Network routing from storage accounts – Securing Storage
The default network routing preference option chosen for storage accounts and most Azure services will be for the Microsoft network. This is a high-performance, low-latency global connection to all services within Azure and serves as the fastest delivery service to any consuming service or user. This is due to Microsoft configuring several points of presence within their global network. The closest endpoint to a client is always chosen. This option costs slightly more than traversing the internet. If you select Internet routing, then traffic will be routed in and out of the storage account outside the Microsoft network.
The following screenshot shows the setting under the Firewall and virtual networks tab on the Networking blade for your storage account:

Figure 7.10 – Storage account routing configuration
You will note there is also an option to publish route-specific endpoints for the storage account. This can be used in scenarios where you might want the default network routing option to be configured for the Microsoft network, while providing internet endpoints or vice versa. These endpoints can be found in the Endpoints section of your storage account, as shown in the following screenshot:

Figure 7.11 – Storage account – Endpoints
From this list, you may copy the endpoints that are required. Now that we have briefly observed the configuration options available for network routing on storage accounts, in the next section, we will explore a PowerShell script for configuring a private endpoint on a storage account.
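The following script is an added example (not part of the book's own scripts) showing how the routing preference and the route-specific endpoint publishing described above can be set and read back with Az PowerShell rather than through the portal. It assumes the Az.Storage module is installed and that you are already signed in with Connect-AzAccount; the resource group and storage account names are placeholders taken from this chapter's naming convention.

```powershell
# Added example, not from the book: configure the routing preference of an
# existing storage account and read back the endpoints published per route.
# Assumes Az.Storage is installed and an authenticated session exists.
# The resource group and account names below are placeholders.
$rg   = "AZ104-Chapter7"
$name = "az104xxxxxxxx"

# Keep the default Microsoft global network routing for the primary endpoints
# and also publish the route-specific Microsoft and Internet endpoints, so a
# client can deliberately pick either path.
Set-AzStorageAccount -ResourceGroupName $rg -Name $name `
    -RoutingChoice MicrosoftRouting `
    -PublishMicrosoftEndpoint $true `
    -PublishInternetEndpoint $true

# Read the configuration back and list the endpoints for each route.
# These are the same values shown in the Endpoints section of the portal.
$sa = Get-AzStorageAccount -ResourceGroupName $rg -Name $name
$sa.RoutingPreference                    | Format-List
$sa.PrimaryEndpoints.MicrosoftEndpoints  | Format-List
$sa.PrimaryEndpoints.InternetEndpoints   | Format-List
```

Switching `-RoutingChoice` to `InternetRouting` changes the path taken by the default (non route-specific) endpoints only; whatever route-specific endpoints you have published keep working, which is what makes the "vice versa" scenario in the text possible.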
PowerShell scripts
The following script creates a new private endpoint that is associated with an existing storage account. It is attached to the first subnet within the defined VNet:
# Look up the existing storage account that the private endpoint will front
$storageAccount = Get-AzStorageAccount -ResourceGroupName "AZ104-Chapter7" -Name "az104xxxxxxxx"
# Define the Private Link connection to the account's file service (GroupId "file")
$privateEndpointConnection = New-AzPrivateLinkServiceConnection -Name "myConnection" -PrivateLinkServiceId $storageAccount.Id -GroupId "file"
$vnet = Get-AzVirtualNetwork -ResourceGroupName "AZ104-Chapter7" -Name "StorageVNET"
# Disable private endpoint network policies on the target subnet
$vnet.Subnets[0].PrivateEndpointNetworkPolicies = "Disabled"
$vnet | Set-AzVirtualNetwork
# Create the private endpoint in the first subnet of the VNet
New-AzPrivateEndpoint -ResourceGroupName "AZ104-Chapter7" -Name "myPrivateEndpoint" -Location "westeurope" -Subnet $vnet.Subnets[0] -PrivateLinkServiceConnection $privateEndpointConnection
Once this code has been run, you will have successfully created a private endpoint for your storage account. It will be linked to the VNet and subnet you defined. You can navigate to the private endpoint to discover its private IP address, which will be used for internal communication to the service going forward.
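As an added example (not one of the book's scripts), the following PowerShell retrieves the private IP address mentioned above without visiting the portal, confirms that the Private Link connection has been approved, and then sets the account's default network access rule to Deny so that public traffic is blocked and the private endpoint becomes the intended path in. It assumes the Az.Network and Az.Storage modules, an authenticated session, and the same placeholder resource names as the script above.

```powershell
# Added example, not from the book: verify the private endpoint created above
# and close the public network path to the storage account.
# Assumes Az.Network and Az.Storage are installed and you are signed in.
# Resource names are the placeholders used in the preceding script.
$rg      = "AZ104-Chapter7"
$peName  = "myPrivateEndpoint"
$saName  = "az104xxxxxxxx"

# The private endpoint owns a network interface in the subnet; its private IP
# is the address internal clients will use to reach the file service.
$pe  = Get-AzPrivateEndpoint -ResourceGroupName $rg -Name $peName
$nic = Get-AzNetworkInterface -ResourceId $pe.NetworkInterfaces[0].Id
$privateIp = $nic.IpConfigurations[0].PrivateIpAddress
"Private endpoint IP: $privateIp"

# Confirm the connection to the storage account is in the Approved state
# (auto-approved here because the account is in the same subscription).
$pe.PrivateLinkServiceConnections |
    Select-Object Name, GroupIds,
        @{ Name = "Status"; Expression = { $_.PrivateLinkServiceConnectionState.Status } }

# Deny access from public networks by default. After this, only the private
# endpoint and any explicitly allowed VNet or IP rules can reach the account.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $saName -DefaultAction Deny

# Read the rule set back to confirm the default action is now Deny
Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $saName |
    Select-Object DefaultAction, Bypass
```

One point the book's script does not cover: clients inside the VNet still resolve the account's public hostname unless a private DNS zone (for the file service, privatelink.file.core.windows.net) is linked to the VNet and carries an A record for the private IP. Without that, switching the default action to Deny will break clients that continue to resolve the public address.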
Further reading
That brings an end to this section. We have learned about VNet integration for the storage accounts and the different options available. In the next section, we will explore managing access keys.
We encourage you to read up on this topic further by using the following links:
• Configuring firewalls and VNets: https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal#change-the-default-network-access-rule
• Private endpoints for your storage accounts: https://docs.microsoft.com/en-us/azure/storage/common/storage-private-endpoints
• Private Link resources: https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview#private-link-resource
Storage access keys
Storage access keys are like passwords for your storage account, and Azure generates two of them when you provision your account: a primary key and a secondary key. Just like passwords, they need to be changed from time to time to ensure you are not compromised. This practice is referred to as key rotation. In the following section, we will run through an example of how to access your keys and how to renew them.