
Commit 201a783

Merge pull request #288427 from AbdullahBell/patch-841010
Private Link: Minor Update: Manage network policies for private endpoints
2 parents 6de20b2 + 6e77da9 commit 201a783

1 file changed

+3
-3
lines changed

articles/private-link/disable-private-endpoint-network-policy.md

Lines changed: 3 additions & 3 deletions
@@ -18,10 +18,10 @@ By default, network policies are disabled for a subnet in a virtual network. To
1818

1919
You can enable network policies either for network security groups only, for user-defined routes only, or for both.
2020

21-
If you enable network security policies for user-defined routes, you can use a custom address prefix equal to or larger than the virtual network address space to invalidate the /32 default route propagated by the private endpoint. This capability can be useful if you want to ensure that private endpoint connection requests go through a firewall or virtual appliance. Otherwise, the /32 default route sends traffic directly to the private endpoint in accordance with the [longest prefix match algorithm](../virtual-network/virtual-networks-udr-overview.md#how-azure-selects-a-route).
21+
If you enable network security policies for user-defined routes, you can use a custom address prefix length (subnet mask) equal to or larger than the virtual network address space prefix length to invalidate the /32 default route propagated by the private endpoint. This capability can be useful if you want to ensure that private endpoint connection requests go through a firewall or virtual appliance. Otherwise, the /32 default route sends traffic directly to the private endpoint in accordance with the [longest prefix match algorithm](../virtual-network/virtual-networks-udr-overview.md#how-azure-selects-a-route).
2222

2323
> [!IMPORTANT]
24-
> To invalidate a private endpoint route, user-defined routes must have a prefix equal to or larger than the virtual network address space where the private endpoint is provisioned. For example, a user-defined routes default route (0.0.0.0/0) doesn't invalidate private endpoint routes. Network policies should be enabled in the subnet that hosts the private endpoint.
24+
> To invalidate a private endpoint route, user-defined routes must have a prefix size that is equal to or smaller than the virtual network address space where the private endpoint is provisioned. For example, a user-defined routes default route (0.0.0.0/0) won't invalidate private endpoint routes because it covers a broader range than the private endpoint's address space. The longest prefix match rule will give higher priority to more specific address prefixes. Additionally, ensure that network policies are enabled in the subnet hosting the private endpoint.
2525
2626
Use the following steps to enable or disable network policy for private endpoints:
2727

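Review bot: The rewritten body paragraph (21+) and the rewritten IMPORTANT note (24+) now state the same rule in conflicting terms. The paragraph requires a "prefix length (subnet mask) equal to or larger than the virtual network address space prefix length", while the note requires a "prefix size that is equal to or smaller than the virtual network address space". "Prefix size" is ambiguous between prefix length and range size, so a reader can read the two sentences as contradicting each other. Pick one formulation and use it in both places, for example "a prefix that is at least as specific as the virtual network address space (a prefix length equal to or greater than the virtual network's)". The added justification in 24+, "because it covers a broader range than the private endpoint's address space", also compares against the wrong object: every route that can carry the endpoint's traffic covers more than its /32, including a route equal to the virtual network address space, which the paragraph above says does invalidate the /32. The comparison should be with the virtual network address space, as the note's first sentence already says. Minor: "a user-defined routes default route" should read "a user-defined default route".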
@@ -204,4 +204,4 @@ This section describes how to disable subnet private endpoint policies by using
204204
205205
## Next steps
206206

207-
- To learn more, see [What is a private endpoint?](private-endpoint-overview.md).
207+
- To learn more, see [What is a private endpoint?](private-endpoint-overview.md).
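Review bot: Lines 207- and 207+ are identical as rendered, so this hunk is a whitespace-only change (most likely a trailing newline or line-ending fix at end of file). That is fine, but it should be mentioned in the PR description so reviewers do not look for a content change here; if it was unintentional, drop it from the patch.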
