Service endpoint policies enable you to filter virtual network traffic to specific Azure resources, over service endpoints. If you're not familiar with service endpoint policies, see service endpoint policies overview to learn more.
In this tutorial, you learn how to:
- Create a virtual network.
- Add a subnet and enable service endpoint for Azure Storage.
- Create two Azure Storage accounts and allow network access to it from the subnet in the virtual network.
- Create a service endpoint policy to allow access only to one of the storage accounts.
- Deploy a virtual machine (VM) to the subnet.
- Confirm access to the allowed storage account from the subnet.
- Confirm access is denied to the nonallowed storage account from the subnet.
Prerequisites
Azure Cloud Shell
Azure hosts Azure Cloud Shell, an interactive shell environment that you can use through your browser. You can use either Bash or PowerShell with Cloud Shell to work with Azure services. You can use the Cloud Shell preinstalled commands to run the code in this article, without having to install anything on your local environment.
To start Azure Cloud Shell:
- Select Try It in the upper-right corner of a code or command block. Selecting Try It doesn't automatically copy the code or command to Cloud Shell.
- Go to https://shell.azure.com, or select the Launch Cloud Shell button to open Cloud Shell in your browser.
- Select the Cloud Shell button on the menu bar at the upper right in the Azure portal.
To use Azure Cloud Shell:
Start Cloud Shell.
Select the Copy button on a code block (or command block) to copy the code or command.
Paste the code or command into the Cloud Shell session by selecting Ctrl+Shift+V on Windows and Linux, or by selecting Cmd+Shift+V on macOS.
Select Enter to run the code or command.
If you choose to install and use PowerShell locally, this article requires the Azure PowerShell module version 1.0.0 or later. Run Get-Module -ListAvailable Az to find the installed version. If you need to upgrade, see Install Azure PowerShell module. If you're running PowerShell locally, you also need to run Connect-AzAccount to create a connection with Azure.
If you don't have an Azure subscription, create an Azure free account before you begin.
- This article requires version 2.0.28 or later of the Azure CLI. If using Azure Cloud Shell, the latest version is already installed.
Create a virtual network and enable service endpoint
Create a virtual network to contain the resources you create in this tutorial.
In the search box in the portal, enter Virtual networks. Select Virtual networks in the search results.
Select + Create to create a new virtual network.
Enter or select the following information in the Basics tab of Create virtual network.
Setting | Value
Project details |
Subscription | Select your subscription.
Resource group | Select Create new. Enter test-rg in Name. Select OK.
Name | Enter vnet-1.
Region | Select West US 2.
Select Next.
Select Next.
In the IP addresses tab, in Subnets, select the default subnet.
Enter or select the following information in Edit subnet.
Setting | Value
Name | Enter subnet-1.
Service Endpoints |
Services | In the pull-down menu, select Microsoft.Storage.
Select Save.
Select Review + Create.
Select Create.
Before creating a virtual network, you have to create a resource group for the virtual network, and all other resources created in this article. Create a resource group with New-AzResourceGroup. The following example creates a resource group named test-rg:
$rg = @{
ResourceGroupName = "test-rg"
Location = "westus2"
}
New-AzResourceGroup @rg
Create a virtual network with New-AzVirtualNetwork. The following example creates a virtual network named vnet-1 with the address prefix 10.0.0.0/16.
$vnet = @{
ResourceGroupName = "test-rg"
Location = "westus2"
Name = "vnet-1"
AddressPrefix = "10.0.0.0/16"
}
$virtualNetwork = New-AzVirtualNetwork @vnet
Create a subnet configuration with New-AzVirtualNetworkSubnetConfig, and then write the subnet configuration to the virtual network with Set-AzVirtualNetwork. The following example adds a subnet named subnet-1 to the virtual network and creates the service endpoint for Microsoft.Storage.
$subnet = @{
Name = "subnet-1"
VirtualNetwork = $virtualNetwork
AddressPrefix = "10.0.0.0/24"
ServiceEndpoint = "Microsoft.Storage"
}
Add-AzVirtualNetworkSubnetConfig @subnet
$virtualNetwork | Set-AzVirtualNetwork
Before creating a virtual network, you have to create a resource group for the virtual network, and all other resources created in this article. Create a resource group with az group create. The following example creates a resource group named test-rg in the westus2 location.
az group create \
--name test-rg \
--location westus2
Create a virtual network with one subnet with az network vnet create.
az network vnet create \
--name vnet-1 \
--resource-group test-rg \
--address-prefix 10.0.0.0/16 \
--subnet-name subnet-1 \
--subnet-prefix 10.0.0.0/24
In this example, a service endpoint for Microsoft.Storage is created for the subnet subnet-1:
az network vnet subnet create \
--vnet-name vnet-1 \
--resource-group test-rg \
--name subnet-1 \
--address-prefix 10.0.0.0/24 \
--service-endpoints Microsoft.Storage
Restrict network access for the subnet
Create a network security group and rules that restrict network access for the subnet.
Create a network security group
In the search box in the portal, enter Network security groups. Select Network security groups in the search results.
Select + Create to create a new network security group.
In the Basics tab of Create network security group, enter or select the following information.
Setting | Value
Project details |
Subscription | Select your subscription.
Resource group | Select test-rg.
Name | Enter nsg-1.
Region | Select West US 2.
Select Review + Create.
Select Create.
Create network security group rules
In the search box in the portal, enter Network security groups. Select Network security groups in the search results.
Select nsg-1.
Expand Settings. Select Outbound security rules.
Select + Add to add a new outbound security rule.
In Add outbound security rule, enter or select the following information.
Setting | Value
Source | Select Service Tag.
Source service tag | Select VirtualNetwork.
Source port ranges | Enter *.
Destination | Select Service Tag.
Destination service tag | Select Storage.
Service | Select Custom.
Destination port ranges | Enter *.
Protocol | Select Any.
Action | Select Allow.
Priority | Enter 100.
Name | Enter allow-storage-all.
Select Add.
Select + Add to add another outbound security rule.
In Add outbound security rule, enter or select the following information.
Setting | Value
Source | Select Service Tag.
Source service tag | Select VirtualNetwork.
Source port ranges | Enter *.
Destination | Select Service Tag.
Destination service tag | Select Internet.
Service | Select Custom.
Destination port ranges | Enter *.
Protocol | Select Any.
Action | Select Deny.
Priority | Enter 110.
Name | Enter deny-internet-all.
Select Add.
Expand Settings. Select Subnets.
Select Associate.
In Associate subnet, enter or select the following information.
Setting | Value
Virtual network | Select vnet-1 (test-rg).
Subnet | Select subnet-1.
Select OK.
Create network security group security rules with New-AzNetworkSecurityRuleConfig. The following rule allows outbound access to the public IP addresses assigned to the Azure Storage service:
$r1 = @{
Name = "Allow-Storage-All"
Access = "Allow"
DestinationAddressPrefix = "Storage"
DestinationPortRange = "*"
Direction = "Outbound"
Priority = 100
Protocol = "*"
SourceAddressPrefix = "VirtualNetwork"
SourcePortRange = "*"
}
$rule1 = New-AzNetworkSecurityRuleConfig @r1
The following rule denies access to all public IP addresses. The previous rule overrides this rule, due to its higher priority, which allows access to the public IP addresses of Azure Storage.
$r2 = @{
Name = "Deny-Internet-All"
Access = "Deny"
DestinationAddressPrefix = "Internet"
DestinationPortRange = "*"
Direction = "Outbound"
Priority = 110
Protocol = "*"
SourceAddressPrefix = "VirtualNetwork"
SourcePortRange = "*"
}
$rule2 = New-AzNetworkSecurityRuleConfig @r2
Create a network security group with New-AzNetworkSecurityGroup. The following example creates a network security group named nsg-1.
$securityRules = @($rule1, $rule2)
$nsgParams = @{
ResourceGroupName = "test-rg"
Location = "westus2"
Name = "nsg-1"
SecurityRules = $securityRules
}
$nsg = New-AzNetworkSecurityGroup @nsgParams
Associate the network security group to the subnet-1 subnet with Set-AzVirtualNetworkSubnetConfig and then write the subnet configuration to the virtual network. The following example associates the nsg-1 network security group to the subnet-1 subnet:
$subnetConfig = @{
VirtualNetwork = $VirtualNetwork
Name = "subnet-1"
AddressPrefix = "10.0.0.0/24"
ServiceEndpoint = "Microsoft.Storage"
NetworkSecurityGroup = $nsg
}
Set-AzVirtualNetworkSubnetConfig @subnetConfig
$virtualNetwork | Set-AzVirtualNetwork
Create a network security group with az network nsg create. The following example creates a network security group named nsg-1.
az network nsg create \
--resource-group test-rg \
--name nsg-1
Associate the network security group to the subnet-1 subnet with az network vnet subnet update. The following example associates the nsg-1 network security group to the subnet-1 subnet:
az network vnet subnet update \
--vnet-name vnet-1 \
--name subnet-1 \
--resource-group test-rg \
--network-security-group nsg-1
Create security rules with az network nsg rule create. The rule that follows allows outbound access to the public IP addresses assigned to the Azure Storage service:
az network nsg rule create \
--resource-group test-rg \
--nsg-name nsg-1 \
--name Allow-Storage-All \
--access Allow \
--protocol "*" \
--direction Outbound \
--priority 100 \
--source-address-prefix "VirtualNetwork" \
--source-port-range "*" \
--destination-address-prefix "Storage" \
--destination-port-range "*"
Each network security group contains several default security rules. The rule that follows overrides a default security rule that allows outbound access to all public IP addresses. The destination-address-prefix "Internet" option denies outbound access to all public IP addresses. The previous rule overrides this rule, due to its higher priority, which allows access to the public IP addresses of Azure Storage.
az network nsg rule create \
--resource-group test-rg \
--nsg-name nsg-1 \
--name Deny-Internet-All \
--access Deny \
--protocol "*" \
--direction Outbound \
--priority 110 \
--source-address-prefix "VirtualNetwork" \
--source-port-range "*" \
--destination-address-prefix "Internet" \
--destination-port-range "*"
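The two custom rules only work because Azure evaluates outbound rules from the lowest priority number upward and stops at the first match: a packet to a storage endpoint is matched by Allow-Storage-All (100) before Deny-Internet-All (110) ever sees it, while any other public destination falls through to the deny. The following script is an added example, not part of the tutorial or the Az module, that simulates that evaluation offline for the tutorial's two rules plus the three default outbound rules every NSG carries. The destination kinds and the tag membership table are assumptions made for the simulation (a storage endpoint address is treated as matching both the Storage and Internet tags, because storage addresses are public).

```powershell
# Added example (not from the tutorial): offline simulation of outbound NSG
# rule evaluation. Rules are processed from the lowest priority number up;
# the first rule whose source and destination match decides the verdict.

# The tutorial's two custom rules, followed by the default outbound rules that
# exist in every network security group and can only be overridden by a
# lower-numbered custom rule.
$outboundRules = @(
    @{ Name = 'Allow-Storage-All';     Priority = 100;   Access = 'Allow'; Source = 'VirtualNetwork'; Destination = 'Storage' }
    @{ Name = 'Deny-Internet-All';     Priority = 110;   Access = 'Deny';  Source = 'VirtualNetwork'; Destination = 'Internet' }
    @{ Name = 'AllowVnetOutBound';     Priority = 65000; Access = 'Allow'; Source = 'VirtualNetwork'; Destination = 'VirtualNetwork' }
    @{ Name = 'AllowInternetOutBound'; Priority = 65001; Access = 'Allow'; Source = '*';              Destination = 'Internet' }
    @{ Name = 'DenyAllOutBound';       Priority = 65500; Access = 'Deny';  Source = '*';              Destination = '*' }
)

# Simplified service-tag membership for three destination kinds. This table is
# an assumption for the simulation, not a lookup against Azure's real tag data.
$destinationTags = @{
    'storage-endpoint' = @('Storage', 'Internet')
    'public-ip'        = @('Internet')
    'vnet-peer'        = @('VirtualNetwork')
}

function Test-NsgOutbound {
    param(
        [Parameter(Mandatory)] [object[]] $Rules,
        [Parameter(Mandatory)] [string]   $DestinationKind,
        [string] $SourceTag = 'VirtualNetwork'
    )
    $tags = $destinationTags[$DestinationKind]
    if (-not $tags) { throw "Unknown destination kind '$DestinationKind'" }

    # Lowest priority number first; the first matching rule wins.
    foreach ($rule in ($Rules | Sort-Object { $_.Priority })) {
        $sourceMatch = ($rule.Source -eq '*') -or ($rule.Source -eq $SourceTag)
        $destMatch   = ($rule.Destination -eq '*') -or ($tags -contains $rule.Destination)
        if ($sourceMatch -and $destMatch) {
            return [pscustomobject]@{
                Destination = $DestinationKind
                MatchedRule = $rule.Name
                Priority    = $rule.Priority
                Access      = $rule.Access
            }
        }
    }
    throw 'No rule matched; an NSG always ends in DenyAllOutBound'
}

# Evaluate each destination kind against the tutorial's rule set.
foreach ($kind in 'storage-endpoint', 'public-ip', 'vnet-peer') {
    Test-NsgOutbound -Rules $outboundRules -DestinationKind $kind
}
```

To see why the custom deny rule is needed at all, remove Deny-Internet-All from $outboundRules and run the loop again: the public-ip destination then falls through to the default AllowInternetOutBound rule, which is exactly the default the tutorial text says the priority 110 rule overrides.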
Restrict network access to Azure Storage accounts
The steps necessary to restrict network access to resources created through Azure services enabled for service endpoints vary across services. See the documentation for individual services for specific steps for each service. The remainder of this article includes steps to restrict network access for an Azure Storage account, as an example.
Create two storage accounts
In the search box in the portal, enter Storage accounts. Select Storage accounts in the search results.
Select + Create to create a new storage account.
In Create a storage account, enter or select the following information.
Setting | Value
Project details |
Subscription | Select your subscription.
Resource group | Select test-rg.
Instance details |
Storage account name | Enter allowedaccount(random-number). Note: The storage account name must be unique. Add a random number to the end of the name allowedaccount.
Region | Select West US 2.
Performance | Select Standard.
Redundancy | Select Locally-redundant storage (LRS).
Select Next until you reach the Data protection tab.
In Recovery, deselect all of the options.
Select Review + Create.
Select Create.
Repeat the previous steps to create another storage account with the following information.
Setting | Value
Storage account name | Enter deniedaccount(random-number).
Create the allowed Azure storage account with New-AzStorageAccount.
$storageAcctParams = @{
Location = 'westus2'
Name = 'allowedaccount'
ResourceGroupName = 'test-rg'
SkuName = 'Standard_LRS'
Kind = 'StorageV2'
}
New-AzStorageAccount @storageAcctParams
Use the same command to create the denied Azure storage account, but change the name to deniedaccount.
$storageAcctParams = @{
Location = 'westus2'
Name = 'deniedaccount'
ResourceGroupName = 'test-rg'
SkuName = 'Standard_LRS'
Kind = 'StorageV2'
}
New-AzStorageAccount @storageAcctParams
Create two Azure storage accounts with az storage account create.
storageAcctName1="allowedaccount"
az storage account create \
--name $storageAcctName1 \
--resource-group test-rg \
--sku Standard_LRS \
--kind StorageV2
Use the same command to create the denied Azure storage account, but change the name to deniedaccount.
storageAcctName2="deniedaccount"
az storage account create \
--name $storageAcctName2 \
--resource-group test-rg \
--sku Standard_LRS \
--kind StorageV2
Create file shares
In the search box in the portal, enter Storage accounts. Select Storage accounts in the search results.
Select allowedaccount(random-number).
Expand the Data storage section and select File shares.
Select + File share.
In New file share, enter or select the following information.
Setting | Value
Name | Enter file-share.
Leave the rest of the settings as default and select Review + create.
Select Create.
Repeat the previous steps to create a file share in deniedaccount(random-number).
Create allowed storage account file share
Use Get-AzStorageAccountKey to get the storage account key for the allowed storage account. You'll use this key in the next step to create a file share in the allowed storage account.
$storageAcctName1 = "allowedaccount"
$storageAcctParams1 = @{
ResourceGroupName = "test-rg"
AccountName = $storageAcctName1
}
$storageAcctKey1 = (Get-AzStorageAccountKey @storageAcctParams1).Value[0]
Create a context for your storage account and key with New-AzStorageContext. The context encapsulates the storage account name and account key.
$storageContext1 = New-AzStorageContext $storageAcctName1 $storageAcctKey1
Create a file share with New-AzStorageShare.
$share1 = New-AzStorageShare file-share -Context $storageContext1
Create denied storage account file share
Use Get-AzStorageAccountKey to get the storage account key for the denied storage account. You'll use this key in the next step to create a file share in the denied storage account.
$storageAcctName2 = "deniedaccount"
$storageAcctParams2 = @{
ResourceGroupName = "test-rg"
AccountName = $storageAcctName2
}
$storageAcctKey2 = (Get-AzStorageAccountKey @storageAcctParams2).Value[0]
Create a context for your storage account and key with New-AzStorageContext. The context encapsulates the storage account name and account key.
$storageContext2= New-AzStorageContext $storageAcctName2 $storageAcctKey2
Create a file share with New-AzStorageShare.
$share2 = New-AzStorageShare file-share -Context $storageContext2
Create allowed storage account file share
Retrieve the connection string for the allowed storage account into a variable with az storage account show-connection-string. The connection string is used to create a file share in a later step.
saConnectionString1=$(az storage account show-connection-string \
--name $storageAcctName1 \
--resource-group test-rg \
--query 'connectionString' \
--out tsv)
Create a file share in the storage account with az storage share create. In a later step, this file share is mounted to confirm network access to it.
az storage share create \
--name file-share \
--quota 2048 \
--connection-string $saConnectionString1 > /dev/null
Create denied storage account file share
Retrieve the connection string for the denied storage account into a variable with az storage account show-connection-string. The connection string is used to create a file share in a later step.
saConnectionString2=$(az storage account show-connection-string \
--name $storageAcctName2 \
--resource-group test-rg \
--query 'connectionString' \
--out tsv)
Create a file share in the storage account with az storage share create. In a later step, this file share is mounted to confirm network access to it.
az storage share create \
--name file-share \
--quota 2048 \
--connection-string $saConnectionString2 > /dev/null
Important
Microsoft recommends that you use the most secure authentication flow available. The authentication flow described in this procedure requires a very high degree of trust in the application, and carries risks that are not present in other flows. You should only use this flow when other more secure flows, such as managed identities, aren't viable.
Deny all network access to storage accounts
By default, storage accounts accept network connections from clients in any network. To restrict network access to the storage accounts, you can configure the storage account to accept connections only from specific networks. In this example, you configure the storage account to accept connections only from the virtual network subnet you created earlier.
In the search box in the portal, enter Storage accounts. Select Storage accounts in the search results.
Select allowedaccount(random-number).
Expand Security + networking and select Networking.
In Firewalls and virtual networks, in Public network access, select Enabled from selected virtual networks and IP addresses.
In Virtual networks, select + Add existing virtual network.
In Add networks, enter or select the following information.
Setting | Value
Subscription | Select your subscription.
Virtual networks | Select vnet-1.
Subnets | Select subnet-1.
Select Add.
Select Save.
Repeat the previous steps to deny network access to deniedaccount(random-number).
Use Update-AzStorageAccountNetworkRuleSet to set the default action of both storage accounts to Deny. Until you add the virtual network rule in the next step, a storage account whose default action is Deny isn't accessible from any network.
$storageAcctParams1 = @{
ResourceGroupName = "test-rg"
Name = $storageAcctName1
DefaultAction = "Deny"
}
Update-AzStorageAccountNetworkRuleSet @storageAcctParams1
$storageAcctParams2 = @{
ResourceGroupName = "test-rg"
Name = $storageAcctName2
DefaultAction = "Deny"
}
Update-AzStorageAccountNetworkRuleSet @storageAcctParams2
Enable network access only from the virtual network subnet
Retrieve the created virtual network with Get-AzVirtualNetwork and then retrieve the private subnet object into a variable with Get-AzVirtualNetworkSubnetConfig:
$privateSubnetParams = @{
ResourceGroupName = "test-rg"
Name = "vnet-1"
}
$privateSubnet = Get-AzVirtualNetwork @privateSubnetParams | Get-AzVirtualNetworkSubnetConfig -Name "subnet-1"
Allow network access to the storage account from the subnet-1 subnet with Add-AzStorageAccountNetworkRule.
$networkRuleParams1 = @{
ResourceGroupName = "test-rg"
Name = $storageAcctName1
VirtualNetworkResourceId = $privateSubnet.Id
}
Add-AzStorageAccountNetworkRule @networkRuleParams1
$networkRuleParams2 = @{
ResourceGroupName = "test-rg"
Name = $storageAcctName2
VirtualNetworkResourceId = $privateSubnet.Id
}
Add-AzStorageAccountNetworkRule @networkRuleParams2
By default, storage accounts accept network connections from clients in any network. To limit access to selected networks, change the default action to Deny with az storage account update. Once network access is denied, the storage account isn't accessible from any network.
az storage account update \
--name $storageAcctName1 \
--resource-group test-rg \
--default-action Deny
az storage account update \
--name $storageAcctName2 \
--resource-group test-rg \
--default-action Deny
Enable network access only from the virtual network subnet
Allow network access to the storage account from the subnet-1 subnet with az storage account network-rule add.
az storage account network-rule add \
--resource-group test-rg \
--account-name $storageAcctName1 \
--vnet-name vnet-1 \
--subnet subnet-1
az storage account network-rule add \
--resource-group test-rg \
--account-name $storageAcctName2 \
--vnet-name vnet-1 \
--subnet subnet-1
Apply policy to allow access to valid storage account
A service endpoint policy ensures that clients in the virtual network can access only the Azure Storage accounts you explicitly allow. The policy contains a list of allowed storage accounts and is applied to the virtual network subnet that reaches storage over service endpoints.
Create a service endpoint policy
This section creates the policy definition with the list of allowed resources for access over service endpoint.
In the search box in the portal, enter Service endpoint policy. Select Service endpoint policies in the search results.
Select + Create to create a new service endpoint policy.
Enter or select the following information in the Basics tab of Create a service endpoint policy.
Setting | Value
Project details |
Subscription | Select your subscription.
Resource group | Select test-rg.
Instance details |
Name | Enter service-endpoint-policy.
Location | Select West US 2.
Select Next: Policy definitions.
Select + Add a resource in Resources.
In Add a resource, enter or select the following information:
Setting | Value
Service | Select Microsoft.Storage.
Scope | Select Single account.
Subscription | Select your subscription.
Resource group | Select test-rg.
Resource | Select allowedaccount(random-number).
Select Add.
Select Review + Create.
Select Create.
To retrieve the resource ID for the first (allowed) storage account, use Get-AzStorageAccount.
$storageAcctParams1 = @{
ResourceGroupName = "test-rg"
Name = $storageAcctName1
}
$resourceId = (Get-AzStorageAccount @storageAcctParams1).id
To create the policy definition to allow the previous resource, use New-AzServiceEndpointPolicyDefinition .
$policyDefinitionParams = @{
Name = "policy-definition"
Description = "Service Endpoint Policy Definition"
Service = "Microsoft.Storage"
ServiceResource = $resourceId
}
$policyDefinition = New-AzServiceEndpointPolicyDefinition @policyDefinitionParams
Use New-AzServiceEndpointPolicy to create the service endpoint policy with the policy definition.
$sepolicyParams = @{
ResourceGroupName = "test-rg"
Name = "service-endpoint-policy"
Location = "westus2"
ServiceEndpointPolicyDefinition = $policyDefinition
}
$sepolicy = New-AzServiceEndpointPolicy @sepolicyParams
Service endpoint policies are applied over service endpoints. Start by creating a service endpoint policy. Then create the policy definitions under this policy for the Azure Storage accounts to be approved for this subnet.
Use az storage account show to get the resource ID for the storage account that is allowed.
serviceResourceId=$(az storage account show \
--name $storageAcctName1 \
--resource-group test-rg \
--query id \
--output tsv)
Create a service endpoint policy with az network service-endpoint policy create.
az network service-endpoint policy create \
--resource-group test-rg \
--name service-endpoint-policy \
--location westus2
Create and add a policy definition that allows the previous Azure Storage account to the service endpoint policy with az network service-endpoint policy-definition create.
az network service-endpoint policy-definition create \
--resource-group test-rg \
--policy-name service-endpoint-policy \
--name policy-definition \
--service "Microsoft.Storage" \
--service-resources $serviceResourceId
Associate a service endpoint policy to a subnet
After creating the service endpoint policy, you'll associate it with the target subnet with the service endpoint configuration for Azure Storage.
In the search box in the portal, enter Service endpoint policy. Select Service endpoint policies in the search results.
Select service-endpoint-policy.
Expand Settings and select Associated subnets.
Select + Edit subnet association.
In Edit subnet association, select vnet-1 and subnet-1.
Select Apply.
Use Set-AzVirtualNetworkSubnetConfig to associate the service endpoint policy to the subnet.
$subnetConfigParams = @{
VirtualNetwork = $VirtualNetwork
Name = "subnet-1"
AddressPrefix = "10.0.0.0/24"
NetworkSecurityGroup = $nsg
ServiceEndpoint = "Microsoft.Storage"
ServiceEndpointPolicy = $sepolicy
}
Set-AzVirtualNetworkSubnetConfig @subnetConfigParams
$virtualNetwork | Set-AzVirtualNetwork
Use az network vnet subnet update to associate the service endpoint policy to the subnet.
az network vnet subnet update \
--vnet-name vnet-1 \
--resource-group test-rg \
--name subnet-1 \
--service-endpoints Microsoft.Storage \
--service-endpoint-policy service-endpoint-policy
Warning
Ensure that all the resources accessed from the subnet are added to the policy definition before associating the policy to the given subnet. Once the policy is associated, only access to the allow-listed resources will be allowed over service endpoints.
Ensure that no managed Azure services exist in the subnet that is being associated to the service endpoint policy.
Access to Azure Storage resources in all regions will be restricted as per Service Endpoint Policy from this subnet.
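The warning above is easy to violate silently: a policy that is created but never associated, a definition that lists the wrong account, or a storage account whose default action was never flipped to Deny all leave the subnet less restricted than intended, with no error anywhere. The following script is an added example, not part of the tutorial or the Az module, that reads the finished configuration back and reports every deviation from the intended end state (subnet carries the Microsoft.Storage endpoint and the policy; the policy lists the allowed account and not the denied one; both accounts deny by default, allow only subnet-1, and carry no public IP rules). It assumes an authenticated Az PowerShell session and the resource names used in this tutorial; the two storage account names are parameters because yours include a random number.

```powershell
# Added example (not from the tutorial): read back the service endpoint policy,
# subnet and storage account network rules and list anything that differs from
# the state this tutorial intends to reach. Requires Connect-AzAccount first.

function Test-ServiceEndpointPolicyConfig {
    param(
        [string] $ResourceGroupName  = 'test-rg',
        [string] $VirtualNetworkName = 'vnet-1',
        [string] $SubnetName         = 'subnet-1',
        [string] $PolicyName         = 'service-endpoint-policy',
        [Parameter(Mandatory)] [string] $AllowedAccountName,   # your allowedaccount<random-number>
        [Parameter(Mandatory)] [string] $DeniedAccountName     # your deniedaccount<random-number>
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. The subnet must carry the Microsoft.Storage endpoint and the policy.
    $subnet = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroupName -Name $VirtualNetworkName |
        Get-AzVirtualNetworkSubnetConfig -Name $SubnetName
    $policy = Get-AzServiceEndpointPolicy -ResourceGroupName $ResourceGroupName -Name $PolicyName

    if (-not ($subnet.ServiceEndpoints.Service -contains 'Microsoft.Storage')) {
        $findings.Add("Subnet $SubnetName has no Microsoft.Storage service endpoint")
    }
    if (-not ($subnet.ServiceEndpointPolicies.Id -contains $policy.Id)) {
        $findings.Add("Policy $PolicyName is not associated with subnet $SubnetName")
    }

    # 2. The policy definitions must list the allowed account and nothing else.
    $allowed = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $AllowedAccountName
    $denied  = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $DeniedAccountName
    $policyResources = @($policy.ServiceEndpointPolicyDefinitions | ForEach-Object { $_.ServiceResources })

    if ($policyResources -notcontains $allowed.Id) {
        $findings.Add("Policy does not list the allowed account $AllowedAccountName")
    }
    if ($policyResources -contains $denied.Id) {
        $findings.Add("Policy lists the denied account $DeniedAccountName, so it stays reachable over the endpoint")
    }
    foreach ($extra in ($policyResources | Where-Object { $_ -ne $allowed.Id })) {
        $findings.Add("Policy lists an additional resource: $extra")
    }

    # 3. Both storage accounts must deny by default and allow only this subnet.
    foreach ($name in $AllowedAccountName, $DeniedAccountName) {
        $ruleSet = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $ResourceGroupName -Name $name
        if ($ruleSet.DefaultAction -ne 'Deny') {
            $findings.Add("Storage account $name still has DefaultAction $($ruleSet.DefaultAction)")
        }
        $subnetRules = @($ruleSet.VirtualNetworkRules | Where-Object { $_.VirtualNetworkResourceId -eq $subnet.Id })
        if ($subnetRules.Count -eq 0) {
            $findings.Add("Storage account $name has no network rule for subnet $SubnetName")
        }
        if ($ruleSet.IpRules.Count -gt 0) {
            $findings.Add("Storage account $name has $($ruleSet.IpRules.Count) public IP rule(s) outside the subnet restriction")
        }
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Usage: replace the placeholders with the storage account names you created.
# Test-ServiceEndpointPolicyConfig -AllowedAccountName 'allowedaccount<random-number>' -DeniedAccountName 'deniedaccount<random-number>'
```

Run it once before associating the policy (expect the association finding only) and again after the validation steps; a clean Compliant result is what the Access is denied error in the denied-account test should agree with.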
Validate access restriction to Azure Storage accounts
To test network access to a storage account, deploy a VM in the subnet.
Deploy the virtual machine
In the search box in the portal, enter Virtual machines. Select Virtual machines in the search results.
In the Basics tab of Create a virtual machine, enter or select the following information:
Setting | Value
Project details |
Subscription | Select your subscription.
Resource group | Select test-rg.
Instance details |
Virtual machine name | Enter vm-1.
Region | Select (US) West US 2.
Availability options | Select No infrastructure redundancy required.
Security type | Select Standard.
Image | Select Windows Server 2022 Datacenter - x64 Gen2.
Size | Select a size.
Administrator account |
Username | Enter a username.
Password | Enter a password.
Confirm password | Enter the password again.
Inbound port rules |
Select Next: Disks, then select Next: Networking.
In the Networking tab, enter or select the following information.
Setting | Value
Network interface |
Virtual network | Select vnet-1.
Subnet | Select subnet-1 (10.0.0.0/24).
Public IP | Select None.
NIC network security group | Select None.
Leave the rest of the settings as default and select Review + Create.
Select Create.
Create a virtual machine in the subnet-1 subnet with New-AzVM. When running the command that follows, you're prompted for credentials. The values that you enter are configured as the user name and password for the VM.
$vmParams = @{
ResourceGroupName = "test-rg"
Location = "westus2"
VirtualNetworkName = "vnet-1"
SubnetName = "subnet-1"
Name = "vm-1"
}
New-AzVm @vmParams
Create a VM in the subnet-1 subnet with az vm create.
az vm create \
--resource-group test-rg \
--name vm-1 \
--image Win2022Datacenter \
--admin-username azureuser \
--vnet-name vnet-1 \
--subnet subnet-1
Wait for the virtual machine to finish deploying before continuing on to the next steps.
Confirm access to the allowed storage account
Sign in to the Azure portal.
In the search box in the portal, enter Storage accounts. Select Storage accounts in the search results.
Select allowedaccount(random-number).
Expand Security + networking and select Access keys.
Copy the key1 value. You use this key to map a drive to the storage account from the virtual machine you created earlier.
In the search box in the portal, enter Virtual machines. Select Virtual machines in the search results.
Select vm-1.
Expand Operations. Select Run command.
Select RunPowerShellScript.
Paste the following script in Run Command Script.
## Enter the storage account key for the allowed storage account that you recorded earlier.
$storageAcctKey1 = (pasted from procedure above)
$acctKey = ConvertTo-SecureString -String $storageAcctKey1 -AsPlainText -Force
## Replace the login account with the name of the storage account you created.
$credential = New-Object System.Management.Automation.PSCredential -ArgumentList ("Azure\allowedaccount"), $acctKey
## Replace the storage account name with the name of the storage account you created.
New-PSDrive -Name Z -PSProvider FileSystem -Root "\\allowedaccount.file.core.windows.net\file-share" -Credential $credential
Select Run.
If the drive map is successful, the output in the Output box looks similar to the following example:
Name Used (GB) Free (GB) Provider Root
---- --------- --------- -------- ----
Z FileSystem \\allowedaccount.file.core.windows.net\fil..
Confirm access is denied to the denied storage account
In the search box in the portal, enter Storage accounts. Select Storage accounts in the search results.
Select deniedaccount(random-number).
Expand Security + networking and select Access keys.
Copy the key1 value. You use this key to map a drive to the storage account from the virtual machine you created earlier.
In the search box in the portal, enter Virtual machines. Select Virtual machines in the search results.
Select vm-1.
Expand Operations. Select Run command.
Select RunPowerShellScript.
Paste the following script in Run Command Script.
## Enter the storage account key for the denied storage account that you recorded earlier.
$storageAcctKey2 = (pasted from procedure above)
$acctKey = ConvertTo-SecureString -String $storageAcctKey2 -AsPlainText -Force
## Replace the login account with the name of the storage account you created.
$credential = New-Object System.Management.Automation.PSCredential -ArgumentList ("Azure\deniedaccount"), $acctKey
## Replace the storage account name with the name of the storage account you created.
New-PSDrive -Name Z -PSProvider FileSystem -Root "\\deniedaccount.file.core.windows.net\file-share" -Credential $credential
Select Run.
You receive the following error message in the Output box:
New-PSDrive : Access is denied
At line:1 char:1
+ New-PSDrive -Name Z -PSProvider FileSystem -Root "\\deniedaccount8675 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (Z:PSDriveInfo) [New-PSDrive], Win32Exception
+ FullyQualifiedErrorId : CouldNotMapNetworkDrive,Microsoft.PowerShell.Commands.NewPSDriveCommand
The drive map is denied because of the service endpoint policy that restricts access to the storage account.
When you finish using the resources that you created, you can delete the resource group and all its resources.
In the Azure portal, search for and select Resource groups.
On the Resource groups page, select the test-rg resource group.
On the test-rg page, select Delete resource group.
Enter test-rg in Enter resource group name to confirm deletion, and then select Delete.
When no longer needed, you can use Remove-AzResourceGroup to remove the resource group and all of the resources it contains:
$params = @{
Name = "test-rg"
Force = $true
}
Remove-AzResourceGroup @params
When no longer needed, use az group delete to remove the resource group and all of the resources it contains.
az group delete \
--name test-rg \
--yes \
--no-wait
Next steps
In this tutorial, you created a service endpoint policy and associated it to a subnet. To learn more about service endpoint policies, see service endpoint policies overview.