Virtual Network (VNet) service endpoints extend your virtual network private address space and the identity of your VNet to Azure services over a direct connection. Endpoints allow you to restrict access to your critical Azure service resources to only your virtual networks. Traffic from your VNet to the Azure service always remains on the Microsoft Azure backbone network.

VNet service endpoint policies provide granular access control to specific service resources over the direct connection of service endpoints. Combined with NSG service tags, this capability provides an additional layer of security for virtual networks, allowing you to connect your VNets securely so that they can access only specific service resources.

Currently, you can restrict access to specific Azure storage accounts. Create a service endpoint policy and define the storage accounts that the policy should allow. You can then associate the policy with one or more subnets that have service endpoints associated with Azure Storage.
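An added example (not from the original page or from Microsoft): a Python check over subnet and service endpoint policy JSON in the ARM resource shape. It flags subnets that have a Microsoft.Storage service endpoint but no policy definition in effect, and policies whose allowed resource is broader than a single storage account. The IDs and names are constructed placeholders, and treating resource-group or subscription scopes as findings is an assumption about how strict the allow list should be.

```python
import re

STORAGE = "Microsoft.Storage"
# Resource ID of a single storage account; anything shorter is a broader scope.
ACCOUNT_ID = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/"
    r"Microsoft\.Storage/storageAccounts/[^/]+$", re.IGNORECASE)

def audit(subnets, policies):
    """Return {subnet name: [findings]} for subnets with a Storage service endpoint."""
    by_id = {p["id"].lower(): p for p in policies}
    report = {}
    for sn in subnets:
        props = sn.get("properties", {})
        services = {e.get("service") for e in props.get("serviceEndpoints", [])}
        if STORAGE not in services:
            continue  # no Storage endpoint, so endpoint policies do not apply
        findings, allowed = [], []
        for ref in props.get("serviceEndpointPolicies", []):
            pol = by_id.get(ref["id"].lower())
            if pol is None:
                findings.append("unresolved policy: " + ref["id"])
                continue
            for d in pol["properties"].get("serviceEndpointPolicyDefinitions", []):
                if d["properties"].get("service") == STORAGE:
                    allowed += d["properties"].get("serviceResources", [])
        if not allowed:
            findings.append("no Storage policy definition in effect")
        findings += ["broad scope: " + r for r in allowed if not ACCOUNT_ID.match(r)]
        report[sn["name"]] = findings
    return report

# Constructed sample data (placeholder IDs, not real resources).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-example"
POLICIES = [{
    "id": RG + "/providers/Microsoft.Network/serviceEndpointPolicies/sep-app",
    "properties": {"serviceEndpointPolicyDefinitions": [{
        "name": "allow-app-data",
        "properties": {"service": STORAGE, "serviceResources": [
            RG + "/providers/Microsoft.Storage/storageAccounts/appdata01", RG]}}]}}]
SUBNETS = [
    {"name": "app", "properties": {"serviceEndpoints": [{"service": STORAGE}],
                                   "serviceEndpointPolicies": [{"id": POLICIES[0]["id"]}]}},
    {"name": "batch", "properties": {"serviceEndpoints": [{"service": STORAGE}]}},
    {"name": "mgmt", "properties": {}}]

if __name__ == "__main__":
    print(audit(SUBNETS, POLICIES))
```

An empty findings list for a subnet means every allowed resource in its attached policies is an individual storage account.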