Microsoft.Network privateEndpoints 2020-06-01

The privateEndpoints resource type can be deployed to: Resource groups.

To learn about resource group deployments, see Bicep or ARM template.

Template format

To create a Microsoft.Network/privateEndpoints resource, add the following Bicep or JSON to your template.

resource symbolicname 'Microsoft.Network/privateEndpoints@2020-06-01' = {
  name: 'string'
  location: 'string'
  tags: {
    tagName1: 'tagValue1'
    tagName2: 'tagValue2'
  }
  properties: {
    customDnsConfigs: [
      {
        fqdn: 'string'
        ipAddresses: [ 'string' ]
      }
    ]
    manualPrivateLinkServiceConnections: [
      {
        id: 'string'
        name: 'string'
        properties: {
          groupIds: [ 'string' ]
          privateLinkServiceConnectionState: {
            actionsRequired: 'string'
            description: 'string'
            status: 'string'
          }
          privateLinkServiceId: 'string'
          requestMessage: 'string'
        }
      }
    ]
    privateLinkServiceConnections: [
      {
        id: 'string'
        name: 'string'
        properties: {
          groupIds: [ 'string' ]
          privateLinkServiceConnectionState: {
            actionsRequired: 'string'
            description: 'string'
            status: 'string'
          }
          privateLinkServiceId: 'string'
          requestMessage: 'string'
        }
      }
    ]
    subnet: {
      id: 'string'
      name: 'string'
      properties: {
        addressPrefix: 'string'
        addressPrefixes: [ 'string' ]
        delegations: [
          {
            id: 'string'
            name: 'string'
            properties: {
              serviceName: 'string'
            }
          }
        ]
        ipAllocations: [
          {
            id: 'string'
          }
        ]
        natGateway: {
          id: 'string'
        }
        networkSecurityGroup: {
          id: 'string'
          location: 'string'
          properties: {
            securityRules: [
              {
                id: 'string'
                name: 'string'
                properties: {
                  access: 'string'
                  description: 'string'
                  destinationAddressPrefix: 'string'
                  destinationAddressPrefixes: [ 'string' ]
                  destinationApplicationSecurityGroups: [
                    {
                      id: 'string'
                      location: 'string'
                      properties: {}
                      tags: {
                        tagName1: 'tagValue1'
                        tagName2: 'tagValue2'
                      }
                    }
                  ]
                  destinationPortRange: 'string'
                  destinationPortRanges: [ 'string' ]
                  direction: 'string'
                  priority: int
                  protocol: 'string'
                  sourceAddressPrefix: 'string'
                  sourceAddressPrefixes: [ 'string' ]
                  sourceApplicationSecurityGroups: [
                    {
                      id: 'string'
                      location: 'string'
                      properties: {}
                      tags: {
                        tagName1: 'tagValue1'
                        tagName2: 'tagValue2'
                      }
                    }
                  ]
                  sourcePortRange: 'string'
                  sourcePortRanges: [ 'string' ]
                }
              }
            ]
          }
          tags: {
            tagName1: 'tagValue1'
            tagName2: 'tagValue2'
          }
        }
        privateEndpointNetworkPolicies: 'string'
        privateLinkServiceNetworkPolicies: 'string'
        routeTable: {
          id: 'string'
          location: 'string'
          properties: {
            disableBgpRoutePropagation: bool
            routes: [
              {
                id: 'string'
                name: 'string'
                properties: {
                  addressPrefix: 'string'
                  nextHopIpAddress: 'string'
                  nextHopType: 'string'
                }
              }
            ]
          }
          tags: {
            tagName1: 'tagValue1'
            tagName2: 'tagValue2'
          }
        }
        serviceEndpointPolicies: [
          {
            id: 'string'
            location: 'string'
            properties: {
              serviceEndpointPolicyDefinitions: [
                {
                  id: 'string'
                  name: 'string'
                  properties: {
                    description: 'string'
                    service: 'string'
                    serviceResources: [ 'string' ]
                  }
                }
              ]
            }
            tags: {
              tagName1: 'tagValue1'
              tagName2: 'tagValue2'
            }
          }
        ]
        serviceEndpoints: [
          {
            locations: [ 'string' ]
            service: 'string'
          }
        ]
      }
    }
  }
}

