Commit 0a934dd

Updates.
1 parent 1b202ff commit 0a934dd

2 files changed

+11
-18
lines changed

articles/storage/elastic-san/elastic-san-configure-private-endpoints.md

Lines changed: 5 additions & 9 deletions
@@ -4,13 +4,15 @@ description: Learn how to configure Private Endpoint connections to Azure Elasti
44
author: roygara
55
ms.service: azure-elastic-san-storage
66
ms.topic: how-to
7-
ms.date: 01/24/2025
7+
ms.date: 06/09/2025
88
ms.author: rogarana
9-
ms.custom: references_regions, devx-track-azurecli, devx-track-azurepowershell
9+
ms.custom: devx-track-azurecli, devx-track-azurepowershell
1010
---
1111

1212
# Configure Private Endpoints for Azure Elastic SAN
1313

14+
A private endpoint allows you to connect to your Elastic SAN volume group over a private IP address within your virtual network. When you use a private endpoint, traffic between your virtual network and the Elastic SAN remains entirely on Azure’s private backbone, without traversing the public internet. Once a private endpoint is configured and approved, access is granted automatically to the subnet where it resides. This configuration provides strong network isolation and is ideal for production or security-sensitive workloads.
15+
1416
This article covers configuring your Elastic SAN volume group to use Private Endpoints.
1517

1618
## Prerequisites
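
Review bot: The intro added at new line 14 states that once the private endpoint is approved, "access is granted automatically to the subnet where it resides", and follows it with "strong network isolation" without saying how far that grant reaches. Spell out whether every host in that subnet can then reach the volume group, since readers will treat this paragraph as the security summary. Separately, "is ideal for" is a stronger claim than the "is typically recommended for" wording it replaces; consider keeping the original phrasing.
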
@@ -19,13 +21,7 @@ This article covers configuring your Elastic SAN volume group to use Private End
1921
- If you're using Azure CLI, install the [latest version](/cli/azure/install-azure-cli)
2022
- Once you've installed the latest version, run `az extension add -n elastic-san` to install the extension for Elastic SAN
2123

22-
## Access via Private Endpoint
23-
24-
A private endpoint allows you to connect to your Elastic SAN volume group over a private IP address within your virtual network. When you use a private endpoint, traffic between your virtual network and the Elastic SAN remains entirely on Azure’s private backbone, without traversing the public internet. This setup provides strong network isolation and is typically recommended for production or security-sensitive workloads.
25-
26-
Once a private endpoint is configured and approved, access is granted automatically to the subnet where it resides. If you're using Elastic SAN as a datastore for Azure VMware Solution, a private endpoint is required.
27-
28-
### Configure a private endpoint
24+
## Configure a private endpoint
2925

3026
There are two steps involved in configuring a private endpoint connection:
3127
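
Review bot: The sentence "If you're using Elastic SAN as a datastore for Azure VMware Solution, a private endpoint is required." on removed line 26 is the only part of this deleted section that was not carried into the new intro at line 14. If dropping the requirement is not intended, restore it in the intro or under Prerequisites. Removing the "Access via Private Endpoint" heading also retires its anchor, so check for inbound links to it.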

articles/storage/elastic-san/elastic-san-configure-service-endpoints.md

Lines changed: 6 additions & 9 deletions
@@ -11,6 +11,9 @@ ms.custom: references_regions, devx-track-azurecli, devx-track-azurepowershell
1111

1212
# Configure service endpoints for Azure Elastic SAN
1313

14+
A service endpoint enables secure connectivity to Elastic SAN from a subnet within your virtual network, without requiring a private IP. Virtual network service endpoints are public and accessible via the internet. You can [Configure virtual network rules](#configure-virtual-network-rules) to control access to your volume group when using storage service endpoints.
15+
To use a service endpoint, you must configure [Network Policies](../../private-link/disable-private-endpoint-network-policy.md) on your Elastic SAN volume group to allow traffic from specific subnets. These network rules apply only to the public endpoint of the volume group — they are not used for private endpoints. In other words, traffic from a subnet using a service endpoint must be explicitly permitted through a configured rule at the volume group level.Once network access is configured for a volume group, the configuration is inherited by all volumes belonging to the group.
16+
1417
This article configures service endpoint connections to your Elastic SAN.
1518

1619
## Prerequisites
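
Review bot: In the paragraph added at new line 15, the "[Network Policies]" link targets ../../private-link/disable-private-endpoint-network-policy.md, yet the next sentence says these rules "are not used for private endpoints"; confirm that target is the intended one, since line 14 already links the rules to #configure-virtual-network-rules. The same paragraph is missing a space in "volume group level.Once network access", and the last two sentences of line 14 repeat the unchanged text at line 68. This file also gets no ms.date bump and keeps references_regions in ms.custom, unlike the private endpoints article in the same commit.
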
@@ -19,12 +22,6 @@ This article configures service endpoint connections to your Elastic SAN.
1922
- If you're using Azure CLI, install the [latest version](/cli/azure/install-azure-cli).
2023
- Once you've installed the latest version, run `az extension add -n elastic-san` to install the extension for Elastic SAN.
2124

22-
## Access via Service Endpoint:
23-
24-
A service endpoint enables secure connectivity to Elastic SAN from a subnet within your virtual network, without requiring a private IP. Virtual network service endpoints are public and accessible via the internet. You can [Configure virtual network rules](#configure-virtual-network-rules) to control access to your volume group when using storage service endpoints.
25-
To use a service endpoint, you must configure [Network Policies](../../private-link/disable-private-endpoint-network-policy.md) on your Elastic SAN volume group to allow traffic from specific subnets. These network rules apply only to the public endpoint of the volume group — they are not used for private endpoints. In other words, traffic from a subnet using a service endpoint must be explicitly permitted through a configured rule at the volume group level.Once network access is configured for a volume group, the configuration is inherited by all volumes belonging to the group.
26-
27-
2825
## Configure public network access
2926

3027
You enable public Internet access to your Elastic SAN endpoints at the SAN level. Enabling public network access for an Elastic SAN allows you to configure public access to individual volume groups over storage service endpoints. By default, public access to individual volume groups is denied even if you allow it at the SAN level. You must explicitly configure your volume groups to permit access from specific IP address ranges and virtual network subnets.
@@ -71,7 +68,7 @@ To configure an Azure Storage service endpoint from the virtual network where ac
7168
Virtual network service endpoints are public and accessible via the internet. You can [Configure virtual network rules](#configure-virtual-network-rules) to control access to your volume group when using storage service endpoints.
7269

7370
> [!NOTE]
74-
> Configuration of rules that grant access to subnets in virtual networks that are a part of a different Microsoft Entra tenant are currently only supported through PowerShell, CLI and REST APIs. These rules cannot be configured through the Azure portal, though they can be viewed in the portal.
71+
> Configuration of rules that grant access to subnets in virtual networks that are a part of a different Microsoft Entra tenant are currently only supported through PowerShell, CLI and REST APIs. These rules cannot be configured through the Azure portal, they can only be viewed in the portal.
7572
7673
### [Portal](#tab/azure-portal)
7774
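
Review bot: The rewritten note at new line 71 ends with a comma splice: "These rules cannot be configured through the Azure portal, they can only be viewed in the portal." Use a semicolon or keep the original "though they can be viewed in the portal". "cannot" could also become "can't" to match the contractions this commit introduces elsewhere in the file ("doesn't" at line 129).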

@@ -129,9 +126,9 @@ All incoming requests for data over a service endpoint are blocked by default. O
129126
You can manage virtual network rules for volume groups through the Azure portal, PowerShell, or CLI.
130127

131128
> [!IMPORTANT]
132-
> If you want to enable access to your storage account from a virtual network/subnet in another Microsoft Entra tenant, you must use PowerShell or the Azure CLI. The Azure portal does not show subnets in other Microsoft Entra tenants.
129+
> To enable access to your storage account from a virtual network/subnet in another Microsoft Entra tenant, you must use PowerShell or the Azure CLI. The Azure portal doesn't show subnets in other Microsoft Entra tenants.
133130
>
134-
> If you delete a subnet that has been included in a network rule, it will be removed from the network rules for the volume group. If you create a new subnet with the same name, it won't have access to the volume group. To allow access, you must explicitly authorize the new subnet in the network rules for the volume group.
131+
> If you delete a subnet that has been included in a network rule, its removed from the network rules for the volume group. If you create a new subnet with the same name, it won't have access to the volume group. To allow access, you must explicitly authorize the new subnet in the network rules for the volume group.
135132
136133
### [Portal](#tab/azure-portal)
137134
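
Review bot: New line 131 reads "its removed from the network rules"; that should be "it's removed". At line 129 the note still says "your storage account" although the rules described here are on an Elastic SAN volume group, so consider "your volume group" while the line is being touched.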
