...
We can combine this with resource firewalls if we want to lock down storage accounts (allow/deny traffic) and make only accessible across Microsoft Backbone and so, we can remove public internet access.
...
Private Link
It’s similar to VNet Peering and we are not going over the public internet. IT’s going over that Microsoft Backbone and it’s going to proxy and provide secure connectivity across to a given resource within Azure.
We can get more granular security - we can configure connectivity to specific resources (not a whole resource type).
...
Connectivity is possible with our on-premises infra; Connectivity is possible from peered virtual networks.