Forum Discussion
Allowed resource types: Microsoft.Web/sites/privateEndpointConnectionProxies not available
1- Modify the existing policy to allow private endpoint connections for App Services.
To do this, you can update the list of allowed resource types in your policy to include Microsoft.Network/privateEndpoints and Microsoft.Network/privateLinkServices. This will allow you to create private endpoint connections for all the resources in your subscription, including App Services.
2- Create a custom Azure Policy definition that allows specific resource types and sub-resources.
To create a custom policy definition, follow these steps:
a. In the Azure portal, search for "Policy" and click on the "Policy" service.
b. In the left-hand menu, click "Definitions" under "Authoring."
c. Click the "+ Policy Definition" button.
d. Fill in the required information, such as the policy name, description, and category.
e. In the "Policy Rule" section, add the JSON content for your custom policy. You can use the following example as a starting point:
{
"if": {
"allOf": [
{
"field": "type",
"notIn": [
"Microsoft.Web/sites",
"Microsoft.Network/privateEndpoints",
"Microsoft.Network/privateLinkServices"
]
},
{
"field": "Microsoft.Web/sites/privateEndpointConnectionProxies",
"exists": "false"
}
]
},
"then": {
"effect": "deny"
}
}
This policy rule checks if the resource type is allowed and also checks whether the private endpoint connection proxies sub-resource exists.
f. Click "Save" to create the custom policy definition.
g. Assign the custom policy definition to your desired scope (subscription, management group, or resource group).
By creating a custom policy definition or modifying the existing policy to allow private endpoint connections, you should be able to create App Services with private endpoints without encountering issues.
The policy definition '7188d6df-02bf-4ad9-b89b-ba92270e9e55' rule is invalid. The 'field' property 'Microsoft.Web/sites/privateEndpointConnectionProxies' of the policy rule doesn't exist as an alias under provider 'Microsoft.Web' and resource type 'sites'. The supported aliases are 'Microsoft.Web/sites/serverFarmId; Microsoft.Web/sites/clientCertEnabled; Microsoft.Web/sites/hostNameSslStates[*].sslState; Microsoft.Web/sites/httpsOnly; Microsoft.Web/sites/hostNames[*]; Microsoft.Web/sites/usageState; Microsoft.Web/sites/availabilityState; Microsoft.Web/sites/name; Microsoft.Web/sites/state; Microsoft.Web/sites/hostNames; Microsoft.Web/sites/repositorySiteName; Microsoft.Web/sites/enabled; Microsoft.Web/sites/enabledHostNames[*]; Microsoft.Web/sites/enabledHostNames; Microsoft.Web/sites/hostNameSslStates[*].name; Microsoft.Web/sites/hostNameSslStates[*].virtualIP; Microsoft.Web/sites/hostNameSslStates[*].thumbprint; Microsoft.Web/sites/hostNameSslStates[*].toUpdate; Microsoft.Web/sites/hostNameSslStates[*]; Microsoft.Web/sites/hostNameSslStates; Microsoft.Web/sites/lastModifiedTimeUtc; Microsoft.Web/sites/siteConfig.id; Microsoft.Web/sites/siteConfig.name; Microsoft.Web/sites/siteConfig.kind; Microsoft.Web/sites/siteConfig.location; Microsoft.Web/sites/siteConfig.type; Microsoft.Web/sites/siteConfig.tags.additionalProperties; Microsoft.Web/sites/siteConfig.tags; Microsoft.Web/sites/siteConfig; Microsoft.Web/sites/siteConfig.numberOfWorkers; Microsoft.Web/sites/siteConfig.defaultDocuments[*]; Microsoft.Web/sites/siteConfig.defaultDocuments; Microsoft.Web/sites/siteConfig.netFrameworkVersion; Microsoft.Web/sites/siteConfig.phpVersion; Microsoft.Web/sites/siteConfig.pythonVersion; Microsoft.Web/sites/siteConfig.nodeVersion; Microsoft.Web/sites/siteConfig.requestTracingEnabled; Microsoft.Web/sites/siteConfig.requestTracingExpirationTime; Microsoft.Web/sites/siteConfig.remoteDebuggingEnabled; Microsoft.Web/sites/siteConfig.remoteDebuggingVersion; Microsoft.Web/sites/siteConfig.httpLoggingEnabled; Microsoft.Web/sites/siteConfig.logsDirectorySizeLimit; Microsoft.Web/sites/siteConfig.detailedErrorLoggingEnabled; Microsoft.Web/sites/siteConfig.publishingUsername; Microsoft.Web/sites/siteConfig.publishingPassword; Microsoft.Web/sites/siteConfig.appSettings[*].name; Microsoft.Web/sites/siteConfig.appSettings[*]; Microsoft.Web/sites/siteConfig.appSettings; Microsoft.Web/sites/siteConfig.metadata[*].name; Microsoft.Web/sites/siteConfig.metadata[*]; Microsoft.Web/sites/siteConfig.metadata; Microsoft.Web/sites/siteConfig.connectionStrings[*].name; Microsoft.Web/sites/siteConfig.connectionStrings[*].connectionString; Microsoft.Web/sites/siteConfig.connectionStrings[*].type; Microsoft.Web/sites/siteConfig.connectionStrings[*]; Microsoft.Web/sites/siteConfig.connectionStrings; Microsoft.Web/sites/siteConfig.handlerMappings[*].extension; Microsoft.Web/sites/siteConfig.handlerMappings[*].scriptProcessor; Microsoft.Web/sites/siteConfig.handlerMappings[*].arguments; Microsoft.Web/sites/siteConfig.handlerMappings[*]; Microsoft.Web/sites/siteConfig.handlerMappings; Microsoft.Web/sites/siteConfig.documentRoot; Microsoft.Web/sites/siteConfig.scmType; Microsoft.Web/sites/siteConfig.use32BitWorkerProcess; Microsoft.Web/sites/siteConfig.webSocketsEnabled; Microsoft.Web/sites/siteConfig.alwaysOn; Microsoft.Web/sites/siteConfig.javaVersion; Microsoft.Web/sites/siteConfig.javaContainer; Microsoft.Web/sites/siteConfig.javaContainerVersion; Microsoft.Web/sites/siteConfig.appCommandLine; Microsoft.Web/sites/siteConfig.managedPipelineMode; Microsoft.Web/sites/siteConfig.virtualApplications[*].virtualPath; Microsoft.Web/sites/siteConfig.virtualApplications[*].physicalPath; Microsoft.Web/sites/siteConfig.virtualApplications[*].preloadEnabled; Microsoft.Web/sites/siteConfig.virtualApplications[*].virtualDirectories[*].virtualPath; Microsoft.Web/sites/siteConfig.virtualApplications[*].virtualDirectories[*].physicalPath; Microsoft.Web/sites/siteConfig.virtualApplications[*].virtualDirectories[*]; Microsoft.Web/sites/siteConfig.virtualApplications[*].virtualDirectories; Microsoft.Web/sites/siteConfig.virtualApplications[*]; Microsoft.Web/sites/siteConfig.virtualApplications; Microsoft.Web/sites/siteConfig.loadBalancing; Microsoft.Web/sites/siteConfig.experiments.rampUpRules[*].actionHostName; Microsoft.Web/sites/siteConfig.experiments.rampUpRules[*].reroutePercentage; Microsoft.Web/sites/siteConfig.experiments.rampUpRules[*].changeStep; Microsoft.Web/sites/siteConfig.experiments.rampUpRules[*].changeIntervalInMinutes; Microsoft.Web/sites/siteConfig.experiments.rampUpRules[*].minReroutePercentage; Microsoft.Web/sites/siteConfig.experiments.rampUpRules[*].maxReroutePercentage; Microsoft.Web/sites/siteConfig.experiments.rampUpRules[*].changeDecisionCallbackUrl; Microsoft.Web/sites/siteConfig.experiments.rampUpRules[*].name; Microsoft.Web