Allow internal access to a storage account in any region from any Microsoft.Storage service endpoint without needing public internet access
Currently Microsoft has confirmed to me that it is only possible to access storage accounts hosted in a specific location from an Azure VM via the Microsoft.Storage service endpoint without internet access if the VM is located in either the primary or secondary (backup replication site) storage account location.
For example, if I create a blob container in US East 2 (secondary replication location: Central US) I will be able to access a blob (ex. https://someblobname.blob.core.windows.net/somefolder/someblob.txt) from a US East 2 or Central US VM via the storage service endpoint attached to the VM's VNet. However, I will not be able to access the blob from a VM in any other location, like UK South, which also has the storage service endpoint attached to its VNet without public internet access. If I try, I get a 404 response.
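A small audit of the rule described above, added here as an example that is not part of the original post: given `az`-style JSON for storage accounts and subnets (constructed sample data, not real resources; real subnet keys are full ARM resource ids), it flags VNet rules whose subnet sits outside the account's primary/secondary pair, which is the case that fails without public internet access, and lists the regions where a replica storage account would be needed as a workaround.

```python
# Added example, not from the original post. Models the rule the post describes:
# a VM reaches a storage account over the Microsoft.Storage service endpoint only
# from the account's primary or secondary region. Sample data is constructed.

SUBNETS = {  # constructed; real keys are full ARM subnet resource ids
    "/subnets/app-eastus2": {"location": "eastus2", "serviceEndpoints": ["Microsoft.Storage"]},
    "/subnets/app-centralus": {"location": "centralus", "serviceEndpoints": ["Microsoft.Storage"]},
    "/subnets/app-uksouth": {"location": "uksouth", "serviceEndpoints": ["Microsoft.Storage"]},
    "/subnets/db-uksouth": {"location": "uksouth", "serviceEndpoints": []},
}

STORAGE_ACCOUNTS = [  # constructed: one GRS account, eastus2 paired with centralus
    {
        "name": "someblobname",
        "primaryLocation": "eastus2",
        "secondaryLocation": "centralus",
        "networkRuleSet": {
            "virtualNetworkRules": [
                {"virtualNetworkResourceId": "/subnets/app-eastus2"},
                {"virtualNetworkResourceId": "/subnets/app-uksouth"},
                {"virtualNetworkResourceId": "/subnets/db-uksouth"},
            ],
        },
    }
]

def endpoint_regions(account):
    """Regions from which the service endpoint path works (LRS has no secondary)."""
    return {r for r in (account["primaryLocation"], account.get("secondaryLocation")) if r}

def audit(accounts, subnets):
    """Classify each VNet rule: 'ok', 'no-endpoint', or 'cross-region' (fails without public egress)."""
    findings = []
    for acct in accounts:
        for rule in acct["networkRuleSet"]["virtualNetworkRules"]:
            sid = rule["virtualNetworkResourceId"]
            sn = subnets[sid]
            if "Microsoft.Storage" not in sn.get("serviceEndpoints", []):
                status = "no-endpoint"  # subnet never registered the endpoint
            elif sn["location"] in endpoint_regions(acct):
                status = "ok"
            else:
                status = "cross-region"  # rule exists but the endpoint path will not reach
            findings.append((acct["name"], sid, status))
    return findings

def replica_regions_needed(accounts, subnets):
    """Regions where the post's workaround (a replica storage account) would be needed."""
    return sorted({subnets[sid]["location"]
                   for _, sid, status in audit(accounts, subnets) if status == "cross-region"})
```

Feed it the real `networkRuleSet` and subnet objects from `az storage account show` and `az network vnet subnet show` to find cross-region rules before a deployment relies on them.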
Granting public internet access to VMs adds unnecessary risk and exposure just to reach an internal blob container in a different location and should be avoided at all costs. For my subscription I do not even enable public IP assignment to new VMs.
Microsoft should focus on making internal Azure services fully accessible from any Azure location without requiring public internet access for customers with very sensitive applications that are not internet-facing.
Without this capability I would have to manually replicate blobs to storage accounts in other regions which creates file fragmentation and carries a lot of overhead.
Not having this feature forces me to have storage in the same region as the VM without public internet access. Having this feature will save us from replicating storage accounts and will not force us to expose the VM to internet traffic.