diff --git a/pkg/cluster/cluster.go b/pkg/cluster/cluster.go
index 5e4ebd9dc52..23b194df3cb 100644
--- a/pkg/cluster/cluster.go
+++ b/pkg/cluster/cluster.go
@@ -71,27 +71,31 @@ type manager struct {
 	localFpAuthorizer autorest.Authorizer
 	metricsEmitter    metrics.Emitter
 
-	spGraphClient         *utilgraph.GraphServiceClient
-	disks                 compute.DisksClient
-	virtualMachines       compute.VirtualMachinesClient
-	interfaces            network.InterfacesClient // TODO: use armInterfaces instead.
-	armInterfaces         armnetwork.InterfacesClient
-	publicIPAddresses     network.PublicIPAddressesClient // TODO: use armPublicIPAddresses instead.
-	armPublicIPAddresses  armnetwork.PublicIPAddressesClient
-	loadBalancers         network.LoadBalancersClient // TODO: use armLoadBalancers instead.
-	armLoadBalancers      armnetwork.LoadBalancersClient
-	privateEndpoints      network.PrivateEndpointsClient
-	securityGroups        network.SecurityGroupsClient
-	deployments           features.DeploymentsClient
-	resourceGroups        features.ResourceGroupsClient
-	resources             features.ResourcesClient
-	privateZones          privatedns.PrivateZonesClient
-	virtualNetworkLinks   privatedns.VirtualNetworkLinksClient
-	roleAssignments       authorization.RoleAssignmentsClient
-	roleDefinitions       authorization.RoleDefinitionsClient
-	denyAssignments       authorization.DenyAssignmentClient
-	fpPrivateEndpoints    network.PrivateEndpointsClient
-	rpPrivateLinkServices network.PrivateLinkServicesClient
+	spGraphClient            *utilgraph.GraphServiceClient
+	disks                    compute.DisksClient
+	virtualMachines          compute.VirtualMachinesClient
+	interfaces               network.InterfacesClient // TODO: use armInterfaces instead.
+	armInterfaces            armnetwork.InterfacesClient
+	publicIPAddresses        network.PublicIPAddressesClient // TODO: use armPublicIPAddresses instead.
+	armPublicIPAddresses     armnetwork.PublicIPAddressesClient
+	loadBalancers            network.LoadBalancersClient // TODO: use armLoadBalancers instead.
+	armLoadBalancers         armnetwork.LoadBalancersClient
+	privateEndpoints         network.PrivateEndpointsClient // TODO: use armPrivateEndpoints instead.
+	armPrivateEndpoints      armnetwork.PrivateEndpointsClient
+	securityGroups           network.SecurityGroupsClient // TODO: use armSecurityGroups instead.
+	armSecurityGroups        armnetwork.SecurityGroupsClient
+	deployments              features.DeploymentsClient
+	resourceGroups           features.ResourceGroupsClient
+	resources                features.ResourcesClient
+	privateZones             privatedns.PrivateZonesClient
+	virtualNetworkLinks      privatedns.VirtualNetworkLinksClient
+	roleAssignments          authorization.RoleAssignmentsClient
+	roleDefinitions          authorization.RoleDefinitionsClient
+	denyAssignments          authorization.DenyAssignmentClient
+	fpPrivateEndpoints       network.PrivateEndpointsClient // TODO: use armFPPrivateEndpoints instead.
+	armFPPrivateEndpoints    armnetwork.PrivateEndpointsClient
+	rpPrivateLinkServices    network.PrivateLinkServicesClient // TODO: use armRPPrivateLinkServices instead.
+	armRPPrivateLinkServices armnetwork.PrivateLinkServicesClient
 
 	dns     dns.Manager
 	storage storage.Manager
@@ -137,7 +141,7 @@ func New(ctx context.Context, log *logrus.Entry, _env env.Interface, db database
 		return nil, err
 	}
 
-	// TODO: Delete once the replace to track2 is done
+	// TODO: Delete once the replacement to track2 is done
 	fpAuthorizer, err := refreshable.NewAuthorizer(_env, subscriptionDoc.Subscription.Properties.TenantID)
 	if err != nil {
 		return nil, err
@@ -148,11 +152,17 @@ func New(ctx context.Context, log *logrus.Entry, _env env.Interface, db database
 		return nil, err
 	}
 
+	fpCredRPTenant, err := _env.FPNewClientCertificateCredential(_env.TenantID())
+	if err != nil {
+		return nil, err
+	}
+
 	msiCredential, err := _env.NewMSITokenCredential()
 	if err != nil {
 		return nil, err
 	}
 
+	// TODO: Delete once the replacement to track2 is done.