Property values

privateEndpoints

Name Description Value
type The resource type

For Bicep, set this value in the resource declaration.
'Microsoft.Network/privateEndpoints'
apiVersion The resource api version

For Bicep, set this value in the resource declaration.
'2020-06-01'
name The resource name string (required)
location Resource location. string
tags Resource tags. Dictionary of tag names and values. See Tags in templates
properties Properties of the private endpoint. PrivateEndpointProperties

PrivateEndpointProperties

Name Description Value
customDnsConfigs An array of custom dns configurations. CustomDnsConfigPropertiesFormat[]
manualPrivateLinkServiceConnections A grouping of information about the connection to the remote resource. Used when the network admin does not have access to approve connections to the remote resource. PrivateLinkServiceConnection[]
privateLinkServiceConnections A grouping of information about the connection to the remote resource. PrivateLinkServiceConnection[]
subnet Subnet in a virtual network resource. Subnet

CustomDnsConfigPropertiesFormat

Name Description Value
fqdn Fqdn that resolves to private endpoint ip address. string
ipAddresses A list of private ip addresses of the private endpoint. string[]

PrivateLinkServiceConnection

Name Description Value
id Resource ID. string
name The name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Properties of the PrivateLinkServiceConnection. PrivateLinkServiceConnectionProperties

PrivateLinkServiceConnectionProperties

Name Description Value
groupIds The ID(s) of the group(s) obtained from the remote resource that this private endpoint should connect to. string[]
privateLinkServiceConnectionState A collection of information about the state of the connection between service consumer and provider. PrivateLinkServiceConnectionState
privateLinkServiceId The resource id of private link service. string
requestMessage A message passed to the owner of the remote resource with this connection request. Restricted to 140 chars. string

PrivateLinkServiceConnectionState

Name Description Value
actionsRequired A message indicating if changes on the service provider require any updates on the consumer. string
description The reason for approval/rejection of the connection. string
status Indicates whether the connection has been Approved/Rejected/Removed by the owner of the service. string

Subnet

Name Description Value
id Resource ID. string
name The name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Properties of the subnet. SubnetPropertiesFormat

SubnetPropertiesFormat

Name Description Value
addressPrefix The address prefix for the subnet. string
addressPrefixes List of address prefixes for the subnet. string[]
delegations An array of references to the delegations on the subnet. Delegation[]
ipAllocations Array of IpAllocation which reference this subnet. SubResource[]
natGateway Reference to another subresource. SubResource
networkSecurityGroup NetworkSecurityGroup resource. NetworkSecurityGroup
privateEndpointNetworkPolicies Enable or Disable apply network policies on private end point in the subnet. string
privateLinkServiceNetworkPolicies Enable or Disable apply network policies on private link service in the subnet. string
routeTable Route table resource. RouteTable
serviceEndpointPolicies An array of service endpoint policies. ServiceEndpointPolicy[]
serviceEndpoints An array of service endpoints. ServiceEndpointPropertiesFormat[]

Delegation

Name Description Value
id Resource ID. string
name The name of the resource that is unique within a subnet. This name can be used to access the resource. string
properties Properties of a service delegation. ServiceDelegationPropertiesFormat

ServiceDelegationPropertiesFormat

Name Description Value
serviceName The name of the service to whom the subnet should be delegated (e.g. Microsoft.Sql/servers). string

SubResource

Name Description Value
id Resource ID. string

NetworkSecurityGroup

Name Description Value
id Resource ID. string
location Resource location. string
properties Network Security Group resource. NetworkSecurityGroupPropertiesFormat
tags Resource tags. Dictionary of tag names and values. See Tags in templates

NetworkSecurityGroupPropertiesFormat

Name Description Value
securityRules A collection of security rules of the network security group. SecurityRule[]

