Error: Invalid Group ID for Third-Party Resource
Issue
The following error message appears:
Private link service connection /subscriptions/{subscriptionIdentifier}/resourceGroups/{resourceGroupIdentifier}/providers/Microsoft.Network/privateEndpoints/{privateEndpointIdentifier}/manualPrivateLinkServiceConnections/{manualPrivateLinkServiceConnectionIdentifier} has the following group Id(s): sqlServer.
Group Ids are not valid when connecting to a third party resource (/subscriptions/{otherSubscriptionIdentifier}/resourceGroups/{otherResourceGroupIdentifier}/providers/Microsoft.Network/privateLinkServices/{privateLinkServiceIdentifier}).
Environment
- All database connectors
- Connection method: Private networking
Understanding the problem
- The private endpoint {privateEndpointIdentifier} is the private endpoint you are connecting to.
- The private link service (PLS) {privateLinkServiceIdentifier} is the third-party resource provided by Fivetran (or a service they manage on your behalf). A PLS allows you to expose your own service (or a third-party's service) privately to consumers in different virtual networks or subscriptions.
- sqlServer group ID is the key to the error. When you create a private endpoint, you specify a target sub-resource or a group ID that tells the private endpoint what specific part of the target service you want to connect to.
  - For Azure PaaS services, such as Azure SQL Database, Azure Storage, and Azure Key Vault, these group IDs are predefined by Azure. For example, sqlServer, blob, and vault.
  - For Private Link Services (PLS), which are custom services, the group IDs are defined by the provider of that PLS. They are not the standard Azure PaaS group IDs.
The error message indicates that you're trying to connect to a custom private link service, {privateLinkServiceIdentifier}, but you're using a group ID, sqlServer, that is only valid for Azure's own SQL server PaaS service. This private link service doesn't expose a sub-resource called sqlServer.
Cause
This issue occurs when you select a resource type that looks like a SQL server when creating the private endpoint or when you manually enter sqlServer as the group ID because you're connecting to a SQL source. However, Fivetran exposes the service through a private link service (PLS), not directly through an Azure SQL database. The PLS has its own internal naming for the resources it exposes.
Resolution
To resolve this issue, recreate or modify the private endpoint with the correct group ID. You can do so in two ways:
- Recreate the private endpoint (recommended for clarity).
- Attempt to modify the private endpoint (less common, but possible via ARM template or CLI/PowerShell).
Option 1: Recreate the private endpoint
- Delete the existing private endpoint: {privateEndpointIdentifier}.
- Create a new private endpoint in the Azure Portal or via Azure CLI/PowerShell:
  - When you reach the Resource tab (or equivalent for CLI/PowerShell), under Resource type, select Microsoft.Network/privateLinkServices and then choose your Private Link Service, {privateLinkServiceIdentifier}.
  - Enter your group ID in the Target sub-resource (or similar) field. This value corresponds to your Fivetran subresource name. Possible values include:
    - managedInstance
    - sqlServer
    - blob
    - namespace
    - postgresqlServer
    - sql
    - MongoDB
  - Complete the rest of the private endpoint creation.
Option 2: Attempt to modify
You can directly modify an existing private endpoint's groupIds property using Azure Resource Manager (ARM) templates, the Azure CLI (az network private-endpoint update), or Azure PowerShell (Set-AzPrivateEndpoint). You must find the manualPrivateLinkServiceConnections property within your private endpoint's definition and update the groupIds array with the correct value provided by Fivetran. See the example below:
az network private-endpoint update \
--resource-group {resourceGroupIdentifier} \
--name {privateEndpointIdentifier} \
--private-connection-resource-id "/subscriptions/{otherSubscriptionIdentifier}/resourceGroups/{otherResourceGroupIdentifier}/providers/Microsoft.Network/privateLinkServices/{privateLinkServiceIdentifier}" \
--group-ids "<TheCorrectFivetranGroupId>" # <-- THIS IS THE KEY CHANGE
You might need to adjust parameters based on your exact private endpoint configuration and the manualPrivateLinkServiceConnections structure.
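Before or after changing the groupIds array, you can check the endpoint definition offline. The following is an added example, not Fivetran's or Microsoft's code: it lists every connection that targets a Microsoft.Network/privateLinkServices resource and whose groupIds differ from the value your provider gave you. The function names and sample data are constructed, and it assumes the JSON is either the flat output of az network private-endpoint show -o json or an ARM template resource with settings nested under "properties".

```python
import json

PLS_TYPE = "microsoft.network/privatelinkservices"

# Constructed sample, shaped like `az network private-endpoint show -o json` output.
SAMPLE = json.loads("""
{
  "name": "pe-example",
  "manualPrivateLinkServiceConnections": [
    {
      "name": "conn-example",
      "privateLinkServiceId": "/subscriptions/0000/resourceGroups/rg-other/providers/Microsoft.Network/privateLinkServices/pls-example",
      "groupIds": ["sqlServer"]
    }
  ],
  "privateLinkServiceConnections": []
}
""")


def target_type(resource_id):
    """Return the lower-cased 'namespace/type' of an ARM resource ID, or None."""
    parts = [p for p in resource_id.split("/") if p]
    lowered = [p.lower() for p in parts]  # ARM resource IDs are case-insensitive
    if "providers" not in lowered:
        return None
    i = lowered.index("providers")
    return "/".join(lowered[i + 1:i + 3]) if len(parts) >= i + 3 else None


def mismatched_connections(endpoint, expected_group_id):
    """List (connection name, groupIds) for PLS connections not using expected_group_id."""
    # ARM templates nest settings under "properties"; CLI output is flat (assumption).
    body = endpoint.get("properties", endpoint)
    findings = []
    for key in ("manualPrivateLinkServiceConnections", "privateLinkServiceConnections"):
        for conn in body.get(key) or []:
            props = conn.get("properties", conn)
            if target_type(props.get("privateLinkServiceId") or "") != PLS_TYPE:
                continue  # Azure PaaS target: Azure's predefined group IDs apply
            group_ids = props.get("groupIds") or []
            if group_ids != [expected_group_id]:
                findings.append((conn.get("name"), group_ids))
    return findings


if __name__ == "__main__":
    # Placeholder taken from the page; substitute the value Fivetran gave you.
    for name, ids in mismatched_connections(SAMPLE, "<TheCorrectFivetranGroupId>"):
        print(f"{name}: groupIds {ids} do not match the provider's value")
```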