 	msiAuthorizer, err := _env.NewMSIAuthorizer(_env.Environment().ResourceManagerScope)
 	if err != nil {
 		return nil, err
@@ -177,17 +187,37 @@ func New(ctx context.Context, log *logrus.Entry, _env env.Interface, db database
 		},
 	}
 
+	armInterfacesClient, err := armnetwork.NewInterfacesClient(r.SubscriptionID, fpCredClusterTenant, &clientOptions)
+	if err != nil {
+		return nil, err
+	}
+
+	armPublicIPAddressesClient, err := armnetwork.NewPublicIPAddressesClient(r.SubscriptionID, fpCredClusterTenant, &clientOptions)
+	if err != nil {
+		return nil, err
+	}
+
 	armLoadBalancersClient, err := armnetwork.NewLoadBalancersClient(r.SubscriptionID, fpCredClusterTenant, &clientOptions)
 	if err != nil {
 		return nil, err
 	}
 
-	armInterfacesClient, err := armnetwork.NewInterfacesClient(r.SubscriptionID, fpCredClusterTenant, &clientOptions)
+	armPrivateEndpoints, err := armnetwork.NewPrivateEndpointsClient(r.SubscriptionID, fpCredClusterTenant, &clientOptions)
 	if err != nil {
 		return nil, err
 	}
 
-	armPublicIPAddressesClient, err := armnetwork.NewPublicIPAddressesClient(r.SubscriptionID, fpCredClusterTenant, &clientOptions)
+	armFPPrivateEndpoints, err := armnetwork.NewPrivateEndpointsClient(r.SubscriptionID, fpCredRPTenant, &clientOptions)
+	if err != nil {
+		return nil, err
+	}
+
+	armSecurityGroupsClient, err := armnetwork.NewSecurityGroupsClient(r.SubscriptionID, fpCredClusterTenant, &clientOptions)
+	if err != nil {
+		return nil, err
+	}
+
+	armRPPrivateLinkServices, err := armnetwork.NewPrivateLinkServicesClient(r.SubscriptionID, msiCredential, &clientOptions)
 	if err != nil {
 		return nil, err
 	}
@@ -198,37 +228,41 @@ func New(ctx context.Context, log *logrus.Entry, _env env.Interface, db database
 	}
 
 	return &manager{
-		log:                   log,
-		env:                   _env,
-		db:                    db,
-		dbGateway:             dbGateway,
-		dbOpenShiftVersions:   dbOpenShiftVersions,
-		billing:               billing,
-		doc:                   doc,
-		subscriptionDoc:       subscriptionDoc,
-		fpAuthorizer:          fpAuthorizer,
-		localFpAuthorizer:     localFPAuthorizer,
-		metricsEmitter:        metricsEmitter,
-		disks:                 compute.NewDisksClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
-		virtualMachines:       compute.NewVirtualMachinesClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
-		interfaces:            network.NewInterfacesClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
-		armInterfaces:         armInterfacesClient,
-		publicIPAddresses:     network.NewPublicIPAddressesClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
-		armPublicIPAddresses:  armPublicIPAddressesClient,
-		loadBalancers:         network.NewLoadBalancersClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
-		armLoadBalancers:      armLoadBalancersClient,
-		privateEndpoints:      network.NewPrivateEndpointsClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
-		securityGroups:        network.NewSecurityGroupsClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
-		deployments:           features.NewDeploymentsClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
-		resourceGroups:        features.NewResourceGroupsClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
-		resources:             features.NewResourcesClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
-		privateZones:          privatedns.NewPrivateZonesClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
-		virtualNetworkLinks:   privatedns.NewVirtualNetworkLinksClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
-		roleAssignments:       authorization.NewRoleAssignmentsClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
-		roleDefinitions:       authorization.NewRoleDefinitionsClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
-		denyAssignments:       authorization.NewDenyAssignmentsClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
-		fpPrivateEndpoints:    network.NewPrivateEndpointsClient(_env.Environment(), _env.SubscriptionID(), localFPAuthorizer),
-		rpPrivateLinkServices: network.NewPrivateLinkServicesClient(_env.Environment(), _env.SubscriptionID(), msiAuthorizer),
+		log:                      log,
+		env:                      _env,
+		db:                       db,
+		dbGateway:                dbGateway,
+		dbOpenShiftVersions:      dbOpenShiftVersions,
+		billing:                  billing,
+		doc:                      doc,
+		subscriptionDoc:          subscriptionDoc,
+		fpAuthorizer:             fpAuthorizer,
+		localFpAuthorizer:        localFPAuthorizer,
+		metricsEmitter:           metricsEmitter,
+		disks:                    compute.NewDisksClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
+		virtualMachines:          compute.NewVirtualMachinesClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
+		interfaces:               network.NewInterfacesClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
+		armInterfaces:            armInterfacesClient,
+		publicIPAddresses:        network.NewPublicIPAddressesClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