/sites/siteConfig.experiments.rampUpRules[*]; Microsoft.Web/sites/siteConfig.experiments.rampUpRules; Microsoft.Web/sites/siteConfig.experiments; Microsoft.Web/sites/siteConfig.limits.maxPercentageCpu; Microsoft.Web/sites/siteConfig.limits.maxMemoryInMb; Microsoft.Web/sites/siteConfig.limits.maxDiskSizeInMb; Microsoft.Web/sites/siteConfig.limits; Microsoft.Web/sites/siteConfig.autoHealEnabled; Microsoft.Web/sites/siteConfig.autoHealRules.triggers.requests.count; Microsoft.Web/sites/siteConfig.autoHealRules.triggers.requests.timeInterval; Microsoft.Web/sites/siteConfig.autoHealRules.triggers.requests; Microsoft.Web/sites/siteConfig.autoHealRules.triggers.privateBytesInKB; Microsoft.Web/sites/siteConfig.autoHealRules.triggers.statusCodes[*].status; Microsoft.Web/sites/siteConfig.autoHealRules.triggers.statusCodes[*].subStatus; Microsoft.Web/sites/siteConfig.autoHealRules.triggers.statusCodes[*].win32Status; Microsoft.Web/sites/siteConfig.autoHealRules.triggers.statusCodes[*].count; Microsoft.Web/sites/siteConfig.autoHealRules.triggers.statusCodes[*].timeInterval; Microsoft.Web/sites/siteConfig.autoHealRules.triggers.statusCodes[*]; Microsoft.Web/sites/siteConfig.autoHealRules.triggers.statusCodes; Microsoft.Web/sites/siteConfig.autoHealRules.triggers.slowRequests.timeTaken; Microsoft.Web/sites/siteConfig.autoHealRules.triggers.slowRequests.count; Microsoft.Web/sites/siteConfig.autoHealRules.triggers.slowRequests.timeInterval; Microsoft.Web/sites/siteConfig.autoHealRules.triggers.slowRequests; Microsoft.Web/sites/siteConfig.autoHealRules.triggers; Microsoft.Web/sites/siteConfig.autoHealRules.actions.actionType; Microsoft.Web/sites/siteConfig.autoHealRules.actions.customAction.exe; Microsoft.Web/sites/siteConfig.autoHealRules.actions.customAction.parameters; Microsoft.Web/sites/siteConfig.autoHealRules.actions.customAction; Microsoft.Web/sites/siteConfig.autoHealRules.actions.minProcessExecutionTime; Microsoft.Web/sites/siteConfig.autoHealRules.actions; Microsoft.Web/sites/siteConfig.autoHealRules; Microsoft.Web/sites/siteConfig.tracingOptions; Microsoft.Web/sites/siteConfig.vnetName; Microsoft.Web/sites/siteConfig.cors.allowedOrigins[*]; Microsoft.Web/sites/siteConfig.cors.allowedOrigins; Microsoft.Web/sites/siteConfig.cors; Microsoft.Web/sites/siteConfig.apiDefinition.url; Microsoft.Web/sites/siteConfig.apiDefinition; Microsoft.Web/sites/siteConfig.autoSwapSlotName; Microsoft.Web/sites/siteConfig.localMySqlEnabled; Microsoft.Web/sites/siteConfig.ipSecurityRestrictions[*].ipAddress; Microsoft.Web/sites/siteConfig.ipSecurityRestrictions[*].subnetMask; Microsoft.Web/sites/siteConfig.ipSecurityRestrictions[*]; Microsoft.Web/sites/siteConfig.ipSecurityRestrictions; Microsoft.Web/sites/trafficManagerHostNames[*]; Microsoft.Web/sites/trafficManagerHostNames; Microsoft.Web/sites/premiumAppDeployed; Microsoft.Web/sites/scmSiteAlsoStopped; Microsoft.Web/sites/targetSwapSlot; Microsoft.Web/sites/hostingEnvironmentProfile.id; Microsoft.Web/sites/hostingEnvironmentProfile.name; Microsoft.Web/sites/hostingEnvironmentProfile.type; Microsoft.Web/sites/hostingEnvironmentProfile; Microsoft.Web/sites/microService; Microsoft.Web/sites/gatewaySiteName; Microsoft.Web/sites/clientAffinityEnabled; Microsoft.Web/sites/hostNamesDisabled; Microsoft.Web/sites/outboundIpAddresses; Microsoft.Web/sites/containerSize; Microsoft.Web/sites/