How to login and deploy resource using resource management private link?

Question

How to login and deploy resource using resource management private link?

Minwoo Jo 5

Hello. I test private connection using resource management private link and private endpoint.

How to azure login using private endpoint?

I deploy VM, resource management private link associated with private endpoint. And I add DNS information in /etc/hosts ( private endpoint IP : management.azure.com )

When i command azure login --identity --debug, i get error message below.

cli.azure.cli.core.azclierror: (PrivateLinkAccessRestricted) Request originated from private virtual network for resource '/subscriptions', but this resource can not be accessed from a private endpoint. To connect to this resource, please use the public network without a private endpoint.
Code: PrivateLinkAccessRestricted
Message: Request originated from private virtual network for resource '/subscriptions', but this resource can not be accessed from a private endpoint. To connect to this resource, please use the public network without a private endpoint.
az_command_data_logger: (PrivateLinkAccessRestricted) Request originated from private virtual network for resource '/subscriptions', but this resource can not be accessed from a private endpoint. To connect to this resource, please use the public network without a private endpoint.
Code: PrivateLinkAccessRestricted
Message: Request originated from private virtual network for resource '/subscriptions', but this resource can not be accessed from a private endpoint. To connect to this resource, please use the public network without a private endpoint.

How to solve this issue?

Is it impossible to login and deploy resource (network, vm) using resource management private link?

Venkat V 2,055 평판 포인트 Microsoft 외부 직원 Moderator

2025-04-18T05:41:39.7533333+00:00
Hi @Minwoo Jo

Even though you've configured a Private Endpoint for management.azure.com, Azure does not fully support all Azure CLI or SDK operations—such as az login—over Private Link alone, especially for tenant- or subscription-level endpoints like /subscriptions or /tenants.

Method 1: Temporary Public Access for Login Operations like az login, az account list, or az vm create require access to control plane endpoints that are not yet exposed via Private Link. To work around this, temporarily allow internet access (either directly on the VM or via a NAT Gateway) to perform login and control plane operations:

az login --identity

Once authenticated, most supported resource-level operations will work over the existing Private Endpoint.

Method 2: Use Azure Bastion Keep the private VM fully isolated, and use a secure jump host or Azure Bastion (with internet access) for CLI authentication and initial deployment tasks.

I hope this is helpful! Do not hesitate to let me know if you have any other questions.

Minwoo Jo 5

Hi Venkat. Thank you for your apply!

I tried to Method 1. First, VM was authenticated using public access. Secondly, I add that private endpoint IP : management.azure.com in /etc/hosts.

Lastly, I try to create vm using azure cli but same error is still occured.

az vm restart -g mw-resource-group-2 -n testvm

(PrivateLinkAccessRestricted) Request originated from private virtual network for resource '/subscriptions/<Subscription ID>/resourceGroups/mw-resource-group-2/providers/Microsoft.Compute/virtualMachines/testvm/restart', but this resource can not be accessed from a private endpoint. To connect to this resource, please use the public network without a private endpoint.
Code: PrivateLinkAccessRestricted
Message: Request originated from private virtual network for resource '/subscriptions/
<Subscription ID>/resourceGroups/mw-resource-group-2/providers/Microsoft.Compute/virtualMachines/testvm/restart', but this resource can not be accessed from a private endpoint. To connect to this resource, please use the public network without a private endpoint.

Which commands is working correctly using private endpoint? What is resource-level operations?

Venkat V 2,055 평판 포인트 Microsoft 외부 직원 Moderator

2025-04-18T07:20:15.2133333+00:00
Hi @ Minwoo Jo

If you are using an Azure VM and have created it in the same VNet and subnet as the management Private Link, there's no need to manually add a host entry. Kindly run the following command to check DNS resolution

nslookup management.azure.com

If it resolves correctly, you can proceed with operations like

az vm restart -g mw-resource-group-2 -n testvm
Venkat V 2,055 평판 포인트 Microsoft 외부 직원 Moderator

2025-04-18T07:51:41.2733333+00:00
Hi @ Minwoo Jo

Even though you've configured a private endpoint for ⁣,management.azure.com Azure does not fully support all Azure CLI or SDK operations—such as over private linkaz login alone, especially for tenant- or subscription-level endpoints like /subscriptions``/tenants

Method 1: Temporary public access for login operations like az login, az account list, or ⁣ requiresaz vm create access to control plane endpoints that are not yet exposed via Private Link.

