Governance Policies Azure Networking Private Endpoints - Azure/az-prototype GitHub Wiki
# Governance policies for Private Endpoints
Domain: azure-networking
## Patterns

| Name | Description |
|---|---|
| Private Endpoint with DNS Zone and VNet Link | Complete private endpoint deployment with all four required components: PE, DNS Zone, VNet Link, DNS Zone Group |
## Anti-patterns

| Description | Instead |
|---|---|
| Do not create a private endpoint without DNS configuration | Always create DNS Zone + VNet Link + DNS Zone Group alongside every private endpoint |
| Do not use custom DNS zone names | Use the exact Azure-defined `privatelink.*.*` zone name for each service |
| Do not place private endpoints in delegated subnets | Use a dedicated PE subnet (`snet-pe`) without delegations |
## Checks

| Check | Severity | Description |
|---|---|---|
| AZ-PE-001 | Required | Every private endpoint must have a Private DNS Zone, VNet Link, and DNS Zone Group |
| AZ-PE-002 | Required | Use correct Private DNS Zone names for each Azure service |
| AZ-PE-003 | Required | Use standard naming convention: `pe-{resource-name}` for private endpoints |
| AZ-PE-004 | Recommended | Centralize Private DNS Zones in a shared resource group for multi-resource architectures |
### AZ-PE-001: Every private endpoint must have a Private DNS Zone, VNet Link, and DNS Zone Group

Severity: Required

Rationale: Without all three DNS components (zone, VNet link, zone group), private endpoint DNS resolution fails and connections fall back to the public endpoint

Agents: terraform-agent, bicep-agent, cloud-architect

Resource types:

- Microsoft.Network/privateEndpoints
- Microsoft.Network/privateDnsZones
- Microsoft.Network/privateDnsZones/virtualNetworkLinks
- Microsoft.Network/privateEndpoints/privateDnsZoneGroups
### AZ-PE-002: Use correct Private DNS Zone names for each Azure service

Severity: Required

Rationale: Each Azure service has a specific private DNS zone name; using the wrong name causes resolution failures

Agents: terraform-agent, bicep-agent, cloud-architect

Resource types:

- Microsoft.Network/privateEndpoints
### AZ-PE-003: Use standard naming convention: `pe-{resource-name}` for private endpoints

Severity: Required

Rationale: Consistent naming enables automation and troubleshooting

Agents: terraform-agent, bicep-agent, cloud-architect

Resource types:

- Microsoft.Network/privateEndpoints
### AZ-PE-004: Centralize Private DNS Zones in a shared resource group for multi-resource architectures

Severity: Recommended

Rationale: Avoids DNS zone sprawl and simplifies management; all PEs share the same zone per service type

Agents: cloud-architect

Resource types:

- Microsoft.Network/privateEndpoints
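As an added example (not code from this wiki page or from the az-prototype project), the script below evaluates checks AZ-PE-001 through AZ-PE-004 and the delegated-subnet anti-pattern over a flattened resource inventory of the four resource types listed on this page. The simplified dict shape (zones and links referenced by zone name rather than resource ID), the sample inventory, the `ANTI-DELEGATED-SUBNET` id and the three entries in `EXPECTED_ZONES` are assumptions for illustration; the zone names themselves are the Azure-documented `privatelink` zones for blob storage, Azure SQL Database and Key Vault, and the map must be extended for every other service you deploy.

```python
"""Added example: evaluate a simplified Azure resource inventory against
checks AZ-PE-001..004 and the delegated-subnet anti-pattern."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Azure-defined private DNS zone names for three common private link group IDs
# (assumed subset for this example; add the zone for each service you use).
EXPECTED_ZONES: Dict[str, str] = {
    "blob": "privatelink.blob.core.windows.net",      # Storage account, blob
    "sqlServer": "privatelink.database.windows.net",  # Azure SQL Database
    "vault": "privatelink.vaultcore.azure.net",       # Key Vault
}

# (check id, severity, resource name, message)
Finding = Tuple[str, str, str, str]


def check_private_endpoints(resources: List[dict]) -> List[Finding]:
    """Return governance findings for a flattened resource list.

    The dict shape (type/name/resourceGroup plus a few type-specific keys,
    with zones and links referenced by zone name) is assumed for this
    example; it is not the ARM or Terraform schema.
    """
    by_type: Dict[str, List[dict]] = defaultdict(list)
    for r in resources:
        by_type[r["type"]].append(r)

    def of(kind: str) -> List[dict]:
        return by_type["Microsoft.Network/" + kind]

    zone_names = {z["name"] for z in of("privateDnsZones")}
    linked_zones = {l["zone"] for l in of("privateDnsZones/virtualNetworkLinks")}
    zone_groups = {g["privateEndpoint"]: g for g in of("privateEndpoints/privateDnsZoneGroups")}
    subnets = {s["name"]: s for s in of("virtualNetworks/subnets")}
    findings: List[Finding] = []

    for pe in of("privateEndpoints"):
        name, target, group_id = pe["name"], pe["targetResource"], pe["groupId"]

        # AZ-PE-003: private endpoints are named pe-{resource-name}
        if name != f"pe-{target}":
            findings.append(("AZ-PE-003", "Required", name, f"expected name pe-{target}"))

        # AZ-PE-001: zone group -> zone -> VNet link must all exist, otherwise the
        # service FQDN resolves to the public IP and traffic uses the public endpoint.
        group = zone_groups.get(name)
        if group is None:
            findings.append(("AZ-PE-001", "Required", name, "no DNS zone group attached"))
        else:
            zone = group["zone"]
            if zone not in zone_names:
                findings.append(("AZ-PE-001", "Required", name, f"zone group references missing zone {zone}"))
            elif zone not in linked_zones:
                findings.append(("AZ-PE-001", "Required", name, f"zone {zone} has no VNet link"))
            # AZ-PE-002: the zone must be the Azure-defined name for this group ID
            expected = EXPECTED_ZONES.get(group_id)
            if expected is not None and zone != expected:
                findings.append(("AZ-PE-002", "Required", name,
                                 f"zone {zone} should be {expected} for group ID {group_id}"))

        # Anti-pattern: PE placed in a delegated subnet (no check id on the page; id assumed)
        subnet = subnets.get(pe["subnet"])
        if subnet is not None and subnet.get("delegations"):
            findings.append(("ANTI-DELEGATED-SUBNET", "Required", name,
                             f"subnet {subnet['name']} is delegated to {', '.join(subnet['delegations'])}"))

    # AZ-PE-004: one zone per service type, not a copy in every resource group
    rgs_by_zone: Dict[str, Set[str]] = defaultdict(set)
    for z in of("privateDnsZones"):
        rgs_by_zone[z["name"]].add(z["resourceGroup"])
    for zone, rgs in rgs_by_zone.items():
        if len(rgs) > 1:
            findings.append(("AZ-PE-004", "Recommended", zone,
                             f"zone duplicated across resource groups {sorted(rgs)}"))
    return findings


def is_compliant(findings: List[Finding]) -> bool:
    """True when no Required finding is present; Recommended findings only warn."""
    return not any(sev == "Required" for _, sev, _, _ in findings)


# Constructed sample inventory: one compliant PE, two non-compliant ones, one duplicated zone.
SAMPLE_RESOURCES: List[dict] = [
    {"type": "Microsoft.Network/virtualNetworks/subnets", "name": "snet-pe", "resourceGroup": "rg-net", "delegations": []},
    {"type": "Microsoft.Network/virtualNetworks/subnets", "name": "snet-app", "resourceGroup": "rg-net", "delegations": ["Microsoft.Web/serverFarms"]},
    # Compliant: storage blob PE with zone, VNet link and zone group, in the PE subnet
    {"type": "Microsoft.Network/privateEndpoints", "name": "pe-stcontoso", "resourceGroup": "rg-app", "targetResource": "stcontoso", "groupId": "blob", "subnet": "snet-pe"},
    {"type": "Microsoft.Network/privateDnsZones", "name": "privatelink.blob.core.windows.net", "resourceGroup": "rg-dns"},
    {"type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", "name": "link-hub", "resourceGroup": "rg-dns", "zone": "privatelink.blob.core.windows.net"},
    {"type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", "name": "default", "resourceGroup": "rg-app", "privateEndpoint": "pe-stcontoso", "zone": "privatelink.blob.core.windows.net"},
    # Non-compliant: SQL PE with no DNS configuration, wrong name, delegated subnet
    {"type": "Microsoft.Network/privateEndpoints", "name": "sql-endpoint", "resourceGroup": "rg-app", "targetResource": "sql-contoso", "groupId": "sqlServer", "subnet": "snet-app"},
    # Non-compliant: Key Vault PE wired to a custom zone name instead of the Azure-defined one
    {"type": "Microsoft.Network/privateEndpoints", "name": "pe-kv-contoso", "resourceGroup": "rg-app", "targetResource": "kv-contoso", "groupId": "vault", "subnet": "snet-pe"},
    {"type": "Microsoft.Network/privateDnsZones", "name": "vault.contoso.internal", "resourceGroup": "rg-app"},
    {"type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", "name": "link-app", "resourceGroup": "rg-app", "zone": "vault.contoso.internal"},
    {"type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", "name": "default", "resourceGroup": "rg-app", "privateEndpoint": "pe-kv-contoso", "zone": "vault.contoso.internal"},
    # Zone sprawl: a second copy of the blob zone in another resource group
    {"type": "Microsoft.Network/privateDnsZones", "name": "privatelink.blob.core.windows.net", "resourceGroup": "rg-legacy"},
]

if __name__ == "__main__":
    results = check_private_endpoints(SAMPLE_RESOURCES)
    for check_id, severity, resource, message in results:
        print(f"{check_id} [{severity}] {resource}: {message}")
    print("compliant" if is_compliant(results) else "non-compliant")
```

Running it against the sample reports three Required findings for `sql-endpoint`, one AZ-PE-002 finding for `pe-kv-contoso`, one Recommended AZ-PE-004 finding for the duplicated blob zone, and nothing for `pe-stcontoso`. In a pipeline the same function can be fed the resources extracted from a Terraform plan or a Bicep what-if output, with `is_compliant` gating the deployment on Required findings only.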