Unclear error message while creating private endpoint

[bim-msft]

Describe the bug
In the help message of az network private-endpoint create, the parameter group Id is not required:

Command
    az network private-endpoint create : Create a private endpoint.
        This command is in preview. It may be changed/removed in a future release.
Arguments
    --connection-name                [Required] : Name of the private link service connection.
    --name -n                        [Required] : Name of the private endpoint.
    --private-connection-resource-id [Required] : The resource id of which private enpoint connect
                                                  to.
    --resource-group -g              [Required] : Name of resource group. You can configure the
                                                  default group using `az configure --defaults
                                                  group=<name>`.
    --subnet                         [Required] : Name or ID of an existing subnet. If name is
                                                  specified, also specify --vnet-name.
    --group-ids                                 : The ID(s) of the group(s) obtained from the remote
                                                  resource that this private endpoint should connect
                                                  to. You can use "az network private-resource show
                                                  to obtain the list of group ids.".
    --location -l                               : Location. Values from: `az account list-
                                                  locations`. You can configure the default location
                                                  using `az configure --defaults
                                                  location=<location>`.
    --manual-request                            : Use manual request to establish the connection.
                                                  Allowed values: false, true.
    --request-message                           : A message passed to the owner of the remote
                                                  resource with this connection request. Restricted
                                                  to 140 chars.
    --tags                                      : Space-separated tags in 'key[=value]' format. Use
                                                  "" to clear existing tags.
    --vnet-name                                 : The virtual network (VNet) associated with the
                                                  subnet (Omit if supplying a subnet id).

Global Arguments
    --debug                                     : Increase logging verbosity to show all debug logs.
    --help -h                                   : Show this help message and exit.
    --output -o                                 : Output format.  Allowed values: json, jsonc, none,
                                                  table, tsv, yaml.  Default: json.
    --query                                     : JMESPath query string. See http://jmespath.org/
                                                  for more information and examples.
    --subscription                              : Name or ID of subscription. You can configure the
                                                  default subscription using `az account set -s
                                                  NAME_OR_ID`.
    --verbose                                   : Increase logging verbosity. Use --debug for full
                                                  debug logs.

Examples
    Create a private endpoint.
        az network private-endpoint create -g MyResourceGroup -n MyPE --vnet-name MyVnetName
        --subnet MySubnet --private-connection-resource-id ""/subscriptions/00000000-0000-0000-0000-
        000000000000/resourceGroups/MyResourceGroup/providers/Microsoft.Network/privateLinkServices/
        MyPLS"" --connection-name tttt -l centralus

For more specific examples, use: az find "az network private-endpoint create"

And there is no group Id in above example too.
But actually, this parameter is required, please see the command below:

To Reproduce
az network private-endpoint create -g bim-rg -n bim-pe --vnet-name bim-vnet2 --subnet default --private-connection-resource-id "/subscriptions/xxxxxxxxxx/resourceGroups/bim-rg/providers/Microsof t.KeyVault/vaults/bim-kv-normal" --connection-name bim-pls -l eastus2euap

Error:
MissingParameterOnPrivateLinkServiceConnection - Private link service connection /subscriptions/xxxxxx/resourceGroups/bim-rg/providers/Microsoft.Network/privateEndpoints/bim-pe/privateLinkServiceConnections/bim-pls i s missing required parameter 'group Id'.

Environment summary
dev branch 93a50bb

Additional information
Finally, I figured out that if I use a private link service resource id like /subscriptions/xxxxxxxx/resourceGroups/bim-rg/providers/Microsof t.Network/privateLinkServices/bim-pls, the error is gone. However, the previous error message is unclear and confused.

[bim-msft]

@myronfanqiu Please take a look.

[mmyyrroonn]

@bim-msft You're right. Group ids is not necessary when you add a private link service(PLS) into the private endpoint(PE). But it's necessary if you try to create a PE for first party like storage. So it cannot be marked as required. However, we haven't implement the command az network private-resource list currently. That may be the problem.

[mmyyrroonn]

Since you are trying to create PE for keyvault. I think it's time to support this functionality. I need to confirm with service team to check the server's status.

[bim-msft]

@myronfanqiu Thanks! Actually, I'm working on Private Endpoint feature for Key Vault command right now. PE for keyvault is available in regions eastus2euap and westcenturalus.

BTW, what does group-ids mean here, how can I obtain the right vault for it? Also, the help message: You can use "az network private-resource show to obtain the list of group ids." seems incorrect since there is no command group named private-resource for command network.

[bim-msft]

It seems that the group-id means sub resource name, see the screenshot:

[bim-msft]

We can use command az keyvault private-link-resource show to exactly obtain group id for a Key Vault in the future.