As you know, you can protect your Azure Storage account by using shared access signatures and/or by restricting the networks from which the storage account can be accessed.
The latter uses the Microsoft.Storage service endpoint that you enable on your virtual network and/or subnet.
However, using a service endpoint to restrict access to your storage account to specific networks/subnets requires that both the storage account and the virtual network be hosted in the same Azure region.
Good news: you can now configure this from any Azure region.
First, you need to enable the AllowGlobalTagsForStorage feature of the Microsoft.Network service provider.
During the preview, this is only possible using either PowerShell or the Azure CLI.
- PowerShell command to run after authenticating to your Azure tenant and selecting the subscription on which you want the feature enabled
Register-AzProviderFeature -ProviderNamespace Microsoft.Network -FeatureName AllowGlobalTagsForStorage
- Azure CLI command to run after authenticating to your Azure tenant and selecting the subscription on which you want the feature enabled
az feature register --namespace Microsoft.Network --name AllowGlobalTagsForStorage
Don’t forget that for both options you can use Azure Cloud Shell.
That’s it. After that, your storage account can be accessed from any virtual network/subnet you allow, no matter the hosting region.
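
The whole procedure with the Azure CLI, as an added example that is not part of the original post: it registers the feature, waits until the state is Registered, allows one subnet from another region, and checks that the account's default action is Deny so the rule actually restricts access. It assumes you are already signed in with the right subscription selected and that the subnet already has the Microsoft.Storage service endpoint enabled; the `az provider register` step and the `--apply` wrapper are additions, and the resource group, account name and subnet ID are supplied by you.

```bash
#!/usr/bin/env bash
# Added example. Resource group, account and subnet ID are supplied by the caller.
FEATURE_NS="Microsoft.Network"
FEATURE_NAME="AllowGlobalTagsForStorage"

# Print the current registration state of the preview feature.
feature_state() {
  az feature show --namespace "$FEATURE_NS" --name "$FEATURE_NAME" \
    --query properties.state -o tsv
}

# Poll until the state is "Registered": $1 = max attempts, $2 = delay in seconds.
wait_for_feature() {
  attempts="${1:-30}"; delay="${2:-20}"; i=0
  while [ "$i" -lt "$attempts" ]; do
    if [ "$(feature_state)" = "Registered" ]; then return 0; fi
    sleep "$delay"
    i=$((i + 1))
  done
  return 1
}

# Succeed only if the account denies traffic by default; with "Allow",
# virtual network rules do not restrict anything.
default_action_is_deny() {
  action="$(az storage account show --resource-group "$1" --name "$2" \
    --query networkRuleSet.defaultAction -o tsv)"
  [ "$action" = "Deny" ]
}

# $1 = resource group, $2 = storage account, $3 = subnet resource ID
allow_cross_region_subnet() {
  az feature register --namespace "$FEATURE_NS" --name "$FEATURE_NAME" >/dev/null || return 1
  wait_for_feature || { echo "feature is not registered yet" >&2; return 1; }
  # Re-register the provider so the feature registration propagates.
  az provider register --namespace "$FEATURE_NS" || return 1
  az storage account network-rule add --resource-group "$1" \
    --account-name "$2" --subnet "$3" >/dev/null || return 1
  default_action_is_deny "$1" "$2" ||
    echo "WARNING: default action is not Deny; the rule does not restrict access" >&2
}

# Run only when invoked as: script.sh --apply <resource-group> <account> <subnet-id>
if [ "${1:-}" = "--apply" ]; then
  allow_cross_region_subnet "$2" "$3" "$4"
fi
```
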