
Commit 2caf81c

Merge pull request #96039 from santoshc1/master
Separating connection info into new subsection.
2 parents f6aa7d3 + e345ad8 commit 2caf81c


1 file changed

+19
-8
lines changed


articles/storage/common/storage-private-endpoints.md

Lines changed: 19 additions & 8 deletions
@@ -33,7 +33,7 @@ When you create a private endpoint for a storage service in your VNet, a consent
3333
Storage account owners can manage consent requests and the private endpoints, through the '*Private Endpoints*' tab for the storage account in the [Azure portal](https://portal.azure.com).
3434

3535
> [!TIP]
36-
> If you want to restrict access to your storage account through the private endpoint only, configure the storage firewall to deny all access through the public endpoint.
36+
> If you want to restrict access to your storage account through the private endpoint only, configure the storage firewall to deny or control access through the public endpoint.
3737
3838
You can secure your storage account to only accept connections from your VNet, by [configuring the storage firewall](storage-network-security.md#change-the-default-network-access-rule) to deny access through its public endpoint by default. You don't need a firewall rule to allow traffic from a VNet that has a private endpoint, since the storage firewall only controls access through the public endpoint. Private endpoints instead rely on the consent flow for granting subnets access to the storage service.
3939
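Review bot: the new tip wording "deny or control access through the public endpoint" no longer satisfies its own premise of restricting access "through the private endpoint only"; a firewall rule that merely controls public access still leaves the public endpoint reachable to whatever it allows. The unchanged paragraph two lines below still says "deny access through its public endpoint by default", so the tip should keep "deny" for the private-only case, for example: "configure the storage firewall to deny all access through the public endpoint; if some clients outside the VNet must be allowed, restrict them with explicit network rules instead."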

@@ -55,9 +55,16 @@ For more detailed information on creating a private endpoint for your storage ac
5555
- [Create a private endpoint using Azure CLI](../../private-link/create-private-endpoint-cli.md)
5656
- [Create a private endpoint using Azure PowerShell](../../private-link/create-private-endpoint-powershell.md)
5757

58-
### DNS changes for Private Endpoints
58+
### Connecting to Private Endpoints
59+
60+
Clients on a VNet using the private endpoint should use the same connection string for the storage account, as clients connecting to the public endpoint. When you create a private endpoint, we rely upon DNS resolution to automatically route the connections from the VNet to the storage account over a private link.
5961

60-
Clients on a VNet should use the same connection string for the storage account even when using a private endpoint.
62+
> [!IMPORTANT]
63+
> Use the same connection string to connect to the storage account over private endpoints, as you'd use otherwise. Please don't connect to the storage account using its '*privatelink*' subdomain URL.
64+
65+
By default, we create a [private DNS zone](../../dns/private-dns-overview.md) attached to the VNet, with the necessary updates for the private endpoints. However, if you're using your own DNS server, you may need to make additional changes to your DNS configuration. The section on [DNS changes](#dns-changes-for-private-endpoints) below describes the updates required for private endpoints.
66+
67+
### DNS changes for Private Endpoints
6168

6269
When you create a private endpoint, we update the DNS CNAME resource record for that storage endpoint to an alias in a subdomain with the prefix '*privatelink*'. By default, we also create a [private DNS zone](../../dns/private-dns-overview.md) attached to the VNet. This private DNS zone corresponds to the subdomain with the prefix '*privatelink*', and contains the DNS A resource records for the private endpoints.
6370
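Review bot: the IMPORTANT callout at line 63 repeats the first sentence of the new paragraph at line 60 (use the same connection string) without saying what goes wrong if a client uses the '*privatelink*' URL instead; readers are more likely to comply if the callout states the consequence, and the duplicated sentence can then go. Two smaller points in line 60: "rely upon" reads better as "rely on", and the comma in "connection string for the storage account, as clients connecting to the public endpoint" splits the comparison. The default-private-DNS-zone sentence at line 65 is also restated at line 69; consider keeping only the pointer to the DNS section here.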

@@ -71,7 +78,7 @@ For the illustrated example above, the DNS resource records for the storage acco
7178
| ``StorageAccountA.privatelink.blob.core.windows.net`` | CNAME | \<storage service public endpoint\> |
7279
| \<storage service public endpoint\> | A | \<storage service public IP address\> |
7380

74-
As previously mentioned, you can deny all access through the public endpoint using the storage firewall.
81+
As previously mentioned, you can deny or control access for clients outside the VNet through the public endpoint using the storage firewall.
7582

7683
The DNS resource records for StorageAccountA, when resolved by a client in the VNet hosting the private endpoint, will be:
7784
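Review bot: "deny or control access for clients outside the VNet through the public endpoint" at line 81 is hard to parse; suggest "deny or restrict access through the public endpoint for clients outside the VNet". Since the rows above show that the CNAME chain for a client outside the VNet still ends at the public IP address, it is worth making explicit in this sentence that the storage firewall, not DNS, is the only control on that path.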

@@ -80,10 +87,7 @@ The DNS resource records for StorageAccountA, when resolved by a client in the V
8087
| ``StorageAccountA.blob.core.windows.net`` | CNAME | ``StorageAccountA.privatelink.blob.core.windows.net`` |
8188
| ``StorageAccountA.privatelink.blob.core.windows.net`` | A | 10.1.1.5 |
8289

83-
This approach enables access to the storage account **using the same connection string** from the VNet hosting the private endpoints, as well as clients outside the VNet. You can use the storage firewall to deny access to all clients outside the VNet.
84-
85-
> [!IMPORTANT]
86-
> Use the same connection string to connect to the storage account over private endpoints, as you'd use otherwise. Please don't connect to the storage account using its '*privatelink*' subdomain URL.
90+
This approach enables access to the storage account **using the same connection string** for clients on the VNet hosting the private endpoints, as well as clients outside the VNet.
8791

8892
> [!TIP]
8993
> When using a custom or on-premises DNS server, you should configure DNS resource records for private endpoints in a DNS zone corresponding to the 'privatelink' subdomain of the storage service.
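Review bot: dropping "You can use the storage firewall to deny access to all clients outside the VNet" from old line 83 leaves the rewritten line 90 saying that clients outside the VNet can also connect with the same connection string, with no pointer to what governs that; the sentence moved to line 81 covers it, but a short back-reference here (for example "subject to the storage firewall rules described above") keeps this paragraph self-contained. Moving the IMPORTANT callout up into the new Connecting section is fine.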
@@ -99,6 +103,13 @@ The recommended DNS zone names for private endpoints for storage services are:
99103
| Table service | `privatelink.table.core.windows.net` |
100104
| Static Websites | `privatelink.web.core.windows.net` |
101105

106+
#### Resources
107+
108+
For additional guidance on configuring your own DNS server to support private endpoints, refer to the following articles:
109+
110+
- [Name resolution for resources in Azure virtual networks](/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances#name-resolution-that-uses-your-own-dns-server)
111+
- [DNS configuration for Private Endpoints](/private-link/private-endpoint-overview#dns-configuration)
112+
102113
## Pricing
103114

104115
For pricing details, see [Azure Private Link pricing](https://azure.microsoft.com/pricing/details/private-link).
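Review bot: the two new links at lines 110 and 111 use root-relative paths (`/virtual-network/...`, `/private-link/...`) while every other cross-reference in this file uses repository-relative `.md` paths such as `../../private-link/create-private-endpoint-cli.md`; please confirm the root-relative form resolves in the docs build, or switch to `../../virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md#name-resolution-that-uses-your-own-dns-server` and `../../private-link/private-endpoint-overview.md#dns-configuration` for consistency.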
