Search Service authorization fails (in environments where policy prohibits private endpoint connections from other subscriptions).

443 0 Reputation points
2024-09-05T00:39:58.9633333+00:00

To achieve private sending/receiving between “Storage Account” and “Search Service” currently

To use the Search Service's shared private link, you need to create a shared private link between the storage account and the Search Service.

To use the Search Service's shared private link, you need to approve the shared private link created on the other side of the storage account.

The shared private link must be approved by the storage account.

In this case, we cannot approve the private link because it violates the policy of “prohibiting PrivateEndpoint connections when the subscriptions are different”.

However, the approval operation is working for the shared private link between “SQL Server” and “Search Service” and other services.


Azure AI Search
Azure Policy

1 answer

  1. SnehaAgrawal-MSFT 21,766 Reputation points
    2024-09-18T06:57:15.79+00:00

    @443 Apologies for the late response here! Could you confirm if this is an Azure policy that you have enabled?

    Shared private link, by design, is from our VNet, i.e. Microsoft internal, to the customer's, so it is expected to be in 2 different subscriptions.

    If you have a policy auditing or preventing this external from search, it would need to be relaxed for some resources, or those resources should be provisioned in a scope where the policy doesn't apply.

    Let us know.

    0 comments No comments
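
An added example, not part of the original thread or Microsoft's code: it takes the `privateEndpointConnections` list of a storage account and flags pending connections whose private endpoint lives in a different subscription, which is how a shared private link from the Search Service appears according to the answer above. The resource IDs, names and subscription GUIDs are constructed placeholders, and the assumption is a policy that keys on a subscription mismatch.

```python
import re

# Constructed sample data in the shape ARM returns for a storage account's
# properties.privateEndpointConnections. Every ID and name is a placeholder.
STORAGE_ID = ("/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-data"
              "/providers/Microsoft.Storage/storageAccounts/examplestore")
CONNECTIONS = [
    {"name": "pe-app.aaaa", "properties": {
        "privateEndpoint": {"id": "/subscriptions/11111111-1111-1111-1111-111111111111"
                                  "/resourceGroups/rg-net/providers/Microsoft.Network/privateEndpoints/pe-app"},
        "privateLinkServiceConnectionState": {"status": "Approved"}}},
    # Stands in for the shared private link: its endpoint sits in a
    # provider-side subscription, not the storage account's subscription.
    {"name": "search-spl.bbbb", "properties": {
        "privateEndpoint": {"id": "/subscriptions/99999999-9999-9999-9999-999999999999"
                                  "/resourceGroups/rg-managed/providers/Microsoft.Network/privateEndpoints/search-spl"},
        "privateLinkServiceConnectionState": {"status": "Pending"}}},
]

_SUB = re.compile(r"^/subscriptions/([^/]+)/", re.IGNORECASE)

def subscription_of(resource_id):
    """Extract the subscription GUID from an ARM resource ID."""
    m = _SUB.match(resource_id)
    if not m:
        raise ValueError(f"not an ARM resource ID: {resource_id!r}")
    return m.group(1).lower()

def classify(target_id, connections):
    """Return name, approval status and cross-subscription flag per connection."""
    target_sub = subscription_of(target_id)
    rows = []
    for conn in connections:
        props = conn["properties"]
        pe_sub = subscription_of(props["privateEndpoint"]["id"])
        rows.append({
            "name": conn["name"],
            "status": props["privateLinkServiceConnectionState"]["status"],
            "cross_subscription": pe_sub != target_sub,
        })
    return rows

def needs_policy_exception(target_id, connections):
    """Pending cross-subscription connections (assumed policy: subscription mismatch)."""
    return [r["name"] for r in classify(target_id, connections)
            if r["cross_subscription"] and r["status"] == "Pending"]

if __name__ == "__main__":
    for row in classify(STORAGE_ID, CONNECTIONS):
        print(row)
```

The names returned by `needs_policy_exception` are the connections for which the policy would have to be relaxed, or whose target resource would have to sit in a scope where the policy does not apply.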
