Create a Media Services and Storage account with a Private Link using an ARM template
Looking for Media Services v2 documentation?
Having trouble? See the Troubleshooting guide for solutions to issues with using Media Services.
Code samples can be found on the Samples page.
Create a Media Services account and Storage Account with Private Links to a VNet. The Azure Resource Manager (ARM) template also sets up DNS for both the Private Links. Finally the template creates a VM to allow the user to try out the Private Links.
Prerequisites
Read Quickstart: Create and deploy ARM templates by using the Azure portal.
Limitations
- For Media Services, the template only sets up Private Link for Key Delivery.
- A network security group isn't created for the VM.
- Network access control isn't configured for the Storage Account or Key Delivery.
The template creates:
- A Media Services account and a Storage Account (as normal)
- A VNet with a subnet
- For both the Media Services account and the Storage Account:
- Private Endpoints
- Private DNS Zones
- Links between links (to connect the private DNS zones to the VNet)
- Private DNS zone groups (to trigger the automatic creation of DNS records in the private DNS zones)
- A VM (with associated public IP address and network interface)
Azure Policy definitions for Private Links
Azure Media Services supports several built-in use case based Azure Policy definitions.
The following policy definitions are available for use with Private Links:
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Media Services accounts should use an API that supports Private Link | Media Services accounts should be created with an API that supports private link. | Audit, Deny, Disabled | 1.0.0 |
| Azure Media Services should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Media Services, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/mediaservicesprivatelinkdocs. | AuditIfNotExists, Disabled | 1.0.0 |
| Configure Azure Media Services to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Media Services account. Learn more at: https://aka.ms/mediaservicesprivatelinkdocs. | DeployIfNotExists, Disabled | 1.0.0 |
| Configure Azure Media Services with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Media Services, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/mediaservicesprivatelinkdocs. | DeployIfNotExists, Disabled | 1.0.0 |
Refer to Azure Policy for Media Services for a complete list of all built-in policy definitions and use cases.
For details on how to deploy and use Azure Policy definitions see the article "What is Azure Policy?"
Azure Resource Manager (ARM) template for private link
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"vmName": {
"type": "string"
},
"vmAdminUsername": {
"type": "string"
},
"vmAdminPassword": {
"type": "secureString"
},
"vmSize": {
"type": "string",
"defaultValue": "Standard_D2_v3"
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]"
},
"storageAccountName": {
"type": "string"
},
"mediaServicesAccountName": {
"type": "string"
}
},
"functions": [],
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2021-01-01",
"name": "[parameters('storageAccountName')]",
"location": "[parameters('location')]",
"sku": {
"name": "Standard_LRS"
},
"kind": "StorageV2"
},
{
"type": "Microsoft.Media/mediaservices",
"apiVersion": "2020-05-01",
"name": "[parameters('mediaServicesAccountName')]",
"location": "[parameters('location')]",
"properties": {
"storageAccounts": [
{
"type": "Primary",
"id": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
}
]
},
"identity": {
"type": "SystemAssigned"
},
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
]
},
{
"type": "Microsoft.Network/virtualNetworks",
"apiVersion": "2020-08-01",
"name": "myVnet",
"location": "[parameters('location')]",
"properties": {
"addressSpace": {
"addressPrefixes": [
"10.0.0.0/16"
]
},
"subnets": [
{
"name": "mySubnet",
"properties": {
"addressPrefix": "10.0.0.0/24",
"privateEndpointNetworkPolicies": "Disabled"
}
}
]
}
},
{
"type": "Microsoft.Network/privateEndpoints",
"apiVersion": "2020-08-01",
"name": "storagePrivateEndpoint",
"location": "[parameters('location')]",
"properties": {
"subnet": {
"id": "[reference(resourceId('Microsoft.Network/virtualNetworks', 'myVnet')).subnets[0].id]"
},
"privateLinkServiceConnections": [
{
"name": "storagePrivateEndpointConnection",
"properties": {
"privateLinkServiceId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]",
"groupIds": [
"blob"
]
}
}
]
},
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]",
"[resourceId('Microsoft.Network/virtualNetworks', 'myVnet')]"
]
},
{
"type": "Microsoft.Network/privateDnsZones",
"apiVersion": "2020-06-01",
"name": "privatelink.blob.core.windows.net",
"location": "global"
},
{
"type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks",
