azure.mgmt.network -> NetworkManagementClient
Bad request error with the following private endpoint creation:

    from azure.mgmt.network.models import (
        PrivateEndpoint,
        PrivateLinkServiceConnection,
        Subnet,
    )

    # network_client, resource_name, location, snet and resource_id are defined elsewhere
    async_pe_test_creation = network_client.private_endpoints.create_or_update(
        resource_group_name="test",
        private_endpoint_name=resource_name,
        parameters=PrivateEndpoint(
            location=location,
            subnet=Subnet(id=snet.id),
            manual_private_link_service_connections=[
                PrivateLinkServiceConnection(
                    name=resource_name,
                    private_link_service_id=resource_id,
                    group_ids=["blob"],
                )
            ],
        ),
    )

The exception I am getting is:
azure.mgmt.network.v2020_04_01.models._models_py3.ErrorException: Operation returned an invalid status code 'Bad Request'
To Reproduce
run the snippet above.
Expected behavior
Creation of a private_endpoints in Azure cloud.
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @aznetsuppgithub.
@timMSFT, Hi there! Any update about this issue?
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @vnetsuppgithub.
While searching for a similar solution, I found that the "Bad Request" may be a result of the virtual_network and/or subnet not being set to allow private_endpoints properly.
By default, virtual_networks and subnets look to have this property enabled... and in order to get it to work correctly, it must be disabled... (or at least that's what the azure portal seems to do before creating a private endpoint for my Sql Server via the portal).
I found this out while playing with Azure SQL Server creations in the azure portal, and noticed the "blurb" about:
"if you have a network security group (NSG) enabled for the subnet above, it will be disabled for private endpoints on this subnet only"
... and then I compared subnets and vnets that were working versus not working.
I would guess that if you modify the virtual_network/subnet to set this property 'Disabled' first you won't get the "Bad Request".
In my case, I just created a sql server with a private endpoint in this virtual network from the portal first, and let it handle the modifications for me.. now I need to go back and write the python to update the subnet/vnet so I can create the private endpoint using any vnet/subnet (handling the prerequisite modification first - if necessary).
HTH, but if this doesn't solve your problem, I hope MS gets back to you with a solution.
My $.02
Validated... it works as long as the private_endpoint_network_policies are Disabled on the subnet. Disabling it on the subnet looks to modify the virtual_network property, as well (or maybe it inherits it... not sure which).
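The prerequisite described in the comments above, as an added example that is not part of the original thread or the SDK's own code: read the subnet, and only if `private_endpoint_network_policies` is not already `Disabled`, write it back before creating the private endpoint. The helper name `ensure_pe_policies_disabled` and the `FakeSubnetOps` stand-in are hypothetical; the stand-in is constructed so the block runs offline without an Azure subscription.

```python
from types import SimpleNamespace


def ensure_pe_policies_disabled(network_client, resource_group, vnet_name, subnet_name):
    """Disable private endpoint network policies on a subnet if they are not already.

    Returns True when the subnet was updated, False when no change was needed.
    """
    ops = network_client.subnets
    subnet = ops.get(resource_group, vnet_name, subnet_name)
    if getattr(subnet, "private_endpoint_network_policies", None) == "Disabled":
        return False  # idempotent: nothing to change, no write issued

    # Per the portal notice quoted in the thread, NSG enforcement is turned off
    # for private endpoints on this subnet only, so record which subnets you change.
    subnet.private_endpoint_network_policies = "Disabled"

    # Releases like the one in the issue expose create_or_update; newer
    # azure-mgmt-network releases name the same operation begin_create_or_update.
    update = getattr(ops, "begin_create_or_update", None) or ops.create_or_update
    update(resource_group, vnet_name, subnet_name, subnet).result()  # wait for the poller
    return True


class FakeSubnetOps:
    """Constructed offline stand-in for network_client.subnets (not an SDK class)."""

    def __init__(self, policy):
        self.subnet = SimpleNamespace(
            id="<subnet-resource-id>", private_endpoint_network_policies=policy
        )
        self.updates = 0

    def get(self, resource_group, vnet_name, subnet_name):
        return self.subnet

    def create_or_update(self, resource_group, vnet_name, subnet_name, params):
        self.updates += 1
        self.subnet = params
        return SimpleNamespace(result=lambda: params)


if __name__ == "__main__":
    client = SimpleNamespace(subnets=FakeSubnetOps("Enabled"))
    print(ensure_pe_policies_disabled(client, "test", "<vnet-name>", "<subnet-name>"))
```

With a real `NetworkManagementClient`, call the helper on the target subnet before `private_endpoints.create_or_update`.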
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @privlinksuppgithub.
@smanross thanks, I'll give it a shot and let you know.