+		armPublicIPAddresses:     armPublicIPAddressesClient,
+		loadBalancers:            network.NewLoadBalancersClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
+		armLoadBalancers:         armLoadBalancersClient,
+		privateEndpoints:         network.NewPrivateEndpointsClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
+		armPrivateEndpoints:      armPrivateEndpoints,
+		securityGroups:           network.NewSecurityGroupsClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
+		armSecurityGroups:        armSecurityGroupsClient,
+		deployments:              features.NewDeploymentsClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
+		resourceGroups:           features.NewResourceGroupsClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
+		resources:                features.NewResourcesClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
+		privateZones:             privatedns.NewPrivateZonesClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
+		virtualNetworkLinks:      privatedns.NewVirtualNetworkLinksClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
+		roleAssignments:          authorization.NewRoleAssignmentsClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
+		roleDefinitions:          authorization.NewRoleDefinitionsClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
+		denyAssignments:          authorization.NewDenyAssignmentsClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
+		fpPrivateEndpoints:       network.NewPrivateEndpointsClient(_env.Environment(), _env.SubscriptionID(), localFPAuthorizer),
+		armFPPrivateEndpoints:    armFPPrivateEndpoints,
+		rpPrivateLinkServices:    network.NewPrivateLinkServicesClient(_env.Environment(), _env.SubscriptionID(), msiAuthorizer),
+		armRPPrivateLinkServices: armRPPrivateLinkServices,
 
 		dns:     dns.NewManager(_env, localFPAuthorizer),
 		storage: storage,
diff --git a/pkg/util/azureclient/azuresdk/armnetwork/generate.go b/pkg/util/azureclient/azuresdk/armnetwork/generate.go
index af0957fb948..a2029abccb2 100644
--- a/pkg/util/azureclient/azuresdk/armnetwork/generate.go
+++ b/pkg/util/azureclient/azuresdk/armnetwork/generate.go
@@ -4,5 +4,5 @@ package armnetwork
 // Licensed under the Apache License 2.0.
 
 //go:generate rm -rf ../../../../util/mocks/$GOPACKAGE
-//go:generate go run ../../../../../vendor/github.com/golang/mock/mockgen -destination=../../../../util/mocks/azureclient/azuresdk/$GOPACKAGE/$GOPACKAGE.go github.com/Azure/ARO-RP/pkg/util/azureclient/azuresdk/$GOPACKAGE InterfacesClient,LoadBalancersClient,LoadBalancerBackendAddressPoolsClient,PublicIPAddressesClient
+//go:generate go run ../../../../../vendor/github.com/golang/mock/mockgen -destination=../../../../util/mocks/azureclient/azuresdk/$GOPACKAGE/$GOPACKAGE.go github.com/Azure/ARO-RP/pkg/util/azureclient/azuresdk/$GOPACKAGE InterfacesClient,LoadBalancersClient,LoadBalancerBackendAddressPoolsClient,PrivateEndpointsClient,PrivateLinkServicesClient,PublicIPAddressesClient,SecurityGroupsClient
 //go:generate go run ../../../../../vendor/golang.org/x/tools/cmd/goimports -local=github.com/Azure/ARO-RP -e -w ../../../../util/mocks/azureclient/azuresdk/$GOPACKAGE/$GOPACKAGE.go
diff --git a/pkg/util/azureclient/azuresdk/armnetwork/privateendpoints.go b/pkg/util/azureclient/azuresdk/armnetwork/privateendpoints.go
new file mode 100644
index 00000000000..4679e91ae49
--- /dev/null
+++ b/pkg/util/azureclient/azuresdk/armnetwork/privateendpoints.go
@@ -0,0 +1,32 @@
+package armnetwork
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the Apache License 2.0.
+
+import (
+	"context"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/arm"
+	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v2"
+
+	"github.com/Azure/ARO-RP/pkg/util/azureclient/azuresdk/azcore"
+)
+
+// PrivateEndpointsClient is a minimal interface for azure PrivateEndpointsClient
+type PrivateEndpointsClient interface {
+	Get(ctx context.Context, resourceGroupName string, privateEndpointName string, options *armnetwork.PrivateEndpointsClientGetOptions) (armnetwork.PrivateEndpointsClientGetResponse, error)
+	PrivateEndpointsClientAddons
+}
+
+type privateEndpointsClient struct {
+	*armnetwork.PrivateEndpointsClient
+}
+
+// NewPrivateEndpointsClient creates a new PrivateEndpointsClient
+func NewPrivateEndpointsClient(subscriptionID string, credential azcore.TokenCredential, options *arm.ClientOptions) (PrivateEndpointsClient, error) {
+	clientFactory, err := armnetwork.NewClientFactory(subscriptionID, credential, options)
+	if err != nil {
+		return nil, err
+	}
+	return &privateEndpointsClient{PrivateEndpointsClient: clientFactory.NewPrivateEndpointsClient()}, nil
+}
diff --git a/pkg/util/azureclient/azuresdk/armnetwork/privateendpoints_addons.go b/pkg/util/azureclient/azuresdk/armnetwork/privateendpoints_addons.go
new file mode 100644
index 00000000000..2c8ff666442
--- /dev/null
+++ b/pkg/util/azureclient/azuresdk/armnetwork/privateendpoints_addons.go
@@ -0,0 +1,34 @@
+package armnetwork
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the Apache License 2.0.
