Merge pull request #308504 from mbender-ms/appgw-privateLink-gh127792

Application Gateway | Maintenance | fix portal instructions by adding disable network policy

Author: prmerger-automator[bot]

articles/application-gateway/private-link-configure.md

@@ -6,7 +6,7 @@ services: application-gateway
 author: mbender-ms
 ms.service: azure-application-gateway
 ms.topic: how-to
-ms.date: 11/5/2025
+ms.date: 11/18/2025
 ms.author: mbender
 ms.custom:
   - devx-track-azurecli, devx-track-azurepowershell
@@ -52,25 +52,40 @@ To enable Private Link configuration, you must create a dedicated subnet that's
 > [!IMPORTANT]
 > The combined length of the Application Gateway name and Private Link configuration name must not exceed 70 characters to avoid deployment failures.
 
-To create a dedicated subnet for Private Link, see [Add, change, or delete a virtual network subnet](../virtual-network/virtual-network-manage-subnet.md#add-a-subnet).
+To create a dedicated subnet for Private Link, see [Add, change, or delete a virtual network subnet](../virtual-network/virtual-network-manage-subnet.md).
+
+## Disable network policies on the Private Link subnet
+
+To allow Private Link connectivity, you must [disable the Private Link Service Network Policies](../private-link/disable-private-endpoint-network-policy.md#disable-network-policy) on the subnet designated for Private Link IP configurations.
+
+To disable network policies, follow these steps:
+1. Navigate to the [Azure portal](https://portal.azure.com).
+1. Search for and select **Virtual networks**.
+1. Select the virtual network containing the Private Link subnet.
+1. In the left navigation pane, select **Subnets**.
+1. Select the subnet designated for Private Link.
+1. Under **Private link service network policies**, select **Disabled**.
+1. Select **Save** to apply the changes.
+    1. Wait a few minutes for the changes to take effect.
+1. verify that the **Private link service network policies** setting is now **Disabled**.
 
 ## Configure Private Link
 
 The Private Link configuration defines the infrastructure that enables connections from Private Endpoints to your Application Gateway. Before creating the Private Link configuration, ensure that a listener is actively configured to use the target frontend IP configuration.
 
 Follow these steps to create the Private Link configuration:
 
-1. Navigate to the [Azure portal](https://portal.azure.com).
-2. Search for and select **Application Gateways**.
-3. Select your Application Gateway instance.
-4. In the left navigation pane, select **Private link**, then select **+ Add**.
-5. Configure the following settings:
+
+1. Search for and select **Application Gateways**.
+1. Select your Application Gateway instance.
+1. In the left navigation pane, select **Private link**, then select **+ Add**.
+1. Configure the following settings:
    - **Name**: Enter a name for the Private Link configuration
    - **Private link subnet**: Select the dedicated subnet for Private Link IP addresses
    - **Frontend IP Configuration**: Select the frontend IP configuration that Private Link should forward traffic to
    - **Private IP address settings**: Configure at least one IP address
-6. Select **Add** to create the configuration.
-7. From your Application Gateway settings, copy and save the **Resource ID**. This identifier is required when setting up Private Endpoints from different Microsoft Entra tenants.
+1. Select **Add** to create the configuration.
+1. From your Application Gateway settings, copy and save the **Resource ID**. This identifier is required when setting up Private Endpoints from different Microsoft Entra tenants.
 
 >[!CAUTION]
 >Private link configuration will momentarily cause traffic disruption (less than 1 minute) while the change is applied. Changes are recommended to be conducted during a maintenance window or period of low-traffic.  During this time, you may see connection timeouts or 4XX http status codes returned on request.  Add/Remove/Approval/Rejection of private endpoints will not cause traffic disruption.
@@ -82,23 +97,23 @@ A Private Endpoint is a network interface that uses a private IP address from yo
 To create a Private Endpoint, follow these steps:
 
 1. In the Application Gateway portal, select the **Private endpoint connections** tab.
-2. Select **+ Private endpoint**.
-3. On the **Basics** tab:
+1. Select **+ Private endpoint**.
+1. On the **Basics** tab:
    - Configure the resource group, name, and region for the Private Endpoint
    - Select **Next: Resource >**
-4. On the **Resource** tab:
+1. On the **Resource** tab:
    - Verify the target resource settings
    - Select **Next: Virtual Network >**
-5. On the **Virtual Network** tab:
+1. On the **Virtual Network** tab:
    - Select the virtual network and subnet where the Private Endpoint network interface will be created
    - Select **Next: DNS >**
-6. On the **DNS** tab:
+1. On the **DNS** tab:
    - Configure DNS settings as needed
    - Select **Next: Tags >**
-7. On the **Tags** tab:
+1. On the **Tags** tab:
    - Optionally add resource tags
    - Select **Next: Review + create >**
-8. Review the configuration and select **Create**.
+1. Review the configuration and select **Create**.
 
 > [!IMPORTANT]
 > If the public or private IP configuration resource is missing when trying to select a _Target sub-resource_ on the _Resource_ tab of private endpoint creation, ensure a listener is actively utilizing the respected frontend IP configuration. Frontend IP configurations without an associated listener can't be shown as a _Target sub-resource_.
@@ -271,4 +286,4 @@ To learn more about Azure Private Link and related services:
 - [What is Azure Private Link?](../private-link/private-link-overview.md)
 - [Application Gateway Private Link overview](private-link.md)
 - [Private Link service overview](../private-link/private-link-service-overview.md)
-- [Private endpoints overview](../private-link/private-endpoint-overview.md)
+- [Private endpoints overview](../private-link/private-endpoint-overview.md)