Microsoft.Network privateEndpoints

Template format

To create a Microsoft.Network/privateEndpoints resource, add the following JSON to the resources section of your template.

{
  "name": "string",
  "type": "Microsoft.Network/privateEndpoints",
  "apiVersion": "2020-06-01",
  "location": "string",
  "tags": {},
  "properties": {
    "subnet": {
      "id": "string",
      "name": "string"
    },
    "privateLinkServiceConnections": [
      {
        "id": "string",
        "properties": {
          "privateLinkServiceId": "string",
          "groupIds": [
            "string"
          ],
          "requestMessage": "string",
          "privateLinkServiceConnectionState": {
            "status": "string",
            "description": "string",
            "actionsRequired": "string"
          }
        },
        "name": "string"
      }
    ],
    "manualPrivateLinkServiceConnections": [
      {
        "id": "string",
        "properties": {
          "privateLinkServiceId": "string",
          "groupIds": [
            "string"
          ],
          "requestMessage": "string",
          "privateLinkServiceConnectionState": {
            "status": "string",
            "description": "string",
            "actionsRequired": "string"
          }
        },
        "name": "string"
      }
    ],
    "customDnsConfigs": [
      {
        "fqdn": "string",
        "ipAddresses": [
          "string"
        ]
      }
    ]
  },
  "resources": []
}

Property values

The following tables describe the values you need to set in the schema.

Microsoft.Network/privateEndpoints object

Name Type Required Value
name string Yes The name of the private endpoint.
type enum Yes Microsoft.Network/privateEndpoints
apiVersion enum Yes 2020-06-01
location string Yes Resource location.
tags object No Resource tags.
properties object Yes Properties of the private endpoint. - PrivateEndpointProperties object
resources array No privateDnsZoneGroups

PrivateEndpointProperties object

Name Type Required Value
subnet object No The ID of the subnet from which the private IP will be allocated. - Subnet object
privateLinkServiceConnections array No A grouping of information about the connection to the remote resource. - PrivateLinkServiceConnection object
manualPrivateLinkServiceConnections array No A grouping of information about the connection to the remote resource. Used when the network admin does not have access to approve connections to the remote resource. - PrivateLinkServiceConnection object
customDnsConfigs array No An array of custom DNS configurations. - CustomDnsConfigPropertiesFormat object

Subnet object

Name Type Required Value
id string No Resource ID.
name string No The name of the resource that is unique within a resource group. This name can be used to access the resource.

PrivateLinkServiceConnection object

Name Type Required Value
id string No Resource ID.
properties object No Properties of the private link service connection. - PrivateLinkServiceConnectionProperties object
name string No The name of the resource that is unique within a resource group. This name can be used to access the resource.

CustomDnsConfigPropertiesFormat object

Name Type Required Value
fqdn string No FQDN that resolves to the private endpoint IP address.
ipAddresses array No A list of private IP addresses of the private endpoint. - string

SubnetPropertiesFormat object

Name Type Required Value
addressPrefix string No The address prefix for the subnet.
addressPrefixes array No List of address prefixes for the subnet. - string
networkSecurityGroup object No The reference to the NetworkSecurityGroup resource. - NetworkSecurityGroup object
routeTable object No The reference to the RouteTable resource. - RouteTable object
natGateway object No NAT gateway associated with this subnet. - SubResource object
serviceEndpoints array No An array of service endpoints. - ServiceEndpointPropertiesFormat object
serviceEndpointPolicies array No An array of service endpoint policies. - ServiceEndpointPolicy object
ipAllocations array No Array of IpAllocation resources that reference this subnet. - SubResource object
delegations array No An array of references to the delegations on the subnet. - Delegation object
privateEndpointNetworkPolicies string No Enable or disable applying network policies to private endpoints in the subnet.
privateLinkServiceNetworkPolicies string No Enable or disable applying network policies to private link services in the subnet.

PrivateLinkServiceConnectionProperties object

Name Type Required Value
privateLinkServiceId string No The resource ID of the private link service.
groupIds array No The ID(s) of the group(s) obtained from the remote resource that this private endpoint should connect to. - string
requestMessage string No A message passed to the owner of the remote resource with this connection request. Restricted to 140 chars.
privateLinkServiceConnectionState object No A collection of read-only information about the state of the connection to the remote resource. - PrivateLinkServiceConnectionState object

NetworkSecurityGroup object

Name Type Required Value
id string No Resource ID.
location string No Resource location.
tags object No Resource tags.
properties object No Properties of the network security group. - NetworkSecurityGroupPropertiesFormat object

RouteTable object

Name Type Required Value
id string No Resource ID.
location string No Resource location.
tags object No Resource tags.
properties object No Properties of the route table. - RouteTablePropertiesFormat object

SubResource object

Name Type Required Value
id string No Resource ID.

ServiceEndpointPropertiesFormat object

Name Type Required Value
service string No The type of the endpoint service.
locations array No A list of locations. - string

ServiceEndpointPolicy object

Name Type Required Value
id string No Resource ID.
location string No Resource location.
tags object No Resource tags.
properties object No Properties of the service endpoint policy. - ServiceEndpointPolicyPropertiesFormat object

Delegation object

Name Type Required Value
id string No Resource ID.
properties object No Properties of the subnet. - ServiceDelegationPropertiesFormat object
name string No The name of the resource that is unique within a subnet. This name can be used to access the resource.

PrivateLinkServiceConnectionState object

Name Type Required Value
status string No Indicates whether the connection has been Approved/Rejected/Removed by the owner of the service.
description string No The reason for approval/rejection of the connection.
actionsRequired string No A message indicating if changes on the service provider require any updates on the consumer.

NetworkSecurityGroupPropertiesFormat object

Name Type Required Value
securityRules array No A collection of security rules of the network security group. - SecurityRule object

RouteTablePropertiesFormat object

Name Type Required Value
routes array No Collection of routes contained within a route table. - Route object
disableBgpRoutePropagation boolean No Whether to disable the routes learned by BGP on that route table. True means disable.

ServiceEndpointPolicyPropertiesFormat object

Name Type Required Value
serviceEndpointPolicyDefinitions array No A collection of service endpoint policy definitions of the service endpoint policy. - ServiceEndpointPolicyDefinition object

ServiceDelegationPropertiesFormat object

Name Type Required Value
serviceName string No The name of the service to which the subnet should be delegated (e.g. Microsoft.Sql/servers).

SecurityRule object

Name Type Required Value
id string No Resource ID.
properties object No Properties of the security rule. - SecurityRulePropertiesFormat object
name string No The name of the resource that is unique within a resource group. This name can be used to access the resource.

Route object

Name Type Required Value
id string No Resource ID.
properties object No Properties of the route. - RoutePropertiesFormat object
name string No The name of the resource that is unique within a resource group. This name can be used to access the resource.

ServiceEndpointPolicyDefinition object

Name Type Required Value
id string No Resource ID.
properties object No Properties of the service endpoint policy definition. - ServiceEndpointPolicyDefinitionPropertiesFormat object
name string No The name of the resource that is unique within a resource group. This name can be used to access the resource.

SecurityRulePropertiesFormat object

Name Type Required Value
description string No A description for this rule. Restricted to 140 chars.
protocol enum Yes Network protocol this rule applies to. - Tcp, Udp, Icmp, Esp, *, Ah
sourcePortRange string No The source port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports.
destinationPortRange string No The destination port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports.
sourceAddressPrefix string No The CIDR or source IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. If this is an ingress rule, specifies where network traffic originates from.
sourceAddressPrefixes array No The CIDR or source IP ranges. - string
sourceApplicationSecurityGroups array No The application security group specified as source. - ApplicationSecurityGroup object
destinationAddressPrefix string No The destination address prefix. CIDR or destination IP range. Asterisk '*' can also be used to match all destination IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used.
destinationAddressPrefixes array No The destination address prefixes. CIDR or destination IP ranges. - string
destinationApplicationSecurityGroups array No The application security group specified as destination. - ApplicationSecurityGroup object
sourcePortRanges array No The source port ranges. - string
destinationPortRanges array No The destination port ranges. - string
access enum Yes The network traffic is allowed or denied. - Allow or Deny
priority integer No The priority of the rule. The value can be between 100 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule.
direction enum Yes The direction of the rule. The direction specifies whether the rule is evaluated on incoming or outgoing traffic. - Inbound or Outbound

RoutePropertiesFormat object

Name Type Required Value
addressPrefix string No The destination CIDR to which the route applies.
nextHopType enum Yes The type of Azure hop the packet should be sent to. - VirtualNetworkGateway, VnetLocal, Internet, VirtualAppliance, None
nextHopIpAddress string No The IP address packets should be forwarded to. Next hop values are only allowed in routes where the next hop type is VirtualAppliance.

ServiceEndpointPolicyDefinitionPropertiesFormat object

Name Type Required Value
description string No A description for this rule. Restricted to 140 chars.
service string No Service endpoint name.
serviceResources array No A list of service resources. - string

ApplicationSecurityGroup object

Name Type Required Value
id string No Resource ID.
location string No Resource location.
tags object No Resource tags.
properties object No Properties of the application security group. - ApplicationSecurityGroupPropertiesFormat object
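As an added example that is not part of this reference page, the template fragment below deploys a private endpoint for the blob sub-resource of an existing storage account; the virtual network vnet-app, the storage account stgexample and every other name are constructed placeholders. It declares the endpoint's subnet with privateEndpointNetworkPolicies set to Disabled, which at this API version is required before a private endpoint can be placed in the subnet, limits groupIds to blob so no other sub-resource of the account is exposed, and uses dependsOn (standard ARM, not one of the properties tabled above) to order the deployment.

```json
{
  "resources": [
    {
      "type": "Microsoft.Network/virtualNetworks/subnets",
      "apiVersion": "2020-06-01",
      "name": "vnet-app/snet-privateendpoints",
      "properties": {
        "addressPrefix": "10.10.2.0/24",
        "privateEndpointNetworkPolicies": "Disabled"
      }
    },
    {
      "type": "Microsoft.Network/privateEndpoints",
      "apiVersion": "2020-06-01",
      "name": "pe-stgexample-blob",
      "location": "[resourceGroup().location]",
      "tags": {
        "example": "constructed-sample-not-from-reference-page"
      },
      "dependsOn": [
        "[resourceId('Microsoft.Network/virtualNetworks/subnets', 'vnet-app', 'snet-privateendpoints')]"
      ],
      "properties": {
        "subnet": {
          "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', 'vnet-app', 'snet-privateendpoints')]"
        },
        "privateLinkServiceConnections": [
          {
            "name": "stgexample-blob",
            "properties": {
              "privateLinkServiceId": "[resourceId('Microsoft.Storage/storageAccounts', 'stgexample')]",
              "groupIds": [
                "blob"
              ],
              "requestMessage": "Blob endpoint for the application subnet"
            }
          }
        ]
      }
    }
  ]
}
```

If the deploying identity lacks approval rights on the target account, put the same connection under manualPrivateLinkServiceConnections instead and the owner approves it; the endpoint's privateLinkServiceConnectionState then reports Approved, Rejected or Removed as described in the PrivateLinkServiceConnectionState table.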

Quickstart templates

The following quickstart templates deploy this resource type.

Template Description
Azure Cloud Shell - VNet: This template deploys Azure Cloud Shell resources into an Azure virtual network.
Create an Azure Cosmos DB Account with a private endpoint: This template creates a Cosmos account, a virtual network and a private endpoint exposing the Cosmos account to the virtual network.
Private Endpoint example: This template shows how to create a private endpoint pointing to Azure SQL Server.
Web App with Private Endpoint: This template creates a Web App and exposes it through a private endpoint.
Private Link service example: This template shows how to create a Private Link service.
Web App with VNet Injection and Private Endpoint: This template creates a secure end-to-end solution with two web apps, a front end and a back end; the front end consumes the back end securely through VNet injection and a private endpoint.
Connect to a storage account from a VM via private endpoint: This sample shows how to connect a virtual network to a blob storage account via a private endpoint.
Connect to an Event Hubs namespace via private endpoint: This sample shows how to configure a virtual network and private DNS zone to access an Event Hubs namespace via a private endpoint.
Connect to a Key Vault via private endpoint: This sample shows how to configure a virtual network and private DNS zone to access Key Vault via a private endpoint.
Advanced template for Azure Machine Learning workspace: A template that creates an Azure Machine Learning workspace with private endpoints and resources behind a VNet.
WebApp consuming an Azure SQL Private Endpoint: This template shows how to create a Web app that consumes a private endpoint pointing to Azure SQL Server.
Connect to a Service Bus namespace via private endpoint: This sample shows how to configure a virtual network and private DNS zone to access a Service Bus namespace via a private endpoint.