+
+import (
+	"context"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v2"
+)
+
+// PrivateEndpointsClientAddons contains addons for PrivateEndpointsClient
+type PrivateEndpointsClientAddons interface {
+	CreateOrUpdateAndWait(ctx context.Context, resourceGroupName string, privateEndpointName string, parameters armnetwork.PrivateEndpoint, options *armnetwork.PrivateEndpointsClientBeginCreateOrUpdateOptions) error
+	DeleteAndWait(ctx context.Context, resourceGroupName string, publicIPAddressName string, options *armnetwork.PrivateEndpointsClientBeginDeleteOptions) error
+}
+
+func (c *privateEndpointsClient) CreateOrUpdateAndWait(ctx context.Context, resourceGroupName string, privateEndpointName string, parameters armnetwork.PrivateEndpoint, options *armnetwork.PrivateEndpointsClientBeginCreateOrUpdateOptions) error {
+	poller, err := c.PrivateEndpointsClient.BeginCreateOrUpdate(ctx, resourceGroupName, privateEndpointName, parameters, options)
+	if err != nil {
+		return err
+	}
+	_, err = poller.PollUntilDone(ctx, nil)
+	return err
+}
+
+func (c *privateEndpointsClient) DeleteAndWait(ctx context.Context, resourceGroupName string, publicIPAddressName string, options *armnetwork.PrivateEndpointsClientBeginDeleteOptions) error {
+	poller, err := c.PrivateEndpointsClient.BeginDelete(ctx, resourceGroupName, publicIPAddressName, options)
+	if err != nil {
+		return err
+	}
+	_, err = poller.PollUntilDone(ctx, nil)
+	return err
+}
diff --git a/pkg/util/azureclient/azuresdk/armnetwork/privatelinkservices.go b/pkg/util/azureclient/azuresdk/armnetwork/privatelinkservices.go
new file mode 100644
index 00000000000..40c7a003186
--- /dev/null
+++ b/pkg/util/azureclient/azuresdk/armnetwork/privatelinkservices.go
@@ -0,0 +1,33 @@
+package armnetwork
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the Apache License 2.0.
+
+import (
+	"context"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/arm"
+	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v2"
+
+	"github.com/Azure/ARO-RP/pkg/util/azureclient/azuresdk/azcore"
+)
+
+// PrivateLinkServicesClient is a minimal interface for azure PrivateLinkServicesClient
+type PrivateLinkServicesClient interface {
+	Get(ctx context.Context, resourceGroupName string, serviceName string, options *armnetwork.PrivateLinkServicesClientGetOptions) (armnetwork.PrivateLinkServicesClientGetResponse, error)
+	UpdatePrivateEndpointConnection(ctx context.Context, resourceGroupName string, serviceName string, peConnectionName string, parameters armnetwork.PrivateEndpointConnection, options *armnetwork.PrivateLinkServicesClientUpdatePrivateEndpointConnectionOptions) (armnetwork.PrivateLinkServicesClientUpdatePrivateEndpointConnectionResponse, error)
+	PrivateLinkServicesClientAddons
+}
+
+type privateLinkServicesClient struct {
+	*armnetwork.PrivateLinkServicesClient
+}
+
+// NewPrivateLinkServicesClient creates a new PrivateLinkServicesClient
+func NewPrivateLinkServicesClient(subscriptionID string, credential azcore.TokenCredential, options *arm.ClientOptions) (PrivateLinkServicesClient, error) {
+	clientFactory, err := armnetwork.NewClientFactory(subscriptionID, credential, options)
+	if err != nil {
+		return nil, err
+	}
+	return &privateLinkServicesClient{PrivateLinkServicesClient: clientFactory.NewPrivateLinkServicesClient()}, nil
+}
diff --git a/pkg/util/azureclient/azuresdk/armnetwork/privatelinkservices_addons.go b/pkg/util/azureclient/azuresdk/armnetwork/privatelinkservices_addons.go
new file mode 100644
index 00000000000..1265713008d
--- /dev/null
+++ b/pkg/util/azureclient/azuresdk/armnetwork/privatelinkservices_addons.go
@@ -0,0 +1,38 @@
+package armnetwork
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the Apache License 2.0.
