Private Endpoint Network Policy usage

James Tighe 51 Reputation points


I am hoping someone can clarify the use of Private Endpoints with Private Endpoint Network Policy. The documentation on this feature is incredibly lacking.

I have tested in my lab and cannot seem to get it working.

If I have a private endpoint in my subnet for my Storage Account. I can set an NSG rule to block access to the Private Endpoint IP. This works regardless of whether the PE Network Policy is enabled or not.

It's stated that by standard, NSG rules won't apply to Private Endpoint resources.

It's incredibly unclear how you control access to Private Endpoint resources using NSGs/ASGs. If I can set explicit rules for the PE IPs and these work why do I need PE Network Policy?

I tried using an Application Group to control the access but this doesn't work whether PE Network Policy is enabled or not.

Priority: 120
Name: Deny-PE
Source Port: Any
Source Protocol: Any
Source Address: (the subnet with the PE in)
Destination: PrivateEndpoints (application security group containing the PE)
Direction: Outbound
Type: Deny

This rule does absolutely nothing

Is there any clear advice on how to correctly configure access to Private Endpoints with NSG, or ASG?


Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,136 questions
Azure Private Link
Azure Private Link
An Azure service that provides private connectivity from a virtual network to Azure platform as a service, customer-owned, or Microsoft partner services.
461 questions
{count} votes

1 answer

Sort by: Most helpful
  1. msrini-MSFT 9,256 Reputation points Microsoft Employee


    By default, network policies are disabled for a subnet in a virtual network. To utilize network policies like UDR and NSG support, network policy support must be enabled for the subnet. This setting is only applicable to private endpoints within the subnet. This setting affects all private endpoints within the subnet. For other resources in the subnet, access is controlled based on security rules in the network security group.

    To enable follow this doc:

    Only when you enable the Network Policy for PE, the NSG and UDR will work against PE.

    Karthik Srinivas