more updates

normesta · normesta · commit 70b7b6061f15 · 2025-07-09T16:10:25.000-07:00
diff --git a/articles/storage/common/storage-network-security-set-default-access.md b/articles/storage/common/storage-network-security-set-default-access.md
@@ -92,6 +92,9 @@ By default, storage accounts accept connections from clients on any network. You
 
 ---
 
+> [!NOTE]
+> Firewall settings that restrict access to storage services remain in effect for up to a minute after you save settings that allow access.
+
 ## Next steps
 
 - [Azure Storage firewall and virtual network rules](storage-network-security.md)
diff --git a/articles/storage/common/storage-private-endpoints.md b/articles/storage/common/storage-private-endpoints.md
@@ -7,7 +7,7 @@ author: normesta
 
 ms.service: azure-storage
 ms.topic: concept-article
-ms.date: 11/05/2024
+ms.date: 07/08/2025
 ms.author: normesta
 ms.reviewer: santoshc
 ms.subservice: storage-common-concepts
@@ -17,35 +17,35 @@ ms.custom: engagement-fy23
 
 # Use private endpoints for Azure Storage
 
-You can use [private endpoints](../../private-link/private-endpoint-overview.md) for your Azure Storage accounts to allow clients on a virtual network (VNet) to securely access data over a [Private Link](../../private-link/private-link-overview.md). The private endpoint uses a separate IP address from the VNet address space for each storage account service. Network traffic between the clients on the VNet and the storage account traverses over the VNet and a private link on the Microsoft backbone network, eliminating exposure from the public internet.
+You can use [private endpoints](../../private-link/private-endpoint-overview.md) for your Azure Storage accounts to allow clients on an Azure Virtual Network to securely access data over a [Private Link](../../private-link/private-link-overview.md). The private endpoint uses a separate IP address from the virtual network address space for each storage account service. Network traffic between the clients on the virtual network and the storage account traverses over the virtual network and a private link on the Microsoft backbone network, eliminating exposure from the public internet.
 
 > [!NOTE]
 > Private endpoints are not available for general-purpose v1 storage accounts.   
 
 Using private endpoints for your storage account enables you to:
 
 - Secure your storage account by using a private link. You can manually configure the storage firewall to block connections on the public endpoint of the storage service. Creating a private link does not automatically block connections on the public endpoint.
-- Increase security for the virtual network (VNet), by enabling you to block exfiltration of data from the VNet.
-- Securely connect to storage accounts from on-premises networks that connect to the VNet using [VPN](../../vpn-gateway/vpn-gateway-about-vpngateways.md) or [ExpressRoutes](../../expressroute/expressroute-locations.md) with private-peering.
+- Increase security for the virtual network by enabling you to block exfiltration of data from the virtual network.
+- Securely connect to storage accounts from on-premises networks that connect to the virtual network using [VPN](../../vpn-gateway/vpn-gateway-about-vpngateways.md) or [ExpressRoutes](../../expressroute/expressroute-locations.md) with private-peering.
 
 ## Conceptual overview
 
 ![Overview of private endpoints for Azure Storage](media/storage-private-endpoints/storage-private-endpoints-overview.jpg)
 
-A private endpoint is a special network interface for an Azure service in your [Virtual Network](../../virtual-network/virtual-networks-overview.md) (VNet). When you create a private endpoint for your storage account, it provides secure connectivity between clients on your VNet and your storage. The private endpoint is assigned an IP address from the IP address range of your VNet. The connection between the private endpoint and the storage service uses a secure private link.
+A private endpoint is a special network interface for an Azure service in your [Virtual Network](../../virtual-network/virtual-networks-overview.md). When you create a private endpoint for your storage account, it provides secure connectivity between clients on your virtual network and your storage. The private endpoint is assigned an IP address from the IP address range of your virtual network. The connection between the private endpoint and the storage service uses a secure private link.
 
-Applications in the VNet can connect to the storage service over the private endpoint seamlessly, **using the same connection strings and authorization mechanisms that they would use otherwise**. Private endpoints can be used with all protocols supported by the storage account, including REST and SMB.
+Applications in the virtual network can connect to the storage service over the private endpoint seamlessly, **using the same connection strings and authorization mechanisms that they would use otherwise**. Private endpoints can be used with all protocols supported by the storage account, including REST and SMB.
 