+
+import (
+	"context"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v2"
+)
+
+// PrivateLinkServicesClientAddons contains addons for PrivateLinkServicesClient
+type PrivateLinkServicesClientAddons interface {
+	List(ctx context.Context, resourceGroupName string, options *armnetwork.PrivateLinkServicesClientListOptions) ([]*armnetwork.PrivateLinkService, error)
+	DeletePrivateEndpointConnectionAndWait(ctx context.Context, resourceGroupName string, serviceName string, peConnectionName string, options *armnetwork.PrivateLinkServicesClientBeginDeletePrivateEndpointConnectionOptions) error
+}
+
+func (c *privateLinkServicesClient) List(ctx context.Context, resourceGroupName string, options *armnetwork.PrivateLinkServicesClientListOptions) (result []*armnetwork.PrivateLinkService, err error) {
+	pager := c.PrivateLinkServicesClient.NewListPager(resourceGroupName, options)
+
+	for pager.More() {
+		page, err := pager.NextPage(ctx)
+		if err != nil {
+			return nil, err
+		}
+		result = append(result, page.Value...)
+	}
+	return result, nil
+}
+
+func (c *privateLinkServicesClient) DeletePrivateEndpointConnectionAndWait(ctx context.Context, resourceGroupName string, serviceName string, peConnectionName string, options *armnetwork.PrivateLinkServicesClientBeginDeletePrivateEndpointConnectionOptions) error {
+	poller, err := c.PrivateLinkServicesClient.BeginDeletePrivateEndpointConnection(ctx, resourceGroupName, serviceName, peConnectionName, options)
+	if err != nil {
+		return err
+	}
+	_, err = poller.PollUntilDone(ctx, nil)
+	return err
+}
diff --git a/pkg/util/azureclient/azuresdk/armnetwork/securitygroups.go b/pkg/util/azureclient/azuresdk/armnetwork/securitygroups.go
new file mode 100644
index 00000000000..28b6ba2dd3e
--- /dev/null
+++ b/pkg/util/azureclient/azuresdk/armnetwork/securitygroups.go
@@ -0,0 +1,32 @@
+package armnetwork
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the Apache License 2.0.
+
+import (
+	"context"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/arm"
+	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v2"
+
+	"github.com/Azure/ARO-RP/pkg/util/azureclient/azuresdk/azcore"
+)
+
+// SecurityGroupsClient is a minimal interface for azure SecurityGroupsClient
+type SecurityGroupsClient interface {
+	Get(ctx context.Context, resourceGroupName string, networkSecurityGroupName string, options *armnetwork.SecurityGroupsClientGetOptions) (armnetwork.SecurityGroupsClientGetResponse, error)
+	SecurityGroupsClientAddons
+}
+
+type securityGroupsClient struct {
+	*armnetwork.SecurityGroupsClient
+}
+
+// NewSecurityGroupsClient creates a new SecurityGroupsClient
+func NewSecurityGroupsClient(subscriptionID string, credential azcore.TokenCredential, options *arm.ClientOptions) (SecurityGroupsClient, error) {
+	clientFactory, err := armnetwork.NewClientFactory(subscriptionID, credential, options)
+	if err != nil {
+		return nil, err
+	}
+	return &securityGroupsClient{SecurityGroupsClient: clientFactory.NewSecurityGroupsClient()}, nil
+}
diff --git a/pkg/util/azureclient/azuresdk/armnetwork/securitygroups_addons.go b/pkg/util/azureclient/azuresdk/armnetwork/securitygroups_addons.go
new file mode 100644
index 00000000000..ecae2b2d6c8
--- /dev/null
+++ b/pkg/util/azureclient/azuresdk/armnetwork/securitygroups_addons.go
@@ -0,0 +1,48 @@
+package armnetwork
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the Apache License 2.0.
+
+import (
+	"context"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v2"
+)
+
+// SecurityGroupsClientAddons contains addons for SecurityGroupsClient
+type SecurityGroupsClientAddons interface {
+	CreateOrUpdateAndWait(ctx context.Context, resourceGroupName string, networkSecurityGroupName string, parameters armnetwork.SecurityGroup, options *armnetwork.SecurityGroupsClientBeginCreateOrUpdateOptions) error
+	DeleteAndWait(ctx context.Context, resourceGroupName string, networkSecurityGroupName string, options *armnetwork.SecurityGroupsClientBeginDeleteOptions) error
+	List(ctx context.Context, resourceGroupName string, options *armnetwork.SecurityGroupsClientListOptions) ([]*armnetwork.SecurityGroup, error)
+}
+
+func (c *securityGroupsClient) CreateOrUpdateAndWait(ctx context.Context, resourceGroupName string, networkSecurityGroupName string, parameters armnetwork.SecurityGroup, options *armnetwork.SecurityGroupsClientBeginCreateOrUpdateOptions) error {
+	poller, err := c.SecurityGroupsClient.BeginCreateOrUpdate(ctx, resourceGroupName, networkSecurityGroupName, parameters, options)
+	if err != nil {
+		return err
+	}
+	_, err = poller.PollUntilDone(ctx, nil)
+	return err
+}
+
+func (c *securityGroupsClient) DeleteAndWait(ctx context.Context, resourceGroupName string, networkSecurityGroupName string, options *armnetwork.SecurityGroupsClientBeginDeleteOptions) error {
+	poller, err := c.SecurityGroupsClient.BeginDelete(ctx, resourceGroupName, networkSecurityGroupName, options)
+	if err != nil {
+		return err
+	}
+	_, err = poller.PollUntilDone(ctx, nil)
+	return err
+}
+
+func (c *securityGroupsClient) List(ctx context.Context, resourceGroupName string, options *armnetwork.SecurityGroupsClientListOptions) (result []*armnetwork.SecurityGroup, err error) {
+	pager := c.SecurityGroupsClient.NewListPager(resourceGroupName, options)
+
+	for pager.More() {
+		page, err := pager.NextPage(ctx)
+		if err != nil {
+			return nil, err
+		}
+		result = append(result, page.Value...)
