azure-policy
AppService_PublicNetworkAccess_AINE: why does it trigger although private endpoints are used?
I assigned the AppService_PublicNetworkAccess_AINE policy, and it matches non-compliant App Services that are using private endpoints. I don't understand why the policy is matching, although there is no public network access used?
There is a property on the resource to disable public access. You must set that flag. This is by design (IMO, since I'm not part of the Policy team).
But the property does not exist (not in the template and not in the portal). And the private endpoint means that there is no public network access.
@anrub, can you explain what you mean by 'the policy is matching'? Do you feel like the compliance is not what you expect?
Not sure if this is related to your question, but just want to clarify that public network access != private endpoints. This policy is meant solely to flag App Service resources that do not have public network access disabled; there is another policy definition in our built-in library that users can leverage to programmatically apply a private endpoint resource on their App Service resources.
If you are still experiencing this issue, feel free to re-open it.
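To make the distinction in the reply above concrete, here is an added Python model of how an audit policy of this kind decides compliance. It is constructed for illustration and is neither the built-in policy definition nor code from the azure-policy repository. It assumes the Microsoft.Web/sites resource shape with `properties.publicNetworkAccess` ("Enabled", "Disabled" or absent) and a `properties.privateEndpointConnections` list; the sample resources and the `/placeholder/...` ids are made up.

```python
"""Simplified model of an Azure Policy compliance check for App Service
public network access. Constructed example, not the built-in definition.
Assumed resource shape: Microsoft.Web/sites with
properties.publicNetworkAccess and properties.privateEndpointConnections.
"""
import copy
import json

# Constructed sample resources, not exported from a real subscription.
SAMPLE_SITES = [
    {   # private endpoint attached, but the flag was never set
        "name": "app-pe-only",
        "type": "Microsoft.Web/sites",
        "properties": {
            "privateEndpointConnections": [{"id": "/placeholder/pe-1"}],
        },
    },
    {   # private endpoint attached AND public access explicitly enabled
        "name": "app-pe-and-public",
        "type": "Microsoft.Web/sites",
        "properties": {
            "publicNetworkAccess": "Enabled",
            "privateEndpointConnections": [{"id": "/placeholder/pe-2"}],
        },
    },
    {   # no private endpoint, public access disabled
        "name": "app-public-disabled",
        "type": "Microsoft.Web/sites",
        "properties": {"publicNetworkAccess": "Disabled"},
    },
]


def has_private_endpoint(site: dict) -> bool:
    """True if at least one private endpoint connection is attached."""
    return bool(site.get("properties", {}).get("privateEndpointConnections"))


def public_access_disabled(site: dict) -> bool:
    """The only condition the audit looks at, as described in the thread:
    publicNetworkAccess must equal "Disabled". Absent counts as not disabled."""
    return site.get("properties", {}).get("publicNetworkAccess") == "Disabled"


def evaluate(site: dict) -> dict:
    """Policy-style verdict for one resource. The private endpoint state is
    reported for the reader but deliberately does not affect `compliant`."""
    if site.get("type") != "Microsoft.Web/sites":
        return {"name": site.get("name"), "applicable": False}
    props = site.get("properties", {})
    return {
        "name": site["name"],
        "applicable": True,
        "private_endpoint": has_private_endpoint(site),
        "public_network_access": props.get("publicNetworkAccess", "<unset>"),
        "compliant": public_access_disabled(site),
    }


def evaluate_all(sites: list) -> list:
    """Evaluate every resource in a constructed inventory."""
    return [evaluate(s) for s in sites]


def remediate(site: dict) -> dict:
    """Return a copy with the flag the policy wants set. Disabling public
    access does not remove the private endpoint; private traffic still works."""
    fixed = copy.deepcopy(site)
    fixed.setdefault("properties", {})["publicNetworkAccess"] = "Disabled"
    return fixed


if __name__ == "__main__":
    for verdict in evaluate_all(SAMPLE_SITES):
        print(json.dumps(verdict))
    # The first site keeps its private endpoint and becomes compliant.
    print(json.dumps(evaluate(remediate(SAMPLE_SITES[0]))))
```

The first two sample sites both have a private endpoint and both come back non-compliant; only the explicit `"publicNetworkAccess": "Disabled"` satisfies the check, which is the same value you would put under `properties` in an ARM template. For Terraform, my understanding is that the azurerm provider's `azurerm_linux_web_app` and `azurerm_windows_web_app` resources expose a `public_network_access_enabled` argument that maps to this property; confirm that against the docs for the provider version you run.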
I am not sure if I understand that correctly. The policy does not validate whether there is public network access (e.g. if there is a private endpoint there is no public internet accessibility), but it is just a "flag" like a "tag"? It would be good if that were noted somewhere, like in the description of the policy or something.
How could I tag an App Service with that property? I don't see a field for this in Terraform.