 Private endpoints can be created in subnets that use [Service Endpoints](../../virtual-network/virtual-network-service-endpoints-overview.md). Clients in a subnet can thus connect to one storage account using private endpoint, while using service endpoints to access others.
 
-When you create a private endpoint for a storage service in your VNet, a consent request is sent for approval to the storage account owner. If the user requesting the creation of the private endpoint is also an owner of the storage account, this consent request is automatically approved.
+When you create a private endpoint for a storage service in your virtual network, a consent request is sent for approval to the storage account owner. If the user requesting the creation of the private endpoint is also an owner of the storage account, this consent request is automatically approved.
 
 Storage account owners can manage consent requests and the private endpoints through the '*Private endpoints*' tab for the storage account in the [Azure portal](https://portal.azure.com).
 
 > [!TIP]
 > If you want to restrict access to your storage account through the private endpoint only, configure the storage firewall to deny or control access through the public endpoint.
 
-You can secure your storage account to only accept connections from your VNet by [configuring the storage firewall](storage-network-security-set-default-access.md) to deny access through its public endpoint by default. You don't need a firewall rule to allow traffic from a VNet that has a private endpoint, since the storage firewall only controls access through the public endpoint. Private endpoints instead rely on the consent flow for granting subnets access to the storage service.
+You can secure your storage account to only accept connections from your virtual network by [configuring the storage firewall](storage-network-security-set-default-access.md) to deny access through its public endpoint by default. You don't need a firewall rule to allow traffic from a virtual network that has a private endpoint, since the storage firewall only controls access through the public endpoint. Private endpoints instead rely on the consent flow for granting subnets access to the storage service.
 
 > [!NOTE]
 > When copying blobs between storage accounts, your client must have network access to both accounts. So if you choose to use a private link for only one account (either the source or the destination), make sure that your client has network access to the other account. To learn about other ways to configure network access, see [Configure Azure Storage firewalls and virtual networks](storage-network-security.md?toc=/azure/storage/blobs/toc.json).
@@ -78,12 +78,12 @@ For read access to the secondary region with a storage account configured for ge
 
 ## Connecting to a private endpoint
 
-Clients on a VNet using the private endpoint should use the same connection string for the storage account as clients connecting to the public endpoint. We rely upon DNS resolution to automatically route the connections from the VNet to the storage account over a private link.
+Clients on a virtual network using the private endpoint should use the same connection string for the storage account as clients connecting to the public endpoint. We rely upon DNS resolution to automatically route the connections from the virtual network to the storage account over a private link.
 
 > [!IMPORTANT]
 > Use the same connection string to connect to the storage account using private endpoints as you'd use otherwise. Please don't connect to the storage account using its `privatelink` subdomain URL.
 
-By default, We create a [private DNS zone](../../dns/private-dns-overview.md) attached to the VNet with the necessary updates for the private endpoints. However, if you're using your own DNS server, you may need to make additional changes to your DNS configuration. The section on [DNS changes](#dns-changes-for-private-endpoints) below describes the updates required for private endpoints.
+By default, We create a [private DNS zone](../../dns/private-dns-overview.md) attached to the virtual network with the necessary updates for the private endpoints. However, if you're using your own DNS server, you may need to make additional changes to your DNS configuration. The section on [DNS changes](#dns-changes-for-private-endpoints) below describes the updates required for private endpoints.
 
 ## DNS changes for private endpoints
 
@@ -92,31 +92,31 @@ By default, We create a [private DNS zone](../../dns/private-dns-overview.md) at
 
 When you create a private endpoint, the DNS CNAME resource record for the storage account is updated to an alias in a subdomain with the prefix `privatelink`. By default, we also create a [private DNS zone](../../dns/private-dns-overview.md), corresponding to the `privatelink` subdomain, with the DNS A resource records for the private endpoints.
 
-When you resolve the storage endpoint URL from outside the VNet with the private endpoint, it resolves to the public endpoint of the storage service. When resolved from the VNet hosting the private endpoint, the storage endpoint URL resolves to the private endpoint's IP address.
+When you resolve the storage endpoint URL from outside the virtual network with the private endpoint, it resolves to the public endpoint of the storage service. When resolved from the virtual network hosting the private endpoint, the storage endpoint URL resolves to the private endpoint's IP address.
 
