Once a private endpoint has been assigned to a subnet; it cannot be removed #39634
Comments
|
Temporary solution:
|
|
@tonyt73 , Can you post the output of the below PS command? $VNET= Get-AzVirtualNetwork -Name "Name of your Vnet" -ResourceGroupName "RG Name" Get-AzVirtualNetworkSubnetConfig -Name "Name of your Subnet" -VirtualNetwork $VNET |
|
@tonyt73 , do you have any update on this issue? |
|
You'll notice that the Yet, Azure portal and the PS Also worth mentioning that you can't change the policy items either Trying to change |
|
@KumudD , Can you take a look at this issue and update the doc with the alternative ? |
|
#assign:@malopMSFT |
|
Hi tonyt73 We had this into our bug fixes list, do you mind trying to replicate the issue and see if it's still active |
|
I just got this error as part of my build process. I can no longer run "Set-AzVirtualNetwork" on a loaded vnet config (Get-AzVirtualNetwork) if that vnet has a subnet with a private endpoint attached to it. I have also narrowed it down to when I run "Set-AzVirtualNetworkSubnetConfig" with the "-PrivateLinkServiceNetworkPoliciesFlag 'Enabled'" setting causes the error. |
|
Circling back around to this... a little confusing, but I came across something stating PrivateLinkServiceNetworkPoliciesFlag has to be 'Disabled' in order to add a private end point... seems not intuitive. |
|
Hey everybody, I ran into the same issue, when I deployed a private endpoint into the subnet via pipeline and set this setting in a template. After deleting it in the template the error stayed and now I always get the error when I execute the pipeline: "PrivateEndpointNetworkPoliciesCannotBeEnabledOnPrivateEndpointSubnet","message":"Private endpoint network policies cannot be enabled on private endpoint subnet /subscriptions/%subscriptionID%/resourceGroups/%RG%/providers/Microsoft.Network/virtualNetworks/%VNETNAME%/subnets/%SUBNETNAME%. |
|
We're also seeing this issue with our vnet arm template config, after deploying private link for sql server via another arm template. Feels similar to the error above. |
|
Hi guys, Appreciate if you can raise a support ticket, it's hard t diagnose multiple issues without looking at the configuration. I'm reading multiple issues listed here with PrivateEndpointNetworkPoliciesCannotBeEnabledOnPrivateEndpointSubnet and PrivateLinkServiceNetworkPoliciesFlag as 2 separate independent controls. |
|
Did anyone ever raise a support ticket and get a fix from them? |
|
We did but it did not lead to a satisfying result. Somewhere along the process also we decided this scenario does not fit into our Modern Workplace offering. We are only using SMB3 shares in Azure as part of an Application Resource Group for storing the application data (as was once the intended purpose from Microsoft). The only landing zones for data which has to be accessed from end-user devices are OneDrive and Sharepoint Online. We have not seen a case from our customers which forced us into another route (Customers just need some convincing that shifting a share to Azure is not 'modern') |
|
@msrini-MSFT @SaiKishor-MSFT I am also facing the same issue. I Unable to change the For SubnetProperties I want to disable the value for |
|
Sending to PM for review #assign:@ivapplyr |
|
Hi @malopMSFT, Any update on this? I'm facing the same issue and I cannot understand why this issue kept being ignored? It's pretty straight forward and there must be a better approach to handle it. |
|
Please raise a support ticket for proper troubleshooting and diagnosis of the issue, is not clear on this open item what is the issue with out documentation that describes those properties and behavior. For active issues on deployments, support ticket is the right method as many times requires specific investigation onto a particular customer deployment. |
|
@malopMSFT Honestly, I don't think this issue has anything to do with "particular customer deployment", the symptom is easy to reproduce:
Do you think this is as expected? |
|
Is expected, Users must get an error when deploying private endpoints and the property is enabled. The sequence can be any of the following:
The property is mainly designed to provide a toggle once NSG is supported, currently in public preview. For preview subscriptions, this error does not show and instead, NSG will start to apply to the private endpoints Details can be found here: |
|
Confirming this bug is still active as of Dec 21, 2021. |
|
Confirming this bug is still active as of JAN 7, 2022. |
|
Hello Folks, For those who are receiving this error message, it is per design. Please read documentation below to have access to the Public Preview of Private Link NSG & UDR :) https://azure.microsoft.com/en-us/updates/private-link-nsg-support-extended-regional-availability/ |
|
@tonyt73 would we be able to close this as there are multi thread of issues prior to 2021 |
|
When trying to disable the Private Link Service POlicies via Az CLI, we are now getting this error: "however, it does not have permission to perform action 'Microsoft.Network/routeTables/join/action' on the linked scope(s)" We understand the related error about the policies being enabled when trying to add a PLS, but we are not sure why this is trying to read/write to the route table. |
|
@IPvPho Can you provide more information on the steps and environment when getting this error? Is this a new deployment of private endpoint to an existing subnet with the policies applied? Are there any permissions or policies deployed in your environment that would prevent your account from updating route tables? Can you provide the full error you are receiving and possibly a screenshot? Thanks! @ivapplyr do you know why it would error out on updating the route table? |
Thank you for you dedication to our documentation.Unfortunately, we have been unable to review this issue in a timely manner. We sincerely apologize for the delayed response. We are closing this issue. If you feel that the problem persists, please respond to this issue with additional information. Please continue to provide feedback about the documentation. We appreciate your contributions to our community. #please-close |
https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/private-link/create-private-endpoint-portal.md
When you create a new subnet and assign a private endpoint to it.
If you then remove the private endpoint, private link and the association to the vnet subnet and then try to add service endpoint definitions, you will get the following error.
Set-AzVirtualNetwork : Private endpoint network policies cannot be enabled on private endpoint subnetEven when the subnet clearly has no private endpoints and the private endpoint and link are deleted.
Also trying to change the
PrivateEndpointNetworkPoliciesflag back toEnabledwill also result in the same error.Document Details
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
The text was updated successfully, but these errors were encountered: