Update NSG and routing information for private endpoints #127748
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Clarified the role of network policies and NSG for private endpoints, including routing behavior and enforcement details.
Contributor
|
@sanuskaria123 : Thanks for your contribution! The author(s) and reviewer(s) have been notified to review your proposed change. |
| ### Are network security groups (NSG) enabled for private endpoints? | ||
|
|
||
| No, they're disabled for private endpoints. While subnets containing the private endpoint can have NSG associated with it, the rules aren't effective on traffic processed by the private endpoint. You must have [network policies enforcement disabled](/azure/private-link/disable-private-endpoint-network-policy) to deploy private endpoints in a subnet. NSG is still enforced on other workloads hosted on the same subnet. Routes on any client subnet use a /32 prefix, changing the default routing behavior requires a similar UDR. | ||
| Network policies are disabled for private endpoints. To enforce Network Security Group (NSG) and User-Defined Route (UDR) rules on private endpoint traffic, network policies must be enabled on the subnet. When network policies are disabled (required to deploy private endpoints), NSG and UDR rules do not apply to traffic processed by the private endpoint. For more information, please visit:https://learn.microsoft.com/en-us/azure/private-link/disable-private-endpoint-network-policy?tabs=network-policy-portal. NSG and UDR rules continue to apply normally to other workloads in the same subnet. |
Contributor
There was a problem hiding this comment.
Suggested change
| Network policies are disabled for private endpoints. To enforce Network Security Group (NSG) and User-Defined Route (UDR) rules on private endpoint traffic, network policies must be enabled on the subnet. When network policies are disabled (required to deploy private endpoints), NSG and UDR rules do not apply to traffic processed by the private endpoint. For more information, please visit:https://learn.microsoft.com/en-us/azure/private-link/disable-private-endpoint-network-policy?tabs=network-policy-portal. NSG and UDR rules continue to apply normally to other workloads in the same subnet. | |
| Network policies are disabled for private endpoints. To enforce Network Security Group (NSG) and User-Defined Route (UDR) rules on private endpoint traffic, network policies must be enabled on the subnet. When network policies are disabled (required to deploy private endpoints), NSG and UDR rules do not apply to traffic processed by the private endpoint. For more information, see [Manage network policies for private endpoints](/azure/private-link/disable-private-endpoint-network-policy?tabs=network-policy-portal). NSG and UDR rules continue to apply normally to other workloads in the same subnet. |
Contributor
There was a problem hiding this comment.
Pull Request Overview
This PR clarifies the documentation around network security groups (NSGs) and routing for Azure Managed Redis private endpoints. It explains when and how network policies must be configured to enforce NSG and UDR rules on private endpoint traffic.
Key changes:
- Clarified that network policies must be enabled on the subnet to enforce NSG and UDR rules on private endpoint traffic
- Added reference link to detailed documentation on disabling private endpoint network policies
- Simplified explanation of routing behavior for client subnets accessing private endpoints
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
Contributor
|
Learn Build status updates of commit 767f0ca: ✅ Validation status: passed
For more details, please refer to the build report. |
Contributor
|
Can you review the proposed changes? IMPORTANT: When the changes are ready for publication, adding a #label:"aq-pr-triaged" |
prmerger-automator
bot
added
the
aq-pr-triaged
learn-build-service-prod
bot
merged commit e074ce1
into
MicrosoftDocs:main
2 checks passed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Clarified the role of network policies and NSG for private endpoints, including routing behavior and enforcement details.