Is it reasonable to request a private endpoint for management.azure.com?

Asked By CuriousCloudB31 On

I'm relatively new to Azure with about eight months of experience, primarily coming from an AWS background. I've set up a Hub & Spoke model using Infrastructure as Code with Bicep and PowerShell scripts and have been working to ensure that developers' requirements are met. Recently, a request came in asking to associate "management.azure.com" with a private endpoint. This has raised some concerns for me, as I want to ensure we're making the right choices in our setup.

For context, our current environment includes several spokes: Spoke-Dev for applications (mostly containers), ACR for container registry, GHR for GitHub-hosted runners, and Conn for our VPN gateway and Azure Firewall, which connects to our on-premises resources. There's also a private DNS resolver for conditional forwarding between on-prem and Azure.

All I have from the developers right now is a request for a private endpoint for 'management.azure.com' in the Conn subscription. I'm unsure if this is a standard practice or a potential issue. Should I be pushing back on this request?

5 Answers

Answered By NerdyNetworker77 On

It sounds like someone might just be going through the motions without truly understanding the request. They may feel that having everything on a private network means they need a private endpoint for management.azure.com, but that’s not necessarily how it works.

Answered By CloudWizardX88 On

You can't really associate 'management.azure.com' with a private endpoint because that's part of the Azure Resource Manager (ARM) control plane. It seems like the developers might be trying to restrict access to that management endpoint, but there are better ways to do it. It's worth checking with them to clarify their actual goals before moving forward with this request.

Answered By SysAdminSage22 On

Usually, developers don't communicate their operational requests clearly. It might help to ask them to explain exactly what they're trying to achieve. Once you get more details, you might find out they actually want something entirely different.

Answered By ServerSavvy27 On

They might not realize that even without a private endpoint, traffic to management.azure.com stays within Microsoft's global network and never hits the public Internet. So, you could remind them of that to provide some clarity.

Answered By TechieTurtle93 On

As it turns out, while it isn't typically needed, it is actually supported. You can set up a private link for resource management. However, be aware that some Azure services like AKS and Bastion aren't compatible with it, so that could create problems for organizations if they rely on those services.
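For reference, this is what the supported setup actually consists of, written as an added Az PowerShell example (not code from the thread or from Microsoft's docs): a resource management private link, its management-group association, a private endpoint in the Conn spoke, and the DNS zone. Resource names, region, the management-group ID, and the VNet/subnet are assumed placeholders; it assumes the Az.Resources, Az.Network and Az.PrivateDns modules and a signed-in session.

```powershell
# Added example, not from the original thread. Placeholders below are assumptions.
$rg       = 'rg-conn-rmpl'            # assumed resource group in the Conn subscription
$location = 'westeurope'              # assumed region
$mgId     = '<management-group-id>'   # placeholder: must contain every subscription that should use the link
$vnetRg   = '<vnet-resource-group>'   # placeholder
$vnetName = '<hub-vnet-name>'         # placeholder
$subnet   = '<private-endpoint-subnet>'  # placeholder

# 1. The resource management private link (the object a private endpoint attaches to).
$rmpl = New-AzResourceManagementPrivateLink -ResourceGroupName $rg -Name 'rmpl-conn' -Location $location

# 2. Associate it with a management group. Leave PublicNetworkAccess 'enabled':
#    'disabled' blocks the public management.azure.com path for every subscription
#    under the group, which is exactly what breaks services that depend on that path.
$pla = New-AzPrivateLinkAssociation -ManagementGroupId $mgId -Name (New-Guid).Guid `
         -PrivateLink $rmpl.Id -PublicNetworkAccess 'enabled'

# 3. Private endpoint in the Conn spoke subnet; the group ID for ARM is 'ResourceManagement'.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $vnetRg -Name $vnetName
$peSubnet = $vnet.Subnets | Where-Object Name -eq $subnet
$svc = New-AzPrivateLinkServiceConnection -Name 'rmpl-conn-svc' `
         -PrivateLinkServiceId $rmpl.Id -GroupId 'ResourceManagement'
$pe = New-AzPrivateEndpoint -ResourceGroupName $rg -Name 'pe-rmpl-conn' -Location $location `
        -Subnet $peSubnet -PrivateLinkServiceConnection $svc

# 4. DNS: the zone for the ARM private link is privatelink.azure.com. Link it to the hub VNet
#    and add the zone group so the endpoint's A record is managed automatically.
#    On-prem clients still need the private DNS resolver to forward this zone.
$zone = New-AzPrivateDnsZone -ResourceGroupName $rg -Name 'privatelink.azure.com'
New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zone.Name `
  -Name 'link-hub' -VirtualNetworkId $vnet.Id | Out-Null
$zoneCfg = New-AzPrivateDnsZoneConfig -Name 'privatelink-azure-com' -PrivateDnsZoneId $zone.ResourceId
New-AzPrivateDnsZoneGroup -ResourceGroupName $rg -PrivateEndpointName $pe.Name `
  -Name 'default' -PrivateDnsZoneConfig $zoneCfg | Out-Null

# 5. Read the association back so the public-access setting is confirmed before anyone relies on it.
Get-AzPrivateLinkAssociation -ManagementGroupId $mgId | Format-List
```

The association is the part to review carefully: it applies to the whole management group, so the AKS and Bastion caveat above is a reason to keep public access enabled unless every subscription under that group has been checked.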
