Document Details
Service Endpoint Policies
❌
This page contains Windows bias
About This Page
This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.
Bias Analysis
Bias Types:
⚠️
powershell_heavy
⚠️
windows_first
⚠️
missing_linux_example
Summary:
The documentation provides both Azure CLI and PowerShell examples, but the scripting style and variable assignment syntax in the Azure CLI section is heavily influenced by PowerShell conventions (e.g., use of $variable, [String[]] arrays), which are not idiomatic for Bash or Linux shells. The PowerShell example is given in full, but there is no dedicated Bash/Linux shell script or example. The documentation assumes familiarity with PowerShell scripting, which is Windows-centric, and does not provide Linux-native command or scripting patterns.
Recommendations:
- Provide a dedicated Bash/Linux shell example using Azure CLI, with variable assignment and array handling in Bash style (e.g., VAR=value, arrays with parentheses).
- Avoid using PowerShell variable syntax ($var) and array notation ([String[]]) in Azure CLI examples; use syntax that is idiomatic for the target shell.
- Explicitly mention that Azure CLI commands can be run from any OS, and provide examples in both Windows (PowerShell) and Linux (Bash) scripting styles.
- Add a section or callout for Linux users, clarifying how to adapt the steps for Bash or other common Linux shells.
- Ensure parity in the depth and completeness of examples for both Windows and Linux environments.
Create pull request
Scan History
| Date | Scan ID | Status | Bias Status |
|---|---|---|---|
| 2025-08-17 00:01 | #83 | in_progress | ✅ Clean |
| 2025-07-13 21:37 | #48 | completed | ❌ Biased |
| 2025-07-12 23:44 | #41 | in_progress | ❌ Biased |
| 2025-07-09 13:09 | #3 | cancelled | ✅ Clean |
| 2025-07-08 04:23 | #2 | cancelled | ❌ Biased |
Flagged Code Snippets
$subscriptionId = "<subscription id>"
$rgName="<resource group name> "
$location="<location name>"
$vnetName="<vnet name>"
$subnetName="<subnet name>"
$sepName="<service endpoint policy name>"
$sepDefName="<service endpoint policy definition name>"
# Set to the right subscription ID
az account set --subscription $subscriptionId
# setup service endpoint on the virtual network subnet
az network vnet subnet update -g $rgName --vnet-name $vnetName -n $subnetName --service-endpoints Microsoft.Storage
# Create Service Endpoint Policy
az network service-endpoint policy create -g $rgName -n $sepName -l $location
# Insert the list of HDInsight owned resources for the region your clusters will be created in.
# Be sure to get the most recent list of resource groups from the [list of service endpoint policy resources](https://github.com/Azure-Samples/hdinsight-enterprise-security/blob/main/hdinsight-service-endpoint-policy-resources.json)
[String[]]$resources = @("/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/Default-Storage-WestUS",`
"/subscriptions/bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f/resourceGroups/GenevaWarmPathManageRG",`
"/subscriptions/cccc2c2c-dd3d-ee4e-ff5f-aaaaaa6a6a6a/resourceGroups/GenevaWarmPathManageRG",`
"/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/resourceGroups/Default-Storage-CanadaCentral",`
"/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/resourceGroups/cancstorage",`
"/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/resourceGroups/GenevaWarmPathManageRG",
"/subscriptions/eeee4efe-ff5f-aa6a-bb7b-cccccc8c8c8c/resourceGroups/DistroStorageRG/providers/Microsoft.Storage/storageAccounts/hdi31distrorelease",
"/subscriptions/eeee4efe-ff5f-aa6a-bb7b-cccccc8c8c8c/resourceGroups/DistroStorageRG/providers/Microsoft.Storage/storageAccounts/bigdatadistro")
#Assign service resources to the SEP policy.
az network service-endpoint policy-definition create -g $rgName --policy-name $sepName -n $sepDefName --service "Microsoft.Storage" --service-resources $resources
# Associate a subnet to the service endpoint policy just created. If there is a delay in updating it to subnet, you can use the Azure portal to associate the policy with the subnet.
az network vnet subnet update -g $rgName --vnet-name $vnetName -n $subnetName --service-endpoint-policy $sepName
#Script to assign SEP
$subscriptionId = "<subscription id>"
$rgName = "<resource group name>"
$vnetName = "<vnet name>"
$subnetName = "<subnet Name"
$location = "Canada Central"
# Connect to your Azure Account
Connect-AzAccount
# Select the Subscription that you want to use
Select-AzSubscription -SubscriptionId $subscriptionId
# Retrieve VNet Config
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name $vnetName
# Retrieve Subnet Config
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet
# Insert the list of HDInsight owned resources for the region your clusters will be created in.
# Be sure to get the most recent list of resource groups from the [list of service endpoint policy resources](https://github.com/Azure-Samples/hdinsight-enterprise-security/blob/main/hdinsight-service-endpoint-policy-resources.json)
[String[]]$resources = @("/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/Default-Storage-WestUS",
"/subscriptions/bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f/resourceGroups/GenevaWarmPathManageRG",
"/subscriptions/cccc2c2c-dd3d-ee4e-ff5f-aaaaaa6a6a6a/resourceGroups/GenevaWarmPathManageRG",
"/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/resourceGroups/Default-Storage-CanadaCentral",
"/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/resourceGroups/cancstorage",
"/subscriptions/dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b/resourceGroups/GenevaWarmPathManageRG",
"/subscriptions/eeee4efe-ff5f-aa6a-bb7b-cccccc8c8c8c/resourceGroups/DistroStorageRG/providers/Microsoft.Storage/storageAccounts/hdi31distrorelease",
"/subscriptions/eeee4efe-ff5f-aa6a-bb7b-cccccc8c8c8c/resourceGroups/DistroStorageRG/providers/Microsoft.Storage/storageAccounts/bigdatadistro")
#Declare service endpoint policy definition
$sepDef = New-AzServiceEndpointPolicyDefinition -Name "SEPHDICanadaCentral" -Description "Service Endpoint Policy Definition" -Service "Microsoft.Storage" -ServiceResource $resources
# Service Endpoint Policy
$sep= New-AzServiceEndpointPolicy -ResourceGroupName $rgName -Name "SEPHDICanadaCentral" -Location $location -ServiceEndpointPolicyDefinition $sepDef
# Associate a subnet to the service endpoint policy just created. If there is a delay in updating it to subnet, you can use the Azure portal to associate the policy with the subnet.
Set-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet -AddressPrefix $subnet.AddressPrefix -ServiceEndpointPolicy $sep