
Built-in policy "Configure a private DNS Zone ID for table groupID" wrongly applies to Azure CosmosDB for table private endpoints

Open juanandmsft opened this issue 2 years ago • 0 comments

Details of the scenario you tried and the problem that is occurring

The built-in policy "Configure a private DNS Zone ID for table groupID" (028bbd88-e9b5-461f-9424-a1b63a7bee1a) only filters on "groupId", but does not filter on "privateLinkServiceId" as other policies do, such as "Configure Azure Synapse workspaces to use private DNS zones" (1e5ed725-f16c-478b-bd4b-7bfa2f7940b9).

Because Azure CosmosDB for Table also uses the "table" groupId, assigning the table storage policy to a scope that contains an Azure CosmosDB for Table private endpoint causes that endpoint to be registered in the "privatelink.table.core.windows.net" zone rather than in the "privatelink.table.cosmos.azure.com" zone.


Verbose logs showing the problem

Suggested solution to the issue

Modify the built-in policy for Azure Storage "table" groupId to also filter by "privateLinkServiceId", and not only by "groupId".

If policy is Guest Configuration - details about target node

juanandmsft, Jun 15 '23 10:06
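To make the mismatch described in the issue concrete, the following is an added example, not code from the azure-policy repository or from the issue author. It models, in plain Python, how a private-DNS-zone-group policy selects private endpoints: first keyed on groupId alone, as the issue reports the built-in storage policy behaves, then additionally keyed on privateLinkServiceId, as the issue suggests. The private endpoint documents, subscription and resource IDs, policy labels, and the "Cosmos counterpart" policy are constructed for illustration; the selection logic is a simplified stand-in for the policy language's count/field/contains conditions, not the built-in definition itself.

```python
"""Model of private endpoint selection for private DNS zone group policies.

Constructed example: resource documents, IDs and policy names are made up for
illustration and do not come from the azure-policy repository.
"""
from dataclasses import dataclass
from typing import List, Optional

# Zones named in the issue.
STORAGE_TABLE_ZONE = "privatelink.table.core.windows.net"
COSMOS_TABLE_ZONE = "privatelink.table.cosmos.azure.com"


def _connections(pe: dict) -> list:
    return pe["properties"]["privateLinkServiceConnections"]


def has_group_id(pe: dict, group_id: str) -> bool:
    """Stand-in for a count over privateLinkServiceConnections[*].groupIds[*]
    with an 'equals' condition. Azure Policy string comparisons are
    case-insensitive, so compare lower-cased values."""
    want = group_id.lower()
    return any(
        want in (g.lower() for g in c["properties"]["groupIds"])
        for c in _connections(pe)
    )


def targets_provider(pe: dict, provider_fragment: str) -> bool:
    """Stand-in for a 'contains' condition on
    privateLinkServiceConnections[*].privateLinkServiceId."""
    frag = provider_fragment.lower()
    return any(
        frag in c["properties"]["privateLinkServiceId"].lower()
        for c in _connections(pe)
    )


@dataclass(frozen=True)
class ZonePolicy:
    name: str
    zone: str
    group_id: str
    provider_fragment: Optional[str] = None  # None = groupId-only matching

    def applies_to(self, pe: dict) -> bool:
        if pe.get("type") != "Microsoft.Network/privateEndpoints":
            return False
        if not has_group_id(pe, self.group_id):
            return False
        return self.provider_fragment is None or targets_provider(pe, self.provider_fragment)


def zones_assigned(pe: dict, policies: List[ZonePolicy]) -> List[str]:
    """Private DNS zones whose zone group the assigned policies would deploy onto `pe`."""
    return [p.zone for p in policies if p.applies_to(pe)]


def make_private_endpoint(name: str, service_id: str, group_id: str) -> dict:
    # Constructed resource document in the shape Azure Policy evaluates.
    return {
        "name": name,
        "type": "Microsoft.Network/privateEndpoints",
        "properties": {
            "privateLinkServiceConnections": [
                {"properties": {"privateLinkServiceId": service_id, "groupIds": [group_id]}}
            ]
        },
    }


# Constructed (fictional) target resource IDs.
_PREFIX = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/"
STORAGE_ACCOUNT_ID = _PREFIX + "Microsoft.Storage/storageAccounts/stdemo"
COSMOS_ACCOUNT_ID = _PREFIX + "Microsoft.DocumentDB/databaseAccounts/cosmos-demo"

STORAGE_TABLE_PE = make_private_endpoint("pe-storage-table", STORAGE_ACCOUNT_ID, "table")
COSMOS_TABLE_PE = make_private_endpoint("pe-cosmos-table", COSMOS_ACCOUNT_ID, "table")

# As reported: the storage policy keyed only on groupId == "table".
AS_REPORTED = [ZonePolicy("storage-table (groupId only)", STORAGE_TABLE_ZONE, "table")]

# As suggested: the same policy also filtered on privateLinkServiceId, shown next
# to a constructed Cosmos DB counterpart so the Cosmos endpoint still gets a zone.
AS_SUGGESTED = [
    ZonePolicy("storage-table (groupId + serviceId)", STORAGE_TABLE_ZONE, "table",
               "Microsoft.Storage/storageAccounts"),
    ZonePolicy("cosmos-table (constructed counterpart)", COSMOS_TABLE_ZONE, "table",
               "Microsoft.DocumentDB/databaseAccounts"),
]

if __name__ == "__main__":
    for label, policies in (("as reported", AS_REPORTED), ("as suggested", AS_SUGGESTED)):
        for pe in (STORAGE_TABLE_PE, COSMOS_TABLE_PE):
            print(f"{label:13} {pe['name']:17} -> {zones_assigned(pe, policies)}")
```

Run as a script, the "as reported" set puts both endpoints into privatelink.table.core.windows.net, which is the misregistration the issue describes; the "as suggested" set sends each endpoint only to the zone that matches its target resource provider.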