Subnet NSG rules not applied to Private Link

VasilisK 66 Reputation points
2022-02-08T12:28:28.453+00:00

Hello,

Having created an SQL database, I wanted to add the option to connect to it using a Private IP.
So, I created a Private Endpoint and assigned it to the SQL Server.
So far so good.

    I have to restrict the internal connections so that not all of the internal services and instances are able to connect to that DB.
    As I have placed the Private Endpoint's interface in a specific subnet, I thought that creating a Network Security Group and assigning that subnet to it would be a good idea.
    So, I created the rules, but I notice that they have no effect.
    I even set a Deny All rule for Inbound traffic and I am still able to connect internally.

The last thing I tried was to enable the private endpoint network policies for that subnet, as they seem to be disabled.
I used this documentation: https://learn.microsoft.com/en-us/azure/private-link/disable-private-endpoint-network-policy#enable-network-policy-1

The outcome is: "Private endpoint network policies cannot be enabled on private endpoint subnet......."

Does anyone have an idea on this?

Thank you in advance!

Tags: Azure SQL Database, Azure Virtual Network, Azure Private Link

Accepted answer
  1. GitaraniSharma-MSFT 47,086 Reputation points Microsoft Employee
    2022-02-08T13:29:15.883+00:00

    Hello @VasilisK ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    Earlier, NSGs were not supported on private endpoints, but they are now supported and in public preview.
    Refer to: https://azure.microsoft.com/en-us/updates/public-preview-of-private-link-network-security-group-support/

    Private Endpoint support for Network Security Groups (NSGs) feature will provide you with the ability to enable advanced security controls on traffic destined to a private endpoint. In order to leverage this feature, you will need to set a specific subnet level property, called PrivateEndpointNetworkPolicies, to Enabled. In addition to toggling this property, you will need to also register for the Microsoft.Network/AllowPrivateEndpointNSG feature (note that registration time may take up to 15mins).

    At this time, Private Link NSG Support is only available in the following regions:
    UsEast2Euap, UsCentralEuap, WestCentralUS, WestUS, WestUS2, EastUS, EastUS2, Asiaeast, Australiaeast, Japaneast, Canadacentral, Europenorth, Koreacentral, Brazilsouth, Uksouth, US South, US North, France Central

    Managing Private Endpoint Network Policies:
    Managing network policies for private endpoints - Azure Private Link | Microsoft Learn

    Registering for the feature:
    CLI - az feature | Microsoft Learn
    Command: az feature register --namespace Microsoft.Network --name AllowPrivateEndpointNSG
    PowerShell - Register-AzProviderFeature (Az.Resources) | Microsoft Learn
    Command: Register-AzProviderFeature -FeatureName AllowPrivateEndpointNSG -ProviderNamespace Microsoft.Network

    After enabling PrivateEndpointNetworkPolicies and registering for the Microsoft.Network/AllowPrivateEndpointNSG feature, you will be able to apply an NSG to your private endpoints and it will work as applied.

    Kindly let us know if the above helps or you need further assistance on this issue.

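The steps in the accepted answer (register the feature, wait for registration, enable PrivateEndpointNetworkPolicies on the subnet, then attach an NSG) as one added Az PowerShell script; this is example code, not from the answer or from Microsoft. The resource group, VNet, subnet, NSG name and the 10.0.1.0/24 application subnet are assumed placeholders.

```powershell
# Added example (assumed names): rg-sql, vnet-hub, snet-privateendpoints, nsg-privateendpoints.
$rgName     = "rg-sql"
$vnetName   = "vnet-hub"
$subnetName = "snet-privateendpoints"
$nsgName    = "nsg-privateendpoints"
$appSubnet  = "10.0.1.0/24"   # assumed: the only subnet allowed to reach the SQL private endpoint

# 1. Register the preview feature and poll until it reports Registered (the answer notes up to ~15 min).
Register-AzProviderFeature -FeatureName AllowPrivateEndpointNSG -ProviderNamespace Microsoft.Network | Out-Null
do {
    Start-Sleep -Seconds 30
    $state = (Get-AzProviderFeature -FeatureName AllowPrivateEndpointNSG -ProviderNamespace Microsoft.Network).RegistrationState
    Write-Host "AllowPrivateEndpointNSG registration state: $state"
} while ($state -ne "Registered")
# Re-register the provider so the newly registered feature is picked up.
Register-AzResourceProvider -ProviderNamespace Microsoft.Network | Out-Null

# 2. Build the NSG: allow only the app subnet to TCP/1433, explicitly deny everything else inbound.
$vnet   = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rgName
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet
$nsg = New-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rgName -Location $vnet.Location
$nsg | Add-AzNetworkSecurityRuleConfig -Name "Allow-AppSubnet-SQL" -Priority 100 -Direction Inbound `
    -Access Allow -Protocol Tcp -SourceAddressPrefix $appSubnet -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange 1433 | Out-Null
$nsg | Add-AzNetworkSecurityRuleConfig -Name "Deny-All-Inbound" -Priority 4000 -Direction Inbound `
    -Access Deny -Protocol "*" -SourceAddressPrefix "*" -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange "*" | Out-Null
$nsg | Set-AzNetworkSecurityGroup | Out-Null

# 3. Enable private endpoint network policies on the subnet and attach the NSG in the same update.
#    Without the Enabled flag the NSG is silently ignored for private endpoint traffic, which is the
#    symptom described in the question.
Set-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet `
    -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg `
    -PrivateEndpointNetworkPoliciesFlag Enabled | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# 4. Verify: the subnet should now report Enabled and reference the NSG.
$check = (Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rgName).Subnets | Where-Object Name -eq $subnetName
Write-Host "PrivateEndpointNetworkPolicies: $($check.PrivateEndpointNetworkPolicies)  NSG: $($check.NetworkSecurityGroup.Id)"
```

Run this only in one of the regions listed in the answer; elsewhere the subnet update is rejected with the same error the question quotes.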

1 additional answer

  1. Ace 1 Reputation point
    2022-02-25T13:24:54.767+00:00

    Hi,

    Is there a date for the support for the other regions? Specifically asking for West EU. Thanks.