+	}
+	return result, nil
+}
diff --git a/pkg/util/mocks/azureclient/azuresdk/armnetwork/armnetwork.go b/pkg/util/mocks/azureclient/azuresdk/armnetwork/armnetwork.go
index ab4e7faf643..d74b941d25a 100644
--- a/pkg/util/mocks/azureclient/azuresdk/armnetwork/armnetwork.go
+++ b/pkg/util/mocks/azureclient/azuresdk/armnetwork/armnetwork.go
@@ -1,5 +1,5 @@
 // Code generated by MockGen. DO NOT EDIT.
-// Source: github.com/Azure/ARO-RP/pkg/util/azureclient/azuresdk/armnetwork (interfaces: InterfacesClient,LoadBalancersClient,LoadBalancerBackendAddressPoolsClient,PublicIPAddressesClient)
+// Source: github.com/Azure/ARO-RP/pkg/util/azureclient/azuresdk/armnetwork (interfaces: InterfacesClient,LoadBalancersClient,LoadBalancerBackendAddressPoolsClient,PrivateEndpointsClient,PrivateLinkServicesClient,PublicIPAddressesClient,SecurityGroupsClient)
 
 // Package mock_armnetwork is a generated GoMock package.
 package mock_armnetwork
@@ -168,6 +168,154 @@ func (mr *MockLoadBalancerBackendAddressPoolsClientMockRecorder) Get(arg0, arg1,
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Get", reflect.TypeOf((*MockLoadBalancerBackendAddressPoolsClient)(nil).Get), arg0, arg1, arg2, arg3, arg4)
 }
 
+// MockPrivateEndpointsClient is a mock of PrivateEndpointsClient interface.
+type MockPrivateEndpointsClient struct {
+	ctrl     *gomock.Controller
+	recorder *MockPrivateEndpointsClientMockRecorder
+}
+
+// MockPrivateEndpointsClientMockRecorder is the mock recorder for MockPrivateEndpointsClient.
+type MockPrivateEndpointsClientMockRecorder struct {
+	mock *MockPrivateEndpointsClient
+}
+
+// NewMockPrivateEndpointsClient creates a new mock instance.
+func NewMockPrivateEndpointsClient(ctrl *gomock.Controller) *MockPrivateEndpointsClient {
+	mock := &MockPrivateEndpointsClient{ctrl: ctrl}
+	mock.recorder = &MockPrivateEndpointsClientMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use.
+func (m *MockPrivateEndpointsClient) EXPECT() *MockPrivateEndpointsClientMockRecorder {
+	return m.recorder
+}
+
+// CreateOrUpdateAndWait mocks base method.
+func (m *MockPrivateEndpointsClient) CreateOrUpdateAndWait(arg0 context.Context, arg1, arg2 string, arg3 armnetwork.PrivateEndpoint, arg4 *armnetwork.PrivateEndpointsClientBeginCreateOrUpdateOptions) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "CreateOrUpdateAndWait", arg0, arg1, arg2, arg3, arg4)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// CreateOrUpdateAndWait indicates an expected call of CreateOrUpdateAndWait.
+func (mr *MockPrivateEndpointsClientMockRecorder) CreateOrUpdateAndWait(arg0, arg1, arg2, arg3, arg4 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateOrUpdateAndWait", reflect.TypeOf((*MockPrivateEndpointsClient)(nil).CreateOrUpdateAndWait), arg0, arg1, arg2, arg3, arg4)
+}
+
+// DeleteAndWait mocks base method.
+func (m *MockPrivateEndpointsClient) DeleteAndWait(arg0 context.Context, arg1, arg2 string, arg3 *armnetwork.PrivateEndpointsClientBeginDeleteOptions) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "DeleteAndWait", arg0, arg1, arg2, arg3)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// DeleteAndWait indicates an expected call of DeleteAndWait.