SecurityRule

Name Description Value
id Resource ID. string
name The name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Security rule resource. SecurityRulePropertiesFormat

SecurityRulePropertiesFormat

Name Description Value
access Whether network traffic is allowed or denied. 'Allow'
'Deny'
description A description for this rule. Restricted to 140 chars. string
destinationAddressPrefix The destination address prefix. CIDR or destination IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. string
destinationAddressPrefixes The destination address prefixes. CIDR or destination IP ranges. string[]
destinationApplicationSecurityGroups The application security group specified as destination. ApplicationSecurityGroup[]
destinationPortRange The destination port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports. string
destinationPortRanges The destination port ranges. string[]
direction The direction of the rule. The direction specifies if rule will be evaluated on incoming or outgoing traffic. 'Inbound'
'Outbound'
priority The priority of the rule. The value can be between 100 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule. int
protocol Network protocol this rule applies to. '*'
'Ah'
'Esp'
'Icmp'
'Tcp'
'Udp'
sourceAddressPrefix The CIDR or source IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. If this is an ingress rule, specifies where network traffic originates from. string
sourceAddressPrefixes The CIDR or source IP ranges. string[]
sourceApplicationSecurityGroups The application security group specified as source. ApplicationSecurityGroup[]
sourcePortRange The source port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports. string
sourcePortRanges The source port ranges. string[]

ApplicationSecurityGroup

Name Description Value
id Resource ID. string
location Resource location. string
properties Application security group properties. ApplicationSecurityGroupPropertiesFormat
tags Resource tags. Dictionary of tag names and values. See Tags in templates

ApplicationSecurityGroupPropertiesFormat

This object doesn't contain any properties to set during deployment. All properties are ReadOnly.

RouteTable

Name Description Value
id Resource ID. string
location Resource location. string
properties Route Table resource. RouteTablePropertiesFormat
tags Resource tags. Dictionary of tag names and values. See Tags in templates

RouteTablePropertiesFormat

Name Description Value
disableBgpRoutePropagation Whether to disable the routes learned by BGP on that route table. True means disable. bool
routes Collection of routes contained within a route table. Route[]

Route

Name Description Value
id Resource ID. string
name The name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Route resource. RoutePropertiesFormat

RoutePropertiesFormat

Name Description Value
addressPrefix The destination CIDR to which the route applies. string
nextHopIpAddress The IP address packets should be forwarded to. Next hop values are only allowed in routes where the next hop type is VirtualAppliance. string
nextHopType The type of Azure hop the packet should be sent to. 'Internet'
'None'
'VirtualAppliance'
'VirtualNetworkGateway'
'VnetLocal'

ServiceEndpointPolicy

Name Description Value
id Resource ID. string
location Resource location. string
properties Service Endpoint Policy resource. ServiceEndpointPolicyPropertiesFormat
tags Resource tags. Dictionary of tag names and values. See Tags in templates

ServiceEndpointPolicyPropertiesFormat

Name Description Value
serviceEndpointPolicyDefinitions A collection of service endpoint policy definitions of the service endpoint policy. ServiceEndpointPolicyDefinition[]

ServiceEndpointPolicyDefinition

Name Description Value
id Resource ID. string
name The name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Service Endpoint policy definition resource. ServiceEndpointPolicyDefinitionPropertiesFormat

ServiceEndpointPolicyDefinitionPropertiesFormat

Name Description Value
description A description for this rule. Restricted to 140 chars. string
service Service endpoint name. string
serviceResources A list of service resources. string[]

ServiceEndpointPropertiesFormat

Name Description Value
locations A list of locations. string[]
service The type of the endpoint service. string

Quickstart templates

The following quickstart templates deploy this resource type.

