How to Restrict Subscription in Azure Application Gateway Private Link Shared with Another tenant

Hello Team,

We are currently facing a challenge with implementing cross-subscription private link connections in Azure, specifically subscription restriction and auto-approval features. We have a managed service running inside AKS and are utilizing an application gateway for it. Our goal is to leverage the private link feature available in the application gateway, allowing Azure customers from other tenants to securely connect to it as a private endpoint.

However, we require to restrict access to only allowed subscriptions for this resource ID and enable auto-approval for private endpoint connections from those specified subscriptions. We have explored Azure Policy as a solution, but unfortunately, we have not been successful in finding a suitable policy definition that meets our needs.

We attempted to utilize the policy definition available at http://prevent-cross-subscription-private-link-azurepolicy.json

which aims to prevent cross-subscription private link connections. Despite our efforts, it appears that this policy did not effectively achieve the desired outcome. Currently, anyone can use the resource ID and establish a private endpoint connection, which is not aligned with our security requirements.

Therefore, we kindly request your assistance in reviewing our current approach and providing guidance on how we can enforce subscription restrictions and enable auto-approval for private endpoint connections from specific subscriptions only. Any insights, recommendations, or alternative solutions you can offer would be greatly appreciated.