Forum Discussion

Rohangupta
Copper Contributor
Feb 16, 2024

How to Restrict Subscription in Azure Application Gateway Private Link Shared with Another tenant

Hello Team,

We are currently facing a challenge with implementing cross-subscription private link connections in Azure, specifically subscription restriction and auto-approval features. We have a managed service running inside AKS and are utilizing an application gateway for it. Our goal is to leverage the private link feature available in the application gateway, allowing Azure customers from other tenants to securely connect to it as a private endpoint.

However, we need to restrict access to only allowed subscriptions for this resource ID and enable auto-approval for private endpoint connections from those specified subscriptions. We have explored Azure Policy as a solution, but unfortunately, we have not been successful in finding a suitable policy definition that meets our needs.

We attempted to utilize the policy definition available at http://prevent-cross-subscription-private-link-azurepolicy.json, which aims to prevent cross-subscription private link connections. Despite our efforts, it appears that this policy did not effectively achieve the desired outcome. Currently, anyone can use the resource ID and establish a private endpoint connection, which is not aligned with our security requirements.

Therefore, we kindly request your assistance in reviewing our current approach and providing guidance on how we can enforce subscription restrictions and enable auto-approval for private endpoint connections from specific subscriptions only. Any insights, recommendations, or alternative solutions you can offer would be greatly appreciated.

2 Replies

  • The scenario you’re describing cannot be fully enforced using Azure Policy alone because Private Link access control is not subscription-based. Private Endpoint approval is handled at the resource level, and Application Gateway Private Link does not currently expose a mechanism to whitelist subscriptions the way services like Storage or Key Vault do.

    For Application Gateway, the only supported way to restrict who can create a Private Endpoint is through manual or approved-mode connection workflows, but those workflows do not include subscription filtering logic.

    To achieve your goal, there are two practical options:

    1. Approval workflow with a custom validation process
      Run the Private Link service in manual approval mode and validate each incoming connection using automation. For example, you can trigger an Event Grid notification when a Private Endpoint connection request is created and have an Azure Function or Logic App check the requestor subscription. If the subscription is not allowed, the automation denies the request. This is currently the only reliable way to enforce subscription restrictions for Application Gateway.
    2. Use a Private Link Service (PLS) instead of the Application Gateway Private Link feature
      A full PLS allows you to:
      • Restrict source virtual networks
      • Restrict specific IP ranges
      • Use network ACLs
      • Perform source verification before approval

    Application Gateway Private Link does not support these capabilities, but a dedicated PLS does. If your architecture allows shifting the entry point from App Gateway to a PLS-fronted service, you gain fine-grained control.

    At the moment, Application Gateway Private Link does not support subscription-level restrictions or policy-based auto-approval. A custom approval automation or a shift to a Private Link Service is required to enforce your security requirements.

    If Microsoft adds subscription scoping to App Gateway PL in the future, it would align with other PL-enabled services, but for now automation is the only workable approach.
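The validate-then-approve automation the reply above describes, as an added example that is not part of the original thread and not a Microsoft sample. It swaps the Event Grid trigger for polling (run it from a timer-triggered Azure Function or a cron job): list the gateway's private endpoint connections, read the requester's subscription from the `properties.privateEndpoint.id` field of each pending connection, and approve or reject by allow-list. The allow-list GUIDs, resource names and the sample connection listing are constructed; the apply step assumes the Azure CLI `az network private-endpoint-connection list/approve/reject` commands and an authenticated session, and is off by default so the decision logic runs offline. Note that this checks only the subscription in the private endpoint's resource ID, not which VNet the endpoint sits in, and that a request whose subscription cannot be parsed is rejected rather than approved.

```python
"""Allow-list reconciler for Application Gateway private endpoint connections.

Added example (not from the thread). Poll the pending connections on the
gateway and approve/reject each one by the requester's subscription.
"""
import json
import re
import subprocess
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Hypothetical allow-list: customer subscriptions permitted to connect.
ALLOWED_SUBSCRIPTIONS = {
    "11111111-1111-1111-1111-111111111111",
    "abcdef00-0000-0000-0000-000000000002",
}

# A consumer's private endpoint ID is an ARM resource ID, so it starts with
# /subscriptions/<guid>/ and is set by ARM, not by the requester.
_SUB_RE = re.compile(
    r"^/subscriptions/([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})/", re.IGNORECASE
)


def subscription_of(resource_id: str) -> Optional[str]:
    """Return the lowercase subscription GUID at the start of an ARM resource ID, or None."""
    match = _SUB_RE.match(resource_id or "")
    return match.group(1).lower() if match else None


def decide(connection: Dict, allowed: Set[str]) -> Tuple[str, str]:
    """Map one privateEndpointConnection object to ('approve'|'reject'|'skip', reason).

    Field names follow the privateEndpointConnections child resource Azure returns:
    properties.privateEndpoint.id and properties.privateLinkServiceConnectionState.status.
    """
    props = connection.get("properties", {})
    status = props.get("privateLinkServiceConnectionState", {}).get("status", "")
    if status.lower() != "pending":
        return "skip", f"connection is already {status or 'in an unknown state'}"
    requester_sub = subscription_of(props.get("privateEndpoint", {}).get("id", ""))
    if requester_sub is None:
        # Fail closed: a request we cannot attribute to a subscription is rejected.
        return "reject", "requester subscription could not be determined"
    if requester_sub in allowed:
        return "approve", f"subscription {requester_sub} is on the allow-list"
    return "reject", f"subscription {requester_sub} is not on the allow-list"


def list_connections(gateway_id: str) -> List[Dict]:
    """Fetch the gateway's connections via the Azure CLI (assumed command; needs `az login`)."""
    out = subprocess.run(
        ["az", "network", "private-endpoint-connection", "list", "--id", gateway_id, "-o", "json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)


def reconcile(connections: Iterable[Dict], allowed: Iterable[str],
              apply: bool = False) -> List[Tuple[str, str, str]]:
    """Decide every connection; with apply=True also approve/reject through the CLI."""
    allowed_lc = {s.lower() for s in allowed}
    decisions = []
    for conn in connections:
        action, reason = decide(conn, allowed_lc)
        decisions.append((conn["id"], action, reason))
        if apply and action in ("approve", "reject"):
            subprocess.run(
                ["az", "network", "private-endpoint-connection", action,
                 "--id", conn["id"], "--description", reason],
                check=True,
            )
    return decisions


# Constructed sample listing for a gateway named "appgw" in the provider subscription.
_GW = ("/subscriptions/aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa/resourceGroups/provider-rg"
       "/providers/Microsoft.Network/applicationGateways/appgw")
_PE = "/subscriptions/{}/resourceGroups/{}/providers/Microsoft.Network/privateEndpoints/{}"


def _conn(name: str, pe_id: str, status: str) -> Dict:
    return {"id": f"{_GW}/privateEndpointConnections/{name}",
            "properties": {"privateEndpoint": {"id": pe_id},
                           "privateLinkServiceConnectionState": {"status": status, "description": ""}}}


SAMPLE_CONNECTIONS = [
    _conn("cust-a.1", _PE.format("11111111-1111-1111-1111-111111111111", "cust-a", "pe-a"), "Pending"),  # allowed
    _conn("cust-b.1", _PE.format("ABCDEF00-0000-0000-0000-000000000002", "cust-b", "pe-b"), "Pending"),  # allowed, GUID case differs
    _conn("cust-c.1", _PE.format("99999999-9999-9999-9999-999999999999", "cust-c", "pe-c"), "Pending"),  # not allowed
    _conn("cust-a.0", _PE.format("11111111-1111-1111-1111-111111111111", "cust-a", "pe-old"), "Approved"),  # already handled
    _conn("odd.1", "not-an-arm-id", "Pending"),  # unattributable
]

if __name__ == "__main__":
    for conn_id, action, reason in reconcile(SAMPLE_CONNECTIONS, ALLOWED_SUBSCRIPTIONS):
        print(f"{action:8} {conn_id.rsplit('/', 1)[-1]:10} {reason}")
```

Run as-is it only prints decisions for the constructed sample; in a Function, replace `SAMPLE_CONNECTIONS` with `list_connections(<gateway resource ID>)` and pass `apply=True`. The GUID comparison is case-insensitive because ARM may return subscription IDs in either case.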

  • Currently, Azure Application Gateway Private Link does not provide native support for subscription-level restrictions or selective auto-approval lists. Configuration options are limited to either manual approval or tenant-wide auto-approval. To implement subscription-specific controls, organizations must leverage Private Link access control lists (ACLs) in conjunction with manual approval processes or custom automation (such as Azure Functions or Logic Apps) that validate the requesting subscription prior to granting approval.
