Azure Lab 01: Hide Your Public Connection From PaaS To Storage Account

Using PaaS resources in Azure brings conveniences to developers, such as saving time and letting them concentrate on coding. However, there is a paradox: convenience and security may never point in the same direction.

Your customers might challenge you about exposing the interconnections among resources on public networks. For example, you built a Function App that tracks customers’ information and stores it in a Blob container (in a Storage Account). Meanwhile, the connections invoked by that function use the container's public domain name, which means those requests have a good chance of being routed outside.

For security purposes such as ISO/IEC 27001, you may want your resources to cooperate privately. However, detailed network settings among PaaS services are extremely hard to find (at least for me, a pure newbie). So this article is my research on connecting PaaS services such as an Azure Function App to a Blob container over a private network (and across regions).

Here is the outline. I will introduce 2 methods, Service Endpoints and Private Endpoints, to help you protect your connection.


  1. Service Endpoints
  2. Private Endpoints
  3. Additional Information
  4. Conclusion
  5. References