+func (mr *MockPrivateEndpointsClientMockRecorder) DeleteAndWait(arg0, arg1, arg2, arg3 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteAndWait", reflect.TypeOf((*MockPrivateEndpointsClient)(nil).DeleteAndWait), arg0, arg1, arg2, arg3)
+}
+
+// Get mocks base method.
+func (m *MockPrivateEndpointsClient) Get(arg0 context.Context, arg1, arg2 string, arg3 *armnetwork.PrivateEndpointsClientGetOptions) (armnetwork.PrivateEndpointsClientGetResponse, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "Get", arg0, arg1, arg2, arg3)
+	ret0, _ := ret[0].(armnetwork.PrivateEndpointsClientGetResponse)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// Get indicates an expected call of Get.
+func (mr *MockPrivateEndpointsClientMockRecorder) Get(arg0, arg1, arg2, arg3 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Get", reflect.TypeOf((*MockPrivateEndpointsClient)(nil).Get), arg0, arg1, arg2, arg3)
+}
+
+// MockPrivateLinkServicesClient is a mock of PrivateLinkServicesClient interface.
+type MockPrivateLinkServicesClient struct {
+	ctrl     *gomock.Controller
+	recorder *MockPrivateLinkServicesClientMockRecorder
+}
+
+// MockPrivateLinkServicesClientMockRecorder is the mock recorder for MockPrivateLinkServicesClient.
+type MockPrivateLinkServicesClientMockRecorder struct {
+	mock *MockPrivateLinkServicesClient
+}
+
+// NewMockPrivateLinkServicesClient creates a new mock instance.
+func NewMockPrivateLinkServicesClient(ctrl *gomock.Controller) *MockPrivateLinkServicesClient {
+	mock := &MockPrivateLinkServicesClient{ctrl: ctrl}
+	mock.recorder = &MockPrivateLinkServicesClientMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use.
+func (m *MockPrivateLinkServicesClient) EXPECT() *MockPrivateLinkServicesClientMockRecorder {
+	return m.recorder
+}
+
+// DeletePrivateEndpointConnectionAndWait mocks base method.
+func (m *MockPrivateLinkServicesClient) DeletePrivateEndpointConnectionAndWait(arg0 context.Context, arg1, arg2, arg3 string, arg4 *armnetwork.PrivateLinkServicesClientBeginDeletePrivateEndpointConnectionOptions) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "DeletePrivateEndpointConnectionAndWait", arg0, arg1, arg2, arg3, arg4)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// DeletePrivateEndpointConnectionAndWait indicates an expected call of DeletePrivateEndpointConnectionAndWait.
+func (mr *MockPrivateLinkServicesClientMockRecorder) DeletePrivateEndpointConnectionAndWait(arg0, arg1, arg2, arg3, arg4 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeletePrivateEndpointConnectionAndWait", reflect.TypeOf((*MockPrivateLinkServicesClient)(nil).DeletePrivateEndpointConnectionAndWait), arg0, arg1, arg2, arg3, arg4)
+}
+
+// Get mocks base method.
+func (m *MockPrivateLinkServicesClient) Get(arg0 context.Context, arg1, arg2 string, arg3 *armnetwork.PrivateLinkServicesClientGetOptions) (armnetwork.PrivateLinkServicesClientGetResponse, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "Get", arg0, arg1, arg2, arg3)
+	ret0, _ := ret[0].(armnetwork.PrivateLinkServicesClientGetResponse)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// Get indicates an expected call of Get.
+func (mr *MockPrivateLinkServicesClientMockRecorder) Get(arg0, arg1, arg2, arg3 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Get", reflect.TypeOf((*MockPrivateLinkServicesClient)(nil).Get), arg0, arg1, arg2, arg3)
+}
+
+// List mocks base method.
+func (m *MockPrivateLinkServicesClient) List(arg0 context.Context, arg1 string, arg2 *armnetwork.PrivateLinkServicesClientListOptions) ([]*armnetwork.PrivateLinkService, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "List", arg0, arg1, arg2)
+	ret0, _ := ret[0].([]*armnetwork.PrivateLinkService)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// List indicates an expected call of List.
+func (mr *MockPrivateLinkServicesClientMockRecorder) List(arg0, arg1, arg2 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "List", reflect.TypeOf((*MockPrivateLinkServicesClient)(nil).List), arg0, arg1, arg2)
+}
+
+// UpdatePrivateEndpointConnection mocks base method.
+func (m *MockPrivateLinkServicesClient) UpdatePrivateEndpointConnection(arg0 context.Context, arg1, arg2, arg3 string, arg4 armnetwork.PrivateEndpointConnection, arg5 *armnetwork.PrivateLinkServicesClientUpdatePrivateEndpointConnectionOptions) (armnetwork.PrivateLinkServicesClientUpdatePrivateEndpointConnectionResponse, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "UpdatePrivateEndpointConnection", arg0, arg1, arg2, arg3, arg4, arg5)
+	ret0, _ := ret[0].(armnetwork.PrivateLinkServicesClientUpdatePrivateEndpointConnectionResponse)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// UpdatePrivateEndpointConnection indicates an expected call of UpdatePrivateEndpointConnection.
