Private Endpoint Network Policy usage

James Tighe 51

Hi,

I am hoping someone can clarify the use of Private Endpoints with Private Endpoint Network Policy. The documentation on this feature is incredibly lacking.

I have tested in my lab and cannot seem to get it working.

If I have a private endpoint in my subnet for my Storage Account. I can set an NSG rule to block access to the Private Endpoint IP. This works regardless of whether the PE Network Policy is enabled or not.

It's stated that by standard, NSG rules won't apply to Private Endpoint resources.

It's incredibly unclear how you control access to Private Endpoint resources using NSGs/ASGs. If I can set explicit rules for the PE IPs and these work why do I need PE Network Policy?

I tried using an Application Group to control the access but this doesn't work whether PE Network Policy is enabled or not.

Priority: 120
Name: Deny-PE
Source Port: Any
Source Protocol: Any
Source Address: 10.0.1.0/24 (the subnet with the PE in)
Destination: PrivateEndpoints (application security group containing the PE)
Direction: Outbound
Type: Deny

This rule does absolutely nothing

Is there any clear advice on how to correctly configure access to Private Endpoints with NSG, or ASG?

James

KapilAnanth-MSFT 41,491 Reputation points Microsoft Employee

2022-08-19T05:26:00.58+00:00

Hi @James Tighe ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you are configuring Azure Private EndPoint policies and would require more details on it.

I see @msrini-MSFT has addressed your query, and I also note you were able to get this working :)

By default, Azure Resources cannot make outbound calls via Private EndPoint.
Hence, the majority of the use cases would require blocking of Incoming Requests only. i.e, Direction : Inbound at PE's subnet

If you look at it, this is a behavior of Private EndPoint.
Private End Point Policy, on the other hand, just enables/disables NSG and UDR support.

I shall try to check internally if we can add these points to the document.
Also, you can raise a GitHub issue for document enhancement.

Please let me know if you need further assistance on this or should there be any follow-up queries, I shall try to address them.

Cheers,
Kapil

1 answer

msrini-MSFT 9,276 Reputation points Microsoft Employee

2022-08-18T15:26:36.133+00:00

Hi,

By default, network policies are disabled for a subnet in a virtual network. To utilize network policies like UDR and NSG support, network policy support must be enabled for the subnet. This setting is only applicable to private endpoints within the subnet. This setting affects all private endpoints within the subnet. For other resources in the subnet, access is controlled based on security rules in the network security group.

To enable follow this doc: https://learn.microsoft.com/en-us/azure/private-link/disable-private-endpoint-network-policy?tabs=network-policy-portal

Only when you enable the Network Policy for PE, the NSG and UDR will work against PE.

Regards,
Karthik Srinivas
Please sign in to rate this answer.
James Tighe 51 Reputation points

2022-08-18T15:49:17.077+00:00

This is my problem the, the documentation doesn't actually explain anything it just shows how to enable/disable PE Network Policy.

The problem is how do you apply the NSGs to the endpoints?

"Only when you enable the Network Policy for PE, the NSG and UDR will work against PE." This is not true - As stated, I can just add an NSG rule to Deny access to the relevant PE IP address. This works with PE Network Policy enabled or disabled.

So NSG rule to a PE IP seems to work regardless of the setting. There is no other way to target a PE so I am unsure what that quote even means.

Can someone actually explain how it works? So what does it mean to enable it? How do you configure a rule to target a PE? As stated, using the PE's IP works fine as standard, so why do I need PE Network Policy?

It is one of the worst documented features MS have released in a while.

msrini-MSFT 9,276 Reputation points Microsoft Employee

2022-08-18T15:55:59.83+00:00

I can just add an NSG rule to Deny access to the relevant PE IP address. This works with PE Network Policy enabled or disabled. --> How are you testing it ?

From your example you are performing a Outbound deny rule. So the traffic is getting denied at source not at the PE.

When you enabled the PE network policy, when you have a source at On-Prem where you cannot deny the traffic at source using NSG, you can use the Inbound rule against PE to deny it.

Hope this make it clear.

James Tighe 51 Reputation points

2022-08-18T16:53:30.553+00:00

This rule was outbound from the subnet.

I have now tested inbound and it indeed works as it should!

The problem is the documentation (and the information when enabling PE Network Policy) it doesn't state it's referring to inbound rules which makes it very confusing.

I spent ages testing with an Outbound rule from the source subnets :(

It would be useful if the MS documentation clearly mentioned this is for inbound traffic flows only but its working nicely with my Application Security Group now so all good!

James

msrini-MSFT 9,276 Reputation points Microsoft Employee

2022-08-19T04:48:06.397+00:00

You cab raise a gitHub issue under the same doc to enhance the doc. Documentation team can pick up your request and add clarity to your questions.

GitaraniSharma-MSFT 49,401 Reputation points Microsoft Employee

2022-09-07T10:50:50.663+00:00

Hello @James Tighe ,

You can find this limitation mentioned in the Private Endpoint concept document as below:

And the link to the Private Endpoint concept doc is added in the how-to "Manage network policies for private endpoints" doc at the end in the next steps section.

If you would like to get this information added in the how-to document, please raise a GitHub issue under the same doc to enhance the doc.

Kindly let us know if the above helps or you need further assistance on this issue.

----------------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Sign in to comment

Share via

Private Endpoint Network Policy usage

1 answer