Is it possible to route to a private endpoint to private link service fronting security appliances

Zoltan Kovacs 20 Reputation points

Hi everyone - I searched around the various documents and even googled this without any clear answers. If I missed it then apologies :) Long story short I am trying to understand if what I am trying to do is technically possible. I might be trying to do something the services aren't intended for.

I have a VNET with several security appliances (proxy/firewall) per Region with an Azure standard LB.

I have numerous workload VNETs with overlapping CIDRs so cannot peer them to the security VNET. I found the Azure Private Link Service with Private Endpoints to be very similar to the AWS Gateway Load Balancer with VPC Endpoints. However with AWS I can configure my workload VPCs to route ( to the VPC Endpoint which then goes to my security appliances in the security VPC.

I have Azure Private Link Service connected to my Azure Load Balancer that has a backend pool of my appliances. So far so good.

I then create/connect a Private Endpoint in my workload VNETs to the Private Link Service. Those all show up connected, so far so good. For example the private endpoint IP is

In effective routes I see the private endpoint shows up. My security appliances have a "health check" running on a web port and if I try to curl it from a workload in the workload VNET its successful. So far so good.

Now, like in AWS, I want to use the endpoint as a next hop for my default route I create this UDR with next hop I then try to curl some internet resource like or and it doesn't work. I verify in the private resolver metrics that no data in/out. I also enabled private network policy options for routing in the workload subnets that have the endpoints and no change. <-- this my problem. Is this supposed to work and I'm doing something wrong or does Azure NOT support using an endpoint as a next hop in routes by design?

High level diagram below:

User's image

Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,129 questions
0 comments No comments
{count} votes

Accepted answer
  1. KapilAnanth-MSFT 34,606 Reputation points Microsoft Employee

    @Zoltan Kovacs ,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I understand that you would like to know if the nextHop IP of a UDR can be a Private EndPoint or not.

    From the UDR Document, I see ,

    A next hop private IP address must have direct connectivity without having to route through ExpressRoute Gateway or Virtual WAN. Setting the next hop to an IP address without direct connectivity results in an invalid user-defined routing configuration.

    I see there are no specific points about using Private EndPoint as the nextHop of a UDR.

    I shall check internally and update this thread shortly.



0 additional answers

Sort by: Most helpful