Create an App Service app and deploy Private Endpoint using Azure CLI

This sample script creates an app in App Service with its related resources, and then deploys a Private Endpoint.

If you don't have an Azure subscription, create an Azure free account before you begin.

Prerequisites

• Use the Bash environment in Azure Cloud Shell. For more information, see Azure Cloud Shell Quickstart - Bash.

  

• If you prefer to run CLI reference commands locally, install the Azure CLI. If you are running on Windows or macOS, consider running Azure CLI in a Docker container. For more information, see How to run the Azure CLI in a Docker container.

  • If you're using a local installation, sign in to the Azure CLI by using the az login command. To finish the authentication process, follow the steps displayed in your terminal. For additional sign-in options, see Sign in with the Azure CLI.

  • When you're prompted, install Azure CLI extensions on first use. For more information about extensions, see Use extensions with the Azure CLI.

  • Run az version to find the version and dependent libraries that are installed. To upgrade to the latest version, run az upgrade.

• This tutorial requires version 2.0.28 or later of the Azure CLI. If using Azure Cloud Shell, the latest version is already installed.

Create a resource group

Before you can create any resource, you have to create a resource group to host the Web App, the Virtual Network, and other network components. Create a resource group with az group create. This example creates a resource group named myResourceGroup in the francecentral location:

az group create --name myResourceGroup --location francecentral 

Create an App Service Plan

You need to create an App Service Plan to host your Web App. Create an App Service Plan with az appservice plan create. This example creates App Service Plan named myAppServicePlan in the francecentral location with P1V2 sku and only one worker:

az appservice plan create \
--name myAppServicePlan \
--resource-group myResourceGroup \
--location francecentral \
--sku P1V2 \
--number-of-workers 1

Create a Web App

Now that you have an App Service Plan you can deploy a Web App. Create a Web App with az webapp create. This example creates a Web App named mySiteName in the Plan named myAppServicePlan

az webapp create \
--name mySiteName \
--resource-group myResourceGroup \
--plan myAppServicePlan

Create a VNet

Create a Virtual Network with az network vnet create. This example creates a default Virtual Network named myVNet with one subnet named mySubnet:

az network vnet create \
--name myVNet \
--resource-group myResourceGroup \
--location francecentral \
--address-prefixes 10.8.0.0/16 \
--subnet-name mySubnet \
--subnet-prefixes 10.8.100.0/24

Configure the Subnet

You need to update the subnet to disable private endpoint network policies. Update a subnet configuration named mySubnet with az network vnet subnet update:

az network vnet subnet update \
--name mySubnet \
--resource-group myResourceGroup \
--vnet-name myVNet \
--disable-private-endpoint-network-policies true

Create the Private Endpoint

Create the Private Endpoint for your Web App with az network private-endpoint create. This example creates a Private Endpoint named myPrivateEndpoint in the VNet myVNet in the Subnet mySubnet with a connection named myConnectionName to the resource ID of my Web App /subscriptions/SubscriptionID/resourceGroups/myResourceGroup/providers/Microsoft.Web/sites/myWebApp, the group parameter is sites for Web App type.

az network private-endpoint create \
--name myPrivateEndpoint \
--resource-group myResourceGroup \
--vnet-name myVNet \
--subnet mySubnet \
--connection-name myConnectionName \
--private-connection-resource-id /subscriptions/SubscriptionID/resourceGroups/myResourceGroup/providers/Microsoft.Web/sites/myWebApp \
--group-id sites

Configure the private zone

At the end, you need to create a private DNS zone named privatelink.azurewebsites.net linked to the VNet to resolve DNS name of the Web App.

az network private-dns zone create \
--name privatelink.azurewebsites.net \
--resource-group myResourceGroup

az network private-dns link vnet create \
--name myDNSLink \
--resource-group myResourceGroup \
--registration-enabled false \
--virtual-network myVNet \
--zone-name privatelink.azurewebsites.net

az network private-endpoint dns-zone-group create \
--name myZoneGroup \
--resource-group myResourceGroup \
--endpoint-name myPrivateEndpoint \
--private-dns-zone privatelink.azurewebsites.net \
--zone-name privatelink.azurewebsites.net

Clean up deployment

After the sample script has been run, the following command can be used to remove the resource group and all resources associated with it.

az group delete --name myResourceGroup

Next steps

• For more information on the Azure CLI, see Azure CLI documentation.
• Additional App Service CLI script samples can be found in the Azure App Service documentation.