MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Restrict access to only private endpoints #120049

Closed SilvanBuehler closed 1 week ago

SilvanBuehler commented 4 months ago

According to this article, it should be possible to restrict Azure resource management operations to private endpoints only. As I understand it, this should be active as soon as the private link exists, but this does not seem to be the case. In my test environment I configured a private link with a private endpoint. However, I am still able to manage all resources (including create/delete) without access to this private endpoint, over the public internet. Our goal is to restrict access to Azure resource management operations to private connections (VPN/ExpressRoute) only. How can we achieve this? Are we missing a setting?


AjayBathini-MSFT commented 4 months ago

@SilvanBuehler Thanks for your feedback! We will investigate and update as appropriate.

tfitzmac commented 4 months ago

@SilvanBuehler - do you have a resource management private link? Did you associate it with the root management group? Did you try the steps to verify the private DNS zone? https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/create-private-link-access-portal#verify-private-dns-zone

MonikaReddy-MSFT commented 4 months ago

@SilvanBuehler - Have you tried the steps above as mentioned by @tfitzmac?

SilvanBuehler commented 4 months ago

@tfitzmac & @MonikaReddy-MSFT Yes, I have a resource management private link associated with the root management group, and I have verified the private DNS zone. Deployments through this private link are working, but how can we restrict management access from outside this private link, as the documentation suggests? I am still able to manage resources from clients/networks that are not connected to the private link.

SilvanBuehler commented 4 months ago

Any update? Is the documentation wrong, or did I miss something in my configuration?

mumian commented 1 week ago

We have a new feedback system in place, so we need to close the remaining GitHub issues. I have created an issue in our internal tracking system.

please-close