maxNumberOfWorkers; Microsoft.Web/sites/cloningInfo.correlationId; Microsoft.Web/sites/cloningInfo.overwrite; Microsoft.Web/sites/cloningInfo.cloneCustomHostNames; Microsoft.Web/sites/cloningInfo.cloneSourceControl; Microsoft.Web/sites/cloningInfo.sourceWebAppId; Microsoft.Web/sites/cloningInfo.hostingEnvironment; Microsoft.Web/sites/cloningInfo.appSettingsOverrides.additionalProperties; Microsoft.Web/sites/cloningInfo.appSettingsOverrides; Microsoft.Web/sites/cloningInfo.configureLoadBalancing; Microsoft.Web/sites/cloningInfo.trafficManagerProfileId; Microsoft.Web/sites/cloningInfo.trafficManagerProfileName; Microsoft.Web/sites/cloningInfo; Microsoft.Web/sites/resourceGroup; Microsoft.Web/sites/isDefaultContainer; Microsoft.Web/sites/defaultHostName; Microsoft.Web/sites/reserved; Microsoft.Web/sites/possibleOutboundIpAddresses; Microsoft.Web/sites/dailyMemoryTimeQuota; Microsoft.Web/sites/suspendedTill; Microsoft.Web/sites/snapshotInfo.id; Microsoft.Web/sites/snapshotInfo.name; Microsoft.Web/sites/snapshotInfo.kind; Microsoft.Web/sites/snapshotInfo.type; Microsoft.Web/sites/snapshotInfo; Microsoft.Web/sites/snapshotInfo.snapshotTime; Microsoft.Web/sites/snapshotInfo.recoveryTarget.location; Microsoft.Web/sites/snapshotInfo.recoveryTarget.id; Microsoft.Web/sites/snapshotInfo.recoveryTarget; Microsoft.Web/sites/snapshotInfo.overwrite; Microsoft.Web/sites/snapshotInfo.recoverConfiguration; Microsoft.Web/sites/snapshotInfo.ignoreConflictingHostNames; Microsoft.Web/sites/slotSwapStatus.timestampUtc; Microsoft.Web/sites/slotSwapStatus.sourceSlotName; Microsoft.Web/sites/slotSwapStatus.destinationSlotName; Microsoft.Web/sites/slotSwapStatus; Microsoft.Web/sites/isXenon; Microsoft.Web/sites/hyperV; Microsoft.Web/sites/clientCertExclusionPaths; Microsoft.Web/sites/redundancyMode; Microsoft.Web/sites/inProgressOperationId; Microsoft.Web/sites/geoDistributions[*].location; Microsoft.Web/sites/geoDistributions[*].numberOfWorkers; Microsoft.Web/sites/geoDistributions[*]; Microsoft.Web/sites/geoDistributions; Microsoft.Web/sites/networkConfig.virtualNetwork.subnetResourceId; Microsoft.Web/sites/networkConfig.virtualNetwork.swiftSupported; Microsoft.Web/sites/hostNameSslStates[*].hostType; Microsoft.Web/sites/siteConfig.linuxFxVersion; Microsoft.Web/sites/siteConfig.machineKey.validation; Microsoft.Web/sites/siteConfig.machineKey.validationKey; Microsoft.Web/sites/siteConfig.machineKey.decryption; Microsoft.Web/sites/siteConfig.machineKey.decryptionKey; Microsoft.Web/sites/siteConfig.machineKey; Microsoft.Web/sites/siteConfig.push.id; Microsoft.Web/sites/siteConfig.push.name; Microsoft.Web/sites/siteConfig.push.kind; Microsoft.Web/sites/siteConfig.push.type; Microsoft.Web/sites/siteConfig.push; Microsoft.Web/sites/siteConfig.push.isPushEnabled; Microsoft.Web/sites/siteConfig.push.tagWhitelistJson; Microsoft.Web/sites/siteConfig.push.tagsRequiringAuth; Microsoft.Web/sites/siteConfig.push.dynamicTagsJson; Microsoft.Web/sites/siteConfig.http20Enabled; Microsoft.Web/sites/siteConfig.minTlsVersion; Microsoft.Web/sites/cloningInfo.ignoreQuotas; Microsoft.Web/sites/siteConfig.windowsFxVersion; Microsoft.Web/sites/siteConfig.azureStorageAccounts.additionalProperties.type; Microsoft.Web/sites/siteConfig.azureStorageAccounts.additionalProperties.accountName; Microsoft.Web/sites/siteConfig.azureStorageAccounts.additionalProperties