...

INFRA & SECURITY : Combining the milestones 2 & 3

Azure Web App : IP restriction and Azure VNET Integration

...

  1. Access restrictions in App Service are equivalent to a firewall, allowing you to block and filter traffic. Access restrictions apply to inbound access only (App Service Access restrictions - Azure App Service | Microsoft Learn). The ability to restrict access to your web app from an Azure virtual network uses service endpoints. With service endpoints, you can restrict access to a multitenant service from selected subnets (Azure App Service access restrictions - Azure App Service | Microsoft Learn).

  2. Virtual Network Integration : It gives your app access to resources in your virtual network, but it doesn't grant inbound private access to your app from the virtual network. It is used only to make outbound calls from your app into your virtual network. For inbound private access, we need to use private endpoints, and so we need to deploy the app behind a private endpoint (Connect privately to an App Service apps using private endpoint - Azure App Service | Microsoft Learn | Azure App Service access restrictions - Azure App Service | Microsoft Learn)

...

  1. To prevent data exfiltration or the risk of malicious program implantation, we can control the outbound traffic with Azure Firewall. By default, App Service can make outbound requests to the public Internet. As our App Service is integrated with an Azure VNet, we can control the outbound traffic with a Network Security Group to a limited extent (target IP address, port and protocol only) : App Service outbound traffic control with Azure Firewall - Azure App Service | Microsoft Learn

Azure Storage

  1. Require Secure Transfer during the creation of the Storage Account resource. With this setting, any call to an Azure Storage REST API operation must be made over HTTPS.

  2. Configuration of Firewalls and Virtual Networks : There are 2 configurations to take into account:

    1. Configure access from on-premise networks : Configure Azure Storage firewalls and virtual networks | Microsoft Learn
      To allow access to your service resources from on-premises, you must allow the public IP addresses used by the on-premises network (Azure ExpressRoute, VPN) in the firewall setting for resource IPs.

    2. Configure access from Other Azure Services / Azure Resources : Configure Azure Storage firewalls and virtual networks | Microsoft Learn
      We control access to the Storage Account over network endpoints, from selected virtual network subnets, using private endpoints and not service endpoints. Virtual Network Service Endpoints keep the Storage Account on a public address reachable from the Internet, which we don't want. On the other side, Virtual Network Private Endpoints use a private IP address to access the Storage Account over the Microsoft backbone network.

...

Info

When you create a private endpoint, the DNS CNAME resource record for the storage account is updated to an alias in a subdomain with the prefix privatelink. By default, we also create a private DNS zone, corresponding to the privatelink subdomain, with the DNS A resource records for the private endpoints : Use private endpoints - Azure Storage | Microsoft Learn
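Added example (not from the original page or from Microsoft's documentation): a Bicep template that applies the Storage Account points above in one place, secure transfer, a deny-by-default storage firewall with an allow rule for the on-premises egress address, a private endpoint instead of service endpoints, and the privatelink DNS zone with its VNet link. The resource names, the VNet/subnet parameters and the 203.0.113.0/24 range are assumptions.

```bicep
// All names, address ranges and the VNet/subnet parameters are assumptions.
param location string = resourceGroup().location
param vnetId string       // existing spoke VNet hosting the clients
param peSubnetId string   // subnet that will host the private endpoint
param onPremEgress string = '203.0.113.0/24'   // constructed: public IP range of the VPN/ExpressRoute egress
resource sa 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: 'stexamplehardened'   // placeholder
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    supportsHttpsTrafficOnly: true   // "Require secure transfer": REST calls only over HTTPS
    networkAcls: {
      defaultAction: 'Deny'          // storage firewall: deny unless explicitly allowed
      bypass: 'AzureServices'
      ipRules: [ { value: onPremEgress, action: 'Allow' } ]   // on-premises access via public IP
      virtualNetworkRules: []        // no service endpoints; VNet clients use the private endpoint
    }
  }
}
// Private endpoint: a private IP in peSubnet; traffic stays on the Microsoft backbone
resource pe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-${sa.name}-blob'
  location: location
  properties: {
    subnet: { id: peSubnetId }
    privateLinkServiceConnections: [
      {
        name: 'blob'
        properties: { privateLinkServiceId: sa.id, groupIds: [ 'blob' ] }
      }
    ]
  }
}
// privatelink zone linked to the VNet, so the account FQDN resolves to the private IP inside it;
// the zone group below writes the endpoint's A record into the zone automatically
resource zone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.blob.${environment().suffixes.storage}'   // privatelink.blob.core.windows.net
  location: 'global'
}
resource zoneLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: zone
  name: 'link-spoke'
  location: 'global'
  properties: { virtualNetwork: { id: vnetId }, registrationEnabled: false }
}
resource dnsGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: pe
  name: 'default'
  properties: { privateDnsZoneConfigs: [ { name: 'blob', properties: { privateDnsZoneId: zone.id } } ] }
}
```

After deployment, a client inside the linked VNet should resolve the account's blob FQDN to the private endpoint address, while the same lookup from the Internet still returns the public CNAME chain but is blocked by the firewall unless it comes from the allowed range.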

  1. Finally, we have to configure Network Routing when we use Azure Private Endpoints : Network routing preference - Azure Storage | Microsoft Learn

    1. For traffic flowing to private endpoints, you can add a rule to route that traffic through your Network Virtual Appliance (NVA). You can reuse that rule across all your spokes, Virtual Private Network (VPN) gateways, and Azure ExpressRoute gateways : Azure Private Link in a hub-and-spoke network - Azure Architecture Center | Microsoft Learn

    2. We may need to inspect or block traffic from clients to the services exposed via private endpoints : Azure Firewall scenarios to inspect traffic destined to a private endpoint - Azure Private Link | Microsoft Learn

Azure AI Search

Network & CyberSecurity : Combining the milestones 2 & 3

...