Forum Discussion
How to Restrict Subscription in Azure Application Gateway Private Link Shared with Another tenant
The scenario you’re describing cannot be fully enforced using Azure Policy alone because Private Link access control is not subscription-based. Private Endpoint approval is handled at the resource level, and Application Gateway Private Link does not currently expose a mechanism to whitelist subscriptions the way services like Storage or Key Vault do.
For Application Gateway, the only supported way to restrict who can create a Private Endpoint is through manual or approved-mode connection workflows, but those workflows do not include subscription filtering logic.
To achieve your goal, there are two practical options:
- Approval workflow with a custom validation process
Run the Private Link service in manual approval mode and validate each incoming connection using automation. For example, you can trigger an Event Grid notification when a Private Endpoint connection request is created and have an Azure Function or Logic App check the requestor subscription. If the subscription is not allowed, the automation denies the request. This is currently the only reliable way to enforce subscription restrictions for Application Gateway.
- Use a Private Link Service (PLS) instead of the Application Gateway Private Link feature
A full PLS allows you to:
- Restrict source virtual networks
- Restrict specific IP ranges
- Use network ACLs
- Perform source verification before approval
Application Gateway Private Link does not support these capabilities, but a dedicated PLS does. If your architecture allows shifting the entry point from App Gateway to a PLS-fronted service, you gain fine-grained control.
At the moment, Application Gateway Private Link does not support subscription-level restrictions or policy-based auto-approval. A custom approval automation or a shift to a Private Link Service is required to enforce your security requirements.
If Microsoft adds subscription scoping to App Gateway PL in the future, it would align with other PL-enabled services, but for now automation is the only workable approach.
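The approval-automation option described above (Event Grid notification, function checks the requestor's subscription, denies if not allowlisted), as an added example that is not part of the original post. It assumes an Event Grid-like event whose `data` carries the App Gateway private endpoint connection ID and the requesting private endpoint's ARM ID (field names `privateEndpointConnectionId` and `privateEndpointId` are assumed); the allowlist and sample events are constructed placeholders.

```python
import re
from typing import Optional

# Constructed allowlist of subscription IDs permitted to connect (placeholder GUIDs).
ALLOWED_SUBSCRIPTIONS = {
    "11111111-1111-1111-1111-111111111111",
}

# ARM IDs start with /subscriptions/<guid>/...; the requesting tenant's subscription
# is the one in the private endpoint's own resource ID, not the App Gateway's.
_SUB_RE = re.compile(r"^/subscriptions/([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})/", re.IGNORECASE)


def subscription_from_resource_id(resource_id: Optional[str]) -> Optional[str]:
    """Return the lower-cased subscription GUID from an ARM resource ID, or None if malformed."""
    m = _SUB_RE.match(resource_id or "")
    return m.group(1).lower() if m else None


def decide(event: dict) -> dict:
    """Decide one pending connection request. Fails closed on missing or malformed fields."""
    data = event.get("data") or {}
    conn_id = data.get("privateEndpointConnectionId", "")
    requester = subscription_from_resource_id(data.get("privateEndpointId"))
    if requester is None:
        status, reason = "Rejected", "private endpoint id missing or malformed"
    elif requester in ALLOWED_SUBSCRIPTIONS:
        status, reason = "Approved", f"subscription {requester} is allowlisted"
    else:
        status, reason = "Rejected", f"subscription {requester} is not allowlisted"
    # Write-back (not shown here): set the connection's privateLinkServiceConnectionState
    # to `status` via the Network management SDK or `az network private-endpoint-connection approve|reject`.
    return {"connection": conn_id, "status": status, "reason": reason}


# Constructed sample events in an Event Grid-like shape (field names assumed, GUIDs are placeholders).
_GW = "/subscriptions/aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa/resourceGroups/hub-rg/providers/Microsoft.Network/applicationGateways/appgw"
SAMPLE_EVENTS = [
    {"data": {"privateEndpointConnectionId": f"{_GW}/privateEndpointConnections/pe-ok",
              "privateEndpointId": "/SUBSCRIPTIONS/11111111-1111-1111-1111-111111111111/resourceGroups/spoke-rg/providers/Microsoft.Network/privateEndpoints/pe-ok"}},
    {"data": {"privateEndpointConnectionId": f"{_GW}/privateEndpointConnections/pe-other",
              "privateEndpointId": "/subscriptions/99999999-9999-9999-9999-999999999999/resourceGroups/x-rg/providers/Microsoft.Network/privateEndpoints/pe-other"}},
    {"data": {"privateEndpointConnectionId": f"{_GW}/privateEndpointConnections/pe-broken",
              "privateEndpointId": "not-an-arm-id"}},
]


def process(events: list) -> list:
    """Decide every pending request; returns one decision dict per event."""
    return [decide(e) for e in events]


if __name__ == "__main__":
    for d in process(SAMPLE_EVENTS):
        print(d["status"], d["connection"].rsplit("/", 1)[-1], "-", d["reason"])
```

The subscription comparison is case-insensitive and anything that does not parse as an ARM ID is rejected, so a malformed or missing field never results in an approval.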