.shareName; Microsoft.Web/sites/siteConfig.azureStorageAccounts.additionalProperties.accessKey; Microsoft.Web/sites/siteConfig.azureStorageAccounts.additionalProperties.mountPath; Microsoft.Web/sites/siteConfig.azureStorageAccounts.additionalProperties.state; Microsoft.Web/sites/siteConfig.azureStorageAccounts.additionalProperties; Microsoft.Web/sites/siteConfig.azureStorageAccounts; Microsoft.Web/sites/siteConfig.cors.supportCredentials; Microsoft.Web/sites/siteConfig.managedServiceIdentityId; Microsoft.Web/sites/siteConfig.xManagedServiceIdentityId; Microsoft.Web/sites/siteConfig.ipSecurityRestrictions[*].vnetSubnetResourceId; Microsoft.Web/sites/siteConfig.ipSecurityRestrictions[*].vnetTrafficTag; Microsoft.Web/sites/siteConfig.ipSecurityRestrictions[*].subnetTrafficTag; Microsoft.Web/sites/siteConfig.ipSecurityRestrictions[*].action; Microsoft.Web/sites/siteConfig.ipSecurityRestrictions[*].tag; Microsoft.Web/sites/siteConfig.ipSecurityRestrictions[*].priority; Microsoft.Web/sites/siteConfig.ipSecurityRestrictions[*].name; Microsoft.Web/sites/siteConfig.ipSecurityRestrictions[*].description; Microsoft.Web/sites/siteConfig.scmIpSecurityRestrictions[*].ipAddress; Microsoft.Web/sites/siteConfig.scmIpSecurityRestrictions[*].subnetMask; Microsoft.Web/sites/siteConfig.scmIpSecurityRestrictions[*].vnetSubnetResourceId; Microsoft.Web/sites/siteConfig.scmIpSecurityRestrictions[*].vnetTrafficTag; Microsoft.Web/sites/siteConfig.scmIpSecurityRestrictions[*].subnetTrafficTag; Microsoft.Web/sites/siteConfig.scmIpSecurityRestrictions[*].action; Microsoft.Web/sites/siteConfig.scmIpSecurityRestrictions[*].tag; Microsoft.Web/sites/siteConfig.scmIpSecurityRestrictions[*].priority; Microsoft.Web/sites/siteConfig.scmIpSecurityRestrictions[*].name; Microsoft.Web/sites/siteConfig.scmIpSecurityRestrictions[*].description; Microsoft.Web/sites/siteConfig.scmIpSecurityRestrictions[*]; Microsoft.Web/sites/siteConfig.scmIpSecurityRestrictions; Microsoft.Web/sites/siteConfig.scmIpSecurityRestrictionsUseMain; Microsoft.Web/sites/siteConfig.ftpsState; Microsoft.Web/sites/siteConfig.reservedInstanceCount; Microsoft.Web/sites/cloningInfo.sourceWebAppLocation; Microsoft.Web/sites/siteConfig.appSettings[*].value; Microsoft.Web/sites/siteConfig.metadata[*].value; Microsoft.Web/sites/instances.deployments.id; Microsoft.Web/sites/instances.deployments.status; Microsoft.Web/sites/instances.deployments.message; Microsoft.Web/sites/instances.deployments.author; Microsoft.Web/sites/instances.deployments.deployer; Microsoft.Web/sites/instances.deployments.active; Microsoft.Web/sites/instances.deployments.details; Microsoft.Web/sites/privateAccess.virtualNetworks.virtualNetworks[*].name; Microsoft.Web/sites/privateAccess.virtualNetworks.virtualNetworks[*].key; Microsoft.Web/sites/privateAccess.virtualNetworks.virtualNetworks[*].resourceId; Microsoft.Web/sites/privateAccess.virtualNetworks.virtualNetworks[*].subnets[*].name; Microsoft.Web/sites/privateAccess.virtualNetworks.virtualNetworks[*].subnets[*].key; Microsoft.Web/sites/privateAccess.virtualNetworks.virtualNetworks[*].subnets[*]; Microsoft.Web/sites/privateAccess.virtualNetworks.virtualNetworks[*].subnets; Microsoft.Web/sites/privateAccess.virtualNetworks.virtualNetworks[*]; Microsoft.Web/sites/privateAccess.virtualNetworks.virtualNetworks; Microsoft.Web/sites/siteConfig.apiManagementConfig.id; Microsoft.Web/sites/siteConfig.apiManagementConfig; Microsoft.Web/sites/siteConfig.preWarmedInstanceCount; Microsoft.Web/sites/siteConfig.healthCheckPath; Microsoft.Web/sites/siteConfig.powerShellVersion; Microsoft.Web/sites/siteConfig.acrUseManagedIdentityCreds; Microsoft.Web/sites/siteConfig.acrUserManagedIdentityID; Microsoft.Web/sites/basicPublishingCredentialsPolicies.ftp.allow; Microsoft.Web/sites/siteConfig.ipSecurityRestrictions[*].headers; Microsoft.Web/sites/siteConfig.scmIpSecurityRestrictions[*].headers; Microsoft.Web/sites/clientCertMode; Microsoft.Web/sites/customDomainVerificationId; Microsoft.Web/sites/siteConfig.scmMinTlsVersion; Microsoft.Web/sites/siteConfig.vnetRouteAllEnabled; Microsoft.Web/sites/siteConfig.vnetPrivatePortsCount; Microsoft.Web/sites/siteConfig.push.systemData; Microsoft.Web/sites/siteConfig.push.systemData.createdBy; Microsoft.Web/sites/siteConfig.push.systemData.createdByType; Microsoft.Web/sites/siteConfig.push.systemData.createdAt; Microsoft.Web/sites/siteConfig.push.systemData.lastModifiedBy; Microsoft.Web/sites/siteConfig.push.systemData.lastModifiedByType; Microsoft.Web/sites/siteConfig.push.systemData.lastModifiedAt; Microsoft.Web/sites/storageAccountRequired; Microsoft.Web/sites/siteConfig.autoHealRules.triggers.statusCodes[*].path; Microsoft.Web/sites/siteConfig.autoHealRules.triggers.slowRequests.path; Microsoft.Web/sites/siteConfig.autoHealRules.triggers.slowRequestsWithPath; Microsoft.Web/sites/siteConfig.autoHealRules.triggers.slowRequestsWithPath[*]; Microsoft.Web/sites/siteConfig.autoHealRules.triggers.slowRequestsWithPath[*].timeTaken; Microsoft.Web/sites/siteConfig.autoHealRules.triggers.slowRequestsWithPath[*].path; Microsoft.Web/sites/siteConfig.autoHealRules.triggers.slowRequestsWithPath[*].count; Microsoft.Web/sites/siteConfig.autoHealRules.triggers.slowRequestsWithPath[*].timeInterval; Microsoft.Web/sites/siteConfig.autoHealRules.triggers.statusCodesRange; Microsoft.Web/sites/siteConfig.autoHealRules.triggers.statusCodesRange[*]; Microsoft.Web/sites/siteConfig.autoHealRules.triggers.statusCodesRange[*].statusCodes; Microsoft.Web/sites/siteConfig.autoHealRules.triggers.statusCodesRange[*].path; Microsoft.Web/sites/siteConfig.autoHealRules.triggers.statusCodesRange[*].count; Microsoft.Web/sites/siteConfig.autoHealRules.triggers.statusCodesRange[*].timeInterval; Microsoft.Web/sites/siteConfig.keyVaultReferenceIdentity; Microsoft.Web/sites/siteConfig.functionAppScaleLimit; Microsoft.Web/sites/siteConfig.functionsRuntimeScaleMonitoringEnabled; Microsoft.Web/sites/siteConfig.websiteTimeZone; Microsoft.Web/sites/siteConfig.minimumElasticInstanceCount; Microsoft.Web/sites/siteConfig.publicNetworkAccess; Microsoft.Web/sites/keyVaultReferenceIdentity; Microsoft.Web/sites/virtualNetworkSubnetId; Microsoft.Web/sites/vnetRouteAllEnabled; Microsoft.Web/sites/vnetImagePullEnabled; Microsoft.Web/sites/vnetContentShareEnabled; Microsoft.Web/sites/publicNetworkAccess'. Please open a CSS ticket at https://azure.microsoft.com/support/create-ticket to request new aliases.
- Error - The policy definition '7188d6df-02bf-4ad9-b89b-ba92270e9e55' rule is invalid. The 'field' property 'Microsoft.Web/sites/privateEndpointConnectionProxies' of the policy rule doesn't exist as an alias under provider 'Microsoft.Web' . can you guys give any suggestions on this issue?