To work around this, temporarily allow internet access (either directly on the VM ) to perform login and control plane operations:

az login --identity

Once authenticated, most supported resource-level operations will work over the existing Private Endpoint.

Note: If you are using Azure VM and created the same VNet as the resource management private link, there is no need to add any host entry on VM

Method 2: Use Azure Bastion Keep the private VM fully isolated, and use a secure jump host or Azure Bastion (with internet access) for CLI authentication and initial deployment tasks.

As I tested the same in my environment without internet access, I also encountered the same error.

To resolve the issue, I created an outbound rule for internet access to the VM, as shown below.

After creating the rule, I was able to connect to the VM using the cmdlet and successfully create resources using the same identity

I hope this helps to resolve your issue. Please feel free to ask any questions if the solution provided isn't helpful.

Minwoo Jo 5

Hello Venkat.

I'm sorry but this issue is continued.

nslookup management.azure.com

Server:		127.0.0.53
Address:	127.0.0.53#53

Non-authoritative answer:
management.azure.com	canonical name = management.privatelink.azure.com.
Name:	management.privatelink.azure.com
Address: 10.0.2.6

And i command creating vm in same subnet

az vm create \
  --resource-group mw-resource-group-1 \
  --name testvm \
  --location koreacentral \
  --vnet-name mwjo-network \
  --subnet private-subnet \
  --image Ubuntu2204

(PrivateLinkAccessRestricted) Request originated from private virtual network for resource '/subscriptions/e<Sub_id>/providers/Microsoft.Compute/locations/koreacentral/publishers/Canonical/artifacttypes/vmimage/offers/0001-com-ubuntu-server-jammy/skus/22_04-lts-gen2/versions', but this resource can not be accessed from a private endpoint. To connect to this resource, please use the public network without a private endpoint.
Code: PrivateLinkAccessRestricted
Message: Request originated from private virtual network for resource '/subscriptions/<Sub_id>/providers/Microsoft.Compute/locations/koreacentral/publishers/Canonical/artifacttypes/vmimage/offers/0001-com-ubuntu-server-jammy/skus/22_04-lts-gen2/versions', but this resource can not be accessed from a private endpoint. To connect to this resource, please use the public network without a private endpoint.

Restarting VM has same issue.

 az vm restart -g mw-resource-group-1 -n testvm 

(PrivateLinkAccessRestricted) Request originated from private virtual network for resource '/subscriptions/<sub_id>/resourceGroups/mw-resource-group-1/providers/Microsoft.Compute/virtualMachines/testvm/restart', but this resource can not be accessed from a private endpoint. To connect to this resource, please use the public network without a private endpoint. Code: PrivateLinkAccessRestricted Message: Request originated from private virtual network for resource '/subscriptions/<sub_id>/resourceGroups/mw-resource-group-1/providers/Microsoft.Compute/virtualMachines/testvm/restart', but this resource can not be accessed from a private endpoint. To connect to this resource, please use the public network without a private endpoint.

Venkat V 2,055 평판 포인트 Microsoft 외부 직원 Moderator

2025-04-18T08:01:38.1433333+00:00

Hi @Minwoo Jo

I hope you've already deleted the host entry. Once it's deleted, please run nslookup and verify the result—it should resolve to the Azure Private DNS zone IP, not the loopback IP (127.x.x.x).

If you're still facing the issue, could you please share your email ID in a private chat so we can connect offline for further troubleshooting?
Venkat V 2,055 평판 포인트 Microsoft 외부 직원 Moderator

2025-04-18T10:29:11.4366667+00:00

Hi @Minwoo Jo

We haven't heard anything from you. Could you please confirm whether your issue has been resolved or not?

