articles/storage/common/storage-network-security-overview.md
Lines changed: 2 additions & 4 deletions
@@ -24,13 +24,11 @@ By default, storage accounts accept requests over HTTPS only. Any requests made
## Private endpoints
-
Where possible, create private links to your storage account to secure access through a *private endpoint*. A private endpoint assigns a private IP address from your virtual network to your storage account. Clients connect to your storage account using the private link. Traffic is routed over the Microsoft backbone network, ensuring it doesn't travel over the public internet. You can fine-tune access rules using [Network policies for private endpoints](../../private-link/disable-private-endpoint-network-policy.md). To permit traffic only from private links, you can block all access over the public endpoint. Private endpoints incur extra costs but provide maximum network isolation.
-
-
To learn more about using a private endpoint to secure traffic to your storage account, see [Use private endpoints for Azure Storage](storage-private-endpoints.md).
+
Where possible, create private links to your storage account to secure access through a *private endpoint*. A private endpoint assigns a private IP address from your virtual network to your storage account. Clients connect to your storage account using the private link. Traffic is routed over the Microsoft backbone network, ensuring it doesn't travel over the public internet. You can fine-tune access rules using [Network policies for private endpoints](../../private-link/disable-private-endpoint-network-policy.md). To permit traffic only from private links, you can block all access over the public endpoint. Private endpoints incur extra costs but provide maximum network isolation. To learn more, see [Use private endpoints for Azure Storage](storage-private-endpoints.md).
## Public endpoints
-
The *public endpoint* of your storage account is accessed through a public IP address. If you block all access over the public endpoint, you disable all traffic to the storage account's public IP address. However, if there are clients that can't access your storage account over a private link, or if you choose not to use private endpoints for cost or other reasons, then you can secure the public endpoint of your storage account by using firewall rules or by adding your storage account to a network security perimeter.
+
The *public endpoint* of your storage account is accessed through a public IP address. If you use only private endpoints, then you should disable all traffic to the storage account's public IP address. If some clients use a private link, or you choose not to use private endpoints for cost or other reasons, then you can secure the public endpoint of your storage account by using firewall rules or by adding your storage account to a network security perimeter.
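Review bot: the rewritten public endpoints paragraph inverts the condition that motivates securing the public endpoint. The deleted text applies firewall rules or a network security perimeter "if there are clients that can't access your storage account over a private link"; the added text says "If some clients use a private link, or you choose not to use private endpoints", which describes the clients that do not need the public endpoint at all. Suggest "If some clients can't use a private link, or if you choose not to use private endpoints for cost or other reasons, then you can secure the public endpoint of your storage account by using firewall rules or by adding your storage account to a network security perimeter." The merged private endpoints paragraph earlier in the hunk reads fine.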
articles/storage/common/storage-network-security-trusted-azure-services.md
Lines changed: 3 additions & 0 deletions
@@ -13,11 +13,14 @@ ms.author: normesta
# Trusted Azure services
+
<aid="trusted-microsoft-services"></a>
+
If you need to enable traffic from an Azure service outside of your network boundary, you can add a *network security exception*. This is useful when an Azure service operates from a network that you can't include in your virtual network or IP network rules. For example, some services might need to read resource logs and metrics in your account. You can allow read access for log files, metrics tables, or both by creating a network rule exception. These services connect to your storage account using strong authentication.
To learn how to add a network security exception, see [Manage Network security exceptions](storage-network-security-manage-exceptions.md).
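Review bot: the added anchor line appears as `<aid="trusted-microsoft-services"></a>`, which is not a valid element; the tag name and attribute need a space, `<a id="trusted-microsoft-services"></a>`, or inbound links to the old #trusted-microsoft-services fragment won't resolve after the heading was renamed to "Trusted Azure services". If the space is only lost in this rendering, ignore this; otherwise fix it before merge. The blank line added after the anchor, keeping it separated from the following paragraph, is fine.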
articles/storage/common/storage-network-security.md
Lines changed: 3 additions & 7 deletions
@@ -50,9 +50,6 @@ The following table describes each type of service endpoint that you can enable
To learn how to configure a virtual network rule and enable service endpoints, see [Create a virtual network rule for Azure Storage](storage-network-security-virtual-networks.md).
Service endpoints also work between virtual networks and service instances in a [paired region](../../best-practices-availability-paired-regions.md).
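Review bot: the three lines this hunk deletes aren't rendered in this view, only the two unchanged context lines, so the removal can't be checked against its surroundings here. The commit has no comments and the file summary only says 3 additions and 7 deletions, so the commit message or PR description should state what was dropped around the "Create a virtual network rule for Azure Storage" cross-reference and the paired-region sentence, both of which remain.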
@@ -61,6 +58,9 @@ Configuring service endpoints between virtual networks and service instances in
When planning for disaster recovery during a regional outage, create the virtual networks in the paired region in advance. Enable service endpoints for Azure Storage with network rules that grant access from these alternative virtual networks. Then apply these rules to your geo-redundant storage accounts.
For clients and services that aren't located in a virtual network, you can enable traffic by creating *IP network rules*. Each IP network rule enables traffic from a specific public IP address range. For example, if a client from an on-premises network needs to access storage data, you can create a rule that includes the public IP address of that client. Each storage account supports up to **400** IP network rules.
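Review bot: the three added lines in this hunk aren't rendered either, and the visible context runs from the disaster-recovery paragraph straight into the IP network rules paragraph ("For clients and services that aren't located in a virtual network..."). The hunk header places this under the service endpoints discussion, so confirm that the additions or the surrounding file introduce IP network rules with their own heading before that paragraph, rather than leaving the 400-rule limit and the on-premises example under the service endpoints text.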
@@ -94,11 +94,7 @@ To learn how to configure a resource instance rule, see [Create a resource insta
0 commit comments