How to Resolve the Invalid resource type in private link service Error
Issue
You receive the following error message:
Private link service Id /subscriptions/{subscriptionIdentifier}/resourceGroups/{resourceGroupIdentifier}/providers/Microsoft.Network/privateEndpoints/{privateEndpointIdentifier} has an invalid resource type. Permitted type(s): Microsoft.DocumentDB/databaseAccounts, Microsoft.Sql/servers, Microsoft.Network/privateLinkServices, Microsoft.Web/sites, Microsoft.Web/hostingEnvironments, Microsoft.Storage/storageAccounts, Microsoft.DBforPostgreSQL/servers, Microsoft.DBforMySQL/servers, Microsoft.DBforMariaDB/servers, Microsoft.KeyVault/vaults, Microsoft.Synapse/workspaces, Microsoft.AppConfiguration/configurationStores, Microsoft.Search/searchServices, Microsoft.ContainerService/managedClusters, Microsoft.Attestation/attestationProviders, Microsoft.Devices/IotHubs, Microsoft.Cache/Redis, Microsoft.SignalRService/SignalR, Microsoft.MachineLearningServices/workspaces, Microsoft.Batch/batchAccounts, Microsoft.ContainerRegistry/registries, Microsoft.RecoveryServices/vaults, Microsoft.EventGrid/topics, Microsoft.EventGrid/domains, Microsoft.EventHub/namespaces, Microsoft.ServiceBus/namespaces, Microsoft.Relay/namespaces, Microsoft.StorageSync/storageSyncServices, Microsoft.HealthcareApis/services, Microsoft.Automation/automationAccounts, Microsoft.Insights/privateLinkScopes, Microsoft.CognitiveServices/accounts, Microsoft.Compute/diskAccesses, Microsoft.Network/applicationgateways, Microsoft.Media/mediaservices, Microsoft.Databricks/workspaces, Microsoft.Sql/managedInstances, Microsoft.Migrate/assessmentProjects, Microsoft.Migrate/migrateProjects, Microsoft.DataFactory/factories, Microsoft.Authorization/resourceManagementPrivateLinks, Microsoft.Devices/ProvisioningServices, Microsoft.Synapse/privateLinkHubs, Microsoft.PowerBI/privateLinkServicesForPowerBI, Microsoft.Cache/redisEnterprise, Microsoft.HybridCompute/privateLinkScopes, Microsoft.OffAzure/mastersites, Microsoft.TimeSeriesInsights/environments, Microsoft.DigitalTwins/digitalTwinsInstances, Microsoft.Keyvault/managedHSMs, Microsoft.Kusto/clusters, Microsoft.Purview/accounts, Microsoft.Web/staticSites, Microsoft.SignalRService/webPubSub, Microsoft.DeviceUpdate/accounts, Microsoft.DBforPostgreSQL/serverGroupsv2, Microsoft.HealthcareApis/workspaces, Microsoft.ApiManagement/service, Microsoft.HDInsight/clusters, Microsoft.DesktopVirtualization/hostpools, Microsoft.DesktopVirtualization/workspaces, Microsoft.Media/videoanalyzers, Microsoft.IoTCentral/IoTApps, Microsoft.EventGrid/partnerNamespaces, Microsoft.BotService/botServices, Microsoft.AgFoodPlatform/farmBeats, Microsoft.NotificationHubs/namespaces, Microsoft.VideoIndexer/accounts, Microsoft.OpenEnergyPlatform/energyServices, Microsoft.Dashboard/grafana, Microsoft.DBforMySQL/flexibleServers, Microsoft.MachineLearningServices/registries, Microsoft.DBforPostgreSQL/flexibleServers, Microsoft.HardwareSecurityModules/cloudHsmClusters, Microsoft.Logic/integrationAccounts, Microsoft.Monitor/accounts, Microsoft.EventGrid/namespaces, Microsoft.ElasticSan/elasticSans, Microsoft.DocumentDB/mongoClusters, Microsoft.Chaos/privateAccesses, Microsoft.App/managedEnvironments, Microsoft.HealthDataAIServices/DeidServices
Environment
All database connectors Connection method: Private networking
Understanding the problem
Your target resource ID uses the Microsoft.Network/privateEndpoints resource type, which isn’t a valid Private Endpoint target. A Private Endpoint must point to a Private Link–enabled service (for example, Microsoft.Sql/servers, Microsoft.Storage/storageAccounts, Microsoft.KeyVault/vaults) or a Private Link Service (for example, Microsoft.Network/privateLinkServices). See the error message for the full list of allowed types.
Causes and solutions
Validation failed because the target resource ID isn’t a supported Private Link type.
Identify the Azure service you actually want to reach, such as SQL, Storage, Key Vault or a Private Link Service, and update the Private Endpoint to use that service’s resource ID, along with the correct sub-resource or group ID. Correcting the ID resolves the error.
Resolution
Identify the actual Azure service you want to reach.
- If the target service already has a Private Endpoint, use the service’s resource ID for your new Private Endpoint (For example,
/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Sql/servers/{server}). - If the service doesn’t support Private Link, use another networking option.
- If using a Private Link Service (PLS), the ID must be
/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Network/privateLinkServices/{pls_name}and the typeMicrosoft.Network/privateLinkServices.
- If the target service already has a Private Endpoint, use the service’s resource ID for your new Private Endpoint (For example,
Get the exact resource ID.
In the Azure Portal
- Navigate to the Azure service you want to connect to (for example, your Azure SQL Server, Storage Account, or Azure Cosmos DB account).
- Click Settings → Properties, find Resource ID and click the copy icon. Or, on the resource’s Overview page, click JSON view, and copy the value of id.
Using Azure CLI
Get the resource ID of an Azure SQL Server:
az sql server show --name <your-sql-server-name> --resource-group <your-resource-group> --query id --output tsvGet the resource ID of a storage account:
az storage account show --name <your-storage-account-name> --resource-group <your-resource-group> --query id --output tsvGet the resource ID of a Private Link Service:
az network private-link-service show --name <your-pls-name> --resource-group <your-resource-group> --query id --output tsvUpdate the Private Endpoint to use that ID, and pick the correct subresource/group ID (for example,
sqlServerfor SQL,blobfor Storage).