Reputation: 37
We're currently in the process of setting up a private endpoint for our Azure Application Gateway to be shared with another tenant. However, we've encountered an issue regarding approval.
We understand that anyone can add the resource ID of the application gateway to the private endpoint, which will then automatically grant approval. While this seems convenient, we're concerned about potential security implications and would prefer a more controlled approach.
Is there a way to ensure that only authorized individuals can add the resource ID of the application gateway to the private endpoint for approval? We want to maintain tighter control over access permissions to minimize security risks.
Any insights or best practices for managing this process would be greatly appreciated. Thank you!
Deployment of Azure AKS: We provisioned an Azure AKS cluster to host our containerized workloads securely.
Setup of Azure Application Gateway: An Azure Application Gateway has been deployed to serve as the frontend gateway for managing inbound traffic to our AKS applications.
Configuration of Private Link in Application Gateway: Within the Azure Application Gateway configuration, we enabled Private Link support to establish private connections.
Creation of Private Endpoints: In the Azure portal, we created Private Endpoints for the AKS services in the other tenant's Azure environment.
Sharing of Resource ID: We shared the resource ID of the Azure Application Gateway's Private Link endpoint with the other tenant.
Establishment of Connection: The other tenant utilized the provided resource ID to establish connections from their Private Endpoints to the Azure Application Gateway.
Verification of Connection: Within the Azure portal, we verified the successful establishment of connections from the other tenant's Private Endpoints to the Azure Application Gateway.
By following these steps, we've effectively set up Private Link connections between our Azure AKS cluster and the Azure Application Gateway, enabling multi-tenancy and ensuring secure communication between tenants and services.
Upvotes: 0
Views: 152
Reputation: 3761
We understand that anyone can add the resource ID of the application gateway to the private endpoint,
This statement is correct.
which will then automatically grant approval.
This is not correct. Only if the user has sufficient permissions in both subscriptions will the request be auto-approved.
I tried to repro this and was expected to approve manually.
This is documented here
With that said,
You can make use of RBAC to provide access to only authorized/specific individuals to access the App gateway.
Should you feel you need a custom RBAC role for this, you can consider using the Microsoft.Network/applicationGateways/privateEndpointConnections/* permissions.
Kindly refer to the MS Doc in order to choose the appropriate permissions according to your requirement.
Upvotes: 0
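As an added example (this is not code from the question or the answer above), the following Azure CLI script covers both sides of the workflow: the consumer-side private endpoint request the question's steps describe, and the RBAC control the answer recommends, namely a custom role limited to the privateEndpointConnections sub-resource of one Application Gateway, assigned at gateway scope, plus helpers to list, approve and reject pending connections. The subscription ID, resource group, gateway name, role name, the exact action set, the frontend IP configuration name used as group-id, and the JMESPath filter are all assumptions; compare the actions against the Azure documentation for private endpoint connection approval before creating the role.

```shell
#!/usr/bin/env bash
# Added example, not code from the original question or answer.
# Restrict who may approve private endpoint connections on one Application
# Gateway with a custom RBAC role scoped to that gateway, then use that right
# to review/approve/reject requests. All IDs and names are placeholders.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # assumed
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-appgw}"                                  # assumed
APPGW_NAME="${APPGW_NAME:-appgw-shared}"                                      # assumed
ROLE_NAME="${ROLE_NAME:-AppGw Private Endpoint Approver}"                     # assumed

# Full ARM resource ID of the gateway: this is what the other tenant puts in
# its private endpoint, and the scope of both the role and the assignment.
appgw_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/applicationGateways/%s' \
    "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$APPGW_NAME"
}

# Custom role: read the gateway, and read/write/delete only its
# privateEndpointConnections sub-resource (approve = write, reject/remove = delete).
# No other gateway actions (listeners, rules, certificates) are granted, and the
# role cannot be assigned above the gateway itself. Action names are an assumption
# to be checked against the Azure RBAC docs.
role_definition_json() {
  cat <<EOF
{
  "Name": "${ROLE_NAME}",
  "IsCustom": true,
  "Description": "Approve/reject private endpoint connections on one Application Gateway",
  "Actions": [
    "Microsoft.Network/applicationGateways/read",
    "Microsoft.Network/applicationGateways/privateEndpointConnections/read",
    "Microsoft.Network/applicationGateways/privateEndpointConnections/write",
    "Microsoft.Network/applicationGateways/privateEndpointConnections/delete"
  ],
  "NotActions": [],
  "AssignableScopes": [ "$(appgw_id)" ]
}
EOF
}

create_role() {
  tmp="$(mktemp)"
  role_definition_json > "$tmp"
  az role definition create --role-definition "@${tmp}"
  rm -f "$tmp"
}

# Assign the role to one principal at gateway scope only, not at RG/subscription.
assign_role() {   # usage: assign_role <principal-object-id> [User|Group|ServicePrincipal]
  az role assignment create --assignee-object-id "$1" \
    --assignee-principal-type "${2:-User}" --role "$ROLE_NAME" --scope "$(appgw_id)"
}

# Consumer side (the other tenant): request a connection to the gateway by its
# resource ID. With --manual-request true the connection stays Pending until the
# gateway owner approves it. group-id is the gateway's private frontend IP
# configuration name (assumed default below).
request_connection() {  # usage: request_connection <rg> <pe-name> <vnet> <subnet> [frontend-ip-config]
  az network private-endpoint create -g "$1" -n "$2" --vnet-name "$3" --subnet "$4" \
    --private-connection-resource-id "$(appgw_id)" --group-id "${5:-appGwPrivateFrontendIp}" \
    --connection-name "$2" --manual-request true
}

# Connections still in Pending state need a human decision. The JMESPath filter
# assumes the raw ARM shape; check `-o json` output first if it returns nothing.
list_pending() {
  az network private-endpoint-connection list --id "$(appgw_id)" \
    --query "[?properties.privateLinkServiceConnectionState.status=='Pending'].{name:name,requester:properties.privateEndpoint.id}" \
    -o table
}

approve_connection() {  # usage: approve_connection <connection-name>
  az network private-endpoint-connection approve --name "$1" --resource-name "$APPGW_NAME" \
    -g "$RESOURCE_GROUP" --type Microsoft.Network/applicationGateways \
    --description "Approved by gateway owner"
}

reject_connection() {   # usage: reject_connection <connection-name>
  az network private-endpoint-connection reject --name "$1" --resource-name "$APPGW_NAME" \
    -g "$RESOURCE_GROUP" --type Microsoft.Network/applicationGateways \
    --description "Not an authorized consumer"
}

usage() {
  printf 'usage: %s {create-role|assign-role <object-id> [type]|list-pending|approve <name>|reject <name>}\n' "$0"
}

main() {
  case "${1:-}" in
    create-role)  create_role ;;
    assign-role)  assign_role "${2:?object id required}" "${3:-User}" ;;
    list-pending) list_pending ;;
    approve)      approve_connection "${2:?connection name required}" ;;
    reject)       reject_connection "${2:?connection name required}" ;;
    *)            usage ;;
  esac
}
main "$@"
```

Run `create-role` once as a subscription owner, then `assign-role <object-id>` for each person who should be allowed to approve; everyone else can still submit a request against the gateway's resource ID (the answer's first point), but without write on privateEndpointConnections their request stays Pending until one of the assigned approvers runs `approve <name>` or `reject <name>`. Keeping the assignable scope and the assignment at the gateway rather than the resource group means the role cannot be reused to approve connections on other gateways.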