+func (mr *MockPrivateLinkServicesClientMockRecorder) UpdatePrivateEndpointConnection(arg0, arg1, arg2, arg3, arg4, arg5 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdatePrivateEndpointConnection", reflect.TypeOf((*MockPrivateLinkServicesClient)(nil).UpdatePrivateEndpointConnection), arg0, arg1, arg2, arg3, arg4, arg5)
+}
+
 // MockPublicIPAddressesClient is a mock of PublicIPAddressesClient interface.
 type MockPublicIPAddressesClient struct {
 	ctrl     *gomock.Controller
@@ -248,3 +396,84 @@ func (mr *MockPublicIPAddressesClientMockRecorder) List(arg0, arg1, arg2 interfa
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "List", reflect.TypeOf((*MockPublicIPAddressesClient)(nil).List), arg0, arg1, arg2)
 }
+
+// MockSecurityGroupsClient is a mock of SecurityGroupsClient interface.
+type MockSecurityGroupsClient struct {
+	ctrl     *gomock.Controller
+	recorder *MockSecurityGroupsClientMockRecorder
+}
+
+// MockSecurityGroupsClientMockRecorder is the mock recorder for MockSecurityGroupsClient.
+type MockSecurityGroupsClientMockRecorder struct {
+	mock *MockSecurityGroupsClient
+}
+
+// NewMockSecurityGroupsClient creates a new mock instance.
+func NewMockSecurityGroupsClient(ctrl *gomock.Controller) *MockSecurityGroupsClient {
+	mock := &MockSecurityGroupsClient{ctrl: ctrl}
+	mock.recorder = &MockSecurityGroupsClientMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use.
+func (m *MockSecurityGroupsClient) EXPECT() *MockSecurityGroupsClientMockRecorder {
+	return m.recorder
+}
+
+// CreateOrUpdateAndWait mocks base method.
+func (m *MockSecurityGroupsClient) CreateOrUpdateAndWait(arg0 context.Context, arg1, arg2 string, arg3 armnetwork.SecurityGroup, arg4 *armnetwork.SecurityGroupsClientBeginCreateOrUpdateOptions) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "CreateOrUpdateAndWait", arg0, arg1, arg2, arg3, arg4)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// CreateOrUpdateAndWait indicates an expected call of CreateOrUpdateAndWait.
+func (mr *MockSecurityGroupsClientMockRecorder) CreateOrUpdateAndWait(arg0, arg1, arg2, arg3, arg4 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateOrUpdateAndWait", reflect.TypeOf((*MockSecurityGroupsClient)(nil).CreateOrUpdateAndWait), arg0, arg1, arg2, arg3, arg4)
+}
+
+// DeleteAndWait mocks base method.
+func (m *MockSecurityGroupsClient) DeleteAndWait(arg0 context.Context, arg1, arg2 string, arg3 *armnetwork.SecurityGroupsClientBeginDeleteOptions) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "DeleteAndWait", arg0, arg1, arg2, arg3)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// DeleteAndWait indicates an expected call of DeleteAndWait.
+func (mr *MockSecurityGroupsClientMockRecorder) DeleteAndWait(arg0, arg1, arg2, arg3 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteAndWait", reflect.TypeOf((*MockSecurityGroupsClient)(nil).DeleteAndWait), arg0, arg1, arg2, arg3)
+}
+
+// Get mocks base method.
+func (m *MockSecurityGroupsClient) Get(arg0 context.Context, arg1, arg2 string, arg3 *armnetwork.SecurityGroupsClientGetOptions) (armnetwork.SecurityGroupsClientGetResponse, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "Get", arg0, arg1, arg2, arg3)
+	ret0, _ := ret[0].(armnetwork.SecurityGroupsClientGetResponse)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// Get indicates an expected call of Get.
+func (mr *MockSecurityGroupsClientMockRecorder) Get(arg0, arg1, arg2, arg3 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Get", reflect.TypeOf((*MockSecurityGroupsClient)(nil).Get), arg0, arg1, arg2, arg3)
+}
+
+// List mocks base method.
+func (m *MockSecurityGroupsClient) List(arg0 context.Context, arg1 string, arg2 *armnetwork.SecurityGroupsClientListOptions) ([]*armnetwork.SecurityGroup, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "List", arg0, arg1, arg2)
+	ret0, _ := ret[0].([]*armnetwork.SecurityGroup)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// List indicates an expected call of List.
+func (mr *MockSecurityGroupsClientMockRecorder) List(arg0, arg1, arg2 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "List", reflect.TypeOf((*MockSecurityGroupsClient)(nil).List), arg0, arg1, arg2)
+}