Network Policy Fails for Private Endpoint

Sumit Dubey 5

Enabling Network Policy on Private Endpoint is failing even when Traffic is forwarded to Virtual Network as well. Everything is allowed when checked Connection Troubleshoot. Not sure , where the blocker is?

Ganesh Patapati 4,150 Reputation points Microsoft External Staff

2025-02-28T16:35:34.47+00:00
Hi Sumit Dubey

Greetings!

Firstly, to Identify the issue, please share the error Screenshot and the connection troubleshooting results.

NOTE: Please verify whether NSG has been applied to the correct subnet and not directly to the Private Endpoint's NIC. If the NSG is applied to the subnet and the Network Policy is enabled, then the NSG should affect the Private Endpoint's traffic. But maybe the NSG is applied to another subnet or not associated properly.

Even if network policies are enabled, so please make sure that outbound/inbound rules are in place to allow or block on certain ports that are needed by the Private Endpoint.

Please refer this document to cross verify your configuration. https://learn.microsoft.com/en-us/azure/private-link/disable-private-endpoint-network-policy?tabs=network-policy-portal#enable-network-policy

Can you please update us if the action plan provided was helpful?

Should there be any follow-up questions or concerns, please let us know and we shall try to address them.
Sumit Dubey 5 Reputation points

2025-03-03T08:46:18.65+00:00

@Ganesh Patapati As mentioned ,network policy is enabled. Attaching screenshot for reference. There is no NSG applied at Private Endpoint, Only Route Table which point out Traffic to VNET only.
VIVEK DWIVEDI 105 Reputation points Microsoft Employee

2025-03-03T12:19:27.4566667+00:00
Hi Sumit Dubey,
Greetings.

Could you please help with following information:

You mentioned enabling network policy is failing- Could you please a screenshot with the error that policy is failing/ or is it just the connection to private endpoint is failing which you shared already ?

I see you are running a connectivity test from bastvm (source) is it in the same VNET and subnet where private endpoint is created, if not please provide more information about the connectivity and network setup.

I assume you might have tried to do the tect using ICMP which is expected to fail for private endpoint. Did you try tcp and a port number (port number varies but for most of services it is 443 if it doesn't work you can share me the service detail and I can tell you the port number)

I hope this helps, if yes please accept the answer!
Venkat V 775 Reputation points Microsoft External Staff

2025-03-03T16:43:17.45+00:00

Hi @Sumit

Thanks for your reply.

Can you please share the nslookup result screenshot from VM.
Sumit 1 Reputation point

2025-03-03T16:53:25.4766667+00:00

Venkat V
Venkat V 775 Reputation points Microsoft External Staff

2025-03-03T17:43:23.8633333+00:00
Hi @Sumit

If you are able to resolve the DNS from the VM, try to connect the database using the cmdlet below.

sqlcmd -S server-name.database.windows.net -U '<server-admin>' -P '<admin-password>'

Can you please follow the link: Create an Azure SQL server and private endpoint for more details?

Reference: Disable public access to Azure SQL logical server
Sumit 1 Reputation point

2025-03-03T17:51:39.74+00:00

Venkat V, Here is test-netconnection output.

1 answer

Ganesh Patapati 4,150 Reputation points Microsoft External Staff

2025-03-03T13:16:49.97+00:00
Hello Sumit Dubey
Thanks for the reply!

In addition to the answer provided by VIVEK DWIVEDI, I would like to add a few more details.

Can you please click on see details and provide the information over the private chat to understand the connectivity flow and also share the Route table details.

Ensure the route table isn't bypassing the private endpoint?

For example, a user-defined routes default route (0.0.0.0/0) won't invalidate private endpoint routes because it covers a broader range than the private endpoint's address space. The longest prefix match rule will give higher priority to more specific address prefixes.

Refer: https://learn.microsoft.com/en-us/azure/private-link/disable-private-endpoint-network-policy?tabs=network-policy-portal

Inspect Effective Routes:

Whether the Default route with /32 range of private endpoint becomes Invalid after enabling the network policy.

and the whether the user defined route is present or not.

After enabling Network policy there can be a Propagation Delay before policies take effect.

Can you please update us if the action plan provided was helpful?

Should there be any follow-up questions or concerns, please let us know and we shall try to address them.
Please sign in to rate this answer.
Sumit 1 Reputation point

2025-03-03T15:04:23.5633333+00:00

@Ganesh Patapati , Attached Connectivity test details . Private endpoint is for SQL Server (1433) .

Venkat V 775 Reputation points Microsoft External Staff

2025-03-03T15:57:00.66+00:00

Hi @Sumit

If you're using private endpoints, Azure private DNS is usually required to resolve the private endpoint correctly.

Verify whether the private DNS zone is linked to your virtual network. Run the following cmdlet from vm to confirm DNS resolution.

nslookup <private-endpoint-name>.database.windows.net

If it resolves to a public IP, ensure to check the Vnet is linked to Private DNS zone.

If it is resolving the private endpoint's private IP, try disabling the network policy for private endpoints in the subnet and test the connectivity again.

Sumit 1 Reputation point

2025-03-03T16:13:38.9166667+00:00

Venkat V,
DNS zone is already created & linked to virtual network as well. Azure DNS is being used & not custom DNS.

Venkat V 775 Reputation points Microsoft External Staff

2025-03-04T13:13:20.24+00:00

Hi @Sumit

Azure already manages private endpoint routing, so we should not manually add a route for it.

Do you have any other specific requirements for the route table?

Sumit 1 Reputation point

2025-03-04T14:54:52.8366667+00:00

@Venkat V,

The requirement is to use NVA but not Azure Firewall where its failing. So instead of using NVA, traffic is being sent to VNET itself but fails. So, why it fails as below statement is applicable only without using Network Policy or using UDR where effective route points to interface Endpoint
"Azure already manages private endpoint routing, so we should not manually add a route for it."

KapilAnanth-MSFT 48,791 Reputation points Microsoft Employee

2025-03-04T16:48:02.68+00:00

@Sumit Dubey ,

Greetings. I see you have shared your environment details with Venkat V and Ganesh Patapati.

I take it that you have

One route table on the VMSubnet, with an UDR of 10.0.0.0/24 and NextHop as VirtualNetwork.

Private endpoint network policy as RouteTable in the Private EndPoint's subnet.

And there is no Route Table on the PrivateEndPoint's subnet.

With this configuration,

The behavior is expected.

The route 10.0.0.0/24 overrides the "InterfaceEndpoint" 's /32 route.

If you were to remove the Network Policy, this should work as expected.

Wrt your requirement,

I would suggest you actually introduce an NVA (or Firewall) as NextHop instead of using VirtualNetwork as nextHop.

And validate this

Please share the results of using a NVA as NextHop.

Meanwhile, I shall check why using a "VirtualNetwork" as nextHop fails to include the /32 route.

Cheers,

Kapil

Sumit 1 Reputation point

2025-03-06T10:33:43.8633333+00:00

@KapilAnanth-MSFT ,
Any update on this
why using a "VirtualNetwork" as nextHop fails to include the /32 route

With Azure Firewall, it works fine

KapilAnanth-MSFT 48,791 Reputation points Microsoft Employee

2025-03-06T14:03:01.2933333+00:00

Hi @Sumit Dubey , not yet.

I have communicated this to the Product Group and awaiting their response.

Please note that it might take a while for the internal teams to provide an update on this.

Cheers,

Kapil
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Network Policy Fails for Private Endpoint

1 answer

Your answer