Azure Private Link
An Azure service that provides private connectivity from a virtual network to Azure platform as a service, customer-owned, or Microsoft partner services.
460 questions
Private Link UDR Support
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(275.2, 76%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAV%3C/text%3E%3C/svg%3E)
André van der Goes
1
Reputation point
I have two questions related to the subject of 'Private Link UDR Support'.
The first and perhaps most important one: Is this currently still in Public Preview or has it been upgraded to GA? Because all the documentation still states it is in Public Preview. However, if I create a private endpoint through the portal this is no longer disabling the 'privateEndpointNetworkPolicies' but as default leaves it enabled. To be clear, this is in subscriptions where the feature 'Microsoft.Network/AllowPrivateEndpointNSG' is not registered.
It is also possible to deploy private endpoints through bicep/ARM templates without disabling this policy (Unless my memory deceives me, before you had to disable the policy or the deployment would fail).
The documentation states that because the feature is in preview, this is not covered by SLA. But if that is the case it should not be enabled by default?
https://learn.microsoft.com/en-us/azure/private-link/disable-private-endpoint-network-policy
The second question is for clarification on how the UDRs work in combination with private endpoints. What I can find in the documentation is that pep still do not follow UDR and the preview just relates to routes to the PEP (overriding the interfaceEnpoint routes).
However, when testing this out with 'privateEndpointNetworkPolicies' enabled (still without registering the preview feature!) I have created a test hub/spoke network with the following components:
- 'Onprem': Connected to the hub vnet via a virtual network gateway. Containing a vm for testing access to private endpoints
- 'Hub': hub vnet with a linux VM acting as router and a virtual network gateway. The GatewaySubnet has routes for the spoke address ranges pointing to the firewall
- 'Spoke1' containing a storage account and keyvault connected to a subnet via private endpoint
- 'Spoke2' containing a vm for testing access to private endpoints
- Both spokes have a route table sending 0.0.0.0/0 to the router in the hub
All of this works as expected, on the router I see traffic:
- Bidirectional from onprem to both Spoke1 peps
- Bidirectional from spoke2 to both Spoke1 peps
Also, if I add a vm to spoke1 (where the peps are) in another subnet and create a separate routetable for each subnet to:
- Send traffic for the (local) VNet address range to the router in the hub
- Except for it's own subnet (going to 'VirtualNetwork')
Example: traffic from Spoke1 vm subnet to Spoke1 key vault pep subnet as seen by router:
This also behaves as expected, meaning that I see bidirectional traffic from Spoke1-vm to Spoke1-pep (in different subnets) go over the router in the hub.
The only scenario where it does not quite work is when I add a vm into a different subnet in the hub and set a routetable to force traffic over the firewall:
- Storage account pep: This actually does work and you see bidirectional traffic go over the router
- Key vault pep: In this scenario you can see assymetric routing happening, as I see traffic from the vm to the pep on the router, but no return traffic (this also appears to not arrive at the vm either)
Traffic from hub vm to Spoke1 kv pep:
This is the only scenario, seemingly, where snat would be required. But in my case this is not an issue as the hub contains nothing more than network related resources (router/fw, vpn, bastion) and all other resources are in spokes.
I have found some third party articles about how it appears to work (though they also contradict each other and what I found in testing), but I cannot find clear documentation from Microsoft on how exactly routing in this scenario works.
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 59%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
ChaitanyaNaykodi-MSFT 22,216 Reputation points Microsoft Employee2022-06-20T21:27:26.183+00:00 Hello @André van der Goes , Thank you for reaching out.
I am reaching out to the team internally regarding this issue, I will share an update as soon as I get a response. Thank you! -
André van der Goes 1 Reputation point
2022-08-02T05:33:27.857+00:00 I would still like formal confirmation of how this works, rather than having to experiment and test everything out. There are a lot of variables and it seems the results are kind of hard to predict. For instance, let's take this scenario:
In this scenario the goal would be to:
- send default traffic the router
- send Vnet traffic to the router
- except when traffic is within the subnet the route table is applied to
This does not work however. When 'privateEndpointNetworkPolicies' are enabled any route matching the private endpoint ip (sort of...) will overwrite its system route. In theory this is fine, because we send it to 'Virtual Network' in stead. Sadly this does not work which means that resources in this subnet will not be able to access private endpoints in the same subnet. Why would 'virtual network' not work in this case and how are we supposed to make sense of this without proper documentation on the subject? Especially considering results can be different depending on the kind of endpoint (storage behaves different in some scenarios...)
Sign in to comment