"apiVersion": "2020-06-01",
"name": "[format('{0}/storageDnsZoneLink', 'privatelink.blob.core.windows.net')]",
"location": "global",
"properties": {
"registrationEnabled": false,
"virtualNetwork": {
"id": "[resourceId('Microsoft.Network/virtualNetworks', 'myVnet')]"
}
},
"dependsOn": [
"[resourceId('Microsoft.Network/privateDnsZones', 'privatelink.blob.core.windows.net')]",
"[resourceId('Microsoft.Network/virtualNetworks', 'myVnet')]"
]
},
{
"type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
"apiVersion": "2020-08-01",
"name": "[format('{0}/storagePrivateDnsZoneGroup', 'storagePrivateEndpoint')]",
"properties": {
"privateDnsZoneConfigs": [
{
"name": "config1",
"properties": {
"privateDnsZoneId": "[resourceId('Microsoft.Network/privateDnsZones', 'privatelink.blob.core.windows.net')]"
}
}
]
},
"dependsOn": [
"[resourceId('Microsoft.Network/privateDnsZones', 'privatelink.blob.core.windows.net')]",
"[resourceId('Microsoft.Network/privateEndpoints', 'storagePrivateEndpoint')]"
]
},
{
"type": "Microsoft.Network/privateEndpoints",
"apiVersion": "2020-08-01",
"name": "mediaServicesPrivateEndpoint",
"location": "[parameters('location')]",
"properties": {
"subnet": {
"id": "[reference(resourceId('Microsoft.Network/virtualNetworks', 'myVnet')).subnets[0].id]"
},
"privateLinkServiceConnections": [
{
"name": "mediaServicesPrivateEndpointConnection",
"properties": {
"privateLinkServiceId": "[resourceId('Microsoft.Media/mediaservices', parameters('mediaServicesAccountName'))]",
"groupIds": [
"keydelivery"
]
}
}
]
},
"dependsOn": [
"[resourceId('Microsoft.Media/mediaservices', parameters('mediaServicesAccountName'))]",
"[resourceId('Microsoft.Network/virtualNetworks', 'myVnet')]"
]
},
{
"type": "Microsoft.Network/privateDnsZones",
"apiVersion": "2020-06-01",
"name": "privatelink.media.azure.net",
"location": "global"
},
{
"type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks",
"apiVersion": "2020-06-01",
"name": "[format('{0}/mediaServicesDnsZoneLink', 'privatelink.media.azure.net')]",
"location": "global",
"properties": {
"registrationEnabled": false,
"virtualNetwork": {
"id": "[resourceId('Microsoft.Network/virtualNetworks', 'myVnet')]"
}
},
"dependsOn": [
"[resourceId('Microsoft.Network/privateDnsZones', 'privatelink.media.azure.net')]",
"[resourceId('Microsoft.Network/virtualNetworks', 'myVnet')]"
]
},
{
"type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
"apiVersion": "2020-08-01",
"name": "[format('{0}/mediaServicesPrivateDnsZoneGroup', 'mediaServicesPrivateEndpoint')]",
"properties": {
"privateDnsZoneConfigs": [
{
"name": "config1",
"properties": {
"privateDnsZoneId": "[resourceId('Microsoft.Network/privateDnsZones', 'privatelink.media.azure.net')]"
}
}
]
},
"dependsOn": [
"[resourceId('Microsoft.Network/privateDnsZones', 'privatelink.media.azure.net')]",
"[resourceId('Microsoft.Network/privateEndpoints', 'mediaServicesPrivateEndpoint')]"
]
},
{
"type": "Microsoft.Network/publicIPAddresses",
"apiVersion": "2020-08-01",
"name": "publicIp",
"location": "[parameters('location')]",
"properties": {
"publicIPAllocationMethod": "Dynamic",
"dnsSettings": {
"domainNameLabel": "[toLower(parameters('vmName'))]"
}
}
},
{
"type": "Microsoft.Network/networkInterfaces",
"apiVersion": "2020-08-01",
"name": "vmNetworkInterface",
"location": "[parameters('location')]",
"properties": {
"ipConfigurations": [
{
"name": "ipConfig1",
"properties": {
"privateIPAllocationMethod": "Dynamic",
"publicIPAddress": {
"id": "[resourceId('Microsoft.Network/publicIPAddresses', 'publicIp')]"
},
"subnet": {
"id": "[reference(resourceId('Microsoft.Network/virtualNetworks', 'myVnet')).subnets[0].id]"
}
}
}
]
},
"dependsOn": [
"[resourceId('Microsoft.Network/publicIPAddresses', 'publicIp')]",
"[resourceId('Microsoft.Network/virtualNetworks', 'myVnet')]"
]
},
{
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2020-12-01",
"name": "myVM",
"location": "[parameters('location')]",
"properties": {
"hardwareProfile": {
"vmSize": "[parameters('vmSize')]"
},
"osProfile": {
"computerName": "[parameters('vmName')]",
"adminUsername": "[parameters('vmAdminUsername')]",
"adminPassword": "[parameters('vmAdminPassword')]"
},
"storageProfile": {
"imageReference": {
"publisher": "MicrosoftWindowsServer",
"offer": "WindowsServer",
"sku": "2019-Datacenter",
"version": "latest"
},
"osDisk": {
"name": "osDisk",
"caching": "ReadWrite",
"createOption": "FromImage",
"managedDisk": {
"storageAccountType": "Standard_LRS"
},
"diskSizeGB": 128
}
},
"networkProfile": {
"networkInterfaces": [
{
"id": "[resourceId('Microsoft.Network/networkInterfaces', 'vmNetworkInterface')]"
}
]
}
},
"dependsOn": [
"[resourceId('Microsoft.Network/networkInterfaces', 'vmNetworkInterface')]"
]
}
],
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.3.126.58533",
"templateHash": "2006367938138350540"
}
}
}