-For the illustrated example above, the DNS resource records for the storage account 'StorageAccountA', when resolved from outside the VNet hosting the private endpoint, will be:
+For the illustrated example above, the DNS resource records for the storage account 'StorageAccountA', when resolved from outside the virtual network hosting the private endpoint, will be:
 
 | Name                                                  | Type  | Value                                                 |
 | :---------------------------------------------------- | :---: | :---------------------------------------------------- |
 | `StorageAccountA.blob.core.windows.net`             | CNAME | `StorageAccountA.privatelink.blob.core.windows.net` |
 | `StorageAccountA.privatelink.blob.core.windows.net` | CNAME | \<storage service public endpoint\>                   |
 | \<storage service public endpoint\>                   | A     | \<storage service public IP address\>                 |
 
-As previously mentioned, you can deny or control access for clients outside the VNet through the public endpoint using the storage firewall.
+As previously mentioned, you can deny or control access for clients outside the virtual network through the public endpoint using the storage firewall.
 
-The DNS resource records for StorageAccountA, when resolved by a client in the VNet hosting the private endpoint, will be:
+The DNS resource records for StorageAccountA, when resolved by a client in the virtual network hosting the private endpoint, will be:
 
 | Name  | Type | Value |
 | :--- | :---: | :--- |
 | `StorageAccountA.blob.core.windows.net` | CNAME | `StorageAccountA.privatelink.blob.core.windows.net` |
 | `StorageAccountA.privatelink.blob.core.windows.net` | A | `10.1.1.5` |
 
-This approach enables access to the storage account **using the same connection string** for clients on the VNet hosting the private endpoints, as well as clients outside the VNet.
+This approach enables access to the storage account **using the same connection string** for clients on the virtual network hosting the private endpoints, as well as clients outside the virtual network.
 
-If you are using a custom DNS server on your network, clients must be able to resolve the FQDN for the storage account endpoint to the private endpoint IP address. You should configure your DNS server to delegate your private link subdomain to the private DNS zone for the VNet, or configure the A records for `StorageAccountA.privatelink.blob.core.windows.net` with the private endpoint IP address.
+If you are using a custom DNS server on your network, clients must be able to resolve the FQDN for the storage account endpoint to the private endpoint IP address. You should configure your DNS server to delegate your private link subdomain to the private DNS zone for the virtual network, or configure the A records for `StorageAccountA.privatelink.blob.core.windows.net` with the private endpoint IP address.
 
 > [!TIP]
-> When using a custom or on-premises DNS server, you should configure your DNS server to resolve the storage account name in the `privatelink` subdomain to the private endpoint IP address. You can do this by delegating the `privatelink` subdomain to the private DNS zone of the VNet or by configuring the DNS zone on your DNS server and adding the DNS A records.
+> When using a custom or on-premises DNS server, you should configure your DNS server to resolve the storage account name in the `privatelink` subdomain to the private endpoint IP address. You can do this by delegating the `privatelink` subdomain to the private DNS zone of the virtual network or by configuring the DNS zone on your DNS server and adding the DNS A records.
 
 The recommended DNS zone names for private endpoints for storage services, and the associated endpoint target sub-resources, are:
 
@@ -142,9 +142,9 @@ For pricing details, see [Azure Private Link pricing](https://azure.microsoft.co
 
 Keep in mind the following known issues about private endpoints for Azure Storage.
 
-### Storage access constraints for clients in VNets with private endpoints
+### Storage access constraints for clients in virtual networks with private endpoints
 
-Clients in VNets with existing private endpoints face constraints when accessing other storage accounts that have private endpoints. For example, suppose a VNet N1 has a private endpoint for a storage account A1 for Blob storage. If storage account A2 has a private endpoint in a VNet N2 for Blob storage, then clients in VNet N1 must also access Blob storage in account A2 using a private endpoint. If storage account A2 does not have any private endpoints for Blob storage, then clients in VNet N1 can access Blob storage in that account without a private endpoint.
+Clients in virtual networks with existing private endpoints face constraints when accessing other storage accounts that have private endpoints. For example, suppose a virtual network N1 has a private endpoint for a storage account A1 for Blob storage. If storage account A2 has a private endpoint in a virtual network N2 for Blob storage, then clients in virtual network N1 must also access Blob storage in account A2 using a private endpoint. If storage account A2 does not have any private endpoints for Blob storage, then clients in virtual network N1 can access Blob storage in that account without a private endpoint.
 
 This constraint is a result of the DNS changes made when account A2 creates a private endpoint.
 
