Can't create private endpoint because of subnet delegation

Najam ul Saqib 100 Reputation points
2024-02-09T17:44:12.54+00:00

Hi, I am facing difficulties disallowing public access to my storage account. This account is being accessed by function apps, web apps, and web APIs. What I have tried so far is that I integrated the web app with the VNet I created, and also configured the storage account's networking settings to only accept traffic through this VNet. Then I went on to create a private endpoint, but it said that this subnet has a delegation, so it can't create a private endpoint in it. Deleting the delegation means I need to remove the VNet integration with the web app, as mentioned in: https://learn.microsoft.com/en-us/answers/questions/809744/unable-to-delete-the-delegation-from-subnet

So I am confused about how to achieve this goal: how can I integrate all these services together in a VNet with the storage account? I tried creating a VM in this VNet as well so that I can test access to the storage account from the VNet, but it seems I can't do so in the same subnet, again because it has a delegation.


Accepted answer
    Anand Prakash Yadav 6,705 Reputation points Microsoft Vendor
    2024-02-12T09:05:47.3566667+00:00

    Hello Najam ul Saqib,

    Thank you for posting your query here!

    You cannot use a ‘Subnet Delegation’ along with a ‘Private endpoint’, since that subnet is delegated to the said service. Through a subnet delegation, you can define the NSG association for it, as well as associate multiple delegated subnets with a common NSG. You can also define the IP address space for the delegated subnet, the route table association with it, and the custom DNS entry configuration in Azure DNS, as well as define the minimum number of IP addresses available for that delegated subnet. Similarly, with regard to service endpoints, these stated functions are not available.

    With a service endpoint, you do not have control over the routing mechanism or the IP address related allotment, reservation, or configuration. Also, managing DNS entries for the resources managed through them and controlling them through a firewall or NAT gateway isn’t required, unlike with a subnet delegation, because all these things are managed by Microsoft Azure’s backbone network on your behalf.

    Thus, both have their own features and specifications for enabling you to configure according to your own requirements.

    You can only deploy another subnet in your VNet and create your private link there, because a subnet with an existing delegation to an Azure service cannot be used for private links.

    Default routing and NSGs allow communication within the same VNet.

    Additional information:

    https://learn.microsoft.com/en-us/azure/virtual-network/manage-subnet-delegation?tabs=manage-subnet-delegation-portal

    https://learn.microsoft.com/en-us/azure/virtual-network/subnet-delegation-overview

    Please let us know if you have any further queries. I’m happy to assist you further.

    Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    1 person found this answer helpful.
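The layout the accepted answer describes, as an added Bicep example that is not part of the original thread or of Microsoft's documentation: one subnet delegated to Microsoft.Web/serverFarms for App Service and Function App VNet integration, a second subnet with no delegation that hosts the storage account's blob private endpoint, the storage account itself locked to private access only, and the private DNS zone that makes the blob hostname resolve to the endpoint's private IP from inside the VNet. The VNet, subnet and storage account names, the address ranges and the resource API versions are assumptions; deploy with `az deployment group create --resource-group <rg> --template-file main.bicep`.

```bicep
// Added example, not from the Q&A thread. Names, address ranges and API versions are assumptions.
param location string = resourceGroup().location
param vnetName string = 'vnet-apps'                                   // assumed name
param storageName string = 'st${uniqueString(resourceGroup().id)}'   // assumed name, 3-24 lowercase alnum

resource vnet 'Microsoft.Network/virtualNetworks@2023-09-01' = {
  name: vnetName
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
  }
}

// Subnet for App Service / Function App regional VNet integration.
// The delegation below is exactly what prevents a private endpoint from being placed here.
resource integrationSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-09-01' = {
  parent: vnet
  name: 'snet-appsvc-integration'
  properties: {
    addressPrefix: '10.10.1.0/24'
    delegations: [
      {
        name: 'delegation-serverfarms'
        properties: { serviceName: 'Microsoft.Web/serverFarms' }
      }
    ]
  }
}

// Second subnet with no delegation: this is where the private endpoint lives.
resource peSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-09-01' = {
  parent: vnet
  name: 'snet-private-endpoints'
  properties: {
    addressPrefix: '10.10.2.0/24'
  }
  dependsOn: [ integrationSubnet ] // serialise subnet writes; parallel subnet updates on one VNet can conflict
}

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageName
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    // No public access at all: traffic must arrive through the private endpoint.
    publicNetworkAccess: 'Disabled'
    networkAcls: { defaultAction: 'Deny', bypass: 'None' }
    allowBlobPublicAccess: false
    minimumTlsVersion: 'TLS1_2'
  }
}

// Private endpoint for the blob sub-resource, placed in the non-delegated subnet.
resource blobPrivateEndpoint 'Microsoft.Network/privateEndpoints@2023-09-01' = {
  name: 'pe-${storageName}-blob'
  location: location
  properties: {
    subnet: { id: peSubnet.id }
    privateLinkServiceConnections: [
      {
        name: 'blob'
        properties: {
          privateLinkServiceId: storage.id
          groupIds: [ 'blob' ]
        }
      }
    ]
  }
}

// Private DNS zone so <account>.blob.core.windows.net resolves to the endpoint's private IP
// for anything that uses this VNet's DNS (the integrated web app included).
resource blobDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.blob.${environment().suffixes.storage}'
  location: 'global'
}

resource blobDnsZoneLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: blobDnsZone
  name: '${vnetName}-link'
  location: 'global'
  properties: {
    registrationEnabled: false
    virtualNetwork: { id: vnet.id }
  }
}

resource blobDnsZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-09-01' = {
  parent: blobPrivateEndpoint
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'blob'
        properties: { privateDnsZoneId: blobDnsZone.id }
      }
    ]
  }
}

// Handy for checking the result: the private IP the blob hostname should now resolve to inside the VNet.
output blobPrivateIp string = blobPrivateEndpoint.properties.customDnsConfigs[0].ipAddresses[0]
```

The web app or function app is then integrated by pointing its `virtualNetworkSubnetId` at the delegated integration subnet; since both subnets are in one VNet, default routing and the default NSG rules let the app reach the endpoint's private IP, which is the point the answer makes. A Function App that uses this account as its host storage also needs private endpoints for the file, queue and table sub-resources (repeat the endpoint and DNS zone pattern with those group IDs and the matching `privatelink.file`, `privatelink.queue` and `privatelink.table` zones). To verify the lockdown from the VM the question mentions, place it in the non-delegated subnet and check that `nslookup <account>.blob.core.windows.net` returns the 10.10.2.x address while the same lookup from outside the VNet resolves only to a public address that the account now rejects.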
