Forum Discussion
Anjaneya_Datla
Mar 27, 2023 | Copper Contributor
Allowed resource types: Microsoft.Web/sites/privateEndpointConnectionProxies not available
Hi Microsoft Team, We have started implementing some governance policies across our organization. One of the policies that we are trying to implement is Allowed resource types. We want to allow o...
josequintino
Mar 28, 2023 | Iron Contributor
The issue you're encountering might be related to the fact that Microsoft.Web/sites/privateEndpointConnectionProxies is not a standalone resource type but rather a sub-resource of Microsoft.Web/sites. To resolve this issue, you can try one of the following approaches:
1- Modify the existing policy to allow private endpoint connections for App Services.
To do this, you can update the list of allowed resource types in your policy to include Microsoft.Network/privateEndpoints and Microsoft.Network/privateLinkServices. This will allow you to create private endpoint connections for all the resources in your subscription, including App Services.
2- Create a custom Azure Policy definition that allows specific resource types and sub-resources.
To create a custom policy definition, follow these steps:
a. In the Azure portal, search for "Policy" and click on the "Policy" service.
b. In the left-hand menu, click "Definitions" under "Authoring."
c. Click the "+ Policy Definition" button.
d. Fill in the required information, such as the policy name, description, and category.
e. In the "Policy Rule" section, add the JSON content for your custom policy. You can use the following example as a starting point:
```json
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "notIn": [
          "Microsoft.Web/sites",
          "Microsoft.Network/privateEndpoints",
          "Microsoft.Network/privateLinkServices"
        ]
      },
      {
        "field": "Microsoft.Web/sites/privateEndpointConnectionProxies",
        "exists": "false"
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}
```
This policy rule checks if the resource type is allowed and also checks whether the private endpoint connection proxies sub-resource exists.
f. Click "Save" to create the custom policy definition.
g. Assign the custom policy definition to your desired scope (subscription, management group, or resource group).
By creating a custom policy definition or modifying the existing policy to allow private endpoint connections, you should be able to create App Services with private endpoints without encountering issues.
Anjaneya_Datla
Mar 28, 2023 | Copper Contributor
josequintino Thank you for the response.
Have a question on approach number 1. To modify the built-in policy "Allowed resource types" (https://www.azadvertizer.net/azpolicyadvertizer/a08ec900-254a-4555-9bf5-e42af04b5c5c.html): the policy parameters are generated dynamically (at least from what I have noticed), and that dynamically generated list doesn't have the sub-resource which is causing the issue. Is there a way to modify these parameters to add Microsoft.Web/sites/privateEndpointConnectionProxies?