetwork virtual network.
Clean up resources
When no longer needed, delete the resource group and all resources it contains:
Enter myResourceGroup in the Search box at the top of the portal. When you see myResourceGroup in the search results, select it.
Select Delete resource group.
Enter myResourceGroup for TYPE THE RESOURCE GROUP NAME: and select Delete.
Next steps
In this tutorial, you enabled a service endpoint for a virtual network subnet. You learned that you can enable service endpoints for resources deployed from multiple Azure services. You created an Azure Storage account and restricted the network access to the storage account to only resources within a virtual network subnet. To learn more about service endpoints, see Service endpoints overview and Manage subnets.
If you have multiple virtual networks in your account, you may want to establish connectivity between them so that resources can communicate with each other. To learn how to connect virtual networks, advance to the next tutorial.
Feedback
Submit and view feedback for