The 403 error when accessing Table storage through the private endpoint because Azure requires separate private endpoints for each service(Blob, File, Table, Queue, etc.) within the same storage account.
This happens because Blob, File, Table, Queue each have their own subdomain in Azure (*.blob.core.windows.net, *.file.core.windows.net, etc.).
Private endpoints are tied to these subdomains individually.
When private access is needed, each subdomain must have its own private endpoint.
Even though they’re under the same storage account, each of these services uses a separate DNS endpoint and requires its own private endpoint for private access.
For Table storage, the endpoint is :
<your-storage-account-name>.table.core.windows.net
In the Azure portal or via the CLI, create a new private endpoint and specify the Table service.
Verify that the DNS name (<your-storage-account-name>.table.core.windows.net) resolves to the private IP address of your new Table private endpoint. If you’re using Azure DNS Private Zones, make sure it includes an entry for this FQDN.
For example, you can verify with:
nslookup <your-storage-account-name>.table.core.windows.net
If it doesn’t resolve to the private IP, update your DNS configuration (such as the private DNS zone link to your VNet).
Once the new private endpoint is in place and DNS resolves correctly, try accessing your Table storage again through your VPN/virtual network. It should now work without requiring public access.
References:
blob,file,table,queue,webanddata lakehave their own endpoints. Also, is DNS correctly configured - i.e. if you try to resolve yourstorageaccountname.table.core.windows.netFQDN to an IP what happens; do you see the public or private IP? Issues here could mean missing records, or misconfiguraiton with DNS VNet integration, DNS conditional forwarders, or similar.