Tags: azure, azure-cli

Cannot create private endpoint for Application Gateway


I'm trying to create a Private Endpoint for an Azure Application Gateway in my environment, but I keep getting the following error, although the private link exists and is in "Succeeded" state:

ERROR: (ApplicationGatewayPrivateLinkOperationError) Call to Microsoft.Network/applicationGateways failed. Error message: Cannot perform private link operation on ApplicationGateway /subscriptions/26d8a9f9../resourceGroups/rg-dev-new-test5/providers/Microsoft.Network/applicationGateways/app-gateway-dev. Please make sure application gateway has private link configuration. Code: ApplicationGatewayPrivateLinkOperationError Message: Call to Microsoft.Network/applicationGateways failed. Error message: Cannot perform private link operation on ApplicationGateway /subscriptions/26d8a9f9../resourceGroups/rg-dev-new-test5/providers/Microsoft.Network/applicationGateways/app-gateway-dev. Please make sure application gateway has private link configuration.

Steps Taken:

  1. Created a Virtual Network with a dedicated subnet for the Application Gateway.

  2. Created a Public IP for the Application Gateway.

  3. Created a WAF Policy and associated it with the Application Gateway.

  4. Deployed the Application Gateway successfully with the WAF_v2 SKU.

  5. Attempted to create a Private Endpoint.

Below is a standalone bash script that demonstrates the problem:

#!/bin/bash
set -e
export MSYS_NO_PATHCONV=1

# Configurations
LOCATION="westeurope"
RG="rg-dev-new-test5"
VNET="vnet-ai-services-dev"
ADDR="10.0.0.0/16"
APPGW_SUBNET="app-gateway-subnet-dev"
APPGW_PREFIX="10.0.2.0/24"
PE_SUBNET="private-endpoint-subnet-dev"
PE_PREFIX="10.0.9.0/24"
APPGW="app-gateway-dev"
WAF="waf-policy-dev"
PIP="appgw-public-ip"
PRIVATE_LINK_CONFIG="appgw-private-link-config"
SUB_ID=$(az account show --query id -o tsv)

# Create Resource Group
az group create -n $RG -l $LOCATION

# Create Virtual Network with Application Gateway subnet
az network vnet create -g $RG -n $VNET --address-prefix $ADDR \
  --subnet-name $APPGW_SUBNET --subnet-prefix $APPGW_PREFIX

# Create Private Endpoint subnet
az network vnet subnet create -g $RG --vnet-name $VNET -n $PE_SUBNET \
  --address-prefixes $PE_PREFIX --disable-private-link-service-network-policies true

# Create Public IP for Application Gateway
az network public-ip create -g $RG -n $PIP --sku Standard --allocation-method Static

# Create WAF Policy
az network application-gateway waf-policy create -g $RG -n $WAF -l $LOCATION

# Construct WAF Policy ID
WAF_ID="/subscriptions/$SUB_ID/resourceGroups/$RG/providers/Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies/$WAF"

# Create Application Gateway with WAF_v2 SKU and Priority
az network application-gateway create -n $APPGW -g $RG -l $LOCATION \
  --capacity 2 --sku WAF_v2 --vnet-name $VNET --subnet $APPGW_SUBNET \
  --public-ip-address $PIP --frontend-port 80 --http-settings-port 80 \
  --http-settings-protocol Http --routing-rule-type Basic --waf-policy $WAF_ID \
  --priority 100

# Get Application Gateway Frontend IP Configuration Name
FRONTEND_IP_NAME=$(az network application-gateway frontend-ip list --gateway-name $APPGW --resource-group $RG --query "[0].name" -o tsv)

# Add Private Link Configuration to Application Gateway
az network application-gateway private-link add \
  --resource-group $RG \
  --gateway-name $APPGW \
  --name $PRIVATE_LINK_CONFIG \
  --frontend-ip $FRONTEND_IP_NAME \
  --subnet "/subscriptions/$SUB_ID/resourceGroups/$RG/providers/Microsoft.Network/virtualNetworks/$VNET/subnets/$PE_SUBNET"

# Get Private Link Configuration ID
PRIVATE_LINK_CONFIG_ID=$(az network application-gateway private-link show \
  --resource-group $RG \
  --gateway-name $APPGW \
  --name $PRIVATE_LINK_CONFIG \
  --query id -o tsv)

# Get Application Gateway ID
APPGW_ID=$(az network application-gateway show -n $APPGW -g $RG --query id -o tsv)

# Attempt to create Private Endpoint (expected to succeed if supported)
az network private-endpoint create -n "appgw-pe" -g $RG --vnet-name $VNET \
  --subnet $PE_SUBNET \
  --private-connection-resource-id $APPGW_ID \
  --group-id "gateway" \
  --connection-name "appgw-pec" \
  --location $LOCATION

What part of the code needs adjustment so that the private-endpoint create command can recognize the private link?


Solution

    Microsoft.Network/applicationGateways failed. Error message: Cannot perform private link operation on ApplicationGateway /subscriptions/26d8a9f9../resourceGroups/rg-dev-new-test5/providers/Microsoft.Network/applicationGateways/app-gateway-dev. Please make sure application gateway has private link configuration.

    The error above was encountered due to invalid values passed in the command az network private-endpoint create.

    When I passed the invalid values in the command, I encountered the same error as you.


    To resolve the issue, make sure to pass the correct values. The Group ID should be the Frontend IP Configuration name, and the connection name should be the Private Link Configuration's name.


    Here is the updated script for creating a private endpoint for the application gateway.

    # Disable private link service network policies on the private endpoint subnet
    $subnetupdate = az network vnet subnet update --name "APP-Subnet2" --vnet-name "App-Vnet" --resource-group "application-RG" --disable-private-link-service-network-policies true

    # --group-id for the private endpoint is the name of the gateway's frontend IP configuration
    $appgateway = az network application-gateway frontend-ip list --gateway-name "Venkat-app-gateway" --resource-group "application-RG"
    $appgatewayJson = $appgateway | ConvertFrom-Json
    $groupid = $appgatewayJson[0].name

    # Resource ID of the gateway, used as --private-connection-resource-id
    $appgatewayID = az network application-gateway show -n "Venkat-app-gateway" -g "application-RG" --query id -o tsv

    # Attach a private link configuration to the public frontend IP configuration
    $privatelink = az network application-gateway private-link add --frontend-ip "appGwPublicFrontendIpIPv4" --name "privateLinkConfig01" --subnet "/subscriptions/8332bf56-aa7c-4daa-a507-d7e60e5f09a9/resourceGroups/application-RG/providers/Microsoft.Network/virtualNetworks/App-Vnet/subnets/App-subnet" --gateway-name "Venkat-app-gateway" --resource-group "application-RG"

    # Read the private link configuration back; its name is used as --connection-name
    $privatelink = az network application-gateway private-link list --gateway-name "Venkat-app-gateway" --resource-group "application-RG"
    $appprivatelinkJson = $privatelink | ConvertFrom-Json
    $frontendipconfiguration = $appprivatelinkJson[0].name   # holds the private link configuration name

    # Create the private endpoint with the derived group ID and connection name
    az network private-endpoint create --name "AppGWPrivateEndpoint2" --resource-group "application-RG" --vnet-name "App-Vnet" --subnet "APP-Subnet2" --group-id $groupid --private-connection-resource-id $appgatewayID --connection-name $frontendipconfiguration


    Output:


    Reference: Configure Azure Application Gateway Private Link
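As an added pre-flight check (my own example, not code from the question or the answer above): before calling az network private-endpoint create, derive the valid --group-id values from the gateway's own JSON rather than guessing a literal like "gateway". It assumes the key names frontendIpConfigurations and privateLinkConfigurations as emitted by az network application-gateway show -o json, and uses a constructed gateway document in place of real CLI output.

```python
"""Pre-flight check for 'az network private-endpoint create' on an Application
Gateway: derive --group-id (the frontend IP configuration that carries a private
link configuration) from 'az network application-gateway show -o json' output.
Assumed CLI key names: frontendIpConfigurations, privateLinkConfigurations."""
import json

# Constructed sample mirroring the question's gateway (not real CLI output).
SAMPLE_APPGW = json.dumps({
    "name": "app-gateway-dev",
    "id": "/subscriptions/<sub>/resourceGroups/rg-dev-new-test5/providers/"
          "Microsoft.Network/applicationGateways/app-gateway-dev",
    "frontendIpConfigurations": [{
        "name": "appGatewayFrontendIP",
        "publicIpAddress": {"id": "/subscriptions/<sub>/.../appgw-public-ip"},
        "privateLinkConfiguration": {"id": "/subscriptions/<sub>/.../appgw-private-link-config"},
    }],
    "privateLinkConfigurations": [{
        "name": "appgw-private-link-config",
        "ipConfigurations": [{"name": "privateLinkIpConfig1",
                             "subnet": {"id": "/subscriptions/<sub>/.../private-endpoint-subnet-dev"}}],
    }],
})

def private_link_group_ids(appgw):
    """Valid --group-id values: names of frontend IP configurations with a private
    link configuration attached. A literal such as "gateway" is not one of them
    and the service answers with ApplicationGatewayPrivateLinkOperationError."""
    return [f["name"] for f in appgw.get("frontendIpConfigurations", [])
            if f.get("privateLinkConfiguration")]

def check_private_endpoint_request(appgw_json, group_id):
    """Return a list of problems; an empty list means the values are consistent."""
    appgw = json.loads(appgw_json)
    problems = []
    if not appgw.get("privateLinkConfigurations"):
        problems.append("gateway has no private link configuration")
    valid = private_link_group_ids(appgw)
    if group_id not in valid:
        problems.append(f"group-id {group_id!r} is not one of {valid}")
    return problems

def private_endpoint_create_args(appgw_json, pe_name, rg, vnet, subnet):
    """Argument list for the az CLI call with the derived values; the connection
    name reuses the private link configuration name, as the answer above does."""
    appgw = json.loads(appgw_json)
    group_id = private_link_group_ids(appgw)[0]
    conn = appgw["privateLinkConfigurations"][0]["name"]
    return ["az", "network", "private-endpoint", "create", "-n", pe_name, "-g", rg,
            "--vnet-name", vnet, "--subnet", subnet, "--private-connection-resource-id",
            appgw["id"], "--group-id", group_id, "--connection-name", conn]
```

Running the check with the question's literal "gateway" reports the mismatch and lists the frontend IP configuration name that the service actually accepts.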