Manage network policies for private endpoints
By default, network policies are disabled for a subnet in a virtual network. To use network policies like user-defined routes and network security group support, network policy support must be enabled for the subnet. This setting only applies to private endpoints in the subnet and affects all private endpoints in the subnet. For other resources in the subnet, access is controlled based on security rules in the network security group.
You can enable network policies either for network security groups only, for user-defined routes only, or for both.
If you enable network security policies for user-defined routes, you can use a custom address prefix length (subnet mask) equal to or larger than the virtual network address space prefix length to invalidate the /32 default route propagated by the private endpoint. This capability can be useful if you want to ensure that private endpoint connection requests go through a firewall or virtual appliance. Otherwise, the /32 default route sends traffic directly to the private endpoint in accordance with the longest prefix match algorithm.
Important
To invalidate a private endpoint route, user-defined routes must have a prefix size that is equal to or smaller than the virtual network address space where the private endpoint is provisioned. For example, a user-defined routes default route (0.0.0.0/0) won't invalidate private endpoint routes because it covers a broader range than the private endpoint's address space. The longest prefix match rule will give higher priority to more specific address prefixes. Additionally, ensure that network policies are enabled in the subnet hosting the private endpoint.
Use the following steps to enable or disable network policy for private endpoints:
- Azure PowerShell
- Azure CLI
- Azure Resource Manager templates (ARM templates)
The following examples describe how to enable and disable PrivateEndpointNetworkPolicies
for a virtual network named myVNet
with a default
subnet of 10.1.0.0/24
hosted in a resource group named myResourceGroup
.
Enable network policy
Use Get-AzVirtualNetwork, Set-AzVirtualNetworkSubnetConfig, and Set-AzVirtualNetwork to enable the policy.
$net = @{
Name = 'myVNet'
ResourceGroupName = 'myResourceGroup'
}
$vnet = Get-AzVirtualNetwork @net
$sub = @{
Name = 'default'
VirtualNetwork = $vnet
AddressPrefix = '10.1.0.0/24'
PrivateEndpointNetworkPoliciesFlag = 'Enabled' # Can be either 'Disabled', 'NetworkSecurityGroupEnabled', 'RouteTableEnabled', or 'Enabled'
}
Set-AzVirtualNetworkSubnetConfig @sub
$vnet | Set-AzVirtualNetwork
Disable network policy
Use Get-AzVirtualNetwork, Set-AzVirtualNetwork, and Set-AzVirtualNetworkSubnetConfig to disable the policy.
$net = @{
Name = 'myVNet'
ResourceGroupName = 'myResourceGroup'
}
$vnet = Get-AzVirtualNetwork @net
$sub = @{
Name = 'default'
VirtualNetwork = $vnet
AddressPrefix = '10.1.0.0/24'
PrivateEndpointNetworkPoliciesFlag = 'Disabled'
}
Set-AzVirtualNetworkSubnetConfig @sub
$vnet | Set-AzVirtualNetwork
Important
There are limitations to private endpoints in relation to the network policy feature and network security groups and user-defined routes. For more information, see Limitations.
Next steps
- To learn more, see What is a private endpoint?.