I'm setting up a Storage Account so I can Dynamically create and use a persistent volume with Azure Files in Azure Kubernetes Service (AKS). Doing this to:

1. Have a PV and PVC for the database
2. A place to store the application files

AKS does create a storage account in the MC_<resource-group>_<aks-name>_<region> resource group that is automatically created. However, that storage account is destroyed if the node size/VM is changed (not node count), so it shouldn't be used since you'll lose your files and database if you need a node size/VM with more resources.

This documentation, nor any other I've really come across, says what the best practice is for the Connectivity method:

• Public endpoint (all networks)
• Public endpoint (selected networks)
• Private endpoint

The first option sounds like a bad idea.

The second option allows me to select a virtual network, and there are two choices:

1. MC_<resource-group>_<aks-name>_<region>... again, doesn't seem like a good idea because if the node size/VM is changed, the connection will be broke.
2. aks-vnet-<number>... not sure what this is, but looks like it is part of the previous resource group so will also be destroyed in the previously mentioned scenario.

The third option contains a number of options some of which are included the second option.

So how should I securely set this up for AKS to share files with the application and persist database files?

EDIT

Looking at the both the "Firewalls and virtual networks" and "Private endpoint connections" for the storage account that comes with the AKS node, it looks like it is just setup for "All networks"... so maybe having that were my actual PV and PVC will be stored isn't such an issue...? Could use some clarity on the topic.