I have a very specific question and hope to get some answers.
Below is my situation:
- I have three VNETs.
- VNET1: Has a storage account with public access disabled (blob anonymous access disabled). The same VNET has a VM.
- VNET2: Has a VM, and VNET1 and VNET2 are peered.
- VNET3: Has one VM
Question: When I do nslookup from the VM in VNET1 I get a private IP address (which is expected). When I do nslookup from the VM in VNET2 I get a public IP address (which is also expected as per the response I got from another post, Azure VNet peering with Private Link). The solution I got is to add a VNET link in the Private DNS zone.
The real question I have is: why am I able to perform all operations (upload blob/create container) from the VM in VNET2 even after getting a public IP address from nslookup for the storage account?
I also created a diagram of my topology.
Below is my network config for the storage account:

Update: Adding updated diagram with all resources in resource group.


As per MsDoc:
This means that if you previously granted access to a storage account from trusted services, such as Azure services or specific virtual networks and IP addresses, and then later disabled public network access to the storage account, the trusted services and virtual networks the previous configurations for trusted services might still be in effect.
In your case, it seems that the trusted services were granted access to the storage account from VNET2 before you disabled public network access to the storage account. This is why you were still able to access the storage account from VNET2 even though public network access was disabled.
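
One way to check which storage-account setting is in play for a VM that resolves the public IP, as an added example (not code from the original post or from Microsoft): it reads JSON in the shape that `az storage account show` prints and lists the settings that govern the public endpoint. The sample account, subscription ID and subnet path are constructed placeholders, and `public_endpoint_findings` is a hypothetical helper name.

```python
import json

# Constructed sample in the shape of `az storage account show` output;
# the account name, subscription ID and subnet path are placeholders.
SAMPLE = json.loads("""
{
  "name": "examplestorage",
  "allowBlobPublicAccess": false,
  "publicNetworkAccess": "Enabled",
  "networkRuleSet": {
    "bypass": "AzureServices",
    "defaultAction": "Deny",
    "ipRules": [],
    "virtualNetworkRules": [
      {"virtualNetworkResourceId": "/subscriptions/0000/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/VNET2/subnets/default"}
    ]
  }
}
""")


def public_endpoint_findings(account, subnet_id):
    """List the settings that decide whether subnet_id reaches the public endpoint."""
    findings = []
    rules = account.get("networkRuleSet") or {}
    # Anonymous blob access is an authorization setting, not a network control.
    if account.get("allowBlobPublicAccess") is False:
        findings.append("anonymous blob access disabled (no effect on network reachability)")
    pna = account.get("publicNetworkAccess") or "Enabled"  # null on older accounts
    if pna == "Disabled":
        findings.append("publicNetworkAccess=Disabled; rules listed below are earlier configuration")
    elif rules.get("defaultAction", "Allow") == "Allow":
        findings.append("defaultAction=Allow: public endpoint open to all networks")
    # A virtual network rule admits a subnet over the public endpoint,
    # so clients there still resolve the account to a public IP.
    for rule in rules.get("virtualNetworkRules") or []:
        if rule.get("virtualNetworkResourceId", "").lower() == subnet_id.lower():
            findings.append("virtual network rule present for this subnet")
    for rule in rules.get("ipRules") or []:
        findings.append("IP rule: " + rule.get("ipAddressOrRange", "?"))
    if rules.get("bypass", "None") != "None":
        findings.append("bypass=" + rules["bypass"])
    return findings


if __name__ == "__main__":
    vm_subnet = SAMPLE["networkRuleSet"]["virtualNetworkRules"][0]["virtualNetworkResourceId"]
    for line in public_endpoint_findings(SAMPLE, vm_subnet):
        print("-", line)
```

To run it against a real account, replace `SAMPLE` with the parsed output of `az storage account show` and pass the resource ID of the VM's subnet.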