Service Endpoints are a new feature that lets you restrict access to Azure services to specific Virtual Networks. This allows you to remove public internet access to those resources. Another benefit of Service Endpoints is that, once enabled, traffic is automatically routed to the service. This greatly simplifies design and implementation by removing the need for User Defined Routes in cases where forced tunnelling is enabled to route all traffic back on-premises.
Configuring a Virtual Network for Service Endpoints
Service Endpoints are enabled at the VNET/Subnet level. You must enable the endpoint on each VNET/Subnet that you want to be granted access to the service.
Configuring a Storage Account to allow access from Virtual Network
A Storage Account can be enabled for Service Endpoints when it is first created, by enabling the “Virtual Networks” option and specifying the required VNET/Subnet.
For existing Storage Accounts, this can be enabled by adding virtual network access.
Allow access from on-premises networks
By default, access is not allowed from on-premises networks. You can allow it by adding the public IP address of the on-premises network or ExpressRoute in the Firewall section.
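The three steps above can also be scripted. The following is an added example, not part of the original article, and uses the Az PowerShell module in place of the portal. It assumes a signed-in session (Connect-AzAccount); the resource group, VNET, subnet, storage account and IP address are constructed placeholders.

```powershell
# Added example: every name and address below is a constructed placeholder.
$rg          = 'rg-example'
$vnetName    = 'vnet-example'
$subnetName  = 'snet-app'
$storageName = 'stexample001'
$onPremIp    = '203.0.113.10'   # documentation-range IP standing in for the on-premises public IP

# Storage firewall IP rules take public addresses only; stop early on RFC 1918 input.
if ($onPremIp -match '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)') {
    throw "$onPremIp is a private address; use the public (NAT or ExpressRoute) address instead."
}

# 1. Enable the Microsoft.Storage service endpoint on the subnet, keeping its address prefix.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $subnet.AddressPrefix -ServiceEndpoint 'Microsoft.Storage' | Out-Null
$vnet   = $vnet | Set-AzVirtualNetwork
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
# Review the subnet afterwards to confirm its NSG and route table associations are unchanged.

# 2. Add the allow rules first, so permitted clients see no gap when the default flips.
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $storageName `
    -VirtualNetworkResourceId $subnet.Id | Out-Null
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $storageName `
    -IPAddressOrRange $onPremIp | Out-Null

# 3. Switch the default action to Deny: this is the step that removes public internet access.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $storageName `
    -DefaultAction Deny | Out-Null

# 4. Read the rule set back and fail loudly if the account is still open.
$rules = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $storageName
if ($rules.DefaultAction -ne 'Deny') { throw 'Default action is not Deny; account is still publicly reachable.' }
$rules.VirtualNetworkRules | Select-Object VirtualNetworkResourceId, State
$rules.IpRules             | Select-Object IPAddressOrRange, Action
```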