답변 2개

답변

Venkat V 2,055 평판 포인트 Microsoft 외부 직원 Moderator

2025-04-18T05:41:39.7533333+00:00

Hi @Minwoo Jo

Even though you've configured a Private Endpoint for management.azure.com, Azure does not fully support all Azure CLI or SDK operations—such as az login—over Private Link alone, especially for tenant- or subscription-level endpoints like /subscriptions or /tenants.

Method 1: Temporary Public Access for Login Operations like az login, az account list, or az vm create require access to control plane endpoints that are not yet exposed via Private Link. To work around this, temporarily allow internet access (either directly on the VM or via a NAT Gateway) to perform login and control plane operations:

az login --identity

Once authenticated, most supported resource-level operations will work over the existing Private Endpoint.

Method 2: Use Azure Bastion Keep the private VM fully isolated, and use a secure jump host or Azure Bastion (with internet access) for CLI authentication and initial deployment tasks.

I hope this is helpful! Do not hesitate to let me know if you have any other questions.
Minwoo Jo 5 평판 포인트

2025-04-18T07:03:35.7633333+00:00

Hi Venkat. Thank you for your apply!

I tried to Method 1. First, VM was authenticated using public access. Secondly, I add that private endpoint IP : management.azure.com in /etc/hosts.

Lastly, I try to create vm using azure cli but same error is still occured.

az vm restart -g mw-resource-group-2 -n testvm (PrivateLinkAccessRestricted) Request originated from private virtual network for resource '/subscriptions/<Subscription ID>/resourceGroups/mw-resource-group-2/providers/Microsoft.Compute/virtualMachines/testvm/restart', but this resource can not be accessed from a private endpoint. To connect to this resource, please use the public network without a private endpoint. Code: PrivateLinkAccessRestricted Message: Request originated from private virtual network for resource '/subscriptions/ <Subscription ID>/resourceGroups/mw-resource-group-2/providers/Microsoft.Compute/virtualMachines/testvm/restart', but this resource can not be accessed from a private endpoint. To connect to this resource, please use the public network without a private endpoint.

Which commands is working correctly using private endpoint? What is resource-level operations?
Venkat V 2,055 평판 포인트 Microsoft 외부 직원 Moderator

2025-04-18T07:20:15.2133333+00:00

Hi @ Minwoo Jo

If you are using an Azure VM and have created it in the same VNet and subnet as the management Private Link, there's no need to manually add a host entry. Kindly run the following command to check DNS resolution

nslookup management.azure.com

If it resolves correctly, you can proceed with operations like

az vm restart -g mw-resource-group-2 -n testvm
Venkat V 2,055 평판 포인트 Microsoft 외부 직원 Moderator

2025-04-18T07:51:41.2733333+00:00

Hi @ Minwoo Jo

Even though you've configured a private endpoint for ⁣,management.azure.com Azure does not fully support all Azure CLI or SDK operations—such as over private linkaz login alone, especially for tenant- or subscription-level endpoints like /subscriptions``/tenants

Method 1: Temporary public access for login operations like az login, az account list, or ⁣ requiresaz vm create access to control plane endpoints that are not yet exposed via Private Link.

To work around this, temporarily allow internet access (either directly on the VM ) to perform login and control plane operations:

az login --identity

Once authenticated, most supported resource-level operations will work over the existing Private Endpoint.

Note: If you are using Azure VM and created the same VNet as the resource management private link, there is no need to add any host entry on VM

Method 2: Use Azure Bastion Keep the private VM fully isolated, and use a secure jump host or Azure Bastion (with internet access) for CLI authentication and initial deployment tasks.

As I tested the same in my environment without internet access, I also encountered the same error.

To resolve the issue, I created an outbound rule for internet access to the VM, as shown below.

