Confused about networking around some Azure Saas/Paas services?

Some of the Azure services like Azure storage account (blob, fileshare etc.), Azure Keyvault, Azure Functions Azure databases are standalone applications/services connected to Azure backbone. One could make a private network connection with the help of service endpoints or private endpoints, but that does not mean we host that service inside our VNet.

From the networking point of view, these services can be hosted in the following ways:

1. Public access, with (restricted ip addresses) or without firewall (open to all)
2. Hosted with Service endpoints - Restricted to internal network (via Azure backbone)
3. Hosted with Private endpoints - Restricted to Vnet/Subnet

It's noteworthy to understand that, these services can never be placed inside a Virtual Network like Virtual machines due to their nature of the service. I see many have a wrong understanding around this.