Template Description
min.io Azure Gateway

Deploy to Azure
Fully private min.io Azure Gateway deployment to provide an S3 compliant storage API backed by blob storage
SAS 9.4 with SAS Visual Analytics and SAS Visual Statistics

Deploy to Azure
The SAS 9.4 Quickstart Template for Azure with SAS Visual Analytics and SAS Visual Statistics deploys these products on the cloud: SAS Visual Analytics 7.51 and SAS Visual Statistics 7.51. This Quickstart is a reference architecture only. It is not intended for production use. Specifically, the Quickstart provides an example of how a SAS Visual Analytics in SAS 9.4 workload and a SAS Visual Statistics in SAS 9.4 workload running in a massively parallel processing (MPP) environment with SAS LASR Analytiic Server can be run on Azure.
Azure Cloud Shell - VNet

Deploy to Azure
This template deploys Azure Cloud Shell resources into an Azure virtual network.
Create a Private AKS Cluster

Deploy to Azure
This sample shows how to create a private AKS cluster in a virtual network along with a jumpbox virtual machine.
Create a Private AKS Cluster with a Public DNS Zone

Deploy to Azure
This sample shows how to a deploy a private AKS cluster with a Public DNS Zone.
WebApp consuming a Azure SQL Private Endpoint

Deploy to Azure
This template shows how to create a Web app that consumes a private endpoint pointing to Azure SQL Server
Create an Azure Cosmos DB Account with a private endpoint

Deploy to Azure
This template will create a Cosmos account, a virtual network and a private endpoint exposing the Cosmos account to the virtual network.
Connect to a Event Hubs namespace via private endpoint

Deploy to Azure
This sample shows how to use configure a virtual network and private DNS zone to access a Event Hubs namespace via a private endpoint.
Connect to a Key Vault via private endpoint

Deploy to Azure
This sample shows how to use configure a virtual network and private DNS zone to access Key Vault via private endpoint.
Advanced template for Azure Machine Learning workspace

Deploy to Azure
A template that creates Azure Machine Learning workspace with private endpoints and resources behind VNET
AKS cluster with the Application Gateway Ingress Controller

Deploy to Azure
This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault
Use Azure Firewall as a DNS Proxy in a Hub & Spoke topology

Deploy to Azure
This sample show how to deploy a hub-spoke topology in Azure using the Azure Firewall. The hub virtual network acts as a central point of connectivity to many spoke virtual networks that are connected to hub virtual network via virtual network peering.
Private Link service example

Deploy to Azure
This template shows how to create a private link service
Connect to a Service Bus namespace via private endpoint

Deploy to Azure
This sample shows how to use configure a virtual network and private DNS zone to access a Service Bus namespace via private endpoint.
Private Endpoint example

Deploy to Azure
This template shows how to create a private endpoint pointing to Azure SQL Server
Connect to a storage account from a VM via private endpoint

Deploy to Azure
This sample shows how to use connect a virtual network to access a blob storage account via private endpoint.
Connect to an Azure File Share via a Private Endpoint

Deploy to Azure
This sample shows how to use configure a virtual network and private DNS zone to access an Azure File Share via a private endpoint.
App Service Environment with Azure SQL backend

Deploy to Azure
This template creates an App Service Environment with an Azure SQL backend along with private endpoints along with associated resources typically used in an private/isolated environment.
Create Function App and private endpoint-secured Storage

Deploy to Azure
This template allows you to deploy an Azure Function App that communicates with Azure Storage over private endpoints.
Web App with Private Endpoint

Deploy to Azure
This template allows you to create a Web App and expose it through Private Endpoint
Web App with VNet Injection and Private Endpoint.

Deploy to Azure
This template allows you to create a secure end to end solution with two web apps, front end and back end, front end will consume securely the back through VNet injection and Private Endpoint
SAS 9.4 with SAS Visual Analytics and SAS Visual Statistics

Deploy to Azure
The SAS 9.4 Quickstart Template for Azure with SAS Visual Analytics and SAS Visual Statistics deploys these products on the cloud: SAS Visual Analytics 7.51 and SAS Visual Statistics 7.51. This Quickstart is a reference architecture only. It is not intended for production use. Specifically, the Quickstart provides an example of how a SAS Visual Analytics in SAS 9.4 workload and a SAS Visual Statistics in SAS 9.4 workload running in a massively parallel processing (MPP) environment with SAS LASR Analytiic Server can be run on Azure.