I'm working on a Terraform script to deploy a Private Link Service. This is a part of my script:
resource "azurerm_resource_group" "example" {
  name     = "RG6"
  location = "West Europe"
}

resource "azurerm_virtual_network" "example" {
  name                = "example-vnet"
  address_space       = ["10.5.0.0/16"]
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

resource "azurerm_subnet" "example" {
  name                 = "example-subnet"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.5.1.0/24"]

  private_endpoint_network_policies_enabled = false
}

resource "azurerm_public_ip" "example" {
  name                = "example-api"
  sku                 = "Standard"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  allocation_method   = "Static"
}

resource "azurerm_lb" "example" {
  name                = "example-lb"
  sku                 = "Standard"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  frontend_ip_configuration {
    name                 = azurerm_public_ip.example.name
    public_ip_address_id = azurerm_public_ip.example.id
  }
}

resource "azurerm_private_link_service" "example" {
  name                = "example-privatelink"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  load_balancer_frontend_ip_configuration_ids = [azurerm_lb.example.frontend_ip_configuration[0].id]
  auto_approval_subscription_ids              = [local.subscription_id]
  visibility_subscription_ids                 = [local.subscription_id]

  nat_ip_configuration {
    name               = "primary"
    subnet_id          = azurerm_subnet.example.id
    primary            = true
    private_ip_address = "10.5.1.17"
  }

  nat_ip_configuration {
    name                       = "secondary"
    private_ip_address         = "10.5.1.18"
    private_ip_address_version = "IPv4"
    subnet_id                  = azurerm_subnet.example.id
    primary                    = false
  }
}
When I run it I get this error message:

│ Error: creating Private Link Service: (Name "example-privatelink" / Resource Group "RG6"): network.PrivateLinkServicesClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="PrivateLinkServiceCannotBeCreatedInSubnetThatHasNetworkPoliciesEnabled" Message="Private link service /subscriptions/XXXXXXX/resourceGroups/RG6/providers/Microsoft.Network/privateLinkServices/example-privatelink cannot be created in a subnet /subscriptions/XXXXXXX/resourceGroups/RG6/providers/Microsoft.Network/virtualNetworks/example-vnet/subnets/example-subnet since it has private link service network policies enabled." Details=[]
│
│   with azurerm_private_link_service.example,
│   on config.tf line 83, in resource "azurerm_private_link_service" "example":
│   83: resource "azurerm_private_link_service" "example" {
My question

Why do I get this message? I set this parameter to false:

private_endpoint_network_policies_enabled = false

This is what the doc asks for: https://learn.microsoft.com/en-us/azure/private-link/private-link-faq

I tested with true just to check, with the same result.

This example is inspired by the doc: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_link_service
I agree with fredrik, who suggested the same point.

The error you encountered says that the subnet has private link service network policies enabled, which is preventing the creation of the private link service. To resolve the issue, you should disable the private link service network policies for the subnet by setting

private_link_service_network_policies_enabled = false

within the subnet module.

Terraform apply result, without using private_link_service_network_policies_enabled = false in the subnet module:

Terraform apply result, after setting private_link_service_network_policies_enabled = false in the subnet module:

Reference: azurerm_subnet
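The corrected subnet block, as an added example that is not the answerer's code or the provider documentation's own snippet. It reuses the resource names from the question and assumes the same azurerm provider version the question runs (the attribute names are the ones the question and the error message already use):

```hcl
resource "azurerm_subnet" "example" {
  name                 = "example-subnet"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.5.1.0/24"]

  # Governs policy enforcement for private *endpoints* placed in this subnet.
  # This is the flag the question set. It does not affect the error above,
  # and can stay enabled if no private endpoints will live in this subnet.
  private_endpoint_network_policies_enabled = true

  # Governs policy enforcement for private link *services* whose NAT IPs
  # (10.5.1.17 / 10.5.1.18 in the question) live in this subnet. This is the
  # flag named by the error code and must be false before
  # azurerm_private_link_service can be created in the subnet.
  private_link_service_network_policies_enabled = false
}
```

A `terraform plan` after this change should show only `azurerm_subnet.example` being updated in place, followed by the private link service being created. Because this setting removes network policy enforcement for the service's NAT IP configurations in that subnet (which is the reason Azure requires the explicit opt-out), keep the subnet dedicated to the private link service and sized accordingly rather than disabling the flag on a shared subnet.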