diff --git a/src/deploy-cromwell-on-azure/Deployer.cs b/src/deploy-cromwell-on-azure/Deployer.cs
index fbe535446..83639de96 100644
--- a/src/deploy-cromwell-on-azure/Deployer.cs
+++ b/src/deploy-cromwell-on-azure/Deployer.cs
@@ -1293,8 +1293,6 @@ private Task AssignVmAsContributorToAppInsightsAsync(IIdentity managedIdentity,
 vnetDefinition = vnetDefinition.DefineSubnet(configuration.BatchSubnetName)
 .WithAddressPrefix(configuration.BatchNodesSubnetAddressSpace)
- .WithAccessFromService(ServiceEndpointType.MicrosoftStorage)
- .WithAccessFromService(ServiceEndpointType.MicrosoftSql)
 .Attach();
 var vnet = await vnetDefinition.CreateAsync();
@@ -1303,10 +1301,7 @@ private Task AssignVmAsContributorToAppInsightsAsync(IIdentity managedIdentity,
 // Use the new ResourceManager sdk to add the ACR service endpoint since it is absent from the fluent sdk.
 var armBatchSubnet = (await armClient.GetSubnetResource(new ResourceIdentifier(batchSubnet.Inner.Id)).GetAsync()).Value;
- armBatchSubnet.Data.ServiceEndpoints.Add(new ServiceEndpointProperties()
- {
- Service = "Microsoft.ContainerRegistry",
- });
+ AddServiceEndpointsToSubnet(armBatchSubnet.Data);
 await armBatchSubnet.UpdateAsync(Azure.WaitUntil.Completed, armBatchSubnet.Data);
@@ -1825,20 +1820,7 @@ private Task UpdateVnetWithBatchSubnet()
 AddressPrefix = configuration.BatchNodesSubnetAddressSpace,
 };
- batchSubnet.ServiceEndpoints.Add(new ServiceEndpointProperties()
- {
- Service = "Microsoft.Storage",
- });
-
- batchSubnet.ServiceEndpoints.Add(new ServiceEndpointProperties()
- {
- Service = "Microsoft.Sql",
- });
-
- batchSubnet.ServiceEndpoints.Add(new ServiceEndpointProperties()
- {
- Service = "Microsoft.ContainerRegistry",
- });
+ AddServiceEndpointsToSubnet(batchSubnet);
 vnetData.Subnets.Add(batchSubnet);
 var updatedVnet = (await vnetCollection.CreateOrUpdateAsync(Azure.WaitUntil.Completed, vnetData.Name, vnetData)).Value;
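Review bot: The comment kept above `AddServiceEndpointsToSubnet(armBatchSubnet.Data);` in the second hunk still says this step adds only the ACR endpoint, while the helper now adds Storage, SQL, Container Registry and Key Vault endpoints in the same update. Reword it, for example `// Service endpoints are added through the ResourceManager sdk because the fluent sdk lacks Microsoft.ContainerRegistry.` With the fluent `WithAccessFromService` calls removed in the first hunk, the subnet appears to carry no service endpoints between `CreateAsync` and this `UpdateAsync`, as far as the visible lines show, so a failure here would leave it without them; a short comment saying so would help whoever handles a partial deployment. The enclosing method starts and ends outside the hunk.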
@@ -1846,6 +1828,29 @@ private Task UpdateVnetWithBatchSubnet()
 return (await updatedVnet.GetSubnetAsync(configuration.DefaultBatchSubnetName)).Value.Id.ToString();
 });
+ private void AddServiceEndpointsToSubnet(SubnetData subnet)
+ {
+ subnet.ServiceEndpoints.Add(new ServiceEndpointProperties()
+ {
+ Service = "Microsoft.Storage.Global",
+ });
+
+ subnet.ServiceEndpoints.Add(new ServiceEndpointProperties()
+ {
+ Service = "Microsoft.Sql",
+ });
+
+ subnet.ServiceEndpoints.Add(new ServiceEndpointProperties()
+ {
+ Service = "Microsoft.ContainerRegistry",
+ });
+
+ subnet.ServiceEndpoints.Add(new ServiceEndpointProperties()
+ {
+ Service = "Microsoft.KeyVault",
+ });
+ }
+
 private async Task ValidateVmAsync()
 {
 var computeSkus = (await generalRetryPolicy.ExecuteAsync(() =>
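Review bot: `AddServiceEndpointsToSubnet` appends its four entries unconditionally, and one caller passes `armBatchSubnet.Data` read back from Azure, so any endpoint already on that subnet would be submitted twice; I would skip services that are already listed. The method reads no instance state and could be `static`, with the service names held in one array so the set of services the Batch subnet can reach is auditable in one place. It also needs a doc comment stating that the move from `Microsoft.Storage` to `Microsoft.Storage.Global` (the cross-region storage endpoint) is intentional, and that an endpoint restricts nothing until the target resource's firewall lists this subnet; whether the deployer sets those rules is not visible in this diff. The rewritten helper is below.

```csharp
// Service endpoints enabled on the Batch subnet. An endpoint alone restricts nothing:
// each target resource's firewall must still list this subnet.
private static readonly string[] BatchSubnetServiceEndpoints =
{
    "Microsoft.Storage.Global",
    "Microsoft.Sql",
    "Microsoft.ContainerRegistry",
    "Microsoft.KeyVault",
};

private static void AddServiceEndpointsToSubnet(SubnetData subnet)
{
    foreach (var service in BatchSubnetServiceEndpoints)
    {
        // Skip entries already present so a pre-populated subnet is not sent duplicates.
        if (!subnet.ServiceEndpoints.Any(e => string.Equals(e.Service, service, StringComparison.OrdinalIgnoreCase)))
        {
            subnet.ServiceEndpoints.Add(new ServiceEndpointProperties() { Service = service });
        }
    }
}
```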