Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

5.2.2. Service Endpoint Policies

Service Endpoint Policies restrict which specific resources a subnet can access—even within an allowed service.

Use Case:
  • Allow access to only YOUR storage accounts, not all storage accounts
  • Prevent data exfiltration to unauthorized accounts

Configuration:
{
  "service": "Microsoft.Storage",
  "serviceResources": [
    "/subscriptions/{sub-id}/resourceGroups/{rg}/providers/Microsoft.Storage/storageAccounts/{account-name}"
  ]
}

⚠️ Exam Trap: Service Endpoint Policies currently only support Azure Storage.
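
The following is an added example, not part of the original course material and not Azure's enforcement code: a small audit helper that checks which storage accounts a policy definition in the format above would permit. It goes beyond the single-account entry shown by also handling resource-group and subscription scoped entries in serviceResources; the subscription, resource group and account names are constructed placeholders, and the segment-wise matching is an assumed model of how scopes apply.

```python
import json

# Constructed sample policy definition in the page's format (IDs are placeholders).
POLICY = json.loads("""
{
  "service": "Microsoft.Storage",
  "serviceResources": [
    "/subscriptions/sub-a/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/corpdata01",
    "/subscriptions/sub-a/resourceGroups/rg-logs"
  ]
}
""")


def _segments(resource_id):
    # Azure resource IDs are case-insensitive; compare lowercased path segments.
    return [s.lower() for s in resource_id.strip("/").split("/")]


def is_allowed(policy, account_id):
    """True if account_id equals, or sits under, an entry in serviceResources."""
    target = _segments(account_id)
    for scope in policy["serviceResources"]:
        parts = _segments(scope)
        # Segment-wise prefix match, so "rg-logs" does not also cover "rg-logs-old".
        if target[:len(parts)] == parts:
            return True
    return False


def broad_scopes(policy):
    """Entries wider than a single storage account (subscription or resource group)."""
    return [s for s in policy["serviceResources"]
            if "storageaccounts" not in _segments(s)]


if __name__ == "__main__":
    base = "/subscriptions/sub-a/resourceGroups/"
    suffix = "/providers/Microsoft.Storage/storageAccounts/"
    for acct in (base + "rg-data" + suffix + "corpdata01",
                 base + "rg-logs-old" + suffix + "archive01",
                 "/subscriptions/sub-x/resourceGroups/rg-x" + suffix + "external01"):
        print("ALLOW" if is_allowed(POLICY, acct) else "DENY ", acct)
    print("Review:", broad_scopes(POLICY))
```

Entries returned by `broad_scopes` are worth reviewing, since any storage account later created under that scope becomes reachable from the subnet.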

Written by Alvin Varughese
Founder, 15 professional certifications