
Subnet peering and private endpoints auto-routes

Stefano Merotta 20 Reputation points
2026-04-15T11:24:24.8633333+00:00

Hello, I've just tried the relatively new subnet peering feature with the goal of not advertising private endpoint auto-routes from non-peered subnets, but it seems worse than normal VNET peering:

  • The PE auto-route is still created in the peered VNET regardless of whether its subnet was one of the peered subnets
  • The Private Endpoint Network Policy doesn’t work anymore: you can’t override the PE auto-route by defining a UDR that overwrites the VNET address space, nor the specific subnet address space
  • You can only overwrite the PE auto-route with a specific /32 UDR for EVERY PE in the peered VNET: that was the same behavior before the Private Endpoint Network Policy was introduced

From our tests it seems that subnet peering is just a VNET peering that narrows the advertised route spaces to selected subnets and makes the PE Network Policies useless: this would reduce the usefulness of this feature.

I didn't find any reference to PE routes behavior for subnet peering in any official doc or MS blogs.

Is this a bug or the expected behavior?

Thanks!

Azure Virtual Network

An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.


Answer accepted by question author

    Ravi Varma Mudduluru 11,315 Reputation points Microsoft External Staff Moderator
    2026-04-15T13:52:46.9033333+00:00

    Hello @Stefano Merotta,

    Thank you for reaching out to Microsoft Q&A.
    The /32 auto-routes from Private Endpoints are still being injected into the peered VNet even when the PE lives in a non-peered subnet, and the Private Endpoint Network Policy no longer lets you override them with a broader UDR (VNet or subnet-level). You’re back to needing a /32 UDR per endpoint, which is exactly the pre-policy experience.

    The current implementation narrows the advertised address spaces for normal traffic, but the PE /32 system routes and the network-policy override logic haven’t fully caught up.

    Recommended solution right now:

    The cleanest workaround Microsoft suggests for this preview behavior is to use Network Security Groups instead of relying on route overrides:

    • Enable NSGs on the relevant subnets in the peered VNet.
    • Create rules that explicitly allow or deny traffic to the specific Private Endpoint private IPs (or the subnet they sit in).

    This gives you the isolation you were aiming for without having to manage one /32 route per endpoint. It’s the same mitigation Microsoft calls out for other routing limitations in subnet peering while the feature matures.

    If NSGs don’t fit your design, the other short-term options are:

    • Fall back to full VNet peering + Private Endpoint Network Policies (which works as expected today), or
    • Place all your Private Endpoints in a subnet that is part of the subnet peering.

    Useful links:

    Kindly let us know if the above helps or you need further assistance on this issue.

    Please "upvote" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
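To see which Private Endpoint /32 auto-routes are actually landing in the peered VNet and which ones have been neutralised by a /32 UDR, it helps to audit the effective route table of a NIC in that VNet. The script below is an added example, not code from this thread or from Microsoft; it assumes the JSON shape returned by `az network nic show-effective-route-table -o json` (a `value` list of routes with `source`, `state`, `addressPrefix` and `nextHopType`) and that PE system routes appear with `nextHopType` `InterfaceEndpoint`. The sample route table is constructed.

```python
"""Audit Private Endpoint auto-routes leaking through a subnet peering.

Added example (assumptions: effective-route JSON shape as returned by
`az network nic show-effective-route-table -o json`; PE system routes carry
nextHopType "InterfaceEndpoint"). The sample data below is constructed.
"""
import ipaddress
import json

# Constructed sample: a peered subnet route, two PE /32 auto-routes from a
# subnet that was NOT part of the peering, one of them already overridden
# by a /32 UDR (Azure then marks the Default route "Invalid").
SAMPLE_EFFECTIVE_ROUTES = json.dumps({"value": [
    {"source": "Default", "state": "Active", "addressPrefix": ["10.20.0.0/24"],
     "nextHopType": "VNetPeering", "nextHopIpAddress": []},
    {"source": "Default", "state": "Active", "addressPrefix": ["10.20.5.4/32"],
     "nextHopType": "InterfaceEndpoint", "nextHopIpAddress": []},
    {"source": "Default", "state": "Invalid", "addressPrefix": ["10.20.5.5/32"],
     "nextHopType": "InterfaceEndpoint", "nextHopIpAddress": []},
    {"source": "User", "state": "Active", "addressPrefix": ["10.20.5.5/32"],
     "nextHopType": "VirtualAppliance", "nextHopIpAddress": ["10.10.1.4"]},
]})


def audit_pe_routes(effective_routes_json, peered_prefixes):
    """Return (leaked, overridden): PE /32 prefixes outside the peered subnets.

    'leaked' routes are still active and need a /32 UDR or an NSG rule;
    'overridden' routes already have a matching user-defined /32 route.
    """
    routes = json.loads(effective_routes_json)["value"]
    user_prefixes = {p for r in routes if r["source"] == "User"
                     for p in r["addressPrefix"]}
    peered = [ipaddress.ip_network(p) for p in peered_prefixes]
    leaked, overridden = [], []
    for r in routes:
        if r["source"] != "Default" or r["nextHopType"] != "InterfaceEndpoint":
            continue
        for prefix in r["addressPrefix"]:
            net = ipaddress.ip_network(prefix)
            if any(net.subnet_of(p) for p in peered):
                continue  # PE lives in a peered subnet: the route is expected
            (overridden if prefix in user_prefixes else leaked).append(prefix)
    return sorted(leaked), sorted(overridden)


if __name__ == "__main__":
    leaked, overridden = audit_pe_routes(SAMPLE_EFFECTIVE_ROUTES, ["10.20.0.0/24"])
    print("PE routes still needing a /32 UDR or NSG rule:", leaked)
    print("PE routes already overridden by a UDR:", overridden)
```

The `leaked` list is exactly the set of destination prefixes to put in an NSG deny rule (or the /32 UDRs) on the peered VNet's subnets.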
