Manage network policies for private endpoints
08/10/2022
By default, network policies are disabled for a subnet in a virtual network. To apply network policies such as user-defined routes (UDRs) and network security group (NSG) rules to private endpoints, network policy support must be enabled for the subnet. The setting applies only to private endpoints, and it applies to every private endpoint in the subnet: while it is disabled, an NSG or route table associated with the subnet is not enforced for traffic to those private endpoints, even though it appears attached. Other resources in the subnet are unaffected by the setting; their access is controlled by the security rules in the network security group. Because enabling the setting starts enforcing whatever NSG rules and UDRs the subnet already has, review those rules before you enable it on a subnet with existing private endpoints.
You can enable or disable the setting from the Azure portal, Azure PowerShell, the Azure CLI, or an Azure Resource Manager template. The following examples describe how to enable and disable PrivateEndpointNetworkPolicies for a virtual network named myVNet with a default subnet of 10.1.0.0/24 hosted in a resource group named myResourceGroup.
Enable network policy
Sign in to the Azure portal.
In the search box at the top of the portal, enter Virtual network. Select Virtual networks.
Select myVNet.
In the settings of myVNet, select Subnets.
Select the default subnet.
In the properties for the default subnet, select Enabled in NETWORK POLICY FOR PRIVATE ENDPOINTS.
Select Save.
Use Get-AzVirtualNetwork, Set-AzVirtualNetworkSubnetConfig, and Set-AzVirtualNetwork to enable the policy.
# Read the virtual network that contains the subnet.
$net = @{
Name = 'myVNet'
ResourceGroupName = 'myResourceGroup'
}
$vnet = Get-AzVirtualNetwork @net
# Update the subnet configuration on the local object, then write the whole
# virtual network back to Azure.
$sub = @{
Name = 'default'
VirtualNetwork = $vnet
AddressPrefix = '10.1.0.0/24'
PrivateEndpointNetworkPoliciesFlag = 'Enabled'
}
Set-AzVirtualNetworkSubnetConfig @sub
$vnet | Set-AzVirtualNetwork
Use az network vnet subnet update to enable the policy.
az network vnet subnet update \
--disable-private-endpoint-network-policies false \
--name default \
--resource-group myResourceGroup \
--vnet-name myVNet
This section describes how to enable subnet private endpoint policies using an Azure Resource Manager template.
{
"name": "myVNet",
"type": "Microsoft.Network/virtualNetworks",
"apiVersion": "2019-04-01",
"location": "WestUS",
"properties": {
"addressSpace": {
"addressPrefixes": [
"10.1.0.0/16"
]
},
"subnets": [
{
"name": "default",
"properties": {
"addressPrefix": "10.1.0.0/24",
"privateEndpointNetworkPolicies": "Enabled"
}
}
]
}
}
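The portal, PowerShell, CLI and template steps above change one known subnet. Before doing that at scale it is worth knowing which subnets actually need it. The script below is an added example, not code from the original article or from Microsoft: it walks every virtual network in the current subscription, lists the subnets that host private endpoints, and flags those where the policy is not Enabled while an NSG or route table is attached, since those are the controls that are currently not being enforced for private endpoint traffic. With -Fix it enables the policy on each flagged subnet by setting the property on the subnet object and writing the virtual network back, and it honours -WhatIf. The -Fix switch and the script name are this example's own; the cmdlets and the PrivateEndpoints, PrivateEndpointNetworkPolicies, NetworkSecurityGroup and RouteTable subnet properties are those of the Az.Network module. It assumes Az.Network is installed, Connect-AzAccount has been run, and the caller can read (and, with -Fix, update) the virtual networks.

```powershell
# Added audit script (not part of the original article). Reports subnets that host
# private endpoints and whether the private endpoint network policy is Enabled.
# Assumptions: Az.Network is installed, Connect-AzAccount has been run, and the
# caller can read (and, with -Fix, update) the virtual networks.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Enable the policy on each flagged subnet instead of only reporting it.
    [switch]$Fix
)

$findings = foreach ($vnet in Get-AzVirtualNetwork) {
    foreach ($subnet in $vnet.Subnets) {
        # PrivateEndpoints is filled in by the service for subnets that host private endpoints.
        $peCount = ($subnet.PrivateEndpoints | Measure-Object).Count
        if ($peCount -eq 0) { continue }

        [pscustomobject]@{
            ResourceGroup      = $vnet.ResourceGroupName
            VirtualNetwork     = $vnet.Name
            Subnet             = $subnet.Name
            PrivateEndpoints   = $peCount
            Policy             = $subnet.PrivateEndpointNetworkPolicies
            NsgAttached        = [bool]$subnet.NetworkSecurityGroup
            RouteTableAttached = [bool]$subnet.RouteTable
        }
    }
}

$findings | Format-Table -AutoSize

# Subnets whose attached NSG or route table is not enforced for their private endpoints.
$bypassed = @($findings | Where-Object {
    $_.Policy -ne 'Enabled' -and ($_.NsgAttached -or $_.RouteTableAttached)
})
Write-Host ("{0} subnet(s) host private endpoints behind an NSG or route table that is not enforced." -f $bypassed.Count)

if ($Fix) {
    foreach ($f in $bypassed) {
        $vnet   = Get-AzVirtualNetwork -Name $f.VirtualNetwork -ResourceGroupName $f.ResourceGroup
        $subnet = $vnet.Subnets | Where-Object { $_.Name -eq $f.Subnet }
        if ($PSCmdlet.ShouldProcess("$($f.VirtualNetwork)/$($f.Subnet)", 'Enable private endpoint network policies')) {
            # Set the flag on the subnet object as read from Azure and write the whole
            # virtual network back, so the subnet's other settings are sent as they were.
            $subnet.PrivateEndpointNetworkPolicies = 'Enabled'
            $vnet | Set-AzVirtualNetwork | Out-Null
        }
    }
}
```

Save it under a name of your choice (for example Audit-PeNetworkPolicy.ps1, a hypothetical name) and run it without arguments to report only, with -Fix -WhatIf to preview which subnets would change, and with -Fix to apply. Because enabling the policy starts enforcing the subnet's existing NSG rules and UDRs against private endpoint traffic, check those rules for each flagged subnet before running with -Fix.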
Disable network policy
Sign in to the Azure portal.
In the search box at the top of the portal, enter Virtual network. Select Virtual networks.
Select myVNet.
In the settings of myVNet, select Subnets.
Select the default subnet.
In the properties for the default subnet, select Disabled in NETWORK POLICY FOR PRIVATE ENDPOINTS.
Select Save.
Use Get-AzVirtualNetwork, Set-AzVirtualNetworkSubnetConfig, and Set-AzVirtualNetwork to disable the policy.
$net = @{
Name = 'myVNet'
ResourceGroupName = 'myResourceGroup'
}
$vnet = Get-AzVirtualNetwork @net
$sub = @{
Name = 'default'
VirtualNetwork = $vnet
AddressPrefix = '10.1.0.0/24'
PrivateEndpointNetworkPoliciesFlag = 'Disabled'
}
Set-AzVirtualNetworkSubnetConfig @sub
$vnet | Set-AzVirtualNetwork
Use az network vnet subnet update to disable the policy.
az network vnet subnet update \
--disable-private-endpoint-network-policies true \
--name default \
--resource-group myResourceGroup \
--vnet-name myVNet
This section describes how to disable subnet private endpoint policies using an Azure Resource Manager template.
{
"name": "myVNet",
"type": "Microsoft.Network/virtualNetworks",
"apiVersion": "2019-04-01",
"location": "WestUS",
"properties": {
"addressSpace": {
"addressPrefixes": [
"10.1.0.0/16"
]
},
"subnets": [
{
"name": "default",
"properties": {
"addressPrefix": "10.1.0.0/24",
"privateEndpointNetworkPolicies": "Disabled"
}
}
]
}
}
Next steps