After creating the rule, I was able to connect to the VM using the cmdlet and successfully create resources using the same identity

I hope this helps to resolve your issue. Please feel free to ask any questions if the solution provided isn't helpful.
Venkat V 2,055 평판 포인트 Microsoft 외부 직원 Moderator

2025-04-18T08:01:38.1433333+00:00

Hi @Minwoo Jo

I hope you've already deleted the host entry. Once it's deleted, please run nslookup and verify the result—it should resolve to the Azure Private DNS zone IP, not the loopback IP (127.x.x.x).

If you're still facing the issue, could you please share your email ID in a private chat so we can connect offline for further troubleshooting?
Venkat V 2,055 평판 포인트 Microsoft 외부 직원 Moderator

2025-04-18T10:29:11.4366667+00:00

Hi @Minwoo Jo

We haven't heard anything from you. Could you please confirm whether your issue has been resolved or not?

Answer 1

Hi Venkat.
Thank you for your apply!

I tried to Method 1.
First, VM was authenticated using public access.
Secondly, I add that private endpoint IP : management.azure.com in /etc/hosts.

Lastly, I try to create vm using azure cli but same error is still occured.

az vm restart -g mw-resource-group-2 -n testvm

(PrivateLinkAccessRestricted) Request originated from private virtual network for resource '/subscriptions/<Subscription ID>/resourceGroups/mw-resource-group-2/providers/Microsoft.Compute/virtualMachines/testvm/restart', but this resource can not be accessed from a private endpoint. To connect to this resource, please use the public network without a private endpoint.
Code: PrivateLinkAccessRestricted
Message: Request originated from private virtual network for resource '/subscriptions/
<Subscription ID>/resourceGroups/mw-resource-group-2/providers/Microsoft.Compute/virtualMachines/testvm/restart', but this resource can not be accessed from a private endpoint. To connect to this resource, please use the public network without a private endpoint.

Which commands is working correctly using private endpoint? What is resource-level operations?

Answer 2

Hi @Minwoo Jo

Even though you've configured a private endpoint for ⁣,management.azure.com Azure does not fully support all Azure CLI or SDK operations—such as over private linkaz login alone, especially for tenant- or subscription-level endpoints like /subscriptions``/tenants

Method 1: Temporary public access for login operations like az login, az account list, or ⁣ requiresaz vm create access to control plane endpoints that are not yet exposed via Private Link.

To work around this, temporarily allow internet access (either directly on the VM ) to perform login and control plane operations:


az login --identity

Once authenticated, most supported resource-level operations will work over the existing Private Endpoint.

Note: If you are using Azure VM and created the same VNet as the resource management private link, there is no need to add any host entry on VM

Method 2: Use Azure Bastion Keep the private VM fully isolated, and use a secure jump host or Azure Bastion (with internet access) for CLI authentication and initial deployment tasks.

As I tested the same in my environment without internet access, I also encountered the same error.

enter image description here

To resolve the issue, I created an outbound rule for internet access to the VM, as shown below.

enter image description here

After creating the rule, I was able to connect to the VM using the cmdlet and successfully create resources using the same identity

enter image description here

I hope this helps to resolve your issue. Please feel free to ask any questions if the solution provided isn't helpful.

Please provide your valuable feedback on the thread by clicking Accept the answer and upvoting wherever the information was helpful, as this can be beneficial to other community members

Venkat V 2,055 평판 포인트 Microsoft 외부 직원 Moderator

2025-04-21T05:17:36.66+00:00

Hi @Minwoo Jo

I just wanted to follow up and see if you had a chance to review my response to your question. Please let us know if it was helpful, and feel free to reach out if you have any further queries.
Venkat V 2,055 평판 포인트 Microsoft 외부 직원 Moderator

2025-04-22T05:13:25.06+00:00

Hi @Minwoo Jo

Glad I could help! If this resolved your issue, please consider upvoting and accepting it as the answer so it can assist others too.

다음을 통해 공유

How to login and deploy resource using resource management private link?

답변 2개

답변