Azure RBAC permissions for Azure Private Link
Access management for cloud resources is a critical function for any organization. Azure role-based access control (Azure RBAC) manages access and operations of Azure resources.
To deploy a private endpoint or private link service a user must have assigned a built-in role such as:
You can provide more granular access by creating a custom role with the permissions described in the following sections.
Important
This article lists the specific permissions to create a private endpoint or private link service. Ensure you add the specific permissions related to the service you would like to grant access through private link, such as Microsoft.SQL Contributor Role for Azure SQL. For more information about built-in roles, see Role Based Access Control.
Microsoft.Network and the specific resource provider you are deploying, for example Microsoft.Sql, must be registered at the subscription level:
Private endpoint
This section lists the granular permissions required to deploy a private endpoint, manage private endpoint subnet policies, and deploy dependent resources
Action | Description |
---|---|
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourcegroups/resources/read | Read the resources for the resource group |
Microsoft.Network/virtualNetworks/read | Read the virtual network definition |
Microsoft.Network/virtualNetworks/subnets/read | Read a virtual network subnet definition |
Microsoft.Network/virtualNetworks/subnets/write | Creates a virtual network subnet or updates an existing virtual network subnet. Not explicitly needed to deploy a private endpoint, but necessary for managing private endpoint subnet policies |
Microsoft.Network/virtualNetworks/subnets/join/action | Allow a private endpoint to join a virtual network |
Microsoft.Network/privateEndpoints/read | Read a private endpoint resource |
Microsoft.Network/privateEndpoints/write | Creates a new private endpoint, or updates an existing private endpoint |
Microsoft.Network/locations/availablePrivateEndpointTypes/read | Read available private endpoint resources |
Here is the JSON format of the above permissions. Input your own roleName, description, and assignableScopes:
{
"properties": {
"roleName": "Role Name",
"description": "Description",
"assignableScopes": [
"/subscriptions/SubscriptionID/resourceGroups/ResourceGroupName"
],
"permissions": [
{
"actions": [
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/subnets/write",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Network/privateEndpoints/read",
"Microsoft.Network/privateEndpoints/write",
"Microsoft.Network/locations/availablePrivateEndpointTypes/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
]
}
}
Private link service
This section lists the granular permissions required to deploy a private link service, manage private link service subnet policies, and deploy dependent resources
Action | Description |
---|---|
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourcegroups/resources/read | Read the resources for the resource group |
Microsoft.Network/virtualNetworks/read | Read the virtual network definition |
Microsoft.Network/virtualNetworks/subnets/read | Read a virtual network subnet definition |
Microsoft.Network/virtualNetworks/subnets/write | Creates a virtual network subnet or updates an existing virtual network subnet. Not explicitly needed to deploy a private link service, but necessary for managing private link subnet policies |
Microsoft.Network/privateLinkServices/read | Read a private link service resource |
Microsoft.Network/privateLinkServices/write | Creates a new private link service, or updates an existing private link service |
Microsoft.Network/privateLinkServices/privateEndpointConnections/read | Read a private endpoint connection definition |
Microsoft.Network/privateLinkServices/privateEndpointConnections/write | Creates a new private endpoint connection, or updates an existing private endpoint connection |
Microsoft.Network/networkSecurityGroups/join/action | Joins a network security group |
Microsoft.Network/loadBalancers/read | Read a load balancer definition |
Microsoft.Network/loadBalancers/write | Creates a load balancer or updates an existing load balancer |
{
"properties": {
"roleName": "Role Name",
"description": "Description",
"assignableScopes": [
"/subscriptions/SubscriptionID/resourceGroups/ResourceGroupName"
],
"permissions": [
{
"actions": [
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/subnets/write",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Network/privateLinkServices/read",
"Microsoft.Network/privateLinkServices/write",
"Microsoft.Network/privateLinkServices/privateEndpointConnections/read",
"Microsoft.Network/privateLinkServices/privateEndpointConnections/write",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/loadBalancers/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
]
}
}
Approval RBAC for private endpoint
Typically, a network administrator creates a private endpoint. Depending on your Azure role-based access control (RBAC) permissions, a private endpoint that you create is either automatically approved to send traffic to the API Management instance, or requires the resource owner to manually approve the connection.
Approval method | Minimum RBAC permissions |
---|---|
Automatic | Microsoft.Network/virtualNetworks/** Microsoft.Network/virtualNetworks/subnets/** Microsoft.Network/privateEndpoints/** Microsoft.Network/networkinterfaces/** Microsoft.Network/locations/availablePrivateEndpointTypes/read Microsoft.[ServiceProvider]/[resourceType]/privateEndpointConnectionsApproval/action |
Manual | Microsoft.Network/virtualNetworks/** Microsoft.Network/virtualNetworks/subnets/** Microsoft.Network/privateEndpoints/** Microsoft.Network/networkinterfaces/** Microsoft.Network/locations/availablePrivateEndpointTypes/read |
Next steps
For more information on private endpoint and private link services in Azure Private link, see: